Supplemental Document : BIG-IP 14.1.5.6 Fixes and Known Issues

Applies To:

BIG-IP APM

  • 14.1.5

BIG-IP Analytics

  • 14.1.5

BIG-IP Link Controller

  • 14.1.5

BIG-IP LTM

  • 14.1.5

BIG-IP PEM

  • 14.1.5

BIG-IP AFM

  • 14.1.5

BIG-IP DNS

  • 14.1.5

BIG-IP FPS

  • 14.1.5

BIG-IP ASM

  • 14.1.5
Updated Date: 09/12/2023

BIG-IP Release Information

Version: 14.1.5.6
Build: 6.0

Note: This content is current as of the software release date. Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.


Cumulative fixes from BIG-IP v14.1.5.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.5.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.5.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.5.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.5.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.6 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.8 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.7 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.6 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.6 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release
Known Issues in BIG-IP v14.1.x

Functional Change Fixes

None


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1283645-3 2-Critical BT1283645 Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued 16.1.4, 15.1.9, 14.1.5.6
1324745-4 3-Major   An undisclosed TMUI endpoint may allow unexpected behavior 14.1.5.6



Cumulative fixes from BIG-IP v14.1.5.5 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1285173-5 CVE-2023-38138 K000133474 Improper query string handling on undisclosed pages 17.1.0.2, 16.1.3.5, 15.1.9.1
1265425-4 CVE-2023-38423 K000134535 Improper query string handling on undisclosed pages 17.1.0.2, 16.1.3.5, 15.1.9.1
1189457-5 CVE-2023-22372 K000132522, BT1189457 Hardening of client connection handling from Edge client. 16.1.4, 15.1.9
1185421-2 CVE-2023-38419 K000133472, BT1185421 iControl SOAP uncaught exception when handling certain payloads 17.1.0.2, 16.1.3.5, 15.1.9.1


Functional Change Fixes

None



Cumulative fixes from BIG-IP v14.1.5.4 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1213305-1 CVE-2023-27378 K000132726, BT1213305 Improper query string handling on undisclosed pages 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4
1208989-6 CVE-2023-27378 K000132726, BT1208989 Improper value handling in DOS Profile properties page 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4
1208001-5 CVE-2023-22374 K000130415, BT1208001 iControl SOAP vulnerability CVE-2023-22374 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4
1204961-2 CVE-2023-27378 K000132726 Improper query string handling on undisclosed pages 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4
1204793-2 CVE-2023-27378 K000132726 Improper query string handling on undisclosed pages 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4
1196033-4 CVE-2023-27378 K000132726, BT1196033 Improper value handling in DataSafe UI 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4
1106989-1 CVE-2023-29163 K20145107, BT1106989 Certain configuration settings may lead to memory accumulation 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4
1086293-6 CVE-2023-22358 K76964818, BT1086293 Untrusted search path vulnerability in APM Windows Client installer processes 17.1.0, 17.0.0.2, 16.1.3.4, 15.1.8.2, 14.1.5.4
1086289-6 CVE-2023-22358 K76964818, BT1086289 BIG-IP Edge Client for Windows vulnerability CVE-2023-22358 17.1.0, 17.0.0.2, 16.1.3.4, 15.1.8.2, 14.1.5.4
1207661-6 CVE-2023-28406 K000132768, BT1207661 Datasafe UI hardening 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4
1096373-4 CVE-2023-28742 K000132972, BT1096373 Unexpected parameter handling in BIG3d 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4


Functional Change Fixes

None



Cumulative fixes from BIG-IP v14.1.5.3 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
982785-4 CVE-2022-25946 K52322100 Guided Configuration hardening 17.0.0, 16.1.3.3, 15.1.8, 14.1.5.3
982777-11 CVE-2022-27230 K21317311, BT982777 APM hardening 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3
982769-10 CVE-2022-27806 K68647001, BT982769 Appliance mode hardening 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3
982753-4 CVE-2022-27806 K68647001, BT982753 Appliance mode hardening 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3
982745-3 CVE-2022-27806 K68647001, BT982745 Appliance mode hardening 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3
963625-5 CVE-2022-27806 K68647001, BT963625 Appliance mode hardening 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3
959153-5 CVE-2022-27806 K68647001, BT959153 Appliance mode hardening 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3
890917-4 CVE-2023-22323 K56412001, BT890917 Performance may be reduced while processing SSL traffic 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1143073-2 CVE-2022-41622 K94221585, BT1143073 iControl SOAP vulnerability CVE-2022-41622 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1107481-1 CVE-2023-23555 K24572686, BT1107481 TMM restarting repeatedly after upgrade 15.1.5.1 15.1.8, 14.1.5.3
1107437-2 CVE-2023-22839 K37708118, BT1107437 TMM may crash when enable-rapid-response is enabled on a DNS profile 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1106161-4 CVE-2022-41800 K13325942, BT1106161 Securing iControlRest API for appliance mode 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1105389-1 CVE-2023-23552 K17542533, BT1105389 Incorrect HTTP request handling may lead to resource leak 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3
1085077-2 CVE-2023-22340 K34525368, BT1085077 TMM may crash while processing SIP-ALG traffic 17.0.0, 16.1.3.3, 15.1.8, 14.1.5.3
1083225-4 CVE-2023-22842 K08182564, BT1083225 TMM may crash while processing SIP traffic 17.0.0, 16.1.3.3, 15.1.8.1, 14.1.5.3
1047925-2 CVE-2023-22341 K20717585 Tmm crash caused due to client request not handled properly on oauth 14.1.5.3
1032553-2 CVE-2023-22281 K46048342, BT1032553 Core when virtual server with destination NATing receives multicast 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3
960845-4 CVE-2021-23046 K70652532, BT960845 Secure properties were logged in restnoded logs 16.1.0, 15.1.8, 14.1.5.3
1073005-4 CVE-2023-22326 K83284425, BT1073005 iControl REST use of the dig command does not follow security best practices 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1065917-4 CVE-2023-22418 K95503300, BT1065917 BIG-IP APM Virtual Server does not follow security best practices 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.7, 14.1.5.3


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1113385-2 3-Major BT1113385 Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1103369-4 3-Major BT1103369 DELETE of REST Auth token does not result in deletion of the pamcache token file on a multi-slot VIPRION chassis, vCMP guest, or VELOS tenant 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1082581 2-Critical BT1082581 Apmd sees large memory growth due to CRLDP Cache handling 17.1.0, 16.1.4, 15.1.9, 14.1.5.3
1174873-4 3-Major BT1174873 Query string separators ? or / in MultiDomain or SAML use cases are incorrectly converted to "%3F" or "%2F" 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3



Cumulative fixes from BIG-IP v14.1.5.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1125385 CVE-2022-41691 K02694732, BT1125385 BD crash with a specific request 14.1.5.2
1106289-4 CVE-2022-41624 K43024307, BT1106289 TMM may leak memory when processing sideband connections. 17.1.0, 17.0.0.1, 16.1.3.2, 15.1.7, 14.1.5.2, 13.1.5.1


Functional Change Fixes

None



Cumulative fixes from BIG-IP v14.1.5.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1093621-3 CVE-2022-41832 K10347453 Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1, 13.1.5.1
1076397-3 CVE-2022-35735 K13213418, BT1076397 TMSH hardening 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1066673-3 CVE-2022-35728 K55580033, BT1066673 BIG-IP Configuration Utility(TMUI) does not follow best practices for managing active sessions 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1024029-4 CVE-2022-35245 K58235223, BT1024029 TMM may crash when processing traffic with per-session APM Access Policy 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
979877-6 CVE-2020-1971 K42910051, BT979877 CVE-2020-1971 OpenSSL: EDIPARTYNAME NULL pointer de-reference vulnerability description and available information 16.1.1, 15.1.4, 14.1.5.1
919357-6 CVE-2022-41770 K22505850, BT919357 iControl REST hardening 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
881809-4 CVE-2022-41983 K31523465, BT881809 Client SSL and Server SSL profile hardening 17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1
740321-3 CVE-2022-34851 K50310001, BT740321 iControl SOAP API does not follow current best practices 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1084013-2 CVE-2022-36795 K52494562, BT1084013 TMM does not follow TCP best practices 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1073549-3 CVE-2022-35735 K13213418, BT1073549 TMSH hardening 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1006921-4 CVE-2022-33962 K80970653, BT1006921 iRules Hardening 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1063641-2 CVE-2022-33968 K23465404, BT1063641 NTLM library hardening 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1063637-2 CVE-2022-33968 K23465404, BT1063637 NTLM library hardening 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1036057-3 3-Major BT1036057 Add support for line folding in multipart parser. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1025261-1 3-Major BT1025261 Restjavad uses more resident memory in control plane after software upgrade 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
957637-3 2-Critical BT957637 The pfmand daemon can crash when it starts. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
940225-3 2-Critical BT940225 Not able to add more than 6 NICs on VE running in Azure 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
1108181-4 2-Critical BT1108181 iControl REST call with token fails with 401 Unauthorized 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
1079817-3 2-Critical BT1079817 Java null pointer exception when saving UCS with iAppsLX installed 17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1
1076921-3 2-Critical BT1076921 Hostname in BootMarker logs and /var/log/ltm logs that are sourced from TMM are getting truncated 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
992121-2 3-Major BT992121 REST "/mgmt/tm/services" endpoint is not accessible 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
958833-3 3-Major BT958833 After mgmt ip change via GUI, browser is not redirected to new address 16.1.0, 15.1.10, 14.1.5.1
886649-3 3-Major BT886649 Connections stall when dynamic BWC policy is changed via GUI and TMSH 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
865225-4 3-Major BT865225 100G modules may not work properly in i15000 and i15800 platforms 16.1.0, 15.1.0.2, 14.1.5.1, 13.1.3.4
862693-2 3-Major BT862693 PAM_RHOST not set when authenticating BIG-IP using iControl REST 16.0.0, 15.1.6.1, 14.1.5.1
1102849-1 3-Major BT1102849 Less-privileged users (guest, operator, etc) are unable to run top level commands 17.1.0, 16.1.4, 15.1.9, 14.1.5.1
1091345-4 3-Major BT1091345 The /root/.bash_history file is not carried forward by default during installations. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1075729 3-Major BT1075729 Virtual server may not properly exit from hardware SYN Cookie mode 17.1.0, 15.1.5.1, 14.1.5.1
1024661-1 3-Major BT1024661 SCTP forwarding flows based on VTAG for bigproto 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1080317-1 4-Minor BT1080317 Hostname is getting truncated on some logs that are sourced from TMM 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
831161-3 2-Critical BT831161 An iRule before HTTP_REQUEST calling persist none can crash tmm 15.1.0, 14.1.5.1
1074517-3 2-Critical BT1074517 Tmm may core while adding/modifying traffic-class attached to a virtual server 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1073609-2 2-Critical BT1073609 Tmm may core while using reject iRule command in LB_SELECTED event. 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
780857-3 3-Major BT780857 HA failover network disruption when cluster management IP is not in the list of unicast addresses 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
748886-2 3-Major BT748886 Virtual server stops passing traffic after modification 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1099229-2 3-Major BT1099229 SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present 17.1.0, 16.1.4, 15.1.9, 14.1.5.1
1091761-3 3-Major BT1091761 Mqtt_message memory leaks when iRules are used 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1082225-2 3-Major BT1082225 Tmm may core while Adding/modifying traffic-class attached to a virtual server. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1074505-3 3-Major BT1074505 Traffic classes are not attached to virtual server at TMM start 17.0.0, 16.1.4, 15.1.6.1, 14.1.5.1
1068445-3 3-Major BT1068445 TCP duplicate acks are observed in speed tests for larger requests 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1053149-3 3-Major BT1053149 A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received. 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1043805-1 3-Major BT1043805 ICMP traffic over NAT does not work properly. 17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1
1036169-2 3-Major BT1036169 VCMPD rsync server max connection limit: guest "Exit flags for PID 17299: 0x500". 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1017721-2 3-Major BT1017721 WebSocket does not close cleanly when SSL enabled. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5.1
1006157-5 3-Major BT1006157 FQDN nodes not repopulated immediately after 'load sys config' 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
987885-3 4-Minor BT987885 Half-open unclean SSL termination might not close the connection properly 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
787905-4 4-Minor BT787905 Improve initializing TCP analytics for FastL4 15.1.0, 15.0.1.1, 14.1.5.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
993921-1 2-Critical BT993921 TMM SIGSEGV 16.1.0, 15.1.6.1, 14.1.5.1
1077701-3 2-Critical BT1077701 GTM "require M from N" monitor rules do not report when the number of "up" responses change 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1091249-4 3-Major BT1091249 BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1071301-3 3-Major BT1071301 GTM server does not get updated even when the virtual server status changes. 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1071233-3 3-Major BT1071233 GTM Pool Members may not be updated accurately when multiple identical database monitors are configured 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1084673-4 4-Minor BT1084673 GTM Monitor "require M from N" status change log message does not print pool name 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1096477 2-Critical BT1096477 Parameter set as non-Base64 encoded value is treated as a Base64 encoded value 14.1.5.1
886533-1 3-Major BT886533 Icap server connection adjustments 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1083913-3 3-Major BT1083913 Missing error check in ICAP handling 17.1.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1030133-4 3-Major BT1030133 BD core on XML out of memory 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
948241-1 4-Minor BT948241 Count Stateful anomalies based only on Device ID 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
797821-1 4-Minor BT797821 Logging profiles on /Common cannot be configured with publishers on other folders 15.1.0, 14.1.5.1
747905-4 4-Minor BT747905 'Illegal Query String Length' violation displays wrong length 15.0.0, 14.1.5.1, 14.0.1.1, 13.1.1.4
744226-1 4-Minor BT744226 DoSL7-related logs are not throttled 15.0.0, 14.1.5.1
1073625-4 4-Minor BT1073625 Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1040513-2 4-Minor BT1040513 The counter for "FTP commands" is always 0. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1014573-3 4-Minor BT1014573 Several large arrays/objects in JSON payload may core the enforcer 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1043217-3 3-Major BT1043217 NTLM frontend auth fails with the latest Microsoft RDP client on MacOS 14.0.1 platform 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1010597-3 3-Major BT1010597 Traffic disruption when virtual server is assigned to a non-default route domain 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1074465 3-Major BT1074465 TMM SIGSEGV crash 14.1.5.1


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1090649-2 3-Major BT1090649 PEM errors when configuring IPv6 flow filter via GUI 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
1094177-2 1-Blocking BT1094177 Analytics iApp installation fails 17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1



Cumulative fixes from BIG-IP v14.1.5 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
996233-3 CVE-2022-33947 K38893457, BT996233 Tomcat may crash while processing TMUI requests 17.0.0, 16.1.3, 15.1.6.1, 14.1.5
972489-3 CVE-2022-35243 K11010341, BT972489 BIG-IP Appliance Mode iControl hardening 17.0.0, 16.1.3, 15.1.5.1, 14.1.5
937777-3 CVE-2022-34655 K93504311, BT937777 HTTP::payload may cause the TMM to crash 16.1.0, 16.0.1.1, 15.1.6.1, 14.1.5
1079505-1 CVE-2022-33203 K52534925, BT1079505 TMM may consume excessive resources while processing SSL Orchestrator traffic 17.0.0, 16.1.3, 15.1.6.1, 14.1.5
1073841-3 CVE-2022-34862 K66510514, BT1073841 URI normalization does not function as expected 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
1073357-4 CVE-2022-34862 K66510514, BT1073357 TMM may crash while processing HTTP traffic 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
1071593-2 CVE-2022-32455 K16852653, BT1071593 TMM may crash while processing TLS traffic 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1069629-2 CVE-2022-32455 K16852653, BT1069629 TMM may crash while processing TLS traffic 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
1055737-3 CVE-2022-35236 K79933541, BT1055737 TMM may consume excessive resources while processing HTTP/2 traffic 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1032513-1 CVE-2022-35240 K28405643, BT1032513 TMM may consume excessive resources while processing MRF traffic 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
981273-3 CVE-2021-23054 K41997459, BT981273 APM webtop hardening 16.1.0, 15.1.4, 14.1.5, 13.1.5
968725-4 CVE-2017-10661 K04337834, BT968725 Linux Kernel Vulnerability CVE-2017-10661 16.1.0, 15.1.5.1, 14.1.5
947057-3 CVE-2022-34865 K25046752, BT947057 Traffic intelligence feeds do not follow best practices 16.1.0, 15.1.6.1, 14.1.5, 12.1.6
1081201-3 CVE-2022-41694 K64829234, BT1081201 MCPD certification import hardening 17.0.0, 16.1.3, 15.1.6.1, 14.1.5
1081153-6 CVE-2022-41813 K93723284, BT1081153 TMM may crash while processing administrative requests 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
1063389-4 CVE-2015-5191 K84583382, BT1063389 open-vm-tools vulnerability: CVE-2015-5191 17.0.0, 16.1.2.1, 14.1.5


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1078821-3 2-Critical BT1078821 Upgrade tomcat with OpenJDK 1.7 32bit to OpenJDK 1.8 32bit 17.0.0, 16.1.3, 15.1.6.1, 14.1.5
971217-3 3-Major BT971217 AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations. 16.1.0, 15.1.6.1, 14.1.5
874941-3 3-Major BT874941 HTTP authentication in the access policy times out after 60 seconds 16.1.2.2, 15.1.6.1, 14.1.5
669046-4 3-Major BT669046 Handling large replies to MCP audit_request messages 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1050969-4 1-Blocking BT1050969 After running clear-rest-storage you are logged out of the UI with a message - Your login credentials no longer valid 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
992097-1 2-Critical BT992097 Incorrect hostname is seen in logging files 16.1.0, 15.1.6.1, 14.1.5
987113-2 2-Critical BT987113 CMP state degraded while under heavy traffic 17.1.0, 15.1.4, 14.1.5
943109-3 2-Critical BT943109 Mcpd crash when bulk deleting Bot Defense profiles 17.0.0, 16.1.3, 15.1.6.1, 14.1.5
1075905 2-Critical BT1075905 TCP connections may fail when hardware SYN Cookie is active 17.1.0, 15.1.5.1, 14.1.5
977657-1 3-Major BT977657 SELinux errors when deploying a vCMP guest. 16.1.0, 15.1.6.1, 14.1.5
943653-3 3-Major BT943653 Allow 32-bit processes to use larger area of virtual address space 16.1.0, 15.1.6.1, 14.1.5
907549-3 3-Major BT907549 Memory leak in BWC::Measure 17.0.0, 16.1.2.2, 15.1.0.5, 14.1.5
894133-3 3-Major BT894133 After ISO upgrade the SSL Orchestrator guided configuration user interface is not available. 16.0.0, 15.1.5.1, 14.1.5
752994-1 3-Major BT752994 Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod 15.0.0, 14.1.5
742753-4 3-Major BT742753 Accessing the BIG-IP system's WebUI via special proxy solutions may fail 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
738881-3 3-Major BT738881 Qkview does not collect any data under certain conditions that cause a timeout 15.0.0, 14.1.5, 13.1.3.4
724653-2 3-Major BT724653 In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync. 17.0.0, 16.1.3, 15.1.6.1, 14.1.5
1064461-2 3-Major BT1064461 PIM-SM will not complete RP registration over tunnel interface when floating IP address is used. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1063473-3 3-Major BT1063473 While establishing a high availability (HA) connection, the number of npus in DAG context may be overwritten incorrectly 17.1.0, 15.1.5.1, 14.1.5
1060009-2 3-Major BT1060009 Platform Agent may run out of file descriptors 17.1.0, 15.1.6.1, 14.1.5
1072237-3 4-Minor BT1072237 Retrieval of policy action stats causes memory leak 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1062333-3 4-Minor   Linux kernel vulnerability: CVE-2019-19523 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1034329-3 4-Minor BT1034329 SHA-512 checksums for BIG-IP Virtual Edition (VE) images available on downloads.f5.com 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
841469-4 2-Critical BT841469 Application traffic may fail after an internal interface failure on a VIPRION system. 16.0.0, 15.1.2.1, 14.1.5, 13.1.3.4
1071449-2 2-Critical BT1071449 The statsd memory leak on platforms with license disabled processors. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1047581-1 2-Critical BT1047581 Ramcache can crash when serving files from the hot cache 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
993517-4 3-Major BT993517 Loading an upgraded config can result in a file object error in some cases 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
976525-2 3-Major BT976525 Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled 17.0.0, 16.1.4, 15.1.6.1, 14.1.5
972517-3 3-Major   Appliance mode hardening 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
953601-2 3-Major BT953601 HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
936441-3 3-Major BT936441 Nitrox5 SDK driver logging messages 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
934697-2 3-Major BT934697 Route domain is not reachable (strict mode) 17.0.0, 16.1.3, 15.1.6.1, 14.1.5
927713-5 3-Major BT927713 Clsh reboot hangs when executed from the primary blade. 16.1.0, 15.1.5.1, 14.1.5
883049-4 3-Major BT883049 Statsd can deadlock with rrdshim if an rrd file is invalid 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
813673-2 3-Major BT813673 The HTTP Explicit proxy does not work correctly with IPv6 clients connecting to IPv4 destinations over CONNECT to IPv4 targets. 15.1.0, 14.1.5, 13.1.3.2
794385-2 3-Major BT794385 BGP sessions may be reset after CMP state change 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
1083989-3 3-Major BT1083989 TMM may restart if abort arrives during MBLB iRule execution 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1072953-1 3-Major BT1072953 Memory leak in traffic management interface. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1063453-3 3-Major BT1063453 FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1042913-1 3-Major BT1042913 Pkcs11d CPU utilization jumps to 100% 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1024225-2 3-Major BT1024225 BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1004689-2 3-Major BT1004689 TMM might crash when pool routes with recursive nexthops and reselect option are used. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1080341-2 4-Minor BT1080341 Changing an L2-forward virtual to any other virtual type might not update the configuration. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1064669-3 4-Minor BT1064669 Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
1026005-3 4-Minor BT1026005 BIG-IP Virtual Edition (VE) does NOT preserve the order of NICs 5-10 defined in the VMware ESXi hypervisor and NSXT platforms. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
968581-3 5-Cosmetic BT968581 TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1027657-2 2-Critical BT1027657 Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
1076401-2 3-Major BT1076401 Memory leak in TMM (ldns) when exceeding dnssec.maxnsec3persec. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1046785-4 3-Major BT1046785 Missing GTM probes when max synchronous probes are exceeded. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5, 13.1.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1069501-3 2-Critical K22251611, BT1069501 ASM may not match certain signatures 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1068237-3 2-Critical BT1068237 Some attack signatures added to policies are not used. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1000789-3 2-Critical BT1000789 ASM-related iRule keywords may not work as expected 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
923221-1 3-Major BT923221 BD does not use all the CPU cores 16.1.2.2, 15.1.6.1, 14.1.5
874185-3 3-Major BT874185 Incorrect Alarm/Block flags displayed for Signature with previously enforced rule 14.1.5
1070073-1 3-Major BT1070073 ASM Signature Set accuracy filter is wrong on GUI. 15.1.6.1, 14.1.5
1069133-2 3-Major BT1069133 ASMConfig memory leak 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1061617-2 3-Major BT1061617 Some of the URL Attack signatures are not detected in the URL if "Handle Path Parameters" is configured "As Parameters". 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1056365-4 3-Major BT1056365 Bot Defense injection does not follow best SOP practice. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1033017-5 3-Major BT1033017 Policy changes learning mode to automatic after upload and sync 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1028473-3 3-Major BT1028473 URL sent with trailing slash might not be matched in ASM policy 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
842029-1 4-Minor BT842029 Unable to create policy: Inherited values may not be changed. 16.0.0, 15.1.5.1, 14.1.5
1035361-5 4-Minor BT1035361 Illegal cross-origin after successful CAPTCHA 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
987341-3 2-Critical BT987341 BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers. 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
858005-3 3-Major BT858005 When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:" 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
470916-4 3-Major BT470916 Launching resources that are published on an apm webtop from multiple VMWare servers will fail when the Native View client is selected. 16.0.0, 15.1.6.1, 14.1.5
1097821-4 3-Major BT1097821 Unable to create apm policy customization image using tmsh or VPE in the configuration utility command when source-path is specified 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5
1053309-3 3-Major BT1053309 Localdbmgr leaks memory while syncing data to sessiondb and mysql. 17.0.0, 16.1.3, 15.1.6.1, 14.1.5


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1082885-3 3-Major BT1082885 MR::message route virtual asserts when configuration changes during ongoing traffic 17.0.0, 16.1.2.2, 15.1.6, 14.1.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
998781 3-Major BT998781 When a large number of feed list URLs are configured, BIG-IP takes a long time to sync IP list 14.1.5
964625-2 3-Major BT964625 Improper processing of firewall-rule metadata 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1076477 3-Major BT1076477 AFM allows deletion of a firewall policy even if it's being used in a route domain. 17.0.0, 14.1.5
1012581-4 3-Major BT1012581 Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered 17.0.0, 16.1.3, 15.1.6.1, 14.1.5


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
1064217-3 3-Major BT1064217 Port bit not set correctly in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1071181 3-Major BT1071181 Improving Signature Detection Accuracy 16.1.2.2, 15.1.6.1, 14.1.5


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
1072733-2 2-Critical   Protocol Inspection IM package hardening 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1070677-2 3-Major BT1070677 Learning phase does not take traffic into account - dropping all. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
854129-4 3-Major BT854129 SSL monitor continues to send previously configured server SSL configuration after removal 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5



Cumulative fixes from BIG-IP v14.1.4.6 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
965853-1 CVE-2022-28695 K08510472, BT965853 IM package file hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
964489-3 CVE-2022-28695 K08510472, BT964489 Protocol Inspection IM package hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1051561-3 CVE-2022-1388 K23605346, BT1051561 BIG-IP iControl REST vulnerability CVE-2022-1388 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
993981-4 CVE-2022-28705 K52340447, BT993981 TMM may crash when ePVA is enabled 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
982697-4 CVE-2022-26071 K41440465, BT982697 ICMP hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
951257-1 CVE-2022-26130 K82034427, BT951257 FTP active data channels are not established 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
946325-3 CVE-2022-28716 K25451853, BT946325 PEM subscriber GUI hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
830361-4 CVE-2012-6711 K05122252, BT830361 CVE-2012-6711 Bash Vulnerability 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
818169-3 CVE-2022-26372 K23454411, BT818169 TMM may consume excessive resources when processing DNS profiles with DNS queuing enabled 16.0.0, 15.1.0.2, 14.1.4.6, 13.1.5
1087201-4 CVE-2022-0778 K31323265, BT1087201 OpenSSL Vulnerability: CVE-2022-0778 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1078721-4 CVE-2022-27189 K16187341, BT1078721 TMM may consume excessive resources while processing ICAP traffic 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1067993-6 CVE-2022-28714 K54460845, BT1067993 APM Windows Client installer hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1059185-3 CVE-2022-26415 K81952114, BT1059185 iControl REST Hardening 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1057801-4 CVE-2022-28707 K70300233, BT1057801 TMUI does not follow current best practices 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1056933-2 CVE-2022-26370 K51539421, BT1056933 TMM may crash while processing SIP traffic 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6
1051797-3 CVE-2018-18281 K36462841, BT1051797 Linux kernel vulnerability: CVE-2018-18281 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1047053-1 CVE-2022-28691 K37155600, BT1047053 TMM may consume excessive resources while processing RTSP traffic 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5
1045101-2 CVE-2022-26890 K03442392, BT1045101 Bd may crash while processing ASM traffic 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6, 13.1.5
1019161-5 CVE-2022-29263 K33552735, BT1019161 Windows installer (VPN through browser components installer) as administrator user uses temporary folder to create files 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1002565-4 CVE-2021-23840 K24624116, BT1002565 OpenSSL vulnerability CVE-2021-23840 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
992073-1 CVE-2022-27181 K93543114, BT992073 APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
982757-6 CVE-2022-26835 K53197140 APM Access Guided Configuration hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
982341-4 CVE-2022-26835 K53197140, BT982341 iControl REST endpoint hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
931677-4 CVE-2022-29479 K64124988, BT931677 IPv6 hardening 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5
919249-3 CVE-2022-28859 K47662005, BT919249 NETHSM installation script hardening 16.1.0, 15.1.5.1, 14.1.4.6
915981-2 CVE-2022-26340 K38271531, BT915981 BIG-IP SCP hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1071365-3 CVE-2022-29474 K59904248, BT1071365 iControl SOAP WSDL hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1057809-4 CVE-2022-27659 K41877405, BT1057809 Saved dashboard hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1047089-4 CVE-2022-29491 K14229426, BT1047089 TMM may terminate while processing TLS/DTLS traffic 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6
1016657-4 CVE-2022-26517 K54082580, BT1016657 TMM may crash while processing LSN traffic 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5
1009049-6 CVE-2022-27636 K57110035, BT1009049 browser based vpn did not follow best practices while logging. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1000021-4 CVE-2022-27182 K31856317, BT1000021 TMM may consume excessive resources while processing packet filters 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1050537-3 2-Critical BT1050537 GTM pool member with none monitor will be part of load balancing decisions. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1046669-3 3-Major BT1046669 The audit forwarders may prematurely time out waiting for TACACS responses 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1033837-3 4-Minor K23605346, BT1033837 REST authentication tokens persist on reboot 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
976669-3 2-Critical BT976669 FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade 17.0.0, 16.1.2.2, 16.1.0, 15.1.5.1, 14.1.4.6
957897-2 2-Critical BT957897 Unable to modify gateway-ICMP monitor fields in the GUI 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5
944513-1 2-Critical BT944513 Apache configuration file hardening 16.1.0, 15.1.4, 14.1.4.6
1048141-1 2-Critical BT1048141 Sorting pool members by 'Member' causes 'General database error' 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
999125-3 3-Major BT999125 After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
956589-2 3-Major BT956589 The tmrouted daemon restarts and produces a core file 16.1.0, 15.1.2.1, 14.1.4.6, 13.1.5
943577-3 3-Major BT943577 Full sync failure for traffic-matching-criteria with port list under certain conditions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
919317-3 3-Major BT919317 NSM consumes 100% CPU processing nexthops for recursive ECMP routes 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5
918409-4 3-Major BT918409 BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5
901669-2 3-Major BT901669 Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
755976-3 3-Major BT755976 ZebOS might miss kernel routes after mcpd daemon restart 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
405329-2 3-Major   The imish utility cores while checking help strings for OSPF6 vertex-threshold 16.0.0, 15.1.0.5, 14.1.4.6
1066285-1 3-Major BT1066285 Master Key decrypt failure - decrypt failure. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1056993-4 3-Major BT1056993 404 error is raised on GUI when clicking "App IQ." 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1047169-3 3-Major BT1047169 GTM AAAA pool can be deleted from the configuration despite being in use by an iRule. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1022637-3 3-Major BT1022637 A partition other than /Common may fail to save the configuration to disk 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5
1020789-2 3-Major BT1020789 Cannot deploy a four-core vCMP guest if the remaining cores are in use. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5
1019085-2 3-Major BT1019085 Network virtual-addresses fail to retain the "icmp-echo enabled" property following an upgrade or reload of the configuration from file. 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5
1008269-4 3-Major BT1008269 Error: out of stack space 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
713614-4 4-Minor BT713614 Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only) 16.0.0, 15.1.0.5, 14.1.4.6, 13.1.5
528894-7 4-Minor BT528894 Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5
1058677-3 4-Minor BT1058677 Not all SCTP connections are mirrored on the standby device when auto-init is enabled. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1046693-2 4-Minor BT1046693 TMM with BFD configured might crash under significant memory pressure 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1045549-2 4-Minor BT1045549 BFD sessions remain DOWN after graceful TMM restart 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1040821-2 4-Minor BT1040821 Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1034589-3 4-Minor BT1034589 No warning is given when a pool or trunk that was in use by a high availability (HA) Group is deleted from the configuration. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1031425-1 4-Minor BT1031425 Provide a configuration flag to disable BGP peer-id check. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1030645-2 4-Minor BT1030645 BGP session resets during traffic-group failover 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1024621-2 4-Minor BT1024621 Re-establishing BFD session might take longer than expected. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1002809-2 4-Minor BT1002809 OSPF vertex-threshold should be at least 100 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
946481-3 2-Critical BT946481 Virtual Edition FIPS not compatible with TLS 1.3 16.1.0, 15.1.5.1, 14.1.4.6
910213-4 2-Critical BT910213 LB::down iRule command is ineffective, and can lead to inconsistent pool member status 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
757407-1 2-Critical BT757407 Error reading RRD file may induce processes to mutually wait for each other forever 15.0.0, 14.1.4.6, 13.1.5
1064617-3 2-Critical BT1064617 DBDaemon process may write to monitor log file indefinitely 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
999901-4 3-Major K68816502, BT999901 Certain LTM policies may not execute correctly after a system reboot or TMM restart. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
987077-4 3-Major BT987077 TLS1.3 with client authentication handshake failure 17.0.0, 16.1.3, 15.1.5.1, 14.1.4.6
967101-3 3-Major BT967101 When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
955617-6 3-Major BT955617 Cannot modify properties of a monitor that is already in use by a pool 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
939085-1 3-Major BT939085 /config/ssl/ssl.csr directory disappears after creating certificate archive 16.1.0, 15.1.5.1, 14.1.4.6
912517-4 3-Major BT912517 Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
892485-1 3-Major BT892485 A wrong OCSP status cache may be looked up and re-used during SSL handshake. 16.1.0, 15.1.5.1, 14.1.4.6
892073-1 3-Major BT892073 TLS1.3 LTM policy rule based on SSL SNI is not triggered 16.0.0, 15.1.5.1, 14.1.4.6
838353-3 3-Major BT838353 MQTT monitor is not working in route domain. 16.0.0, 15.1.5.1, 14.1.4.6
826349-2 3-Major BT826349 VXLAN tunnel might fail due to misbehaving NIC checksum offload 15.1.0, 14.1.4.6
825245-2 3-Major BT825245 SSL::enable does not work for server side ssl 16.0.0, 15.1.5.1, 14.1.4.6
803109-2 3-Major BT803109 Certain configuration may result in zombie forwarding flows 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
793929-1 3-Major BT793929 In-TMM monitor agent might crash during TMM shutdown 15.1.0, 14.1.4.6
793669-1 3-Major BT793669 FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value. 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5
672963-3 3-Major BT672963 MSSQL monitor fails against databases using non-native charset 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1058469-3 3-Major BT1058469 Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1052929-2 3-Major BT1052929 MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1043357-2 3-Major BT1043357 SSL handshake may fail when using remote crypto client 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1043017-2 3-Major BT1043017 Virtual-wire with standard-virtual fragmentation 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6
1029897-3 3-Major K63312282, BT1029897 Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1023341-3 3-Major   HSM hardening 17.0.0, 16.1.1, 15.1.5.1, 14.1.4.6, 13.1.5
1017533-1 3-Major BT1017533 Using TMC might cause virtual server vlans-enabled configuration to be ignored 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6
1016449-1 3-Major BT1016449 After certain configuration tasks are performed, TMM may run with stale Self IP parameters. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1016049-3 3-Major BT1016049 EDNS query with CSUBNET dropped by protocol inspection 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1008501-4 3-Major BT1008501 TMM core 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
838305-4 4-Minor BT838305 BIG-IP may create multiple connections for packets that should belong to a single flow. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
717806-3 4-Minor BT717806 In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1026605-3 4-Minor BT1026605 When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1016441-2 4-Minor   RFC Enforcement Hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
873249-3 5-Cosmetic BT873249 Switching from fast_merge to slow_merge can result in incorrect tmm stats 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
741862-1 2-Critical BT741862 DNS GUI may generate error or display names with special characters incorrectly. 15.0.0, 14.1.4.6, 13.1.5
1062513-2 2-Critical BT1062513 GUI returns 'no access' error message when modifying a GTM pool property. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1044425-4 3-Major K85021277, BT1044425 NSEC3 record improvements for NXDOMAIN 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1039205-1 3-Major BT1039205 DNSSEC key stored on netHSM fails to generate if the key name length is > 24 15.1.5.1, 14.1.4.6
1018613-4 3-Major BT1018613 Modify wideip pools with replace-all-with results pools with same order 0 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
753821-3 4-Minor BT753821 Log messages 'TCP RST from remote system' messages logged if GTM/DNS is licensed but not provisioned 15.0.0, 14.1.4.6, 13.1.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1079909-3 2-Critical K82724554, BT1079909 The bd generates a core file 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5
1069449-3 2-Critical K39002226, BT1069449 ASM attack signatures may not match cookies as expected 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
965785-3 3-Major BT965785 Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
961509-4 3-Major BT961509 ASM blocks WebSocket frames with signature matched but Transparent policy 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
926845-4 3-Major BT926845 Inactive ASM policies are deleted upon upgrade 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
921697-4 3-Major BT921697 Attack signature updates fail to install with Installation Error. 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.6
871881-1 3-Major BT871881 Apply Policy action is not synchronized after making bulk signature changes 14.1.4.6, 13.1.5
818889-3 3-Major BT818889 False positive malformed json or xml violation. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1072197-3 3-Major K94142349, BT1072197 Issue with input normalization in WebSocket. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1067285-3 3-Major BT1067285 Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.' 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1060933-3 3-Major K49237345 Issue with input normalization. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1051213-3 3-Major BT1051213 Increase default value for violation 'Check maximum number of headers'. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1051209-3 3-Major K53593534, BT1051209 BD may not process certain HTTP payloads as expected 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1047389-1 3-Major BT1047389 Bot Defense challenge hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1043385-2 3-Major BT1043385 No Signature detected If Authorization header is missing padding. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1038733-2 3-Major BT1038733 Attack signature not detected for unsupported authorization types. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1037457-3 3-Major BT1037457 High CPU during specific dos mitigation 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1030853-3 3-Major BT1030853 Route domain IP exception is being treated as trusted (for learning) after being deleted 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1023993-2 3-Major BT1023993 Brute Force is not blocking requests, even when auth failure happens multiple times 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1012221-3 3-Major BT1012221 Message: childInheritanceStatus is not compatible with parentInheritanceStatus 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1011069-4 3-Major BT1011069 Group/User R/W permissions should be changed for .pid and .cfg files. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
973661 4-Minor BT973661 Two different 'Attack Signature' updates shown as 'Currently Installed' 14.1.4.6
844045-2 4-Minor BT844045 ASM Response event logging for "Illegal response" violations. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1055453 4-Minor BT1055453 Blocking page trims the last digit of the Support ID. 14.1.4.6, 13.1.5
1050697-2 4-Minor BT1050697 Traffic learning page counts Disabled signatures when they are ready to be enforced 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1038741-2 4-Minor BT1038741 NTLM type-1 message triggers "Unparsable request content" violation. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1036521-4 4-Minor BT1036521 TMM crash in certain cases 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1034941-3 4-Minor BT1034941 Exporting and then re-importing "some" XML policy does not load the XML content-profile properly 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1020717-2 4-Minor BT1020717 Policy versions cleanup process sometimes removes newer versions 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1002385-4 4-Minor K67397230, BT1002385 Fixing issue with input normalization 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
1038913-2 3-Major BT1038913 The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
868557-3 3-Major BT868557 Unable to initiate SWG database download from Admin UI when management network has no direct internet connectivity. 14.1.4.6
423519-2 3-Major K74302282, BT423519 Bypass disabling the redirection controls configuration of APM RDP Resource. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1029397-2 2-Critical BT1029397 Tmm may crash with SIP-ALG deployment in a particular race condition 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6
1007109-4 2-Critical BT1007109 Flowmap entry is deleted before updating its timeout to INDEFINITE 16.1.0, 15.1.5.1, 14.1.4.6
957905-3 3-Major BT957905 SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1058645-3 2-Critical BT1058645 ipsecalg blocks Sophos ISAKMP negotiation during tunnel setup. 17.0.0, 15.1.5.1, 14.1.4.6
808893-2 3-Major BT808893 DNS DoS profile vectors do not function correctly 17.0.0, 15.1.0, 14.1.4.6
808889-2 3-Major BT808889 DoS vector or signature stays hardware-accelerated even when traffic rate is lower than mitigation threshold 15.1.0, 14.1.4.6
1070033 3-Major BT1070033 Virtual server may not fully enter hardware SYN Cookie mode. 17.0.0, 16.1.4, 14.1.4.6
1008265-4 3-Major K92306170, BT1008265 DoS Flood and Sweep vector states are disabled on an upgrade to BIG-IP software versions 14.x and beyond 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
756457-2 4-Minor BT756457 tmsh command 'show security' returning a parsing error 15.0.0, 14.1.4.6
1072057-3 4-Minor BT1072057 "ANY" appears despite setting an IP address or host as the source in Security->Network Firewall->Policy. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1069745 4-Minor BT1069745 GUI issues in Security->NetworkFirewall->Active Rules, rule movement to 101, 201 position. 14.1.4.6


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
756595-1 1-Blocking BT756595 Traffic redirection to an internal virtual server may fail. 15.0.0, 14.1.4.6, 13.1.5


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
1019613-2 2-Critical BT1019613 Unknown subscriber in PBA deployment may cause CPU spike 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
873617-3 3-Major BT873617 DataSafe is not available with AWAF license after BIG-IP startup or MCP restart. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1060409-4 4-Minor BT1060409 Behavioral DoS enable checkbox is wrong. 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
1052153-1 3-Major BT1052153 Signature downloads for traffic classification updates via proxy fail 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
940261-2 4-Minor BT940261 Support IPS package downloads via HTTP proxy. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
944121-3 3-Major BT944121 Missing SNI information when using non-default domain https monitor running in TMM mode. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5



Cumulative fixes from BIG-IP v14.1.4.5 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
999933-4 CVE-2022-23017 K28042514, BT999933 TMM may crash while processing DNS traffic on certain platforms 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5
989701-4 CVE-2020-25212 K42355373, BT989701 CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
989637-4 CVE-2022-23015 K08476614, BT989637 TMM may crash while processing SSL traffic 16.1.0, 15.1.4.1, 14.1.4.5
988549-4 CVE-2020-29573 K27238230, BT988549 CVE-2020-29573: glibc vulnerability 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
910517 CVE-2022-23012 K26310765, BT910517 TMM may crash while processing HTTP traffic 15.1.4.1, 14.1.4.5
1032405-4 CVE-2021-23037 K21435974, BT1032405 TMUI XSS vulnerability CVE-2021-23037 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1028669-4 CVE-2019-9948 K28622040, BT1028669 Python vulnerability: CVE-2019-9948 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1028573-4 CVE-2020-10878 K40508224, BT1028573 Perl vulnerability: CVE-2020-10878 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1028497-4 CVE-2019-15903 K05295469, BT1028497 libexpat vulnerability: CVE-2019-15903 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1012365-3 CVE-2021-20305 K33101555, BT1012365 Nettle cryptography library vulnerability CVE-2021-20305 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1007489-4 CVE-2022-23018 K24358905, BT1007489 TMM may crash while handling specific HTTP requests 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
997193-2 CVE-2022-23028 K16101409, BT997193 TCP connections may fail when AFM global syncookies are in operation. 16.1.0, 15.1.5, 14.1.4.5, 13.1.5
975593-2 CVE-2022-29473 K06323049, BT975593 TMM may crash while processing IPSec traffic 16.1.0, 15.1.5.1, 14.1.4.5, 13.1.5
974341-3 CVE-2022-23026 K08402414, BT974341 REST API: File upload 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
941649-4 CVE-2021-23043 K63163637, BT941649 Local File Inclusion Vulnerability 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
940185-3 CVE-2022-23023 K11742742, BT940185 icrd_child may consume excessive resources while processing REST requests 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
823877-2 CVE-2019-10098, CVE-2020-1927 K25126370, BT823877 CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
803965-2 CVE-2018-20843 K51011533, BT803965 Expat Vulnerability: CVE-2018-20843 17.0.0, 16.1.2, 15.1.4, 14.1.4.5, 13.1.5
1009725-4 CVE-2022-23030 K53442005, BT1009725 Excessive resource usage when ixlv drivers are enabled 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
713754-1 CVE-2017-15715 K27757011 Apache vulnerability: CVE-2017-15715 16.1.2.2, 15.1.5.1, 14.1.4.5


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
930633-1 3-Major BT930633 Delay in using new route updates by existing connections on BIG-IP. 16.1.0, 15.1.5.1, 14.1.4.5
1015133-2 3-Major BT1015133 Tail loss can cause TCP TLP to retransmit slowly. 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
985953-2 4-Minor BT985953 GRE Transparent Ethernet Bridging inner MAC overwrite 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1042993-1 1-Blocking K19272127, BT1042993 Provisioning high availability (HA) setup wizard fails to load, reports 'No Access' 17.0.0, 15.1.4.1, 14.1.4.5, 13.1.5
1039049-1 1-Blocking BT1039049 Installing EHF on particular platforms fails with error "RPM transaction failure" 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
831821-3 2-Critical BT831821 Corrupted DAG packets causes bcm56xxd core on VCMP host 16.0.0, 15.1.4.1, 14.1.4.5
1043277-2 2-Critical BT1043277 'No access' error page displays for APM policy export and apply options. 17.0.0, 15.1.4.1, 14.1.4.5, 13.1.5
1004929-4 2-Critical BT1004929 During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid. 17.0.0, 15.1.5, 14.1.4.5, 13.1.5
996001-2 3-Major BT996001 AVR Inspection Dashboard 'Last Month' does not show all data points 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
958093-2 3-Major BT958093 IPv6 routes missing after BGP graceful restart 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5
935801-3 3-Major BT935801 HSB diagnostics are not provided under certain types of failures 16.1.0, 15.1.2, 14.1.4.5
922185-4 3-Major BT922185 LDAP referrals not supported for 'cert-ldap system-auth' 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
900933-2 3-Major BT900933 IPsec interoperability problem with ECP PFS 16.1.0, 16.0.1.2, 15.1.4.1, 14.1.4.5
881085-1 3-Major BT881085 Intermittent auth failures with remote LDAP auth for BIG-IP management 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1045421-3 3-Major K16107301, BT1045421 No Access error when performing various actions in the TMOS GUI 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1032077-3 3-Major BT1032077 TACACS authentication fails with tac_author_read: short author body 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1026549-4 3-Major BT1026549 Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1015093-4 3-Major BT1015093 The "iq" column is missing from the ndal_tx_stats table 15.1.4.1, 14.1.4.5
1003257-3 3-Major BT1003257 ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
988533-3 4-Minor BT988533 GRE-encapsulated MPLS packet support 17.0.0, 15.1.4.1, 14.1.4.5
889813-1 4-Minor BT889813 Show net bwc policy prints bytes-per-second instead of bits-per-second 17.0.0, 16.1.4, 15.1.10, 14.1.4.5
1030845-3 4-Minor BT1030845 Time change from TMSH not logged in /var/log/audit. 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1005433 1-Blocking BT1005433 LTM Pool Members may not be updated accurately when multiple identical database monitors are configured 14.1.4.5, 13.1.5
862885-1 2-Critical BT862885 Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error 16.1.0, 15.1.4.1, 14.1.4.5
788813-1 2-Critical BT788813 TMM crash when deleting virtual-wire config 15.1.0, 14.1.4.5
750702-1 2-Critical BT750702 TMM crashes while making changes to virtual wire configuration 15.1.0, 14.1.4.5
1040361-3 2-Critical BT1040361 TMM crashes during its startup when TMC destination port list attached/deleted to virtual server. 17.0.0, 16.1.2, 15.1.5, 14.1.4.5
1019081-2 2-Critical K97045220, BT1019081 HTTP/2 hardening 16.1.0, 15.1.3.1, 14.1.4.5, 13.1.5
1009161 2-Critical BT1009161 SSL mirroring protect for null sessions 15.1.5.1, 14.1.4.5
999097-4 3-Major BT999097 SSL::profile may select profile with outdated configuration 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
963705-2 3-Major BT963705 Proxy ssl server response not forwarded 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5
904041-4 3-Major BT904041 Ephemeral pool members may be incorrect when modified via various actions 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5
872721-1 3-Major BT872721 SSL connection mirroring intermittent failure with TLS1.3 16.0.0, 15.1.5.1, 14.1.4.5
803629-2 3-Major BT803629 SQL monitor fails with 'Analyze Response failure' message even if recv string is correct 16.1.0, 16.0.1.1, 15.1.4.1, 14.1.4.5, 13.1.5
761477-7 3-Major BT761477 Client authentication performance when large CRL is used 15.1.0, 14.1.4.5
1038629-3 3-Major BT1038629 DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
1034365-1 3-Major BT1034365 DTLS handshake fails with DTLS1.2 client version 15.1.5, 14.1.4.5, 13.1.5
1020941-3 3-Major BT1020941 HTTP/2 header frames decoding may fail with COMPRESSION_ERROR when frame delivered in multiple xfrags 16.1.0, 15.1.4, 14.1.4.5
1018577-2 3-Major BT1018577 SASP monitor does not mark pool member with same IP Address but different Port from another pool member 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1017513-2 3-Major BT1017513 Config sync fails with error Invalid monitor rule instance identifier or monitors are in a bad state such as checking 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5
1015161-3 3-Major BT1015161 Ephemeral pool member may not be created when FQDN resolves to address that matches static node 16.1.0, 15.1.5.1, 14.1.4.5, 13.1.5
1008017-1 3-Major BT1008017 Validation failure on Enforce TLS Requirements and TLS Renegotiation 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1008009-1 3-Major BT1008009 SSL mirroring null hs during session sync state 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
936557-3 4-Minor BT936557 Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled. 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5
890881-3 4-Minor BT890881 ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address 16.1.0, 15.1.4.1, 14.1.4.5
1045913-4 4-Minor BT1045913 COMPRESS::disable/COMPRESS::enable don't work reliably for selective compression 15.1.5.1, 14.1.4.5
1018493-3 4-Minor BT1018493 Response code 304 from TMM Cache always closes TCP connection. 17.0.0, 16.1.2, 15.1.4, 14.1.4.5, 13.1.5
1005109-1 4-Minor BT1005109 TMM crashes when changing traffic-group on IPv6 link-local address 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
1002945-1 4-Minor BT1002945 Some connections are dropped on chained IPv6 to IPv4 virtual servers. 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
898929-2 5-Cosmetic BT898929 Tmm might crash when ASM, AVR, and pool connection queuing are in use 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1035853-4 2-Critical K41415626, BT1035853 Transparent DNS Cache can consume excessive resources. 17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5
1009037-4 2-Critical BT1009037 Tcl resume on invalid connection flow can cause tmm crash 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
863917-3 3-Major BT863917 The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval. 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.5, 13.1.4.1
756470-5 3-Major BT756470 Additional logging added to detect when monitoring operations in the configuration exceeds capabilities. 15.0.0, 14.1.4.5, 13.1.3.4
1024553-3 3-Major BT1024553 GTM Pool member set to monitor type "none" results in big3d: timed out 15.1.5, 14.1.4.5, 13.1.5
1021417-4 3-Major BT1021417 Modifying GTM pool members with replace-all-with results in pool members with order 0 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1021061-2 3-Major BT1021061 Config fails to load for large config on platform with Platform FIPS license enabled 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
993613-4 2-Critical BT993613 Device fails to request full sync 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
912149-4 2-Critical BT912149 ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
879841-3 2-Critical BT879841 Domain cookie same-site option is missing the "None" as value in GUI and rest 16.0.0, 15.1.4.1, 14.1.4.5, 13.1.5
1019853-3 2-Critical K30911244, BT1019853 Some signatures are not matched under specific conditions 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1011061-1 2-Critical K39002226, BT1011061 Certain attack signatures may not match in multipart content 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
984593-3 3-Major BT984593 BD crash 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
948805-3 3-Major BT948805 False positive "Null in Request" 16.1.0, 15.1.4.1, 14.1.4.5
907025-1 3-Major BT907025 Live update error: 'Try to reload page' 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
886865-2 3-Major BT886865 P3P header is added for all browsers, but required only for Internet Explorer 16.1.0, 15.1.5, 14.1.4.5
885765-4 3-Major BT885765 ASMConfig Handler undergoes frequent restarts 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
857633-2 3-Major BT857633 Attack Type (SSRF) appears incorrectly in REST result 16.0.0, 15.1.4.1, 14.1.4.5, 13.1.5
842013-4 3-Major BT842013 ASM Configuration is Lost on License Reactivation 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
785873-2 3-Major BT785873 ASM should treat 'Authorization: Negotiate TlR' as NTLM 15.1.0, 14.1.4.5, 13.1.5
731168-1 3-Major BT731168 BIG-IP may attempt to write to an out of bounds memory location, causing the bd daemon to crash. 15.0.0, 14.1.4.5, 13.1.5
1042069-3 3-Major   Some signatures are not matched under specific conditions. 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5, 13.1.5
1017153-1 3-Major BT1017153 Asmlogd suddenly deletes all request log protobuf files and records from the database. 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1005105-4 3-Major BT1005105 Requests are missing on traffic event logging 17.0.0, 16.1.1, 15.1.4, 14.1.4.5
1004069-2 3-Major BT1004069 Brute force attack is detected too soon 17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5
883673-1 4-Minor   BotDefense JavaScript browser verification can cause low score when using Google Lighthouse tool 14.1.4.5
1031029 4-Minor BT1031029 "Use of uninitialized value" warning observed during UCS restore. 14.1.4.5


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
832805-1 3-Major BT832805 AVR should make sure file permissions are correct (tmstat_tables.xml) 16.0.0, 15.1.4.1, 14.1.4.5, 13.1.5
787677-3 3-Major BT787677 AVRD stays at 100% CPU constantly on some systems 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5
1035133-2 3-Major BT1035133 Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
948113-4 4-Minor BT948113 User-defined report scheduling fails 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
883889-1 2-Critical BT883889 Tmm might crash when under memory pressure 16.0.0, 15.1.5, 14.1.4.5
860617-2 2-Critical BT860617 Radius server pool without attaching the load balancing algorithm will result in a core 16.0.0, 15.1.4.1, 14.1.4.5
1006893-1 2-Critical BT1006893 Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
993457-3 3-Major BT993457 TMM core with ACCESS::policy evaluate iRule 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
969317-2 3-Major BT969317 "Restrict to Single Client IP" option is ignored for VMware VDI 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5
956645-1 3-Major BT956645 Per-request policy execution may timeout. 17.0.0, 16.1.4, 15.1.9, 14.1.4.5
941393 3-Major BT941393 Memory leak in SWG 14.1.4.5
932213-1 3-Major BT932213 Local user db not synced to standby device when it comes online after forced offline state 16.1.0, 15.1.4.1, 14.1.4.5
924857-4 3-Major BT924857 Logout URL with parameters resets TCP connection 16.1.0, 16.0.1.2, 15.1.2, 14.1.4.5
915509-3 3-Major BT915509 RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true 16.1.0, 15.1.4.1, 14.1.4.5
853325-3 3-Major BT853325 TMM Crash while parsing form parameters by SSO. 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.5
828761-3 3-Major BT828761 APM OAuth - Auth Server attached iRule works inconsistently 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
827393-1 3-Major BT827393 In rare cases tmm crash is observed when using APM as RDG proxy. 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5
802381-2 3-Major BT802381 Localdb authentication fails 15.1.0, 15.0.1.3, 14.1.4.5
738593-1 3-Major BT738593 VMware Horizon session collaboration (shadow session) feature does not work through APM. 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
712857-3 3-Major BT712857 SWG-Explicit rejects large POST bodies during policy evaluation 14.1.4.5, 14.1.0, 12.1.3.6
1045229-3 3-Major BT1045229 APMD leaks Tcl_Objs as part of the fix made for ID 1002557 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
1044121-1 3-Major BT1044121 APM logon page is not rendered if db variable "ipv6.enabled" is set to false 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
1021485-1 3-Major BT1021485 VDI desktops and apps freeze with VMware and Citrix intermittently 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1001337 3-Major BT1001337 Cannot read single sign-on configuration from GUI when logged in as guest 15.1.4.1, 14.1.4.5
942965-1 4-Minor BT942965 Local users database can sometimes take more than 5 minutes to sync to the standby device 16.1.0, 15.1.5, 14.1.4.5


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1007113-4 2-Critical BT1007113 Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1039329-3 3-Major BT1039329 MRF per peer mode is not working in vCMP guest. 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
1025529-3 3-Major BT1025529 TMM generates core when iRule executes a nexthop command and SIP traffic is sent 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5
1003633-4 4-Minor BT1003633 There might be wrong memory handling when message routing feature is used 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1049229-3 2-Critical BT1049229 When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
995433-4 3-Major BT995433 IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT 16.1.0, 15.1.4.1, 14.1.4.5


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
956013 3-Major BT956013 System reports {{validation_errors}} 16.1.2.1, 15.1.5, 14.1.4.5


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
922665-1 3-Major BT922665 The admd process is terminated by watchdog on some heavy load configuration process 16.1.0, 15.1.5, 14.1.4.5
1023437-4 3-Major   Buffer overflow during attack with large HTTP Headers 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
1033829 2-Critical BT1033829 Unable to load Traffic Classification package 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
686783-3 4-Minor BT686783 UrlCat custom database feed list does not work when the URL contains a www prefix or capital letters. 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1032689-4 4-Minor BT1032689 UrlCat Custom db feedlist does not work for some URLs 16.1.2, 15.1.4.1, 14.1.4.5


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
873545-1 3-Major BT873545 SSL Orchestrator Configuration GUI freezes after management IP change. 15.1.10, 14.1.4.5
761314-2 3-Major BT761314 OSPF Hello does not work for L2 wire 15.1.0, 14.1.4.5



Cumulative fixes from BIG-IP v14.1.4.4 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
981461-3 CVE-2021-23032 K45407662, BT981461 Unspecified DNS responses cause TMM crash 16.1.0, 15.1.3.1, 14.1.4.4, 13.1.5
966901-3 CVE-2020-14364 K09081535, BT966901 CVE-2020-14364: Qemu Vulnerability 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5
940317-3 CVE-2020-13692 K23157312, BT940317 CVE-2020-13692: PostgreSQL JDBC Driver vulnerability 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
937333-4 CVE-2022-23013 K29500533, BT937333 Incomplete validation of input in unspecified forms 16.1.0, 15.1.4, 14.1.4.4, 13.1.5
550928-4 CVE-2022-23010 K34360320, BT550928 TMM may crash when processing HTTP traffic with a FastL4 virtual server 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5
1030689-3 CVE-2022-23019 K82793463, BT1030689 TMM may consume excessive resources while processing Diameter traffic 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
1017973-3 CVE-2021-25215 K96223611, BT1017973 BIND Vulnerability CVE-2021-25215 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
1017965-3 CVE-2021-25214 K11426315, BT1017965 BIND Vulnerability CVE-2021-25214 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
1009029 CVE-2021-23035 K70415522, BT1009029 TMM may crash while processing HTTP requests 14.1.4.4
975589-2 CVE-2020-8277 K07944249, BT975589 CVE-2020-8277 Node.js vulnerability 16.1.0, 15.1.4.1, 14.1.4.4
973409-4 CVE-2020-1971 K42910051, BT973409 CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
962069-1 CVE-2021-23047 K79428827, BT962069 Excessive resource consumption while processing OCSP requests via APM 16.1.0, 15.1.3.1, 14.1.4.4, 13.1.5
954425-3 CVE-2022-23031 K61112120, BT954425 Hardening of Live-Update 17.0.0, 16.1.1, 15.1.4, 14.1.4.4
887965-3 CVE-2022-23027 K30573026, BT887965 Virtual server may stop responding while processing TCP traffic 16.0.0, 15.1.4, 14.1.4.4, 13.1.5
1013145-3 CVE-2021-23052 K32734107 APM Hardening 14.1.4.4, 13.1.5
1008561-5 CVE-2022-23025 K44110411, BT1008561 In very rare condition, BIG-IP may crash when SIP ALG is deployed 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
1008077-4 CVE-2022-23029 K50343028, BT1008077 TMM may crash while processing TCP traffic with a FastL4 VS 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
741869-1 2-Critical BT741869 Enable SysDb variable 'Connection.VgL2Transparent' prior to operating the BIG-IP in L2 transparent mode using VLAN groups. 15.0.0, 14.1.4.4
923301-1 3-Major BT923301 ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4
911141-4 3-Major BT911141 GTP v1 APN is not decoded/encoded properly 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
866073-1 3-Major BT866073 Add option to exclude stats collection in qkview to avoid very large data files 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4
754335-1 3-Major BT754335 Install ISO does not boot on BIG-IP VE 16.1.0, 15.1.4.1, 14.1.4.4
752542-4 3-Major BT752542 Automatic eviction of PEM URLCAT cloud cache 15.0.0, 14.1.4.4
751032-3 4-Minor BT751032 TCP receive window may open too slowly after zero-window 16.0.0, 15.1.4, 14.1.4.4


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1002109-4 1-Blocking BT1002109 Xen binaries do not follow security best practices 16.1.0, 15.1.4, 14.1.4.4, 13.1.5
998729 2-Critical BT998729 Query for virtual address statistics is slow when there are hundreds of virtual address and address lists entries 14.1.4.4
980325-4 2-Critical BT980325 Chmand core due to memory leak from dossier requests. 16.1.0, 15.1.4, 14.1.4.4, 13.1.5
942549-3 2-Critical BT942549 Dataplane INOPERABLE - Only 7 HSBs found. Expected 8 16.1.0, 15.1.4.1, 14.1.4.4
831549-1 2-Critical BT831549 Marketing name does not display properly for BIG-IP i10010 (C127) 14.1.4.4, 13.1.3.2
767013-3 2-Critical BT767013 Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch 15.1.0, 14.1.4.4, 13.1.3.4, 12.1.5.2, 11.6.5.2
749332-3 2-Critical BT749332 Client-SSL Object's description can be updated using CLI and with REST PATCH operation 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.4
730852-3 2-Critical BT730852 The tmrouted repeatedly crashes and produces core when new peer device is added 16.1.0, 15.1.5.1, 14.1.4.4
718573-1 2-Critical BT718573 Internal SessionDB invalid state 16.1.0, 15.1.5.1, 14.1.4.4
1034449 2-Critical BT1034449 Excessive CPU consumption by platform_agent. 14.1.4.4
969105-1 3-Major BT969105 HA failover connections via the management address do not work on vCMP guests running on VIPRION 16.1.0, 15.1.4, 14.1.4.4, 13.1.5
965205-3 3-Major BT965205 BIG-IP dashboard downloads unused widgets 16.1.0, 15.1.4.1, 14.1.4.4
958465-3 3-Major BT958465 In BIG-IP Virtual Edition, TMM may prematurely shut down during initialization 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.4
956293-1 3-Major BT956293 High CPU from analytics-related REST calls - Dashboard TMUI 16.1.0, 15.1.4, 14.1.4.4
950849-2 3-Major BT950849 B4450N blades report page allocation failure. 16.1.0, 15.1.3.1, 14.1.4.4
947529-1 3-Major BT947529 Security tab in virtual server menu renders slowly 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5
940885-3 3-Major BT940885 Add embedded SR-IOV support for Mellanox CX5 Ex adapter 16.1.0, 15.1.4.1, 14.1.4.4
850193-2 3-Major BT850193 Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues 16.0.0, 15.1.4, 14.1.4.4
827033-3 3-Major BT827033 Boot marker is being logged before shutdown logs 16.0.0, 15.1.4, 14.1.4.4
809657-2 3-Major BT809657 HA Group score not computed correctly for an unmonitored pool when mcpd starts 16.0.0, 15.1.4.1, 14.1.4.4, 13.1.5
787881-2 3-Major BT787881 TMSH displays TSIG keys 15.1.0, 14.1.4.4
755027-1 3-Major BT755027 Timer processing taking too long 15.1.0, 14.1.4.4
741702-3 3-Major BT741702 TMM crash 16.1.0, 15.1.5.1, 14.1.4.4
1024877-1 3-Major BT1024877 Systemd[]: systemd-ask-password-serial.service failed. 16.1.0, 15.1.4.1, 14.1.4.4
1010393-3 3-Major BT1010393 Unable to relax AS-path attribute in multi-path selection 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
1009949-1 3-Major BT1009949 High CPU usage when upgrading from previous version 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
1008837-3 3-Major BT1008837 Control plane is sluggish when mcpd processes a query for virtual server and address statistics 17.0.0, 16.1.2.2, 15.1.4, 14.1.4.4
898441-4 4-Minor BT898441 Enable logging of IKE keys 16.1.0, 15.1.4, 14.1.4.4
884165-2 4-Minor BT884165 Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG 16.0.0, 15.1.4.1, 14.1.4.4, 13.1.5
851393-3 4-Minor BT851393 Tmipsecd leaves a zombie rm process running after starting up 16.0.0, 15.1.0.5, 14.1.4.4


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
846217-1 2-Critical BT846217 Translucent vlan-groups set local bit in destination MAC address 16.0.0, 15.1.2.1, 14.1.4.4
837617-3 2-Critical BT837617 Tmm may crash while processing a compression context 16.0.0, 15.1.0.2, 14.1.4.4
745589-6 2-Critical BT745589 In very rare situations, some filters may cause data-corruption. 15.0.0, 14.1.4.4
997929-4 3-Major BT997929 Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4
978833-3 3-Major BT978833 Use of CRL-based Certificate Monitoring Causes Memory Leak 16.1.0, 15.1.4.1, 14.1.4.4
969637-3 3-Major BT969637 Config may fail to load with "FIPS 140 operations not available on this system" after upgrade 16.1.0, 15.1.4, 14.1.4.4
956133-4 3-Major BT956133 MAC address might be displayed as 'none' after upgrading. 17.0.0, 16.1.4, 15.1.4, 14.1.4.4
941481-3 3-Major BT941481 iRules LX - nodejs processes consuming excessive memory 16.1.0, 15.1.4, 14.1.4.4
941257-2 3-Major BT941257 Occasional Nitrox3 ZIP engine hang 16.1.0, 15.1.4, 14.1.4.4, 13.1.5
915773 3-Major BT915773 Restart of TMM after stale interface reference 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
912945-4 3-Major BT912945 On a virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed 17.0.0, 16.1.1, 15.1.4, 14.1.4.4
910905-2 3-Major BT910905 TMM crash when processing virtual server traffic with TLS/SSL session cache enabled 15.1.5.1, 14.1.4.4
818833-3 3-Major BT818833 TCP re-transmission during SYN Cookie activation results in high latency 16.0.0, 15.1.4, 14.1.4.4
778841-2 3-Major BT778841 Traffic is not passing in virtual wire when Virtual server type is standard & IP profile is ipother 16.0.0, 14.1.4.4
749608-2 3-Major BT749608 HTTP Persistence cookies erroneously sent when cookie persistence turned off 15.0.0, 14.1.4.4
723112-5 3-Major BT723112 LTM policies do not work if a condition has more than 127 matches 16.1.0, 15.1.4.1, 14.1.4.4
714372-3 3-Major BT714372 Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari 16.0.0, 15.1.0.2, 15.0.1.1, 14.1.4.4
1015209-1 3-Major BT1015209 Memory may be leaked when handling chunked responses 14.1.4.4
1015201-1 3-Major BT1015201 HTTP unchunking satellite leaks ERR_MORE_DATA which can cause connection to be aborted. 15.1.5, 14.1.4.4
1004897-3 3-Major BT1004897 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.4
936773-1 4-Minor BT936773 Improve logging for "double flow removal" TMM Oops 16.1.0, 15.1.4.1, 14.1.4.4
753925-1 4-Minor BT753925 CLIENTSSL_CLIENTCERT iRule event may not be triggered on TLSv1.3 connections 15.0.0, 14.1.4.4


Performance Fixes

ID Number Severity Links to More Info Description Fixed Versions
1030665 2-Critical BT1030665 Apmd crashes during shutdown under certain conditions 14.1.4.4


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
995853-3 2-Critical BT995853 Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error. 16.1.0, 15.1.4, 14.1.4.4, 13.1.5
850509-3 2-Critical BT850509 Zone Trusted Signature inadequately maintained, following change of master key 16.0.0, 15.1.2, 14.1.4.4, 13.1.5
993489-4 3-Major BT993489 GTM daemon leaks memory when reading GTM link objects 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
864797-1 3-Major BT864797 Cached results for a record are sent following region modification 16.1.0, 15.1.4, 14.1.4.4
847105-3 3-Major BT847105 The bigip_gtm.conf is reverted to default after rebooting with license expired 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5
816277-2 4-Minor BT816277 Extremely long nameserver name causes GUI Error 16.0.0, 14.1.4.4, 13.1.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
997137-4 2-Critical K80945213, BT997137 CSRF token modification may allow WAF bypass on GET requests 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5
996381-4 2-Critical K41503304, BT996381 ASM attack signature may not match as expected 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1
970329-4 2-Critical K70134152, BT970329 ASM hardening 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
965229-3 2-Critical BT965229 ASM Load hangs after upgrade 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
920197-2 2-Critical BT920197 Brute force mitigation can stop mitigating without a notification 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
964245-3 3-Major BT964245 ASM reports and enforces username always 16.1.0, 15.1.4, 14.1.4.4, 13.1.5
962589-1 3-Major BT962589 Full Sync Requests Caused By Failed Relayed Call to delete_suggestion 17.0.0, 16.1.1, 15.1.4, 14.1.4.4
962497-4 3-Major BT962497 BD crash after ICAP response 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
955017-4 3-Major BT955017 Excessive CPU consumption by asm_config_event_handler 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1
951133-1 3-Major BT951133 Live Update does not work properly after upgrade 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4
946081-3 3-Major BT946081 Getcrc tool help displays directory structure instead of version 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
932133-3 3-Major BT932133 Payloads with large number of elements in XML take a lot of time to process 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
928717-1 3-Major BT928717 [ASM - AWS] - ASU fails to sync 16.1.0, 15.1.4, 14.1.4.4
920149-2 3-Major BT920149 Live Update default factory file for Server Technologies cannot be reinstalled 17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4
914277-4 3-Major BT914277 [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU 16.1.0, 16.0.1.2, 15.1.4.1, 14.1.4.4
904133-2 3-Major BT904133 Creating a user-defined signature via iControl REST occasionally fails with a 400 response code 16.0.0, 15.1.4.1, 14.1.4.4
867825-2 3-Major BT867825 Export/Import on a parent policy leaves children in an inconsistent state 16.0.0, 15.1.4, 14.1.4.4, 13.1.5
767057-2 3-Major BT767057 In a sync-only device group, inactive policy is synced to peer, ASM is removed from virtual server 15.1.0, 14.1.4.4, 13.1.5
753715-1 3-Major BT753715 False positive JSON max array length violation 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5
712336-1 3-Major BT712336 bd daemon restart loop 15.0.0, 14.1.4.4, 13.1.5, 12.1.5.3
1022269-3 3-Major BT1022269 False positive RFC compliant violation 17.0.0, 16.1.2, 15.1.4, 14.1.4.4, 13.1.5
1000741-4 3-Major K67397230, BT1000741 Fixing issue with input normalization 17.0.0, 16.1.1, 15.1.4, 14.1.4.4
952509-1 4-Minor BT952509 Cross origin AJAX requests are blocked in case there is no Origin header 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4
944441-3 4-Minor BT944441 BD_XML logs memory usage at TS_DEBUG level 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
941249-4 4-Minor BT941249 Improvement to getcrc tool to print cookie names when cookie attributes are involved 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
746167-1 4-Minor BT746167 Memory pressure from nsyncd 15.0.0, 14.1.4.4


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
932137-4 3-Major BT932137 AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
926341-3 3-Major BT926341 RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade 17.0.0, 16.1.3.1, 15.1.4, 14.1.4.4, 13.1.5
922105-4 3-Major BT922105 Avrd core when connection to BIG-IQ data collection device is not available 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
909161-4 3-Major BT909161 A core file is generated upon avrd process restart or stop 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
1020705-3 4-Minor BT1020705 "tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead of "attack_type_name" 17.0.0, 16.1.2, 15.1.3.1, 14.1.4.4


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
789085-2 2-Critical BT789085 When executing the ACCESS::session iRule command under a serverside event, tmm may crash 15.1.0, 14.1.4.4
766921-1 2-Critical BT766921 Localdbmgr process crashes and generates a core 15.0.0, 14.1.4.4
1020349-1 2-Critical BT1020349 APM daemon may crash if CRLDP agent cannot find a certificate to validate CRL 16.1.0, 15.1.6.1, 14.1.4.4
984765-4 3-Major BT984765 APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) 16.1.0, 15.1.4, 14.1.4.4
949477-2 3-Major BT949477 NTLM RPC exception: Failed to verify checksum of the packet 16.1.0, 15.1.4.1, 14.1.4.4
946125-1 3-Major BT946125 Tmm restart adds 'Revoked' tokens to 'Active' token count 16.1.0, 15.1.4, 14.1.4.4
849029-3 3-Major BT849029 No configurable setting for maximum entries in CRLDP cache 17.0.0, 16.1.3, 15.1.6.1, 14.1.4.4
844781-1 3-Major BT844781 [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.4
844281-1 3-Major BT844281 [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files. 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.4
803825-3 3-Major BT803825 WebSSO does not support large NTLM target info length 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.4, 13.1.3.4
744407-3 3-Major BT744407 While the client has been closed, iRule function should not try to check on a closed session 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.4, 13.1.3.4
1007629-2 3-Major BT1007629 APM policy configured with many ACL policies can create APM memory pressure 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5
1002557-3 3-Major BT1002557 Tcl free object list growth 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5
1001041-2 3-Major BT1001041 Reset cause 'Illegal argument' 16.1.0, 15.1.4, 14.1.4.4
939877-2 4-Minor BT939877 OAuth refresh token not found 17.0.0, 16.1.2, 15.1.4, 14.1.4.4


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
993913-1 2-Critical BT993913 TMM SIGSEGV core in Message Routing Framework 17.0.0, 16.1.1, 15.1.4, 14.1.4.4
1012721-2 2-Critical BT1012721 Tmm may crash with SIP-ALG deployment in a particular race condition 17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4, 13.1.5
996113-4 3-Major BT996113 SIP messages with unbalanced escaped quotes in headers are dropped 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
805821-4 3-Major BT805821 GTP log message contains no useful information 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
919301-4 4-Minor BT919301 GTP::ie count does not work with -message option 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913413-4 4-Minor BT913413 'GTP::header extension count' iRule command returns 0 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913409-4 4-Minor BT913409 GTP::header extension command may abort connection due to unreasonable TCL error 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913393-4 5-Cosmetic BT913393 Tmsh help page for GTP iRule contains incorrect and missing information 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
990461-2 3-Major BT990461 Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade 17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4
744204-1 3-Major BT744204 PCCD may exhaust system memory when compiling 15.0.0, 14.1.4.4
1012521-4 3-Major BT1012521 BIG-IP UI file permissions 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4
926425 4-Minor BT926425 Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts 14.1.4.4


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
913453-3 2-Critical BT913453 URL Categorization: wr_urldbd cores while processing urlcat-query 16.1.0, 15.1.4, 14.1.4.4
760961-3 2-Critical BT760961 TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts 15.0.0, 14.1.4.4, 13.1.1.5
958085-2 3-Major BT958085 IM installation fails with error: Spec file not found 16.1.0, 15.1.4, 14.1.4.4
785605-2 3-Major BT785605 Traffic Intelligence Feed Lists are not usable if created on Standby unit in Traffic Group 15.1.0, 14.1.4.4
974205-2 4-Minor BT974205 Unconstrained wr_urldbd size causing box to OOM 17.1.0, 16.1.4, 15.1.4, 14.1.4.4, 12.1.6


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
970829-4 2-Critical K03310534, BT970829 iSeries LCD incorrectly displays secure mode 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4
929213-3 3-Major BT929213 iAppLX packages not rolled forward after BIG-IP upgrade 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
946185-4 3-Major BT946185 Unable to view iApp component due to error 'An error has occurred while trying to process your request.' 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
822245-5 4-Minor BT822245 Large number of in-TMM monitors results in some monitors being marked down or delay in marking node down 16.1.0, 15.1.4, 14.1.4.4


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
918317-3 3-Major BT918317 SSL Orchestrator resets subsequent requests when HTTP services are being used. 16.1.0, 15.1.4, 14.1.4.4



Cumulative fixes from BIG-IP v14.1.4.3 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
989009-4 CVE-2021-23033 K05314769, BT989009 BD daemon may crash while processing WebSocket traffic 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1
980125-4 CVE-2021-23030 K42051445, BT980125 BD Daemon may crash while processing WebSocket traffic 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1
946377-3 CVE-2021-23027 K24301698, BT946377 HSM WebUI Hardening 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3
968349-1 CVE-2021-23048 K19012930, BT968349 TMM crashes with unspecified message 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1
950017-3 CVE-2021-23045 K94941221, BT950017 TMM may crash while processing SCTP traffic 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1
819053-2 CVE-2019-13232 K80311892, BT819053 CVE-2019-13232 unzip: overlapping of files in ZIP container 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1
797797-3 CVE-2019-11811 K01512680, BT797797 CVE-2019-11811 kernel: use-after-free in drivers 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.3
968733-5 CVE-2018-1120 K42202505, BT968733 CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1
939421-4 CVE-2020-10029 K38481791, BT939421 CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
876937-1 3-Major BT876937 DNS Cache not functioning 16.0.0, 15.1.4, 14.1.4.3


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
967905-3 2-Critical BT967905 Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1
1004517-3 2-Critical BT1004517 BIG-IP tenants on VELOS cannot install EHFs 17.1.0, 15.1.4, 14.1.4.3
1000973-2 2-Critical BT1000973 Unanticipated restart of TMM due to heartbeat failure 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1
998221-4 3-Major BT998221 Accessing pool members from configuration utility is slow with large config 17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.3
996593-3 3-Major BT996593 Password change through REST or GUI not allowed if the password is expired 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3
994801-4 3-Major   SCP file transfer system 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1
908601-4 3-Major BT908601 System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3
841277-5 3-Major BT841277 C4800 LCD fails to load after annunciator hot-swap 16.0.0, 15.1.4, 14.1.4.3
804477-4 3-Major BT804477 Add HSB register logging when parts of the device become unresponsive 15.1.0, 14.1.4.3, 13.1.3.4
1004417-1 4-Minor BT1004417 Provisioning error message during boot up 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1008525-1 2-Critical BT1008525 The partition text field becomes unusable when the user enters an invalid entry such as, "<, >, &, ", ', ', etc. 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3
1007505 2-Critical BT1007505 TLS handshake times out if intermediate CA cert status cannot be determined 14.1.4.3
1001509-1 2-Critical K11162395, BT1001509 Client going through to BIG-IP SSL forward proxy might not be able to trust forged certificates 15.1.3, 14.1.4.3
994125-1 3-Major BT994125 NetHSM Sanity results are not reflecting in GUI test output box 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3
882549-3 3-Major BT882549 Sock driver does not use multiple queues in unsupported environments 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3
962433-3 4-Minor BT962433 HTTP::retry for a HEAD request fails to create new connection 15.1.4, 14.1.4.3, 13.1.4.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1017645-3 2-Critical BT1017645 False positive HTTP compliance violation 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1
981785-2 3-Major BT981785 Incorrect incident severity in Event Correlation statistics 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
833113-3 3-Major BT833113 Avrd core when sending large messages via https 16.0.0, 15.1.4, 15.0.1.3, 14.1.4.3, 13.1.3.4


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
660913-3 2-Critical BT660913 For ActiveSync client type, browscap info provided is incorrect. 15.0.0, 14.1.4.3, 13.1.3.4, 12.1.4.1
924521-1 3-Major BT924521 OneConnect does not work when WEBSSO is enabled/configured. 16.1.0, 15.1.4, 14.1.4.3
470346-2 3-Major BT470346 Some IPv6 client connections get RST when connecting to APM virtual 16.0.0, 15.1.4, 14.1.4.3, 13.1.5


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
991037-1 3-Major BT991037 MR::message can cause tmm crash 14.1.4.3
788625-3 3-Major BT788625 A pool member is not marked up by the inband monitor even after successful connection to the pool member 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
874677 2-Critical BT874677 Traffic Classification auto signature update fails from GUI 16.1.0, 16.0.1.1, 15.1.3, 14.1.4.3
976365-1 3-Major BT976365 Traffic Classification hardening 16.1.0, 15.1.3.1, 14.1.4.3


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
795329-2 3-Major BT795329 IM installation fails if 'auto-add-new-inspections' enabled on profile 15.1.0, 15.0.1.1, 14.1.4.3


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
947925-4 3-Major BT947925 TMM may crash when executing L7 Protocol Lookup per-request policy agent 16.1.0, 15.1.4, 14.1.4.3



Cumulative fixes from BIG-IP v14.1.4.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
962341-4 CVE-2021-23028 K00602225, BT962341 BD crash while processing JSON content 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2, 13.1.4
935433-4 CVE-2021-23026 K53854428, BT935433 iControl SOAP 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1
981693-2 CVE-2022-23024 K54892865, BT981693 TMM may consume excessive resources while processing IPSec ALG traffic 16.1.0, 15.1.4.1, 14.1.4.2, 13.1.5
965485-2 CVE-2019-5482 K41523201 CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
949889-2 CVE-2019-3900 K04107324, BT949889 CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx() 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
942701-3 CVE-2021-23044 K35408374, BT942701 TMM may consume excessive resources while processing HTTP traffic 16.1.0, 15.1.3.1, 14.1.4.2, 13.1.4.1
937365-4 CVE-2021-23041 K42526507, BT937365 LTM UI does not follow best practices 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1
907245-3 CVE-2021-23040 K94255403, BT907245 AFM UI Hardening 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1
906377-4 CVE-2021-23038 K61643620, BT906377 iRulesLX hardening 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2, 13.1.4.1
803933-2 CVE-2018-20843 K51011533, BT803933 Expat XML parser vulnerability CVE-2018-20843 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1
1003557-4 CVE-2021-23015 K74151369, BT1003557 Not following best practices in Guided Configuration Bundle Install worker 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1004833-1 1-Blocking BT1004833 NIST SP800-90B compliance 17.0.0, 16.1.3, 15.1.4, 14.1.4.2
976505-1 3-Major BT976505 Rotated restnoded logs will fail logintegrity verification. 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
975809-2 3-Major BT975809 Rotated restjavad logs fail logintegrity verification. 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
959629-3 3-Major BT959629 Logintegrity script for restjavad/restnoded fails 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
958353-3 3-Major BT958353 Restarting the mcpd messaging service renders the PAYG VE license invalid. 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
946089-1 3-Major BT946089 BIG-IP might send excessive multicast/broadcast traffic. 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
932497-1 3-Major BT932497 Autoscale groups require multiple syncs of datasync-global-dg 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
913849 3-Major BT913849 Syslog-ng periodically logs nothing for 20 seconds 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
764873-2 3-Major BT764873 An accelerated flow may transmit packets to an unavailable pool member. 15.1.0, 15.0.1.3, 14.1.4.2, 13.1.3.2
1009133 3-Major BT1009133 BIG-IP vCMP guests that have HA Groups configured to include trunk scoring may fail to upgrade properly 14.1.4.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
945997-3 2-Critical BT945997 LTM policy applied to HTTP/2 traffic may crash TMM 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
980821-1 3-Major BT980821 Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured. 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2
895557-1 4-Minor BT895557 NTLM profile logs error when used with profiles that do redirect 17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.2
773253-3 4-Minor BT773253 The BIG-IP may send VLAN failsafe probes from a disabled blade 16.0.0, 15.1.2.1, 14.1.4.2, 13.1.4


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
918597-4 2-Critical BT918597 Under certain conditions, deleting a topology record can result in a crash. 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
717306-1 2-Critical BT717306 Added ability to use VIP-targeting-VIP with DNS Cache server-side connections 15.1.0, 14.1.4.2
973261-4 3-Major BT973261 GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
912001-4 3-Major BT912001 TMM cores on secondary blades of the Chassis system. 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
835209-1 3-Major BT835209 External monitors mark objects down 16.0.0, 15.1.3, 14.1.4.2
746719-1 3-Major BT746719 SERVFAIL when attempting to view or edit NS resource records in zonerunner 15.0.0, 14.1.4.2
857953-3 4-Minor BT857953 Non-functional disable/enable buttons present in GTM wide IP members page 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
968421-4 2-Critical K30291321, BT968421 ASM attack signature does not match 16.1.0, 16.0.1.2, 15.1.2.1, 14.1.4.2, 13.1.4.1, 12.1.6, 11.6.5.3
943913-4 2-Critical K30150004, BT943913 ASM attack signature does not match 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2, 13.1.4.1
854001-4 2-Critical BT854001 TMM might crash in case of trusted bot signature and API protected url 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
810497-2 2-Critical BT810497 Pabnagd cores during device group settings changes 15.1.0, 14.1.4.2
950917-2 3-Major BT950917 Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034 17.0.0, 16.1.4, 15.1.4, 14.1.4.2, 13.1.4.1
928685-3 3-Major K49549213, BT928685 ASM Brute Force mitigation not triggered as expected 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1
922261-4 3-Major BT922261 WebSocket server messages are logged even if it is not configured 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
912089-3 3-Major BT912089 Some roles are missing necessary permission to perform Live Update 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
907337-4 3-Major BT907337 BD crash on specific scenario 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
888289-3 3-Major BT888289 Add option to skip percent characters during normalization 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
883853-1 3-Major BT883853 Bot Defense Profile with staged signatures prevents signature update 16.0.0, 15.1.4, 14.1.4.2
881757-2 3-Major BT881757 Unnecessary HTML response parsing and response payload is not compressed 16.1.0, 16.0.1.2, 15.1.1, 14.1.4.2
846181-1 3-Major BT846181 Request samples for some of the learning suggestions are not visible 16.0.0, 15.1.4, 14.1.4.2
830341-1 3-Major BT830341 False positives Mismatched message key on ASM TS cookie 17.0.0, 16.1.2.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
792341-2 3-Major BT792341 Google Analytics shows incorrect stats. 15.1.0, 14.1.4.2, 13.1.4.1
673272-4 3-Major BT673272 Search by "Signature ID is" does not return results for some signature IDs 17.0.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4
941929-1 4-Minor BT941929 Google Analytics shows incorrect stats, when Google link is redirected. 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
911729-1 4-Minor BT911729 Redundant learning suggestion to set a Maximum Length when parameter is already at that value 17.0.0, 16.0.1.2, 15.1.4, 14.1.4.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
981385-4 3-Major BT981385 AVRD does not send HTTP events to BIG-IQ DCD 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4
932485-2 3-Major BT932485 Incorrect sum(hits_count) value in aggregate tables 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
913085-4 3-Major BT913085 Avrd core when avrd process is stopped or restarted 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
995029 2-Critical BT995029 Configuration is not updated during auto-discovery 16.1.0, 15.1.4, 14.1.4.2
783233-2 2-Critical BT783233 OAuth puts quotation marks around claim values that are not string type 15.1.0, 14.1.4.2
894885 3-Major BT894885 [SAML] SSO crash while processing client SSL request 16.1.0, 15.1.4, 14.1.4.2
866109-1 3-Major BT866109 JWK keys frequency does not support fewer than 60 minutes 16.0.0, 15.1.4, 14.1.4.2, 13.1.4.1
757781-3 3-Major BT757781 Portal Access: cookie exchange may be broken sometimes 15.1.0, 15.0.1.1, 14.1.4.2, 14.0.0.5, 13.1.1.5
738865-3 3-Major BT738865 MCPD might enter into loop during APM config validation 16.0.0, 15.1.4, 14.1.4.2
828773-1 4-Minor BT828773 Incomplete response to an internal request by Portal Access 14.1.4.2
766017-1 4-Minor BT766017 [APM][LocalDB] Local user database instance name length check inconsistencies 16.1.0, 16.0.1.1, 15.1.2, 14.1.4.2, 13.1.3.5, 12.1.5.3
747234-5 4-Minor BT747234 Macro policy does not find corresponding access-profile directly 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
974881-1 2-Critical BT974881 Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
868781-2 2-Critical BT868781 TMM crashes while processing MRF traffic 16.0.0, 15.1.1, 14.1.4.2, 13.1.4.1
989753-3 3-Major BT989753 In HA setup, standby fails to establish connection to server 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
992213-1 3-Major BT992213 Protocol Any displayed as HOPTOPT in AFM policy view 17.0.0, 16.1.1, 15.1.4, 14.1.4.2
988005-3 3-Major BT988005 Zero active rules counters in GUI 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
783217-1 3-Major BT783217 Negative numbers of received packets in DoS-sampled log messages for bad actor and attacked destination attacks 15.1.0, 14.1.4.2
751116-1 3-Major BT751116 DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring 15.0.0, 14.1.4.2, 13.1.3.4
716746-1 3-Major BT716746 Possible tmm restart when disabling single endpoint vector while attack is ongoing 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.0.7
685904-2 3-Major BT685904 Firewall Rule hit counts are not auto-updated after a Reset is done 16.0.0, 15.1.4, 14.1.4.2
977005-2 4-Minor BT977005 Network Firewall Policy rules-list showing incorrect 'Any' for source column 16.1.0, 15.1.4, 14.1.4.2


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
981689-1 2-Critical BT981689 TMM memory leak with IPsec ALG 16.1.0, 15.1.4.1, 14.1.4.2
994985-1 3-Major BT994985 CGNAT GUI shows blank page when applying SIP profile 17.0.0, 15.1.4, 14.1.4.2


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
893721-1 2-Critical BT893721 PEM-provisioned systems may suffer random tmm crashes after upgrading 16.1.0, 15.1.4, 14.1.4.2
948573-2 3-Major BT948573 Wr_urldbd list of valid TLDs needs to be updated 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
846601-3 3-Major BT846601 Traffic classification does not update when an inactive slot becomes active after upgrade 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
912425-1 3-Major BT912425 Modifying in-TMM monitor configuration may not take effect, or may result in a TMM crash 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2



Cumulative fixes from BIG-IP v14.1.4.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
980809-3 CVE-2021-23031 K41351250, BT980809 ASM REST Signature Rule Keywords Tool Hardening 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3
990333-4 CVE-2021-23016 K75540265, BT990333 APM may return unexpected content when processing HTTP requests 17.0.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4
945109-4 CVE-2015-9382 K46641512, BT945109 Freetype Parser Skip Token Vulnerability CVE-2015-9382 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3
1002561-1 CVE-2021-23007 K37451543, BT1002561 TMM vulnerability CVE-2021-23007 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
933777-2 3-Major BT933777 Context use and syntax changes clarification 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4
704552-2 3-Major BT704552 Support for ONAP site licensing 15.1.0, 14.1.4.1, 14.0.0.2, 13.1.0.7
918097-1 4-Minor BT918097 Cookies set in the URI on Safari 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
995629-2 2-Critical BT995629 Loading UCS files may hang if ASM is provisioned 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4.1
876957-2 2-Critical BT876957 Reboot after tmsh load sys config changes sys FPGA firmware-config value 16.0.0, 15.1.1, 14.1.4.1
978393 3-Major BT978393 GUI screen shows blank screen while importing a certificate 14.1.4.1
969213-2 3-Major BT969213 VMware: management IP cannot be customized via net.mgmt.addr property 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
922297-3 3-Major BT922297 TMM does not start when using more than 11 interfaces with more than 11 vCPUs 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4
914245-1 3-Major BT914245 Reboot after tmsh load sys config changes sys FPGA firmware-config value 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
841649-2 3-Major BT841649 Hardware accelerated connection mismatch resulting in tmm core 16.0.0, 15.1.2, 14.1.4.1
839121-1 3-Major K74221031, BT839121 A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
829821-3 3-Major BT829821 Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4
692218-3 3-Major BT692218 Audit log messages sent from the primary blade to the secondaries should not be logged. 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
675911-13 3-Major K13272442, BT675911 Different sections of the GUI can report incorrect CPU utilization 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
601220-3 3-Major BT601220 Multi-blade trunks seem to leak packets ingressed via one blade to a different blade 15.1.0, 14.1.4.1
569859-5 3-Major BT569859 Password policy enforcement for root user when mcpd is not available 16.0.0, 15.1.3, 14.1.4.1
879189-3 4-Minor BT879189 Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
658943-2 4-Minor BT658943 Errors when platform migration process is loading UCS using trunks on vCMP guest/F5OS Tenants 14.1.4.1
440599-1 4-Minor BT440599 Added DB Variable to configure 'difok' variable in password policy 16.0.0, 14.1.4.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
908621-3 2-Critical BT908621 Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core 16.0.0, 15.1.2, 14.1.4.1
738964-2 2-Critical   Instruction logger debugging enhancement 16.1.0, 15.1.3, 14.1.4.1
888517-3 3-Major BT888517 Busy polling leads to high CPU 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4
878925-3 3-Major BT878925 SSL connection mirroring failover at end of TLS handshake 16.0.0, 15.1.2, 14.1.4.1
760406-3 3-Major BT760406 HA connection might stall on Active device when the SSL session cache becomes out-of-sync. 16.0.0, 15.1.5.1, 14.1.4.1
756812-2 3-Major BT756812 Nitrox 3 instruction/request logger may fail due to SELinux permission error 16.1.0, 15.1.3, 14.1.4.1
756817-1 4-Minor BT756817 ZebOS address blocks do not reflect RFC5735 changes to reserved address blocks. 15.1.0, 15.0.1.4, 14.1.4.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
971297-3 3-Major BT971297 DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
885201-3 4-Minor BT885201 BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session"' messages appearing in gtm log 16.1.0, 15.1.3, 14.1.4.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
956373-3 3-Major BT956373 ASM sync files not cleaned up immediately after processing 17.0.0, 16.1.4, 16.0.1.2, 15.1.3, 14.1.4.1
947341-3 3-Major BT947341 MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files. 17.0.0, 16.1.2, 16.0.1.2, 15.1.3, 14.1.4.1
929001-4 3-Major K48321015, BT929001 ASM form handling improvements 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3
767077-1 3-Major BT767077 Loading truncated Live Update file (ASU) completes incorrectly or fails with odd error 15.1.0, 14.1.4.1
824093-3 4-Minor BT824093 Parameters payload parser issue 16.0.0, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
869049-2 3-Major BT869049 Charts discrepancy in AVR reports 17.0.0, 16.0.1.2, 15.1.3, 14.1.4.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
883577-2 3-Major BT883577 ACCESS::session irule command does not work in HTTP_RESPONSE event 16.1.0, 15.1.3, 14.1.4.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
750679-1 2-Critical BT750679 Tmm crash on standby device and Diameter stats issues 15.0.0, 14.1.4.1
982869-3 3-Major BT982869 With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
977053-3 3-Major BT977053 TMM crash on standby due to invalid MR router instance 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
966701-3 3-Major BT966701 Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
851745-1 2-Critical BT851745 High CPU consumption when enabling a large number of virtual servers 16.0.0, 15.1.2, 14.1.4.1


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
914293-1 3-Major BT914293 TMM SIGSEGV and crash 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
964577-1 4-Minor BT964577 IPS automatic IM download not working as expected 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1



Cumulative fixes from BIG-IP v14.1.4 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
975233-3 CVE-2021-22992 K52510511, BT975233 Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3
973333-3 CVE-2021-22991 K56715231, BT973333 TMM buffer-overflow vulnerability CVE-2021-22991 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3
955145-3 CVE-2021-22986 K03009991, BT955145 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3
954381-3 CVE-2021-22986 K03009991, BT954381 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3
953677-3 CVE-2021-22987, CVE-2021-22988 K18132488 K70031188, BT953677 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3
951705-3 CVE-2021-22986 K03009991, BT951705 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4
981169-3 CVE-2021-22994 K66851119, BT981169 F5 TMUI XSS vulnerability CVE-2021-22994 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3
959121-2 CVE-2021-23015 K74151369, BT959121 Not following best practices in Guided Configuration Bundle Install worker 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6
953729-3 CVE-2021-22989, CVE-2021-22990 K56142644 K45056101, BT953729 Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3
949933-2 CVE-2021-22980 K29282483, BT949933 BIG-IP APM CTU vulnerability CVE-2021-22980 16.1.0, 16.0.1.1, 15.1.4, 14.1.4, 13.1.3.6
931837-5 CVE-2020-13817 K55376430, BT931837 NTP has predictable timestamps 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3
882633-4 CVE-2021-23008 K51213246, BT882633 Active Directory authentication does not follow current best practices 16.1.0, 15.1.3, 14.1.4, 13.1.4, 12.1.6
976925-3 CVE-2021-23002 K71891773, BT976925 BIG-IP APM VPN vulnerability CVE-2021-23002 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6
954429-3 CVE-2021-23014 K23203045, BT954429 User authorization changes for live update 16.1.0, 16.0.1.1, 15.1.3, 14.1.4
948769-4 CVE-2021-23013 K05300051, BT948769 TMM panic with SCTP traffic 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6, 12.1.5.3
946581-3 CVE-2020-27713 K37960100, BT946581 TMM vulnerability CVE-2020-27713 14.1.4, 13.1.3.5
938233-3 CVE-2021-23042 K93231374 An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4, 12.1.6
937637-4 CVE-2021-23002 K71891773, BT937637 BIG-IP APM VPN vulnerability CVE-2021-23002 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6
935401-4 CVE-2021-23001 K06440657, BT935401 BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3
932697-2 CVE-2021-23000 K34441555, BT932697 BIG-IP TMM vulnerability CVE-2021-23000 14.1.4, 13.1.4, 12.1.5.3
903889 CVE-2021-22999 K02333782, BT903889 BIG-IP HTTP/2 vulnerability CVE-2021-22999 14.1.4
877109-3 CVE-2021-23012 K04234247 Unspecified input can break intended functionality in iHealth proxy 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.4
825689-3 CVE-2023-3470 K000135449, BT825689 Enhance FIPS crypto-user storage 16.0.0, 15.1.1, 14.1.4, 13.1.4, 12.1.6
743105-4 CVE-2021-22998 K31934524, BT743105 BIG-IP SNAT vulnerability CVE-2021-22998 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3
718189-7 CVE-2021-23011 K10751325, BT718189 Unspecified IP traffic can cause low-memory conditions 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.4, 12.1.6, 11.6.5.3


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
912289-3 2-Critical BT912289 Cannot roll back after upgrading on certain platforms 16.0.0, 15.1.1, 14.1.4, 13.1.4, 12.1.6
776393-2 2-Critical BT776393 Restjavad restarts frequently due to insufficient memory with relatively large configurations 16.1.0, 16.0.1.1, 15.1.3, 14.1.4
945265-3 3-Major BT945265 BGP may advertise default route with incorrect parameters 16.1.0, 16.0.1.1, 15.1.3, 14.1.4
913829-3 3-Major BT913829 i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4
867793-3 3-Major BT867793 BIG-IP sending the wrong trap code for BGP peer state 16.0.0, 15.1.2.1, 14.1.4
794417-1 3-Major BT794417 Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not 16.1.3, 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4
742860-3 3-Major BT742860 VE: Predictable NIC ordering based on PCI coordinates until ordering is saved. 15.1.0, 14.1.4, 13.1.3.6
719338-2 4-Minor BT719338 Concurrent management SSH connections are unlimited 16.1.0, 15.1.1, 14.1.4, 13.1.4


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
990849-3 2-Critical BT990849 Loading UCS with platform-migrate option hangs and requires exiting from the command 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4.1
940021-2 2-Critical BT940021 Syslog-ng hang may lead to unexpected reboot 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6
932437-4 2-Critical BT932437 Loading SCF file does not restore files from tar file 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4
915305-3 2-Critical BT915305 Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.4
908517-1 2-Critical BT908517 LDAP authentication failures seen because of 'Too many open file handles at client (nslcd)' 16.1.0, 16.0.1.1, 15.1.3, 14.1.4
888341-5 2-Critical BT888341 HA Group failover may fail to complete Active/Standby state transition 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4
886693-2 2-Critical BT886693 System might become unresponsive after upgrading. 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4
817085-4 2-Critical BT817085 Multicast Flood Can Cause the Host TMM to Restart 15.1.0, 14.1.4, 12.1.5.3
811973-2 2-Critical BT811973 TMM may crash when shutting down 15.1.0, 14.1.4
797221-1 2-Critical BT797221 BCM daemon can be killed by watchdog timeout during blade-to-blade failover 15.1.0, 14.1.4
785017-1 2-Critical BT785017 Secondary blades go offline after new primary is elected 16.1.0, 15.1.3, 14.1.4, 13.1.4
751991-1 2-Critical BT751991 BIOS update fails with "flashrom not safe for BIOS updates yet" log message 15.0.0, 14.1.4
739507-1 2-Critical BT739507 Improved recovery method for BIG-IP system that has halted from a failed FIPS integrity check 16.1.0, 15.1.0.5, 14.1.4, 13.1.1.2
739505-2 2-Critical BT739505 Automatic ISO digital signature checking not required when FIPS license active 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.1.2
973201 3-Major BT973201 F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions 16.1.0, 15.1.4, 14.1.4
967745-2 3-Major BT967745 Last resort pool error for the modify command for Wide IP 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.4
963017-3 3-Major BT963017 The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed 16.1.0, 15.1.3, 14.1.4
946745-3 3-Major BT946745 'System Integrity: Invalid' after Engineering Hotfix installation 16.1.0, 15.1.3, 14.1.4
943793 3-Major BT943793 Neurond continuously restarting. 16.1.0, 15.1.5.1, 14.1.4
939541-3 3-Major BT939541 TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE 16.1.0, 16.0.1.1, 15.1.3, 14.1.4
930905-1 3-Major BT930905 Management route lost after reboot. 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4
927941-3 3-Major BT927941 IPv6 static route BFD does not come up after OAMD restart 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6
914081-3 3-Major BT914081 Engineering Hotfixes missing bug titles 16.0.0, 15.1.3, 14.1.4
913433-1 3-Major BT913433 On blade failure, some trunked egress traffic is dropped. 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6
909197-5 3-Major BT909197 The mcpd process may become unresponsive 16.1.0, 16.0.1.1, 15.1.4.1, 14.1.4
904785-3 3-Major BT904785 Remotely authenticated users might not be able to log in over the serial console 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4
896817-4 3-Major BT896817 iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4
896553-2 3-Major BT896553 On blade failure, some trunked egress traffic is dropped. 16.0.0, 15.1.3, 14.1.4, 13.1.3.6
895837-1 3-Major BT895837 Mcpd crash when a traffic-matching-criteria destination-port-list is modified 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4
893949 3-Major BT893949 Support TCP directional offload for hardware-accelerated connections 14.1.4
893885 3-Major BT893885 The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation 16.1.0, 15.1.3, 14.1.4
891337-3 3-Major BT891337 'save_master_key(master): Not ready to save yet' errors in the logs 16.0.0, 15.1.3, 14.1.4
889029-4 3-Major BT889029 Unable to login if LDAP user does not have search permissions 16.1.0, 16.0.1.2, 15.1.3, 14.1.4
879829-3 3-Major BT879829 HA daemon sod cannot bind to ports numbered lower than 1024 16.1.0, 16.0.1.2, 15.1.3, 14.1.4
876805-1 3-Major BT876805 Modifying address-list resets the route advertisement on virtual servers. 16.1.0, 16.0.1.1, 15.1.3, 14.1.4
862937-2 3-Major BT862937 Running cpcfg after first boot can result in daemons stuck in restart loop 16.1.0, 16.0.1.2, 15.1.3, 14.1.4
838901-2 3-Major BT838901 TMM receives invalid rx descriptor from HSB hardware 16.0.0, 15.1.2, 14.1.4, 13.1.4
830413-4 3-Major BT830413 Intermittent Virtual Edition deployment failure due to inability to access the ssh host key in Azure 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4
820845-2 3-Major BT820845 Self-IP does not respond to (ARP / Neighbour Discovery) when EtherIP tunnels are in use. 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6
814053-2 3-Major BT814053 Under heavy load, bcm56xxd can be killed by the watchdog 15.1.0, 14.1.4
803237-4 3-Major BT803237 PVA does not validate interface MTU when setting MSS 16.0.0, 15.1.3, 14.1.4
799001-3 3-Major BT799001 Sflow agent does not handle disconnect from SNMPD manager correctly 16.1.0, 15.1.3, 14.1.4
787885-1 3-Major BT787885 The device status is falsely showing as forced offline on the network map while actual device status is not. 16.1.0, 16.0.1.1, 15.1.3, 14.1.4
759596-2 3-Major BT759596 Tcl errors in iRules 'table' command 15.0.0, 14.1.4, 13.1.3.6, 12.1.5.3
754132-2 3-Major BT754132 A NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command 15.0.0, 14.1.4, 13.1.3.6
751448-1 3-Major BT751448 TMM, ZebOS, and Linux routing table may lose dynamic routes on a tmm restart 15.0.0, 14.1.4
751021-1 3-Major BT751021 One or more TMM instances may be left without dynamic routes. 15.1.0, 14.1.4, 13.1.3.5
750194-4 3-Major   CVE-2018-18065: net-snmp security update 15.0.0, 14.1.4, 13.1.3.5
749007-2 3-Major BT749007 South Sudan is missing in the GTM region list 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3
744252-2 3-Major BT744252 BGP route map community value: either component cannot be set to 65535 15.0.0, 14.1.4, 13.1.3.6
719555-5 3-Major BT719555 Interface listed as 'disable' after SFP insertion and enable 16.0.0, 15.1.1, 14.1.4, 13.1.5
661640-1 3-Major BT661640 Improve fast failover of PIM-based multicast traffic when BIG-IP is deployed as an Active/Standby high availability (HA) pair. 15.1.0, 14.1.4
615934-4 3-Major BT615934 Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. 16.1.0, 15.1.3, 14.1.4, 13.1.3.5
966277-3 4-Minor BT966277 BFD down on multi-blade system 16.1.0, 16.0.1.1, 15.1.3, 14.1.4
959889-1 4-Minor BT959889 Cannot update firewall rule with ip-protocol property as 'any' 16.1.0, 15.1.3, 14.1.4
947865-3 4-Minor BT947865 Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read 16.1.0, 15.1.3, 14.1.4
774617-1 4-Minor BT774617 SNMP daemon reports integer truncation error for values greater than 32 bits 16.0.0, 15.1.0.4, 14.1.4


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
926929-2 1-Blocking BT926929 RFC Compliance Enforcement lacks configuration availability 16.1.0, 16.0.1.2, 15.1.2.1, 14.1.4, 13.1.4
910653-3 2-Critical BT910653 iRule parking in clientside/serverside command may cause tmm restart 16.1.0, 16.0.1.1, 15.1.3, 14.1.4
889209-1 2-Critical BT889209 Sflow receiver configuration may lead to egress traffic dropped after TMM starts. 16.0.0, 15.1.1, 14.1.4
882157-2 2-Critical BT882157 One thread of pkcs11d consumes 100% without any traffic. 16.0.0, 15.1.3, 14.1.4
876801-3 2-Critical BT876801 Tmm crash: invalid route type 16.0.0, 15.1.2, 14.1.4, 13.1.4
812525-3 2-Critical K27551003, BT812525 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4
968641-1 3-Major BT968641 Fix for zero LACP priority 16.0.1.2, 15.1.3, 14.1.4
965537 3-Major BT965537 SSL filter does not re-initialize when OCSP validator is modified 14.1.4
953845-4 3-Major BT953845 After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.4, 12.1.6
944641-3 3-Major BT944641 HTTP2 send RST_STREAM when exceeding max streams 16.1.0, 16.0.1.1, 15.1.4, 14.1.4
940209-1 3-Major BT940209 Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout. 15.1.2, 14.1.4
932033-1 3-Major BT932033 Chunked response may have DATA frame with END_STREAM prematurely 15.1.2, 14.1.4
928857-3 3-Major BT928857 Use of OCSP responder may leak X509 store instances 16.1.0, 15.1.3, 14.1.4
928805-3 3-Major BT928805 Use of OCSP responder may cause memory leakage 16.1.0, 15.1.3, 14.1.4
928789-3 3-Major BT928789 Use of OCSP responder may leak SSL handshake instances 16.1.0, 15.1.3, 14.1.4
921881-4 3-Major BT921881 Use of IPFIX log destination can result in increased CPU utilization 16.1.0, 16.0.1.2, 15.1.3, 14.1.4
892941-4 3-Major K20105555, BT892941 F5 SSL Orchestrator may fail to stop a malicious actor from exfiltrating data on a compromised client system (SNIcat) 16.1.0, 16.0.1.1, 15.1.2, 14.1.4
889601-1 3-Major K14903688, BT889601 OCSP revocation not properly checked 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4
889165-1 3-Major BT889165 "http_process_state_cx_wait" errors in log and connection reset 16.1.0, 15.1.3, 14.1.4
868209-1 3-Major BT868209 Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection 16.1.0, 15.1.2.1, 14.1.4
858701-3 3-Major BT858701 Running config and saved config have different route-advertisement values after upgrading from 11.x/12.x 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4
858301-3 3-Major K27551003, BT858301 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4, 12.1.5.2
858297-3 3-Major K27551003, BT858297 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4, 12.1.5.2
858289-3 3-Major K27551003, BT858289 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4
858285-3 3-Major K27551003, BT858285 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4
845333-3 3-Major BT845333 An iRule with a proc referencing a datagroup cannot be assigned to Transport Config 16.1.0, 16.0.1.1, 15.1.3, 14.1.4
818109-3 3-Major BT818109 Certain plaintext traffic may cause SSL Orchestrator to hang 16.0.0, 15.1.2.1, 14.1.4
795501-3 3-Major BT795501 Possible SSL crash during config sync 15.1.0, 14.1.4
790845-2 3-Major BT790845 An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default 16.0.0, 15.1.2, 14.1.4, 13.1.3.5
785877-2 3-Major BT785877 VLAN groups do not bridge non-link-local multicast traffic. 16.1.0, 16.0.1.2, 15.1.3, 14.1.4
767341-3 3-Major BT767341 If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file. 16.1.0, 16.0.1.2, 15.1.3, 14.1.4
758099-1 3-Major BT758099 TMM may crash in busy environment when handling HTTP responses 15.0.0, 14.1.4
757442-2 3-Major BT757442 A missed SYN cookie check causes crash at the standby TMM in HA mirroring system 15.0.0, 14.1.4, 13.1.3
753383-4 3-Major BT753383 Deadlock While Attaching NDAL Devices 15.1.0, 14.1.4
719304-1 3-Major BT719304 Inconsistent node ICMP monitor operation for IPv6 nodes 15.0.0, 14.1.4, 13.1.3
714642-4 3-Major BT714642 Ephemeral pool-member state on the standby is down 16.1.0, 16.0.1.1, 15.1.2, 14.1.4, 13.1.3.6
962177-3 4-Minor BT962177 Results of POLICY::names and POLICY::rules commands may be incorrect 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4, 13.1.4.1
804157-1 4-Minor BT804157 ICMP replies are forwarded with incorrect checksums causing them to be dropped 16.1.0, 16.0.1.2, 15.1.3, 14.1.4
772297-2 4-Minor BT772297 LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade 15.1.0, 14.1.4
748333-4 4-Minor BT748333 DHCP Relay does not retain client source IP address for chained relay mode 16.1.0, 16.0.1.1, 15.1.3, 14.1.4
743253-3 4-Minor BT743253 TSO in software re-segments L3 fragments. 16.1.0, 16.0.1.2, 15.1.3, 14.1.4
738032-1 4-Minor BT738032 BIG-IP system reuses cached session-id after SSL properties of the monitor have been changed. 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
960749-3 1-Blocking BT960749 TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.5, 12.1.6, 11.6.5.3
933405-3 1-Blocking K34257075, BT933405 Zonerunner GUI hangs when attempting to list Resource Records 16.1.0, 16.0.1.1, 15.1.4.1, 14.1.4
960437-3 2-Critical BT960437 The BIG-IP system may initially fail to resolve some DNS queries 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.5, 12.1.6, 11.6.5.3
905557-6 2-Critical BT905557 Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure 16.0.0, 15.1.2, 14.1.4, 13.1.5
921625-4 3-Major BT921625 The certs extend function does not work for GTM/DNS sync group 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6
891093-3 3-Major BT891093 iqsyncer does not handle stale pidfile 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4
858973-3 3-Major BT858973 DNS request matches less specific WideIP when adding new wildcard wideips 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4
885869-4 4-Minor BT885869 Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime 16.0.0, 15.1.5.1, 14.1.4
853585-2 4-Minor BT853585 REST Wide IP object presents an inconsistent lastResortPool value 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.6


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
846057-2 2-Critical BT846057 UCS backup archive may include unnecessary files 16.0.0, 15.1.3, 14.1.4, 13.1.4
960369-3 3-Major BT960369 Negative value suggested in Traffic Learning as max value 16.1.0, 16.0.1.2, 15.1.3, 14.1.4
941621-3 3-Major K91414704, BT941621 Brute Force breaks server's Post-Redirect-Get flow 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.4
929077-1 3-Major BT929077 Bot Defense allow list does not apply when using default Route Domain and XFF header 17.0.0, 16.1.4, 16.0.1.1, 15.1.3, 14.1.4
921677-4 3-Major BT921677 Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI. 16.1.0, 16.0.1.1, 15.1.3, 14.1.4
904053-4 3-Major BT904053 Unable to set ASM Main Cookie/Domain Cookie hashing to Never 16.1.0, 16.0.1.1, 15.1.2, 14.1.4, 13.1.3.6
867373-2 3-Major BT867373 Methods Missing From ASM Policy 16.0.0, 15.1.3, 14.1.4
864677-3 3-Major BT864677 ASM causes high mcpd CPU usage 16.0.0, 15.1.3, 14.1.4
964897-4 4-Minor BT964897 Live Update - Indication of "Update Available" when there is no available update 17.0.0, 16.0.1.2, 15.1.3, 14.1.4
935293-3 4-Minor BT935293 'Detected Violation' Field for event logs not showing 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.5
922785-4 4-Minor BT922785 Live Update scheduled installation is not installing on set schedule 17.0.0, 16.0.1.2, 15.1.3, 14.1.4
767941-1 4-Minor BT767941 Gracefully handle policy builder errors 15.1.0, 14.1.4, 13.1.3.6
758336-3 4-Minor BT758336 Incorrect recommendation in Online Help of Proactive Bot Defense 16.1.0, 15.1.2.1, 14.1.4, 13.1.1.5, 12.1.5


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
965581 2-Critical BT965581 Statistics are not reported to BIG-IQ 17.1.0, 15.1.4, 14.1.4
949593-2 3-Major BT949593 Unable to load config if AVR widgets were created under '[All]' partition 17.0.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4
743826-1 3-Major BT743826 Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0) 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6
648242-4 3-Major K73521040, BT648242 Administrator users unable to access all partition via TMSH for AVR reports 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 14.0.0.5, 13.1.0.8, 12.1.3.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
894565-2 2-Critical BT894565 Autodosd.default crash with SIGFPE 16.0.0, 15.1.3, 14.1.4
976501-3 3-Major BT976501 Failed to establish VPN connection 16.1.0, 15.1.3, 14.1.4, 13.1.3.6
952557-1 3-Major BT952557 Azure B2C Provider OAuth URLs are updated for B2Clogin.com 16.1.0, 15.1.3, 14.1.4
925573-3 3-Major BT925573 SIGSEGV: receiving a sessiondb callback response after the flow is aborted 15.1.3, 14.1.4
916969-2 3-Major BT916969 Support of Microsoft Identity 2.0 platform 16.1.0, 15.1.3, 14.1.4
892937-4 3-Major K20105555, BT892937 F5 SSL Orchestrator may fail to stop a malicious actor from exfiltrating data on a compromised client system (SNIcat) 16.1.0, 16.0.1, 15.1.1, 14.1.4
850277-3 3-Major BT850277 Memory leak when using OAuth 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4, 13.1.3.4
774301-4 3-Major BT774301 Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList 15.1.0, 15.0.1.3, 14.1.4, 12.1.5
709126-1 3-Major BT709126 Localdb authentication may fail 15.0.0, 14.1.4
833049-2 4-Minor BT833049 Category lookup tool in GUI may not match actual traffic categorization 16.0.0, 15.1.2, 14.1.4, 13.1.3.5


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
952545-3 3-Major BT952545 'Current Sessions' statistics of HTTP2 pool may be incorrect 16.1.0, 16.0.1.1, 15.1.3, 14.1.4
939529-3 3-Major BT939529 Branch parameter not parsed properly when topmost via header received with comma separated values 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3
913373-3 3-Major BT913373 No connection error after failover with MRF, and no connection mirroring 16.1.0, 16.0.1.1, 15.1.3, 14.1.4


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
969509-3 3-Major BT969509 Possible memory corruption due to DOS vector reset 16.1.0, 16.0.1.2, 15.1.3, 14.1.4
965617-1 3-Major BT965617 HSB mitigation is not applied on BDoS signature with stress-based mitigation mode 16.1.0, 16.0.1.1, 15.1.3, 14.1.4
963237-1 3-Major BT963237 Non-EDNS responses with RCODE FORMERR are blocked by AFM MARFORM vector. 16.1.0, 16.0.1.1, 15.1.3, 14.1.4
910417-3 3-Major BT910417 TMM core may be seen when reattaching a vector to a DoS profile 16.1.0, 16.0.1.2, 15.1.2, 14.1.4
903561-2 3-Major BT903561 Autodosd returns small bad destination detection value when the actual traffic is high 16.0.0, 15.1.3, 14.1.4
887017-2 3-Major BT887017 The dwbld daemon consumes a large amount of memory 16.0.0, 15.1.3, 14.1.4
840809-1 3-Major BT840809 If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged 16.0.0, 15.1.2, 14.1.4
837233-1 3-Major BT837233 Application Security Administrator user role cannot use GUI to manage DoS profile 16.0.0, 15.1.3, 14.1.4
819321-1 3-Major BT819321 DoS stats table shows drops count on tcp-half-open global vector for packets dropped by ltm syn cookie 15.1.0, 14.1.4
789857-1 3-Major BT789857 'TCP half open' reports drops made by LTM syn-cookies mitigation. 15.1.1, 14.1.4
773773-2 3-Major BT773773 DoS auto-threshold detection values are not reloaded correctly after a reboot. 15.1.0, 14.1.4
760497-1 3-Major BT760497 Invalid configuration parameters are visible when Dos Vector is in "Auto Detection/Multiplier Based Mitigation" 15.0.0, 14.1.4
759004-2 3-Major BT759004 Autodosd history files not loaded correctly after software upgrade 15.1.0, 14.1.4
753141-2 3-Major BT753141 Hardware returning incorrect type of entry when notifying software might cause tmm crash 15.0.0, 14.1.4
686043-1 3-Major BT686043 dos.maxicmpframesize and dos.maxicmp6framesize sys db variables do not work for fragmented ICMP packets 15.1.0, 14.1.4
967889-2 4-Minor BT967889 Incorrect information for custom signature in DoS Protection:DoS Overview (non-http) 16.1.0, 15.1.3, 14.1.4
748561-1 4-Minor BT748561 Network Firewall : Active Rules page does not list active rule entries for firewall policies associated with any context 16.0.0, 15.1.3, 14.1.4


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
845313 2-Critical BT845313 Tmm crash under heavy load 16.0.0, 15.1.2.1, 14.1.4
941169-1 3-Major BT941169 Subscriber Management is not working properly with IPv6 prefix flows. 16.1.0, 15.1.2.1, 14.1.4
875401-3 3-Major BT875401 PEM subscriber lookup can fail for internet side new connections 16.0.0, 15.1.2.1, 14.1.4
842989-7 3-Major BT842989 PEM: tmm could core when running iRules on overloaded systems 16.1.0, 15.1.2, 14.1.4


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
928553-1 2-Critical BT928553 LSN64 with hairpinning can lead to a tmm core in rare circumstances 16.1.0, 16.0.1.1, 15.1.3, 14.1.4
966681-2 3-Major BT966681 NAT translation failures while using SP-DAG in a multi-blade chassis 16.1.0, 16.0.1.1, 15.1.3, 14.1.4


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
943889-1 2-Critical BT943889 Reopening the publisher after a failed publishing attempt 14.1.4, 13.1.3.5


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
932737-1 2-Critical BT932737 DNS & BADOS high-speed logger messages are mixed 16.0.1.2, 15.1.3, 14.1.4
922597-1 3-Major BT922597 BADOS default sensitivity of 50 creates false positive attack on some sites 16.1.0, 15.1.3, 14.1.4
915489-1 4-Minor BT915489 LTM Virtual Server Health is not affected by iRule Requests dropped 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
768085-3 4-Minor BT768085 Error in python script /usr/libexec/iAppsLX_save_pre line 79 16.1.0, 16.0.1.1, 15.1.3, 14.1.4


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
964585-4 3-Major BT964585 "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update 16.1.0, 16.0.1.2, 15.1.3, 14.1.4
825501-1 3-Major BT825501 IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline. 16.1.0, 16.0.1.1, 15.1.3, 14.1.4



Cumulative fixes from BIG-IP v14.1.3.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
950077-3 CVE-2021-22987, CVE-2021-22988 K18132488, K70031188, BT950077 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3
943125-3 CVE-2021-23010 K18570111, BT943125 ASM bd may crash while processing WebSocket traffic 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3
941449-4 CVE-2021-22993 K55237223, BT941449 BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3
935029-1 CVE-2020-27720 K04048104, BT935029 TMM may crash while processing IPv6 NAT traffic 16.1.0, 16.0.1, 15.1.1, 14.1.3.1
932065-3 CVE-2021-22978 K87502622, BT932065 iControl REST vulnerability CVE-2021-22978 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3, 11.6.5.3
931513-2 CVE-2021-22977 K14693346, BT931513 TMM vulnerability CVE-2021-22977 16.1.0, 16.0.1.1, 15.1.1, 14.1.3.1, 13.1.3.6
928321-3 CVE-2020-27719 K19166530, BT928321 K19166530: XSS vulnerability CVE-2020-27719 16.1.0, 16.0.1, 15.1.1, 14.1.3.1
921337-3 CVE-2021-22976 K88230177, BT921337 BIG-IP ASM WebSocket vulnerability CVE-2021-22976 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3
917509-5 CVE-2020-27718 K58102101, BT917509 BIG-IP ASM vulnerability CVE-2020-27718 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3, 11.6.5.3
916821-4 CVE-2021-22974 K68652018, BT916821 iControl REST vulnerability CVE-2021-22974 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6
908673-3 CVE-2020-27717 K43850230, BT908673 TMM may crash while processing DNS traffic 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3
904165-3 CVE-2020-27716 K51574311, BT904165 BIG-IP APM vulnerability CVE-2020-27716 16.0.0, 15.1.1, 14.1.3.1, 13.1.5
882189-5 CVE-2020-5897 K20346072, BT882189 BIG-IP Edge Client for Windows vulnerability CVE-2020-5897 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5
882185-5 CVE-2020-5897 K20346072, BT882185 BIG-IP Edge Client Windows ActiveX 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.2
881317-4 CVE-2020-5896 K15478554, BT881317 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5
881293-5 CVE-2020-5896 K15478554, BT881293 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5
754855-2 CVE-2020-27714 K60344652, BT754855 TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile 16.0.0, 15.1.1, 14.1.3.1, 13.1.4
939845-3 CVE-2021-23004 K31025212, BT939845 BIG-IP MPTCP vulnerability CVE-2021-23004 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3
939841-3 CVE-2021-23003 K43470422, BT939841 BIG-IP MPTCP vulnerability CVE-2021-23003 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3
928037-3 CVE-2020-27729 K15310332, BT928037 APM Hardening 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5
919841-1 CVE-2020-27728 K45143221, BT919841 AVRD may crash while processing Bot Defense traffic 16.1.0, 16.0.1, 15.1.1, 14.1.3.1
912969-4 CVE-2020-27727 K50343630, BT912969 iAppsLX REST vulnerability CVE-2020-27727 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5
905125-3 CVE-2020-27726 K30343902, BT905125 Security hardening for APM Webtop 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5
904937-4 CVE-2020-27725 K25595031, BT904937 Excessive resource consumption in zxfrd 16.0.0, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3, 11.6.5.3
898949-3 CVE-2020-27724 K04518313, BT898949 APM may consume excessive resources while processing VPN traffic 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.3.1, 13.1.3.5, 12.1.5.3, 11.6.5.3
881445-5 CVE-2020-5898 K69154630, BT881445 BIG-IP Edge Client for Windows vulnerability CVE-2020-5898 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.2
880361-3 CVE-2021-22973 K13323323, BT880361 iRules LX vulnerability CVE-2021-22973 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3
842829-3 CVE-2018-16300, CVE-2018-14881, CVE-2018-14882, CVE-2018-16230, CVE-2018-16229, CVE-2018-16227, CVE-2019-15166, CVE-2018-16228, CVE-2018-16451, CVE-2018-16452, CVE-2018-10103, CVE-2018-10105, CVE-2018-14468 K04367730, BT842829 Multiple tcpdump vulnerabilities 16.0.0, 15.1.3, 14.1.3.1, 13.1.4.1
842717-4 CVE-2020-5855 K55102004, BT842717 BIG-IP Edge Client for Windows vulnerability CVE-2020-5855 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3
832757-5 CVE-2017-18551 K48073202, BT832757 Linux kernel vulnerability CVE-2017-18551 15.1.3, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3
831777-3 CVE-2020-27723 K42933418, BT831777 Tmm crash in Ping access use case 15.1.0, 14.1.3.1, 13.1.3.5
811965-2 CVE-2020-27722 K73657294, BT811965 Some VDI use cases can cause excessive resource consumption 15.1.0, 15.0.1.4, 14.1.3.1, 13.1.3.5
778049-4 CVE-2018-13405 K00854051, BT778049 Linux Kernel Vulnerability: CVE-2018-13405 16.1.0, 16.0.1, 15.1.1, 15.0.1.4, 14.1.3.1, 13.1.3.5
693360-4 CVE-2020-27721 K52035247, BT693360 A virtual server status changes to yellow while still available 16.1.0, 16.0.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3
639773-1 CVE-2021-22983 K76518456 BIG-IP AFM vulnerability CVE-2021-22983 16.0.1, 15.1.1, 14.1.3.1
852929-7 CVE-2020-5920 K25160703, BT852929 AFM WebUI Hardening 16.0.0, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.2, 11.6.5.2
825413-2 CVE-2021-23053 K36942191, BT825413 ASM may consume excessive resources when matching signatures 16.0.0, 15.1.3, 14.1.3.1, 13.1.3.6
818213-2 CVE-2019-10639 K32804955, BT818213 CVE-2019-10639: KASLR bypass using connectionless protocols 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5
773693-5 CVE-2020-5892 K15838353, BT773693 CVE-2020-5892: APM Client Vulnerability 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 11.6.5.2
834533-2 CVE-2019-15916 K57418558, BT834533 Linux kernel vulnerability CVE-2019-15916 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
920961-3 3-Major BT920961 Devices incorrectly report 'In Sync' after an incremental sync 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
756139-1 3-Major BT756139 Inconsistent logging of hostname files when hostname contains periods 16.0.1.1, 15.1.2, 14.1.3.1
921421-1 4-Minor BT921421 iRule support to get/set UDP's Maximum Buffer Packets 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
809553 1-Blocking BT809553 ONAP Licensing - Cipher negotiation fails 15.1.0, 14.1.3.1
957337-4 2-Critical BT957337 Tab complete in 'mgmt' tree is broken 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
954025 2-Critical BT954025 "switchboot -b HD1.1" fails to reboot chassis 14.1.3.1
933409-4 2-Critical BT933409 Tomcat upgrade via Engineering Hotfix causes live-update files removal 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
927033-1 2-Critical BT927033 Installer fails to calculate disk size of destination volume 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
910201-1 2-Critical BT910201 OSPF - SPF/IA calculation scheduling might get stuck infinitely 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5
896217-4 2-Critical BT896217 BIG-IP GUI unresponsive 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5
860517-3 2-Critical BT860517 MCPD may crash on startup with many thousands of monitors on a system with many CPUs. 16.0.0, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3
829277-1 2-Critical BT829277 A Large /config folder can cause memory exhaustion during live-install 16.0.0, 15.1.2.1, 14.1.3.1
796601-4 2-Critical BT796601 Invalid parameter in errdefsd while processing hostname db_variable 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5
787285 2-Critical BT787285 Configuration fails to load after install of v14.1.0 or v14.1.2 on BIG-IP 800 14.1.3.1
770989 2-Critical BT770989 Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x. 14.1.3.1, 13.1.3.5
769817-3 2-Critical BT769817 BFD fails to propagate sessions state change during blade restart 15.1.0, 15.0.1.4, 14.1.3.1, 13.1.3.5, 12.1.5.3, 11.6.5.1
706521-4 2-Critical K21404407, BT706521 The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3
934941-3 3-Major BT934941 Platform FIPS power-up self test failures not logged to console 16.1.0, 15.1.3, 14.1.3.1
930741-1 3-Major BT930741 Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot 16.1.0, 15.1.2, 14.1.3.1, 13.1.3.6
920301-2 3-Major BT920301 Unnecessarily high number of JavaScript Obfuscator instances when device is busy 15.1.2, 14.1.3.1
915825-4 3-Major BT915825 Configuration error caused by Drafts folder in a deleted custom partition while upgrading. 16.1.0, 15.1.1, 14.1.3.1, 13.1.3.5
915497-3 3-Major BT915497 New Traffic Class Page shows multiple question marks. 16.1.0, 16.0.1.1, 15.1.0.5, 14.1.3.1
911809-1 3-Major BT911809 TMM might crash when sending out oversize packets. 16.0.0, 15.1.2, 14.1.3.1
908021-2 3-Major BT908021 Management and VLAN MAC addresses are identical 16.1.0, 15.1.3, 14.1.3.1, 13.1.3.5
904845-3 3-Major BT904845 VMware guest OS customization works only partially in a dual stack environment. 16.1.0, 16.0.1, 15.1.1, 14.1.3.1
902401-3 3-Major BT902401 OSPFd SIGSEGV core when 'ospf clear' is done on remote device 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
898705-3 3-Major BT898705 IPv6 static BFD configuration is truncated or missing 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5
898461-4 3-Major BT898461 Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context' 16.1.0, 16.0.1.1, 15.1.1, 14.1.3.1
889041-1 3-Major BT889041 Failover scripts fail to access resolv.conf due to permission issues 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
886689-4 3-Major BT886689 Generic Message profile cannot be used in SCTP virtual 16.1.0, 16.0.1, 15.1.1, 15.0.1.4, 14.1.3.1
867181-3 3-Major BT867181 ixlv: double tagging is not working 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6
865241-3 3-Major BT865241 Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0" 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6
865177-2 3-Major BT865177 Cert-LDAP returning only first entry in the sequence that matches san-other oid 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1
860317-1 3-Major BT860317 JavaScript Obfuscator can hang indefinitely 16.0.0, 15.1.2, 14.1.3.1
851733-1 3-Major BT851733 Tcpdump messages (warning, error) are sent to stdout instead of stderr 16.0.0, 14.1.3.1
850777-1 3-Major BT850777 BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config 16.0.0, 15.1.1, 14.1.3.1
846441-1 3-Major BT846441 Flow-control is reset to default for secondary blade's interface 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5
846137-3 3-Major BT846137 The icrd returns incorrect route names in some cases 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5
843597-3 3-Major BT843597 Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6
829193-2 3-Major BT829193 REST system unavailable due to disk corruption 16.0.0, 15.1.0.4, 14.1.3.1, 13.1.3.6
826905-1 3-Major BT826905 Host traffic via IPv6 route pool uses incorrect source address 16.0.0, 15.1.2, 14.1.3.1
806073-3 3-Major BT806073 MySQL monitor fails to connect to MySQL Server v8.0 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1
795649-3 3-Major BT795649 Loading UCS from one iSeries model to another causes FPGA to fail to load 16.0.0, 15.1.0.3, 14.1.3.1, 13.1.3.5, 12.1.5.2
788577-4 3-Major BT788577 BFD sessions may be reset after CMP state change 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.2, 11.6.5.2
783113-4 3-Major BT783113 BGP sessions remain down upon new primary slot election 15.1.0, 15.0.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3, 11.6.5.2
767737-2 3-Major BT767737 Timing issues during startup may make an HA peer stay in the inoperative state 16.0.0, 15.1.2.1, 14.1.3.1, 13.1.3.5
755197-3 3-Major BT755197 UCS creation might fail during frequent config save transactions 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5
754971-2 3-Major BT754971 OSPF inter-process redistribution might break OSPF route redistribution of various types. 15.0.0, 14.1.3.1, 13.1.3.5
751584-1 3-Major BT751584 Custom MIB actions can be blocked by SELINUX permissions 15.0.0, 14.1.3.1
740589-1 3-Major BT740589 MCPD crashes with core after 'tmsh edit /sys syslog all-properties' 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5
737098-2 3-Major BT737098 ASM Sync does not work when the configsync IP address is an IPv6 address 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5
652502-3 3-Major BT652502 SNMP queries return 'No Such Object available' error for LTM OIDs 15.0.0, 14.1.3.1, 13.1.1.4
933461-3 4-Minor BT933461 BGP multi-path candidate selection does not work properly in all cases. 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3
924429-3 4-Minor BT924429 Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
892677-4 4-Minor BT892677 Loading config file with imish adds the newline character 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6
882713-1 4-Minor BT882713 BGP SNMP trap has the wrong sysUpTime value 16.0.0, 15.1.2, 14.1.3.1
864757-2 4-Minor BT864757 Traps that were disabled are enabled after configuration save 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5
722230-3 4-Minor BT722230 Cannot delete FQDN template node if another FQDN node resolves to same IP address 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.3.1, 13.1.3.4, 12.1.5.2
591732-5 4-Minor BT591732 Local password policy not enforced when auth source is set to a remote type. 15.1.0, 15.0.1.4, 14.1.3.1, 13.1.3.5, 12.1.5.1
583084-8 4-Minor K15101680, BT583084 iControl produces 404 error while creating records successfully 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5
849085-3 5-Cosmetic BT849085 Lines with only asterisks filling message and user.log file 16.0.0, 15.1.1, 14.1.3.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
941089 2-Critical BT941089 TMM core when using Multipath TCP 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3
911041-2 2-Critical BT911041 Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash 16.1.0, 16.0.1.2, 15.1.2.1, 14.1.3.1
891849-2 2-Critical BT891849 Running iRule commands while suspending iRule commands that are running can lead to a crash 16.1.0, 14.1.3.1
879409-2 2-Critical BT879409 TMM core with mirroring traffic due to unexpected interface name length 16.0.0, 15.1.1, 14.1.3.1
851857-3 2-Critical BT851857 HTTP 100 Continue handling does not work when it arrives in multiple packets 16.0.0, 15.1.1, 14.1.3.1, 13.1.3.5
851345-2 2-Critical BT851345 The TMM may crash in certain rare scenarios involving HTTP/2 16.0.0, 15.1.2, 14.1.3.1
850873-1 2-Critical BT850873 LTM global SNAT sets TTL to 255 on egress. 16.0.0, 15.1.2, 14.1.3.1
824881-2 2-Critical BT824881 A rare TMM crash caused by the fix for ID 816625 15.1.0, 15.0.1.1, 14.1.3.1
811161-1 2-Critical BT811161 Tmm crash SIGSEGV - virtual_address_update() in ../mcp/db_vip.c:1992 15.1.0, 14.1.3.1
766509-1 2-Critical BT766509 Strict internal checking might cause tmm crash 15.0.0, 14.1.3.1
705768-1 2-Critical BT705768 The dynconfd process may core and restart with multiple DNS name servers configured 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.2
951033-2 3-Major BT951033 Virtual server resets all the connections for rstcause 'VIP disabled (administrative)' 15.1.0, 14.1.3.1, 13.1.3.5
949145-4 3-Major BT949145 Improve TCP's response to partial ACKs during loss recovery 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3
948757-3 3-Major BT948757 A snat-translation address responds to ARP requests but not to ICMP ECHO requests. 16.1.0, 16.0.1, 15.1.2, 14.1.3.1
915689-4 3-Major BT915689 HTTP/2 dynamic header table may fail to identify indexed headers on the response side. 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5
915605-1 3-Major K56251674, BT915605 Image install fails if iRulesLX is provisioned and /usr mounted read-write 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5
913249-4 3-Major BT913249 Restore missing UDP statistics 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
901929-4 3-Major BT901929 GARPs not sent on virtual server creation 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
892385-2 3-Major BT892385 HTTP does not process WebSocket payload when received with server HTTP response 16.1.0, 16.0.1, 15.1.1, 15.0.1.4, 14.1.3.1, 13.1.3.5
879413-3 3-Major BT879413 Statsd fails to start if one or more of its *.info files becomes corrupted 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3
862597-5 3-Major BT862597 Improve MPTCP's SYN/ACK retransmission handling 16.0.0, 15.1.0.2, 14.1.3.1, 13.1.3.5
860005-3 3-Major BT860005 Ephemeral nodes/pool members may be created for wrong FQDN name 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.2
857845-6 3-Major BT857845 TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6
851477-3 3-Major BT851477 Memory allocation failures during proxy initialization are ignored leading to TMM cores 16.0.0, 15.1.1, 14.1.3.1
851045-3 3-Major BT851045 LTM database monitor may hang when monitored DB server goes down 16.0.0, 15.1.1, 14.1.3.1, 13.1.3.6, 12.1.5.3
850145-3 3-Major BT850145 Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed 16.0.0, 15.1.2, 14.1.3.1
823921-2 3-Major BT823921 FTP profile causes memory leak 15.1.0, 14.1.3.1
820333-3 3-Major BT820333 LACP working member state may be inconsistent when blade is forced offline 16.0.0, 15.1.2, 14.1.3.1
819329-2 3-Major BT819329 Specific FIPS device errors will not trigger failover 16.1.0, 16.0.1.2, 15.1.4, 14.1.3.1, 13.1.5
818853-3 3-Major BT818853 Duplicate MAC entries in FDB 16.0.0, 15.1.0.2, 14.1.3.1, 13.1.3.5
809701-2 3-Major BT809701 Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist 16.0.0, 15.1.2, 15.0.1.3, 14.1.3.1
805017-2 3-Major BT805017 DB monitor marks pool member down if no send/recv strings are configured 15.1.0, 15.0.1.3, 14.1.3.1, 13.1.3.6, 12.1.5.3
803233-3 3-Major BT803233 Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable 16.1.0, 16.0.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.2
796993-1 3-Major BT796993 Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs 15.1.0, 14.1.3.1, 13.1.3.4, 12.1.5.3
787853-2 3-Major BT787853 BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps. 15.1.0, 14.1.3.1
786517-3 3-Major BT786517 Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address 16.0.0, 15.1.0.5, 14.1.3.1, 13.1.3.5
783617-1 3-Major BT783617 Virtual server resets connections when all pool members are marked disabled 15.1.0, 14.1.3.1, 13.1.3.5
776229-2 3-Major BT776229 iRule 'pool' command no longer accepts pool members with ports that have a value of zero 15.1.0, 14.1.3.1, 13.1.3.4
759480-3 3-Major BT759480 HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash 15.0.0, 14.1.3.1, 13.1.3.4, 12.1.5
759056-2 3-Major BT759056 stpd memory leak on secondary blades in a multi-blade system 15.0.0, 14.1.3.1, 13.1.3.6
753805-3 3-Major BT753805 BIG-IP system failed to advertise virtual address even after the virtual address was in Available state. 15.0.0, 14.1.3.1, 13.1.3.4, 12.1.5.3
753594-2 3-Major BT753594 In-TMM monitors may have duplicate instances or stop monitoring 15.0.0, 14.1.3.1, 13.1.3
750278-4 3-Major K25165813, BT750278 A sub-second timeout for the SSL alert-timeout option may be desirable in certain cases 15.1.0, 15.0.1.3, 14.1.3.1
745682-1 3-Major BT745682 Failed to parse X-Forwarded-For header in HTTP requests 15.0.0, 14.1.3.1, 13.1.3.6
724824-3 3-Major BT724824 Ephemeral nodes on peer devices report as unknown and unchecked after full config sync 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3
722707-2 3-Major BT722707 mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall 15.0.0, 14.1.3.1, 13.1.3.6, 12.1.5.3
720440-4 3-Major BT720440 Radius monitor marks pool members down after 6 seconds 16.0.0, 15.1.0.5, 14.1.3.1, 13.1.3.6, 12.1.5.2
718790-1 3-Major BT718790 Virtual server reports unavailable and resets connection erroneously. 15.1.0, 14.1.3.1
710930-3 3-Major BT710930 Enabling BigDB key bigd.tmm may cause SSL monitors to fail 15.1.0, 14.1.3.1, 13.1.3.5
935593-3 4-Minor BT935593 Incorrect SYN re-transmission handling with FastL4 timestamp rewrite 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.5
932937-3 4-Minor BT932937 HTTP Explicit Proxy configurations can result in connections hanging until idle timeout. 16.1.0, 16.0.1, 15.1.1, 14.1.3.1
895153-2 4-Minor BT895153 HTTP::has_responded returns incorrect values when using HTTP/2 15.1.2, 14.1.3.1
895141 4-Minor BT895141 HTTP::has_responded returns incorrect values when using HTTP/2 14.1.3.1
822025-2 4-Minor BT822025 HTTP response not forwarded to client during an early response 15.1.0.2, 15.0.1.4, 14.1.3.1, 13.1.3.6, 12.1.5.3
808409-3 4-Minor BT808409 Unable to specify if giaddr will be modified in DHCP relay chain 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3
801705-4 4-Minor BT801705 When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC 16.0.0, 15.1.5.1, 14.1.3.1, 13.1.3.6
781225-2 4-Minor BT781225 HTTP profile Response Size stats incorrect for keep-alive connections 15.1.0, 14.1.3.1, 13.1.3.5, 12.1.5.3
726983-2 4-Minor BT726983 Inserting multi-line HTTP header not handled correctly 15.0.0, 14.1.3.1, 13.1.3.5, 12.1.5.3
859717-3 5-Cosmetic BT859717 ICMP-limit-related warning messages in /var/log/ltm 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
919553-3 2-Critical BT919553 GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets. 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5
837637-2 2-Critical K02038650, BT837637 Orphaned bigip_gtm.conf can cause config load failure after upgrading 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
788465-2 2-Critical BT788465 DNS cache idx synced across HA group could cause tmm crash 16.1.0, 16.0.1, 15.1.1, 14.1.3.1
926593-3 3-Major BT926593 GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout' 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
852101-3 3-Major BT852101 Monitor fails. 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6
844689-3 3-Major BT844689 Possible temporary CPU usage increase with unusually large named.conf file 16.0.0, 15.1.2, 14.1.3.1
781829-1 3-Major BT781829 GTM TCP monitor does not check the RECV string if the server response string does not end with \n 15.1.0, 14.1.3.1, 13.1.3.5
644192-4 3-Major K23022557, BT644192 Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.5, 11.6.5.3


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
940249-3 2-Critical BT940249 Sensitive data is not masked after "Maximum Array/Object Elements" is reached 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.6, 11.6.5.3
927617-3 2-Critical BT927617 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3
941853-2 3-Major BT941853 Logging Profiles do not disassociate from virtual server when multiple changes are made 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3
940897-2 3-Major BT940897 Violations are detected for an incorrect parameter when "Maximum Array/Object Elements" is reached 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.6
893061-1 3-Major BT893061 Out of memory for restjavad 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
884425-1 3-Major BT884425 Creation of new allowed HTTP URL is not possible 16.0.0, 15.1.3, 14.1.3.1
868053-1 3-Major BT868053 Live Update service indicates update available when the latest update was already installed 16.0.0, 15.1.3, 14.1.3.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
910097-3 2-Critical BT910097 Changing per-request policy while tmm is under traffic load may drop heartbeats 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
896709-2 2-Critical BT896709 Add support for Restart Desktop for webtop in VMware VDI 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1, 13.1.3.6
760130-3 2-Critical BT760130 [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK 15.0.0, 14.1.3.1, 13.1.3
748572-2 2-Critical BT748572 Occasionally ramcache might crash when data is sent without the corresponding event. 15.0.0, 14.1.3.1
924929-1 3-Major BT924929 Logging improvements for VDI plugin 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1, 13.1.3.6
914649-2 3-Major BT914649 Support USB redirection through VVC (VMware virtual channel) with BlastX 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6
771961-1 3-Major BT771961 While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core 16.0.0, 15.1.1, 14.1.3.1
760629-3 3-Major BT760629 Remove Obsolete APM keys in BigDB 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1, 13.1.3.6, 12.1.5.3
759356-2 3-Major BT759356 Access session data cache might leak if there are multiple TMMs 15.1.0, 14.1.3.1
747020-1 3-Major BT747020 Requests that evaluate to same subsession can be processed concurrently 16.1.0, 16.0.1, 15.1.1, 14.1.3.1
739570-3 3-Major BT739570 Unable to install EPSEC package 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
904373-1 3-Major BT904373 MRF GenericMessage: Implement limit to message queues size 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.3.1
891385-4 3-Major BT891385 Add support for URI protocol type "urn" in MRF SIP load balancing 16.1.0, 16.0.1, 15.1.1, 14.1.3.1
924349-1 4-Minor   DIAMETER MRF is not compliant with RFC 6733 for Host-ip-Address AVP over SCTP 16.1.0, 16.0.1, 15.1.1, 14.1.3.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
938165-2 2-Critical BT938165 TMM Core after attempted update of IP geolocation database file 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1
747225-1 2-Critical BT747225 PCCD may get into crash-loop after BIG-IP upgrade or after BIG-IP restart 15.0.0, 14.1.3.1
872645 3-Major BT872645 Protected Object Aggregate stats are causing elevated CPU usage 16.0.0, 15.1.1, 14.1.3.1
813301 3-Major BT813301 LSN_PB_UPDATE logs are not generated when subscriber info changes 15.1.0, 14.1.3.1
781425 3-Major BT781425 Firewall rule list configuration causes config load failure 15.1.0, 14.1.3.1
920361-4 4-Minor BT920361 Standby device name sent in Traffic Statistics syslog/Splunk messages 16.1.0, 15.1.1, 14.1.3.1


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
783289-1 2-Critical BT783289 PEM actions not applied in VE bigTCP. 15.1.0, 14.1.3.1, 13.1.3.5


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
815001-1 2-Critical BT815001 TMM Crash with inbound traffic during high availability (HA) failover 15.1.0, 14.1.3.1


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
940401-3 5-Cosmetic BT940401 Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection' 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
944785-1 3-Major BT944785 Admd restarting constantly. Out of memory due to loading malformed state file 16.1.0, 16.0.1.2, 15.1.2, 14.1.3.1
923125-1 3-Major BT923125 Huge amount of admd processes caused oom 16.1.0, 15.1.2, 14.1.3.1
818465-2 3-Major BT818465 Unnecessary memory allocation in AVR module 15.1.0, 14.1.3.1


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
767613-2 3-Major BT767613 Restjavad can keep partially downloaded files open indefinitely 15.1.0, 14.1.3.1, 13.1.3.5



Cumulative fixes from BIG-IP v14.1.3 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
928029 2-Critical BT928029 Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis 17.1.0, 15.1.4, 14.1.3
905849 3-Major BT905849 FastL4 UDP flows might not get offloaded to hardware 14.1.3
829317-6 3-Major BT829317 Memory leak in icrd_child due to concurrent REST usage 16.0.0, 15.1.0.2, 14.1.3.1, 14.1.3, 13.1.4


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
943101 2-Critical BT943101 Tmm crash in cipher group delete. 17.1.0, 15.1.4, 14.1.3
934461 2-Critical BT934461 Connection error with server with TLS1.3 single-dh-use. 17.1.0, 15.1.4, 14.1.3
915957 2-Critical BT915957 The wocplugin may get into a restart loop when AAM is provisioned 15.1.2, 14.1.3
939209-3 3-Major BT939209 FIPS 140-2 SP800-56Arev3 compliance 16.1.0, 14.1.3
930385 3-Major BT930385 SSL filter does not re-initialize when an OCSP object is modified 17.1.0, 15.1.4, 14.1.3
921721-2 3-Major BT921721 FIPS 140-2 SP800-56Arev3 compliance 16.1.0, 15.1.3, 14.1.3
809597-3 3-Major BT809597 Memory leak in icrd_child observed during REST usage 16.0.0, 15.1.0.2, 14.1.3, 13.1.4
629787-1 3-Major BT629787 vCMP hypervisor version mismatch may cause connection mirroring problems. 15.1.0, 14.1.3


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
934393 1-Blocking BT934393 APM authentication fails due to delay in sessionDB readiness 17.1.0, 15.1.4, 14.1.3


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
697331-3 3-Major BT697331 Some TMOS tools for querying various DBs fail when only a single TMM is running 16.0.0, 15.1.1, 14.1.3.1, 14.1.3


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
892621-2 3-Major BT892621 Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software 16.0.0, 15.1.0.4, 14.1.3


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
927993-4 1-Blocking K97501254, BT927993 Built-in SSL Orchestrator RPM installation failure 16.1.0, 16.0.1.1, 15.1.2, 14.1.4, 14.1.3, 13.1.3.6, 12.1.5.3



Cumulative fixes from BIG-IP v14.1.2.8 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
935721-4 CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 K82252291, BT935721 ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 16.1.0, 16.0.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3
933741-4 CVE-2021-22979 K63497634, BT933741 BIG-IP FPS XSS vulnerability CVE-2021-22979 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3
911761-4 CVE-2020-5948 K42696541, BT911761 F5 TMUI XSS vulnerability CVE-2020-5948 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3
879745-1 CVE-2020-5942 K82530456 TMM may crash while processing Diameter traffic 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3
917469-4 CVE-2020-5946 K53821711, BT917469 TMM may crash while processing FPS traffic 16.1.0, 16.0.1, 15.1.1, 14.1.2.8
910017-4 CVE-2020-5945 K21540525, BT910017 Security hardening for the TMUI Interface page 16.1.0, 16.0.1, 15.1.1, 14.1.2.8
907201-1 CVE-2021-23039 K66782293, BT907201 TMM may crash when processing IPSec traffic 16.1.0, 16.0.1.2, 15.1.3, 14.1.2.8, 13.1.5
889557-2 CVE-2019-11358 K20455158, BT889557 jQuery Vulnerability CVE-2019-11358 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.6, 11.6.5.3
870273-3 CVE-2020-5936 K44020030, BT870273 TMM may consume excessive resources when processing SSL traffic 16.0.0, 15.1.1, 14.1.2.8, 13.1.5, 12.1.5.2
856961-2 CVE-2018-12207 K17269881, BT856961 INTEL-SA-00201 MCE vulnerability CVE-2018-12207 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.8, 13.1.3.5
751036-1 CVE-2020-27721 K52035247, BT751036 Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone 15.1.0, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3
818177-4 CVE-2019-12295 K06725231, BT818177 CVE-2019-12295 Wireshark Vulnerability 16.0.0, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3
717276-7 CVE-2020-5930 K20622530, BT717276 TMM Route Metrics Hardening 16.0.0, 15.1.0.5, 14.1.2.8, 13.1.3.4, 12.1.5.3, 11.6.5.3
858537-3 CVE-2019-1010204 K05032915, BT858537 CVE-2019-1010204: Binutils Vulnerability 16.0.0, 15.1.1, 14.1.2.8
822377-2 CVE-2019-10092 K30442259, BT822377 CVE-2019-10092: httpd mod_proxy cross-site scripting vulnerability 16.1.0, 15.1.1, 14.1.2.8
767269-2 CVE-2018-16884 K21430012 Linux kernel vulnerability: CVE-2018-16884 16.0.0, 15.1.0.5, 14.1.2.8


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
890229-3 3-Major BT890229 Source port preserve setting is not honored 16.0.0, 15.1.1, 14.1.2.8, 13.1.3.5
747013-3 3-Major BT747013 Add OCSP server support to IKEv2 negotiation for IPsec peer authentication 15.1.0, 14.1.2.8
617929-2 3-Major BT617929 Support non-default route domains 15.1.0, 15.0.1.3, 14.1.2.8, 13.1.3.4


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
920481 2-Critical BT920481 REST GET on /mgmt/tm/sys/file/ssl-key returns bad/wrong passphrase 14.1.2.8
871561-3 2-Critical BT871561 Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)' 16.1.0, 16.0.1, 15.1.1, 14.1.2.8
860349-1 2-Critical BT860349 Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication 16.0.0, 15.1.3, 14.1.2.8
856713-1 2-Critical BT856713 IPsec crash during rekey 16.1.0, 16.0.1.2, 15.1.9, 14.1.2.8
854493-3 2-Critical BT854493 Kernel page allocation failures messages in kern.log 16.0.0, 15.1.0.2, 14.1.2.8
842865-1 2-Critical BT842865 Add support for Auto MAC configuration (ixlv) 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.8
841953-5 2-Critical BT841953 A tunnel can be expired when going offline, causing tmm crash 16.0.0, 15.1.0.2, 14.1.2.8, 13.1.3.4, 12.1.5.3
841333-5 2-Critical BT841333 TMM may crash when tunnel used after returning from offline 16.0.0, 15.1.0.2, 14.1.2.8, 13.1.3.4, 12.1.5.3
818253-1 2-Critical BT818253 Generate signature files for logs 16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8
817709-2 2-Critical BT817709 IPsec: TMM cored with SIGFPE in racoon2 16.1.0, 15.1.0.2, 14.1.2.8, 13.1.5
811149-1 2-Critical BT811149 Remotely-authenticated users are unable to authenticate through the serial console 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.8
807453-1 2-Critical BT807453 IPsec works inefficiently with a second blade in one chassis 15.1.0, 14.1.2.8
777229-1 2-Critical BT777229 IPsec improvements to internal pfkey messaging between TMMs on multi-blade 15.1.0, 14.1.2.8
774361-2 2-Critical BT774361 IPsec High Availability sync during multiple failover via RFC6311 messages 15.1.0, 14.1.2.8
769357-1 2-Critical   IPsec debug logging needs more organization and is missing HA-related logging 15.1.0, 14.1.2.8
755716-1 2-Critical BT755716 IPsec connection can fail if connflow expiration happens before IKE encryption 15.1.0, 14.1.2.8
749249-1 2-Critical BT749249 IPsec tunnels fail to establish and 100% cpu on multi-blade BIG-IP 15.1.0, 14.1.2.8
741676-2 2-Critical BT741676 Intermittent crash switching between tunnel mode and interface mode 15.1.0, 14.1.2.8, 13.1.5
593536-7 2-Critical K64445052, BT593536 Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations 16.0.0, 15.1.1, 14.1.2.8
924493-4 3-Major BT924493 VMware EULA has been updated 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5
904705-3 3-Major BT904705 Cannot clone Azure marketplace instances. 16.1.0, 16.0.1, 15.1.1, 14.1.2.8
888497-4 3-Major BT888497 Cacheable HTTP Response 16.1.0, 16.0.1.1, 15.1.0.5, 14.1.2.8, 13.1.3.5, 12.1.5.3
887089-3 3-Major BT887089 Upgrade can fail when filenames contain spaces 16.1.0, 15.1.0.5, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3
880625-2 3-Major BT880625 Check-host-attr enabled in LDAP system-auth creates unusable config 16.1.0, 16.0.1, 15.1.1, 14.1.2.8
880165-1 3-Major BT880165 Auto classification signature update fails 16.1.0, 16.0.1, 15.1.1, 14.1.2.8
858197-1 3-Major BT858197 Merged crash when memory exhausted 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.8, 13.1.3.5
856953-2 3-Major BT856953 IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1 16.0.0, 15.1.4.1, 14.1.2.8, 13.1.5
844085-3 3-Major BT844085 GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.8
838297-1 3-Major BT838297 Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication 16.0.0, 15.1.1, 14.1.2.8
828789-3 3-Major BT828789 Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters 15.1.1, 14.1.2.8
820213-2 3-Major BT820213 'Application Service List' empty after UCS restore 15.1.0, 14.1.2.8
814585-3 3-Major BT814585 PPTP profile option not available when creating or modifying virtual servers in GUI 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.8, 13.1.3.5, 12.1.5.3
810381-4 3-Major BT810381 The SNMP max message size check is being incorrectly applied. 16.0.0, 15.1.0.4, 14.1.2.8, 13.1.3.5
807337-3 3-Major BT807337 Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed. 16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8
804537-1 3-Major BT804537 Check SAs in context callbacks 15.1.0, 14.1.2.8
802889 3-Major BT802889 Problems establishing HA connections on chassis platforms 15.1.0, 14.1.3, 14.1.2.8
797829-5 3-Major BT797829 The BIG-IP system may fail to deploy new or reconfigure existing iApps 16.1.0, 16.0.1.1, 15.1.0.5, 14.1.2.8, 13.1.3.5
783753-1 3-Major BT783753 Increase vCPU amount guests can use on i11800-DS platforms. 15.1.0, 14.1.2.8
761753-2 3-Major BT761753 BIG-IP system incorrectly flags UDP checksum as failed on x520 NICs 15.1.0, 14.1.2.8
759564-4 3-Major BT759564 GUI not available after upgrade 16.1.0, 16.0.1, 15.1.1, 14.1.2.8
758517-1 3-Major BT758517 Callback for Diffie Hellman crypto is missing defensive coding 15.1.0, 14.1.2.8
758516-1 3-Major BT758516 IKEv2 auth encryption is missing defensive coding that checks object validity 15.1.0, 14.1.2.8
757862-1 3-Major BT757862 IKEv2 debug logging an uninitialized variable leading to core 15.1.0, 14.1.2.8
748443-1 3-Major BT748443 HiGig MAC recovery mechanism may fail continuously at runtime 15.0.0, 14.1.2.8
746704-2 3-Major BT746704 Syslog-ng Memory Leak 15.0.0, 14.1.2.8, 13.1.3.5
745261-2 3-Major BT745261 The TMM process may crash in some tunnel cases 15.0.0, 14.1.2.8, 13.1.3.5, 12.1.5.3
726416-3 3-Major BT726416 Physical disk HD1 not found for logical disk create 15.1.0, 14.1.2.8
489572-4 3-Major K60934489, BT489572 Sync fails if file object is created and deleted before sync to peer BIG-IP 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3
431503-3 3-Major K14838, BT431503 TMSH crashes in rare initial tunnel configurations 15.1.1, 14.1.2.8, 13.1.3.5, 11.5.0
919745-4 4-Minor BT919745 CSV files downloaded from the Dashboard have the first row with all 'NaN' 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.8
918209-1 4-Minor BT918209 GUI Network Map icons color scheme is not section 508 compliant 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.8
914761-1 4-Minor BT914761 Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed. 16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8
906889-1 4-Minor BT906889 Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows. 16.1.0, 16.0.1, 15.1.1, 14.1.2.8
902417-4 4-Minor BT902417 Configuration error caused by Drafts folder in a deleted custom partition 16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3
890277-2 4-Minor BT890277 Full config sync to a device group operation takes a long time when there are a large number of partitions. 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5
779857-1 4-Minor BT779857 Misleading GUI error when installing a new version in another partition 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5
777237-1 4-Minor   IPsec high availability (HA) for failover confused by runtime changes in blade count 15.1.0, 14.1.2.8
751103-4 4-Minor BT751103 TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop 16.1.0, 16.0.1, 15.1.1, 14.1.2.8
714176-3 5-Cosmetic BT714176 UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
858429 2-Critical BT858429 BIG-IP system sends ICMP packets on both virtual wire interfaces. 16.0.0, 15.1.1, 15.0.1.4, 14.1.2.8
851581-1 2-Critical BT851581 Server-side detach may crash TMM 16.0.0, 15.1.1, 14.1.2.8
839749-2 2-Critical BT839749 Virtual server with specific address list might fail to create via GUI 16.0.0, 15.1.0.5, 15.0.1.1, 14.1.2.8
813561-3 2-Critical BT813561 MCPD crashes when assigning an iRule that uses a proc 15.1.0, 15.0.1.3, 14.1.2.8, 13.1.3.4
726518-3 2-Critical BT726518 Tmsh show command terminated with CTRL-C can cause TMM to crash. 16.0.0, 15.1.2, 14.1.2.8, 13.1.3.6
915281-1 3-Major BT915281 Do not rearm TCP Keep Alive timer under certain conditions 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3
816881-1 3-Major BT816881 Serverside connection may use wrong VLAN when virtual wire is configured 16.0.0, 15.1.1, 14.1.2.8
810445-2 3-Major BT810445 PEM: ftp-data not classified or reported 15.1.0, 14.1.2.8, 13.1.3.5
800101-1 3-Major BT800101 BIG-IP chassis system may send out duplicated UDP packets to the server side 15.1.0, 14.1.2.8
788753-4 3-Major BT788753 GATEWAY_ICMP monitor marks node down with wrong error code 16.0.0, 15.1.0.5, 14.1.2.8, 13.1.3.4
785701-1 3-Major BT785701 Changes to a Web Acceleration profile are not instantly applied to virtual servers using the profile 15.1.0, 14.1.2.8
785481-2 3-Major BT785481 A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached 15.1.0, 15.0.1.1, 14.1.2.8, 12.1.5.3
781753-3 3-Major BT781753 WebSocket traffic is transmitted with unknown opcodes 15.1.0, 14.1.2.8, 13.1.3.2
766169-2 3-Major BT766169 Replacing all VLAN interfaces resets VLAN MTU to a default value 15.1.0, 14.1.2.8, 13.1.3.5, 12.1.5.2
758437-6 3-Major BT758437 SYN w/ data disrupts stat collection in Fast L4 15.0.0, 14.1.2.8, 13.1.3.5
758436-4 3-Major BT758436 Optimistic ACKs degrade Fast L4 statistics 15.0.0, 14.1.2.8, 13.1.3.5
745663-3 3-Major BT745663 During traffic forwarding, nexthop data may be missed at large packet split 15.1.0, 14.1.2.8, 13.1.3.5
726734-4 3-Major BT726734 DAGv2 port lookup stringent may fail 15.0.0, 14.1.2.8, 13.1.3.2
814037-4 4-Minor BT814037 No virtual server name in Hardware Syncookie activation logs. 16.0.0, 15.1.1, 14.1.2.8, 13.1.3.5


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
783125-2 2-Critical BT783125 iRule drop command on DNS traffic without Datagram-LB may cause TMM crash 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5
800265-2 3-Major BT800265 Undefined subroutine in bigip_add_appliance_helper message 16.0.0, 14.1.2.8


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
911629 2-Critical BT911629 Manual upload of LiveUpdate image file results in NULL response 17.1.0, 15.0.1.4, 14.1.2.8
918933-3 3-Major K88162221, BT918933 The BIG-IP ASM system may not properly perform signature checks on cookies 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.8, 13.1.3.6, 12.1.5.3, 11.6.5.3
901061-4 3-Major BT901061 Safari browser might be blocked when using Bot Defense profile and related domains. 16.1.0, 16.0.1, 15.1.1, 14.1.2.8
888285-3 3-Major K18304067, BT888285 Sensitive positional parameter not masked in 'Referer' header value 16.0.0, 15.1.1, 14.1.2.8
848445-3 3-Major K86285055, BT848445 Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer 16.0.0, 15.1.0.5, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3
919001-1 4-Minor BT919001 Live Update: Update Available notification is shown twice in rare conditions 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.8
879777 4-Minor BT879777 Retrieve browser cookie from related domain instead of performing another Bot Defense browser verification challenge 16.0.0, 15.1.1, 14.1.2.8


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
908065-4 3-Major BT908065 Logrotation for /var/log/avr blocked by files with .1 suffix 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5
866613-1 4-Minor BT866613 Missing MaxMemory Attribute 16.0.0, 15.1.1, 14.1.2.8, 13.1.3.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
891505-1 2-Critical BT891505 TMM might leak memory when OAuth agent is used in APM per-request policy subroutine. 16.0.0, 15.1.4, 14.1.2.8
579219-3 2-Critical BT579219 Access keys missing from SessionDB after multi-blade reboot. 16.0.0, 15.1.1, 14.1.2.8, 13.1.5
706782-3 3-Major BT706782 Inefficient APM processing in large configurations. 17.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.8
679751-1 4-Minor BT679751 Authorization header can cause a connection reset 16.1.0, 15.1.1, 14.1.2.8, 13.1.3.5
602396-1 4-Minor BT602396 EPSEC Upload Package Button Is Greyed Out 15.1.0, 14.1.2.8
478450-2 4-Minor BT478450 Improve log details when "Detection invalid host header ()" is logged 15.1.0, 14.1.2.8


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
763121-3 2-Critical BT763121 Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM. 15.0.0, 14.1.2.8, 13.1.3
870385-3 3-Major BT870385 TMM may restart under very heavy traffic load 16.0.0, 15.1.2.1, 14.1.2.8
811157-2 3-Major BT811157 Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself 15.1.0, 14.1.2.8
757555-2 3-Major BT757555 Network DoS Logging Profile does not work with other logging profiles together 15.0.0, 14.1.2.8
757279-1 3-Major BT757279 LDAP authenticated Firewall Manager role cannot edit firewall policies 15.1.0.5, 14.1.2.8, 13.1.1.5
746483-2 3-Major BT746483 The autodosd process consumes a lot of memory and continuously restarts. 15.0.0, 14.1.2.8
703165-4 3-Major BT703165 shared memory leakage 15.0.0, 14.1.2.8, 13.1.3.5
803149-1 4-Minor BT803149 Flow Inspector cannot filter on IP address with non-default route_domain 15.1.0, 14.1.2.8
906885 5-Cosmetic BT906885 Spelling mistake on AFM GUI Flow Inspector screen 16.1.0, 15.1.2.1, 14.1.2.8


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
741213-2 3-Major BT741213 Modifying disabled PEM policy causes coredump 15.1.0, 14.1.2.8


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
837269 3-Major BT837269 Processing ICMP unreachable packets causes FWNAT/CGNAT persistence issues with UDP traffic 16.0.0, 15.1.0, 14.1.2.8


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
876581-4 3-Major BT876581 JavaScript engine file is empty if the original HTML page cached for too long 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5
891729-4 4-Minor BT891729 Errors in datasyncd.log 16.1.0, 16.0.1, 15.1.1, 14.1.2.8


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
797277-2 3-Major BT797277 URL categorization fails when multiple segments present in URL path and belong to different categories. 15.1.0, 14.1.2.8
761273-2 3-Major BT761273 wr_urldbd creates sparse log files by writing from the previous position after logrotate. 15.1.0, 14.1.2.8, 13.1.1.5



Cumulative fixes from BIG-IP v14.1.2.7 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
912221-2 CVE-2020-12662, CVE-2020-12663 K37661551, BT912221 CVE-2020-12662 & CVE-2020-12663 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5, 12.1.6, 11.6.5.3
900905-1 CVE-2020-5926 K42830212, BT900905 TMM may crash while processing SIP data 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7
891457-4 CVE-2020-5939 K75111593, BT891457 NIC driver may fail while transmitting data 16.1.0, 16.0.1, 15.1.0.4, 15.0.1.4, 14.1.2.7, 13.1.3.5
888417-4 CVE-2020-8840 K15320518, BT888417 Apache Vulnerability: CVE-2020-8840 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7
846917-3 CVE-2019-10744 K47105354, BT846917 lodash Vulnerability: CVE-2019-10744 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.7, 13.1.3.5, 12.1.5.3
841577-4 CVE-2020-5922 K20606443, BT841577 iControl REST hardening 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4, 12.1.5.2
839453-4 CVE-2019-10744 K47105354, BT839453 lodash library vulnerability CVE-2019-10744 16.0.0, 15.1.1, 14.1.2.7, 13.1.3.5, 12.1.5.2
788057-5 CVE-2020-5921 K00103216, BT788057 MCPD may crash while processing syncookies 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5, 12.1.5.2, 11.6.5.3
917005-4 CVE-2020-8619 K19807532 ISC BIND Vulnerability: CVE-2020-8619 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.7, 13.1.3.5, 12.1.6, 11.6.5.3
909837-2 CVE-2020-5950 K05204103, BT909837 TMM may consume excessive resources when AFM is provisioned 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5
888489-4 CVE-2020-5927 K55873574, BT888489 ASM UI hardening 16.1.0, 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7
886085-3 CVE-2020-5925 K45421311, BT886085 BIG-IP TMM vulnerability CVE-2020-5925 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.4, 12.1.5.2, 11.6.5.2
832885-3 CVE-2020-5923 K05975972, BT832885 Self-IP hardening 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4, 12.1.5.2, 11.6.5.2
816413-2 CVE-2019-1125 K31085564, BT816413 CVE-2019-1125: Spectre SWAPGS Gadget 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5
888493-4 CVE-2020-5928 K40843345, BT888493 ASM GUI Hardening 16.1.0, 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5, 12.1.5.2
839145-2 CVE-2019-10744 K47105354, BT839145 CVE-2019-10744: lodash vulnerability 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.7


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
816233-3 2-Critical BT816233 Session and authentication cookies should use larger character set 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7
724556-3 2-Critical BT724556 icrd_child spawns more than maximum allowed times (zombie processes) 15.0.0, 14.1.2.7, 13.1.3.2, 12.1.5.3
858189-1 3-Major BT858189 Make restnoded/restjavad/icrd timeout configurable with sys db variables. 16.0.0, 15.1.1, 14.1.2.7, 12.1.5.2
802977-2 3-Major BT802977 PEM iRule crashes when more than 10 policies are tried to be set for a subscriber 15.1.0, 14.1.2.7
691499-3 3-Major BT691499 GTP::ie primitives in iRule to be certified 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4
745465-1 4-Minor BT745465 The tcpdump file does not provide the correct extension 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
864513-3 1-Blocking K48234609, BT864513 ASM policies may not load after upgrading to 14.x or later from a previous major version 16.0.0, 15.1.1, 14.1.2.7
891477 2-Critical BT891477 No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7
829677-1 2-Critical BT829677 .tmp files in /var/config/rest/ may cause /var directory exhaustion 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.7, 13.1.3.5
811701-1 2-Critical BT811701 AWS instance using xnet driver not receiving packets on an interface. 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.7
810593-2 2-Critical K10963690, BT810593 Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade 15.1.0, 14.1.2.7, 13.1.3.5
805417-1 2-Critical BT805417 Unable to enable LDAP system auth profile debug logging 16.0.0, 15.1.1, 14.1.2.7
769581-1 2-Critical BT769581 Timeout when sending many large iControl REST requests 15.1.0, 14.1.2.7, 14.0.0.5, 13.1.3.5
758604-2 2-Critical BT758604 Deleting a port from a single-port trunk does not work. 15.0.0, 14.1.2.7
891721-1 3-Major BT891721 Anti-Fraud Profile URLs with query strings do not load successfully 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7
871657-2 3-Major BT871657 Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5, 12.1.5.3
867013-1 3-Major BT867013 Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout 16.0.0, 15.1.1, 14.1.2.7, 13.1.3.5
842189-2 3-Major BT842189 Tunnels removed when going offline are not restored when going back online 16.0.0, 15.1.2.1, 14.1.2.7, 13.1.3.6, 12.1.5.3
821309-3 3-Major BT821309 After an initial boot, mcpd has a defunct child "systemctl" process 16.0.0, 15.1.0.5, 14.1.2.7
812929-2 3-Major BT812929 mcpd may core when resetting a DSC connection 15.1.0, 15.0.1.4, 14.1.2.7
811053-2 3-Major BT811053 REBOOT REQUIRED prompt appears after failover and clsh reboot 16.0.0, 15.1.2, 14.1.2.7
810821-1 3-Major BT810821 Management interface flaps after rebooting the device. 16.0.0, 15.1.2, 14.1.2.7, 13.1.3.5
807005-1 3-Major BT807005 Save-on-auto-sync is not working as expected with large configuration objects 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.4, 12.1.5.3, 11.6.5.2
806985 3-Major BT806985 Engineering Hotfix installation may fail when Engineering Hotfix contains updated nash-initrd package 15.1.0, 14.1.2.7
802685-3 3-Major BT802685 Unable to configure performance HTTP virtual server via GUI 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5
793121-3 3-Major BT793121 Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.7, 13.1.3.2
788949-3 3-Major BT788949 MySQL Password Initialization Loses Already Written Password 15.1.0, 14.1.2.7
760950-4 3-Major BT760950 Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment 15.0.0, 14.1.2.7, 13.1.5, 12.1.5.3
756153-3 3-Major BT756153 Add diskmonitor support for MySQL /var/lib/mysql 15.1.0, 14.1.2.7, 13.1.3, 12.1.4.1
753860-3 3-Major BT753860 Virtual server config changes causing incorrect route injection. 15.1.0, 14.1.2.7, 13.1.3.4
720610-2 3-Major BT720610 Automatic Update Check logs false 'Update Server unavailable' message on every run 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.2.7, 13.1.3
701529-2 3-Major BT701529 Configuration may not load or not accept vlan or tunnel names as "default" or "all" 15.1.0, 14.1.2.7, 13.1.3.4
688399-2 3-Major BT688399 HSB failure results in continuous TMM restarts 15.1.0, 15.0.1.4, 14.1.2.7, 13.1.3.4, 12.1.5.3
683135-1 3-Major BT683135 Hardware syncookies number for virtual server stats is unrealistically high 15.1.0, 14.1.2.7, 13.1.3.2
605675-4 3-Major BT605675 Sync requests can be generated faster than they can be handled 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.7, 13.1.3.5, 12.1.5.3, 11.6.5.2
831293-3 4-Minor BT831293 SNMP address-related GET requests slow to respond. 16.0.0, 15.1.0.2, 14.1.2.7, 13.1.3.5, 12.1.5.3
804309-2 4-Minor BT804309 [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5
755018-2 4-Minor BT755018 Egress traffic processing may be stopped on one or more VE trunk interfaces 15.1.0, 15.0.1.1, 14.1.2.7, 13.1.3.2
743815-2 4-Minor BT743815 vCMP guest observes connflow reset when a CMP state change occurs. 15.0.0, 14.1.2.7, 13.1.3.4, 12.1.5.2, 11.6.5.2
484683-2 4-Minor BT484683 Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer. 15.0.0, 14.1.2.7, 13.1.3.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
842937-4 2-Critical BT842937 TMM crash due to failed assertion 'valid node' 16.0.0, 15.1.1, 14.1.2.7, 12.1.5.3
751589-1 2-Critical BT751589 In BIG-IP VE, some IP rules may not be created during the first boot up. 15.0.0, 14.1.2.7
893281-1 3-Major BT893281 Possible ssl stall on closed client handshake 16.1.0, 15.1.0.5, 14.1.2.7
852873 3-Major BT852873 Proprietary Multicast PVST+ packets are forwarded instead of dropped 16.0.0, 15.1.0.2, 14.1.2.7
848777-1 3-Major BT848777 Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node. 16.0.0, 15.1.0.4, 14.1.2.7
828601-3 3-Major BT828601 IPv6 Management route is preferred over IPv6 tmm route 16.0.0, 15.1.0.3, 14.1.2.7, 13.1.3.5
813701-3 3-Major BT813701 Proxy ARP failure 16.0.0, 15.1.0.5, 14.1.2.7
810533-4 3-Major BT810533 SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile 16.0.0, 14.1.2.7
802245-1 3-Major BT802245 When HTTP/2 is negotiated, if the provided cipher suite list cannot be matched, then the last one will be selected. 15.1.0, 14.1.2.7
790205-3 3-Major BT790205 Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core 15.1.0, 15.0.1.1, 14.1.2.7, 14.0.1.1, 13.1.3, 12.1.5.3
781041-1 3-Major BT781041 SIP monitor in non default route domain is not working. 15.1.0, 14.1.2.7
778517-1 3-Major K91052217, BT778517 Large number of in-TMM monitors results in delayed processing 15.1.0, 14.1.2.7, 13.1.3.4
760050-2 3-Major BT760050 "cwnd too low" warning message seen in logs 16.0.0, 15.1.4, 14.1.2.7, 13.1.4.1
758599-1 3-Major BT758599 IPv6 Management route is preferred over IPv6 tmm route 16.0.0, 15.1.0.3, 15.0.1.4, 14.1.2.7, 13.1.3.5
758041-3 3-Major BT758041 LTM Pool Members may not be updated accurately when multiple identical database monitors are configured. 16.0.0, 15.1.4.1, 14.1.2.7, 13.1.3.5
757446-2 3-Major BT757446 Invoking the HTTP::respond iRule command when the HTTP2 profile is present can cause stalled or malformed responses. 15.0.0, 14.1.2.7, 13.1.5
756494-3 3-Major BT756494 For in-tmm monitoring: multiple instances of the same agent are running on the Standby device 15.0.0, 14.1.2.7, 13.1.3.4
752530-1 3-Major BT752530 TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput. 15.0.0, 14.1.2.7, 13.1.4.1
752334-1 3-Major BT752334 Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation 15.0.0, 14.1.2.7, 13.1.4.1
750473-4 3-Major BT750473 VA status change while 'disabled' are not taken into account after being 'enabled' again 15.0.0, 14.1.2.7, 12.1.5.3, 11.6.5.2
746922-6 3-Major BT746922 When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain. 15.0.0, 14.1.2.7, 14.0.1.1, 13.1.3, 12.1.4.1
714502-2 3-Major BT714502 bigd restarts after loading a UCS for the first time 16.0.0, 15.1.0.5, 14.1.2.7
686059-4 3-Major BT686059 FDB entries for existing VLANs may be flushed when creating a new VLAN. 15.1.0, 14.1.2.7, 13.1.3.4, 12.1.5.3
608952-3 3-Major BT608952 MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2 16.0.0, 15.1.5, 14.1.2.7, 13.1.3.6, 12.1.5.3
522241-1 3-Major BT522241 Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete 15.0.0, 14.1.2.7, 13.1.3.5, 12.1.6, 11.6.5.3


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
918169-2 2-Critical BT918169 The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown. 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.7, 13.1.3.6
744743-1 2-Critical BT744743 Rolling DNSSEC Keys may stop generating after BIG-IP restart 15.1.0, 14.1.2.7
803645-3 3-Major BT803645 GTMD daemon crashes 15.1.0, 14.1.2.7, 13.1.3.3
789421-2 3-Major BT789421 Resource-administrator cannot create GTM server object through GUI 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.7
778365-2 3-Major BT778365 dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service 15.1.0, 14.1.2.7, 13.1.3.4
774481-2 3-Major BT774481 DNS Virtual Server creation problem with Dependency List 15.1.0, 14.1.2.7, 13.1.3.4
769385-1 3-Major BT769385 GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message 15.1.0, 14.1.2.7, 14.0.0.5
758772-3 3-Major BT758772 DNS Cache RRSET Evictions Stat not increasing 15.1.0, 14.1.2.7, 13.1.3.5, 12.1.6, 11.6.5.3
757464-1 3-Major BT757464 DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record 15.1.0, 14.1.2.7, 13.1.3.5, 12.1.6, 11.6.5.3
746348-2 3-Major BT746348 On rare occasions, gtmd fails to process probe responses originating from the same system. 16.0.0, 15.1.2, 14.1.2.7, 13.1.3.4, 12.1.5.2
712335-3 4-Minor BT712335 GTMD may intermittently crash under unusual conditions. 15.1.0, 14.1.2.7, 13.1.4, 12.1.6
774257-2 5-Cosmetic BT774257 tmsh show gtm pool and tmsh show gtm wideip print duplicate object types 16.0.0, 15.1.0.5, 14.1.2.7


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
904593-2 2-Critical BT904593 Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled 16.1.0, 15.1.0.5, 14.1.2.7
868641-1 2-Critical BT868641 Possible TMM crash when disabling bot profile for the entire connection 16.0.0, 15.1.1, 14.1.2.7
865461-3 2-Critical BT865461 BD crash on specific scenario 16.0.0, 15.1.0.5, 14.1.2.7
843801-1 2-Critical BT843801 Like-named previous Signature Update installations block Live Update usage after upgrade 16.0.0, 15.1.1, 14.1.2.7
813409-1 2-Critical BT813409 BD crash under certain circumstances 15.1.0, 14.1.2.7
803813-2 2-Critical BT803813 TMM may experience high latency when processing WebSocket traffic 15.1.0, 14.1.2.7, 13.1.3.4
903357-3 3-Major BT903357 Bot defense Profile list loads too slow when there are 750 or more Virtual servers 16.1.0, 16.0.1.1, 15.1.1, 14.1.2.7
900797-4 3-Major BT900797 Brute Force Protection (BFP) hash table entry cleanup 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5
900793-2 3-Major K32055534, BT900793 APM Brute Force Protection resources do not scale automatically 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5
900789-4 3-Major BT900789 Alert before Brute Force Protection (BFP) hash are fully utilized 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5
898825-4 3-Major BT898825 Attack signatures are enforced on excluded headers under some conditions 14.1.2.7
898741-4 3-Major BT898741 Missing critical files causes FIPS-140 system to halt upon boot 16.1.0, 15.1.1, 14.1.2.7
892653-2 3-Major BT892653 Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.7
880789-1 3-Major BT880789 ASMConfig Handler undergoes frequent restarts 16.0.0, 15.1.0.5, 14.1.2.7
880753-1 3-Major K38157961, BT880753 Possible issues when using DoSL7 and Bot Defense profile on the same virtual server 16.0.0, 15.1.1, 15.0.1.4, 14.1.2.7
874753-1 3-Major BT874753 Filtering by Bot Categories on Bot Requests Log shows 0 events 16.0.0, 15.1.0.5, 14.1.2.7
868721-3 3-Major BT868721 Transactions are held for a long time on specific server related conditions 16.0.0, 15.1.0.5, 14.1.2.7
863609-2 3-Major BT863609 Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies 16.0.0, 15.1.0.5, 14.1.2.7
850677-2 3-Major BT850677 Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy 16.0.0, 15.1.0.5, 14.1.2.7
833685-3 3-Major BT833685 Idle async handlers can remain loaded for a long time doing nothing 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5, 12.1.5.3
809125-2 3-Major BT809125 CSRF false positive 16.0.0, 15.1.0.5, 14.1.2.7, 12.1.5.1
802873-1 3-Major BT802873 Manual changes to policy imported as XML may introduce corruption for Login Pages 16.0.0, 15.1.4, 14.1.2.7
799749-1 3-Major BT799749 Asm logrotate fails to rotate 16.0.0, 15.1.0.5, 14.1.2.7
793149-3 3-Major BT793149 Adding the Strict-transport-Policy header to internal responses 15.1.0, 14.1.2.7, 12.1.5.1
785529-1 3-Major BT785529 ASM unable to handle ICAP responses which length is greater than 10K 15.1.0, 14.1.2.7, 11.6.5.2
783165-3 3-Major BT783165 Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile 16.0.0, 15.1.0.5, 14.1.2.7
772165-1 3-Major BT772165 Sync Failed due to Bot Defense profile not found. 15.0.0, 14.1.2.7
759449-1 3-Major BT759449 Unable to modify the application language with 'Copy ASM Policy' 15.0.0, 14.1.2.7
751430-1 3-Major BT751430 Unnecessary reporting of errors with complex denial-of-service policies 15.0.0, 14.1.2.7
745324-1 3-Major BT745324 MCP crash or blocked for a long time when loading configuration 15.0.0, 14.1.2.7
742549-2 3-Major BT742549 Cannot create non-ASCII entities in non-UTF ASM policy using REST 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.6
726401-1 3-Major BT726401 ASM cannot complete initial startup with modified management interface on VE 15.1.0, 14.1.2.7
722337-1 3-Major BT722337 Always show violations in request log when post request is large 16.1.0, 16.0.1.1, 15.1.0.5, 14.1.2.7, 13.1.3.5
640842-3 3-Major BT640842 ASM end user using mobile might be blocked when CSRF is enabled 16.0.0, 15.1.0.5, 14.1.2.7
896285-4 4-Minor BT896285 No parent entity in suggestion to add predefined-filetype as allowed filetype 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.7
882769-3 4-Minor BT882769 Request Log: wrong filter applied when searching by Response contains or Response does not contain 16.0.0, 15.1.2, 14.1.2.7, 13.1.3.5
852613-1 4-Minor   Connection Mirroring and ASM Policy not supported on the same virtual server 14.1.2.7


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
902485-2 3-Major BT902485 Incorrect pool member concurrent connection value 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5
838685-2 3-Major BT838685 DoS report exist in per-widget but not under individual virtual 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
838861-2 2-Critical BT838861 TMM might crash once after upgrading SSL Orchestrator 16.0.0, 15.1.1, 14.1.2.7
895313 3-Major BT895313 Enable manage config setting may fail after upgrade of AGC to version 7.0 on BIG-IP 14.1.0 or 14.1.2 14.1.2.7
831517-1 3-Major BT831517 TMM may crash when Network Access tunnel is used 16.0.0, 15.1.3, 14.1.2.7
799149-2 3-Major BT799149 Authentication fails with empty password 14.1.2.7, 13.1.3.2
750631-2 3-Major BT750631 There may be a latency between session termination and deletion of its associated IP address mapping 15.0.0, 14.1.2.7, 13.1.3
600985-1 3-Major BT600985 Network access tunnel data stalls 15.0.0, 14.1.2.7, 13.1.3
719589-2 4-Minor BT719589 GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic 15.1.0, 14.1.2.7, 13.1.3.2


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
814097-2 2-Critical BT814097 Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event. 15.1.0, 14.1.2.7, 13.1.3.4, 11.6.5.2
898997-4 3-Major BT898997 GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes 16.1.0, 16.0.1, 15.1.1, 14.1.2.7
842625-3 3-Major BT842625 SIP message routing remembers a 'no connection' failure state forever 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.7, 13.1.3.4
825013-3 3-Major BT825013 GENERICMESSAGE::message's src and dst may get cleared in certain scenarios 16.0.0, 15.1.0.2, 15.0.1.1, 14.1.2.7
815529-2 3-Major BT815529 MRF outbound messages are dropped in per-peer mode 15.1.0, 14.1.2.7, 13.1.3.4
803809-2 3-Major BT803809 SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled. 16.0.0, 15.1.0.2, 14.1.2.7, 13.1.3.4
782353-6 3-Major BT782353 SIP MRF via header shows TCP Transport when TLS is enabled 15.1.0, 14.1.2.7, 13.1.3.4
754658-2 3-Major BT754658 Improved matching of response messages uses end-to-end ID 15.0.0, 14.1.2.7, 13.1.3.4
754617-2 3-Major BT754617 iRule 'DIAMETER::avp read' command does not work with 'source' option 14.1.2.7, 13.1.3.4
746731-1 3-Major BT746731 BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set 15.0.0, 14.1.2.7, 13.1.3.4
696348-3 3-Major BT696348 "GTP::ie insert" and "GTP::ie append" do not work without "-message" option 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4
788513-2 4-Minor BT788513 Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.4, 12.1.5.2
786981-3 4-Minor BT786981 Pending GTP iRule operation maybe aborted when connection is expired 15.1.0, 14.1.2.7, 13.1.3.4
793005-3 5-Cosmetic BT793005 'Current Sessions' statistic of MRF/Diameter pool may be incorrect 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
802421 2-Critical BT802421 The /var partition may become 100% full requiring manual intervention to clear space 16.0.0, 15.1.0.5, 14.1.2.7
755721-1 3-Major BT755721 A UDP DNS packet may incorrectly match a BDoS signature if such a packet was queued up due to ingress shaper 15.0.0, 14.1.2.7


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
753014-4 3-Major BT753014 PEM iRule action with RULE_INIT event fails to attach to PEM policy 15.0.0, 14.1.2.7, 13.1.3.2, 12.1.5.3


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
888625-2 3-Major BT888625 CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks 16.0.0, 15.1.0.3, 14.1.2.7
806825 3-Major BT806825 Align the behavior of NAT44 and NAT64 when translate-address is disabled under Virtual Configuration with LTM Pool and LSN Pool 15.1.0, 14.1.2.7
761517-1 4-Minor BT761517 nat64 and ltm pool conflict 15.1.0, 14.1.2.7


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
787965-1 3-Major BT787965 URLCAT by URI does not work if it contains port number 15.1.0, 14.1.2.7
754257-2 3-Major BT754257 URL lookup queries not working 15.0.0, 14.1.2.7, 12.1.5



Cumulative fixes from BIG-IP v14.1.2.6 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
900757-4 CVE-2020-5902 K52145254, BT900757 TMUI RCE vulnerability CVE-2020-5902 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4
895525-4 CVE-2020-5902 K52145254, BT895525 TMUI RCE vulnerability CVE-2020-5902 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, 11.6.5.2
909237-4 CVE-2020-8617 K05544642 CVE-2020-8617: BIND Vulnerability 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, 11.6.5.2
909233-4 CVE-2020-8616 K97810133, BT909233 DNS Hardening 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, 11.6.5.2
905905-3 CVE-2020-5904 K31301245, BT905905 TMUI CSRF vulnerability CVE-2020-5904 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2
895993-4 CVE-2020-5902 K52145254, BT895993 TMUI RCE vulnerability CVE-2020-5902 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, 11.6.5.2
895981-4 CVE-2020-5902 K52145254, BT895981 TMUI RCE vulnerability CVE-2020-5902 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2
895881-3 CVE-2020-5903 K43638305, BT895881 BIG-IP TMUI XSS vulnerability CVE-2020-5903 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2
726407 CVE-2017-6001 K24578092, BT726407 CVE-2017-6001: Race condition in kernel/events/core.c 14.1.2.6


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
742628-3 3-Major BT742628 A tmsh session initiation adds increased control plane pressure 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.3


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
897229 3-Major BT897229 TLS session ticket resumption SNI check 14.1.2.6



Cumulative fixes from BIG-IP v14.1.2.5 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
883717-3 CVE-2020-5914 K37466356, BT883717 BD crash on specific server cookie scenario 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2
879025-4 CVE-2020-5913 K72752002, BT879025 When processing TLS traffic, LTM may not enforce certificate chain restrictions 16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3.5, 12.1.5.2
866013 CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 K78234183, BT866013 Linux Kernel Vulnerabilities: CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 14.1.2.5
852445-3 CVE-2019-6477 K15840535, BT852445 Big-IP : CVE-2019-6477 BIND Vulnerability 16.0.0, 14.1.2.5, 13.1.3.4, 12.1.5.1, 11.6.5.2
838677-3 CVE-2019-10744 K47105354, BT838677 lodash library vulnerability CVE-2019-10744 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4
837773-2 CVE-2020-5912 K12936322, BT837773 Restjavad Storage and Configuration Hardening 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3, 11.6.5.2
834257-3 CVE-2020-5931 K25400442, BT834257 TMM may crash when processing HTTP traffic 16.0.0, 15.1.1, 14.1.2.5, 13.1.3.6
830401-3 CVE-2020-5877 K54200228, BT830401 TMM may crash while processing TCP traffic with iRules 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2
819197-4 CVE-2019-13135 K20336394, BT819197 BIGIP: CVE-2019-13135 ImageMagick vulnerability 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2
819189-3 CVE-2019-13136 K03512441, BT819189 BIGIP: CVE-2019-13136 ImageMagick vulnerability 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2
814953-3 CVE-2020-5940 K43310520, BT814953 TMUI dashboard hardening 16.1.0, 16.0.1, 15.1.1, 14.1.2.5
805837-2 CVE-2019-6657 K22441651, BT805837 REST does not follow current design best practices 15.1.0, 15.0.1.1, 14.1.2.5, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.2
802261-2 CVE-2020-5875 K65372933, BT802261 TMM may crash while processing SSL traffic via an HTTP/2 full-proxy 15.1.0, 15.0.1.1, 14.1.2.5
794561-1 CVE-2020-5874 K46901953, BT794561 TMM may crash while processing JWT/OpenID traffic. 15.1.0, 15.0.1.3, 14.1.2.5, 14.0.1.1, 13.1.4.1
780601-2 CVE-2020-5873 K03585731, BT780601 SCP file transfer hardening 15.1.0, 15.0.1.1, 14.1.2.5, 13.1.3.2, 12.1.5.1, 11.6.5.1
769589-2 CVE-2019-6974 K11186236, BT769589 CVE-2019-6974: Linux Kernel Vulnerability 15.1.0, 14.1.2.5, 13.1.3.2
767373-1 CVE-2019-8331, CVE-2018-14040, CVE-2018-14041, CVE-2018-14042, CVE-2016-10735 K24383845, BT767373 CVE-2019-8331: Bootstrap Vulnerability 15.1.0, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.1
762453-2 CVE-2020-5872 K63558580, BT762453 Hardware cryptography acceleration may fail 15.0.0, 14.1.2.5, 14.0.1.1, 13.1.3.2, 12.1.5
745377-1 CVE-2020-5871 K43450419, BT745377 TMM cores in certain scenarios with HTTP virtual server 15.0.0, 14.1.2.5
739971 CVE-2018-5391 K74374841, BT739971 Linux kernel vulnerability: CVE-2018-5391 15.0.0, 14.1.2.5, 14.0.1.1, 13.1.3, 12.1.5, 11.6.5.1
873469-1 CVE-2020-5889 K24415506, BT873469 APM Portal Access: Base URL may be set to incorrectly 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
872673-3 CVE-2020-5918 K26464312, BT872673 TMM can crash when processing SCTP traffic 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2
868349-3 CVE-2020-5935 K62830532, BT868349 TMM may crash while processing iRules with MQTT commands 16.0.0, 15.1.1, 14.1.2.5, 13.1.3.4
864109-3 CVE-2020-5889 K24415506, BT864109 APM Portal Access: Base URL may be set incorrectly 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
859089-5 CVE-2020-5907 K00091341, BT859089 TMSH allows SFTP utility access 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3, 11.6.5.2
858349-1 CVE-2020-5934 K44808538, BT858349 TMM may crash while processing SAML SLO traffic 16.0.0, 15.1.1, 14.1.2.5
858025-3 CVE-2021-22984 K33440533, BT858025 BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2
848405-4 CVE-2020-5933 K26244025, BT848405 TMM may consume excessive resources while processing compressed HTTP traffic 16.0.0, 15.1.1, 14.1.2.5, 13.1.3.5, 12.1.5.2, 11.6.5.2
838881-3 CVE-2020-5853 K73183618, BT838881 APM Portal Access Vulnerability: CVE-2020-5853 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 12.1.5.2, 11.6.5.2
837837-3 CVE-2020-5917 K43404629, BT837837 F5 SSH server key size vulnerability CVE-2020-5917 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 12.1.5.2
832021-1 CVE-2020-5888 K73274382, BT832021 Port lockdown settings may not be enforced as configured 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
832017-1 CVE-2020-5887 K10251014, BT832017 Port lockdown settings may not be enforced as configured 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
829121-3 CVE-2020-5886 K65720640, BT829121 State mirroring default does not require TLS 16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3.4, 12.1.5.2
829117-3 CVE-2020-5885 K17663061, BT829117 State mirroring default does not require TLS 16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3.4, 12.1.5.2
811789-2 CVE-2020-5915 K57214921, BT811789 Device trust UI hardening 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3, 11.6.5.2
810537-2 CVE-2020-5883 K12234501, BT810537 TMM may consume excessive resources while processing iRules 15.1.0, 15.0.1.1, 14.1.2.5, 14.0.1.1, 13.1.3.2
805557-2 CVE-2020-5882 K43815022, BT805557 TMM may crash while processing crypto data 15.1.0, 14.1.2.5, 12.1.5.1
789921-2 CVE-2020-5881 K03386032, BT789921 TMM may restart while processing VLAN traffic 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4
775833-2 CVE-2020-5880 K94325657, BT775833 Administrative file transfer may lead to excessive resource consumption 15.1.0, 15.0.1.4, 14.1.2.5
887637-1 CVE-2019-3815 K22040951, BT887637 Systemd-journald Vulnerability: CVE-2019-3815 16.0.0, 15.1.1, 15.0.1.4, 14.1.2.5
868097-1 CVE-2020-5891 K58494243, BT868097 TMM may crash while processing HTTP/2 traffic 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
823893-2 CVE-2020-5890 K03318649, BT823893 Qkview may fail to completely sanitize LDAP bind credentials 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2
748122-1 CVE-2018-15333 K53620021, BT748122 BIG-IP Vulnerability CVE-2018-15333 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5
746091-1 CVE-2019-19151 K21711352, BT746091 TMSH Vulnerability: CVE-2019-19151 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3
760723-2 CVE-2015-4037 K64765350, BT760723 Qemu Vulnerability 16.0.0, 15.0.1.4, 14.1.2.5, 12.1.5.2


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
870389-1 3-Major BT870389 Increase size of /var logical volume to 1.5 GiB for LTM-only VE images 16.0.0, 15.1.0.2, 14.1.2.5
858229-3 3-Major K22493037, BT858229 XML with sensitive data gets to the ICAP server 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2
738330-3 3-Major BT738330 /mgmt/toc endpoint issue after configuring remote authentication 15.1.0, 15.0.1.4, 14.1.2.5, 13.1.3.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
819009-3 2-Critical BT819009 Dynamic routing daemon mribd crashes if 'mrib debug all' is enabled in high availability (HA) config with Floating Self IP configured for PIM protocol. 15.1.0, 14.1.2.5
792285-2 2-Critical BT792285 TMM crashes if the queuing message to all HSL pool members fails 15.1.0, 14.1.2.5, 13.1.3.4
777993-2 2-Critical BT777993 Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same 15.1.0, 14.1.2.5
775897-1 2-Critical BT775897 High Availability failover restarts tmipsecd when tmm connections are closed 15.1.0, 14.1.2.5, 13.1.5
769169-3 2-Critical BT769169 BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring 15.1.0, 14.1.2.5, 14.0.0.5, 13.1.3.6
767689-1 2-Critical BT767689 F5optics_install using different versions of RPM 15.0.0, 14.1.2.5
749388-3 2-Critical BT749388 'table delete' iRule command can cause TMM to crash 15.0.0, 14.1.2.5, 13.1.3.2, 12.1.5.2
748205-3 2-Critical BT748205 SSD bay identification incorrect for RAID drive replacement 15.0.0, 14.1.2.5, 13.1.3, 12.1.5
699515-2 2-Critical BT699515 nsm cores during update of nexthop for ECMP recursive route 15.0.0, 14.1.2.5, 13.1.1.5
882557-4 3-Major BT882557 TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher) 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.5, 13.1.3.4
873877 3-Major BT873877 Kernel page allocation failure seen on VIPRION blades 14.1.2.5
866925-3 3-Major BT866925 The TMM pages used and available can be viewed in the F5 system stats MIB 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4
852001-3 3-Major BT852001 High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
849405-1 3-Major BT849405 LTM v14.1.2.1 does not log after upgrade 16.0.0, 15.1.0.5, 14.1.2.5
842125-4 3-Major BT842125 Unable to reconnect outgoing SCTP connections that have previously aborted 16.0.0, 15.1.0.5, 14.1.2.5, 13.1.3.4
812981-4 3-Major BT812981 MCPD: memory leak on standby BIG-IP device 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.1
810957-2 3-Major BT810957 Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core 15.1.0, 15.0.1.4, 14.1.2.5, 12.1.5.3
802281-1 3-Major BT802281 Gossip shows active even when devices are missing 16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3.5
800185-4 3-Major BT800185 Saving a large encrypted UCS archive may fail and might trigger failover 15.1.0, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3
795685-2 3-Major BT795685 Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer 15.1.0, 14.1.2.5
772117-3 3-Major BT772117 Overwriting FIPS keys from the high availability (HA) peer with older config leads to abandoned key on FIPS card 15.1.0, 14.1.2.5
762073-2 3-Major BT762073 Continuous TMM restarts when HSB drops off the PCI bus 15.1.0, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2
759735-2 3-Major BT759735 OSPF ASE route calculation for new external-LSA delayed 15.1.0, 14.1.2.5, 13.1.3.2
759172-1 3-Major BT759172 Read Access Denied: user (gu, guest) type (Certificate Order Manager) 15.1.0, 14.1.2.5
758387-2 3-Major BT758387 BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it 15.1.0, 15.0.1.3, 14.1.2.5, 14.0.0.5
751573-1 3-Major BT751573 Updates to HSL pool members may not take effect 15.0.0, 14.1.2.5
749785-2 3-Major BT749785 nsm can become unresponsive when processing recursive routes 15.0.0, 14.1.2.5, 13.1.3, 12.1.5.3
749690-1 3-Major BT749690 MOS_Image2Disk_Installation- kjournald service error 15.0.0, 14.1.2.5
746861-1 3-Major BT746861 SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated 16.0.0, 15.1.4, 14.1.2.5
641450-7 3-Major K30053855, BT641450 A transaction that deletes and recreates a virtual may result in an invalid configuration 15.0.0, 14.1.2.5, 13.1.3.4, 12.1.5.1
755317-1 4-Minor BT755317 /var/log logical volume may run out of space due to agetty error message in /var/log/secure 16.0.0, 15.1.0.2, 14.1.2.5


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
715032-2 1-Blocking K73302459, BT715032 iRulesLX Hardening 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3
860881-1 2-Critical BT860881 TMM can crash when handling a compressed response from HTTP server 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
853329-4 2-Critical BT853329 HTTP explicit proxy can crash TMM when used with classification profile 15.0.1.3, 14.1.2.5, 13.1.3.4, 11.6.5.2
839401-3 2-Critical BT839401 Moving a virtual-address from one floating traffic-group to another does not send GARPs out. 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5
831325-2 2-Critical K10701310, BT831325 HTTP PSM detects more issues with Transfer-Encoding headers 15.1.0, 15.0.1.1, 14.1.2.5, 13.1.3.4, 12.1.5.2
799649-2 2-Critical BT799649 TMM crash 15.1.0, 14.1.2.5
757391-2 2-Critical BT757391 Datagroup iRule command class can lead to memory corruption 15.0.0, 14.1.2.5, 13.1.3, 12.1.5
755134-1 2-Critical BT755134 HTTP/2 connections may leak memory if server-side connection not established 15.0.0, 14.1.2.5
868889 3-Major BT868889 BIG-IP may reset a stream with an empty DATA frame as END_STREAM 14.1.2.5
853613-2 3-Major BT853613 Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
851789-3 3-Major BT851789 SSL monitors flap with client certs with private key stored in FIPS 16.0.0, 15.1.1, 14.1.2.5, 12.1.5.3
847325-1 3-Major BT847325 Changing a virtual server that uses a OneConnect profile can trigger incorrect persistence behavior. 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
843105-1 3-Major BT843105 Adding multicast stats for multicast bridging over L2 wire transparent VLAN-group (LACP STP LLDP) 16.0.0, 14.1.2.5
809729-2 3-Major BT809729 When HTTP/2 stream is reset by a client, BIG-IP may not respond properly 15.1.0, 15.0.1.1, 14.1.2.5
795261-2 3-Major BT795261 LTM policy does not properly evaluate condition when an operand is missing 15.1.0, 15.0.1.1, 14.1.2.5
788741-2 3-Major BT788741 TMM cores in the MQTT proxy under rare conditions 15.1.0, 14.1.2.5
777269-1 3-Major BT777269 Gratuitous ARP may be sent for self IPs from incorrect MAC address at startup 15.1.0, 14.1.2.5
770477-2 3-Major BT770477 SSL aborted when client_hello includes both renegotiation info extension and SCSV 15.1.0, 14.1.2.5, 13.1.3.2, 12.1.5.3
761030-2 3-Major BT761030 tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route 15.1.0, 14.1.2.5, 13.1.3.2
758631-4 3-Major BT758631 ec_point_formats extension might be included in the server hello even if not specified in the client hello 15.1.0, 14.1.2.5, 14.0.1.1, 13.1.3.5, 12.1.5
757827-1 3-Major BT757827 Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution 15.1.0, 15.0.1.3, 14.1.2.5, 13.1.3.2
755997-2 3-Major BT755997 Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address 15.0.0, 14.1.2.5, 12.1.5.3
755727-2 3-Major BT755727 Ephemeral pool members not created after DNS flap and address record changes 15.1.0, 15.0.1.3, 14.1.2.5, 13.1.3.2, 12.1.5.2
755213-1 3-Major BT755213 TMM cores in certain scenarios with HTTP/2 virtual server 15.0.0, 14.1.2.5
751052-1 3-Major BT751052 HTTP iRule event HTTP_REJECT broken 15.0.0, 14.1.2.5
746078-1 3-Major BT746078 Upgrades break existing iRulesLX workspaces that use node version 6 15.0.0, 14.1.2.5
745923-2 3-Major BT745923 Connection flow collision can cause packets to be sent with source and/or destination port 0 15.1.0, 15.0.1.4, 14.1.2.5, 13.1.3.5
743257-3 3-Major BT743257 Fix block size insecurity init and assign 15.0.0, 14.1.2.5, 14.0.0.5, 13.1.3.2
705112-4 3-Major BT705112 DHCP server flows are not re-established after expiration 16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3, 12.1.4.1, 11.5.9
636842-2 3-Major K51472519, BT636842 A FastL4 virtual server may drop a FIN packet when mirroring is enabled 15.1.0, 14.1.2.5, 13.1.3.2, 12.1.5.1
601189-4 3-Major BT601189 The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode 15.1.0, 14.1.2.5, 13.1.3.2, 12.1.5.1
599567-4 3-Major BT599567 APM assumes SNAT automap, does not use SNAT pool 15.0.0, 14.1.2.5, 14.0.1.1, 13.1.1.5, 12.1.5
859113-3 4-Minor BT859113 Using "reject" iRules command inside "after" may cause core 16.0.0, 15.1.0.2, 14.1.2.5
852373-2 4-Minor BT852373 HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error 16.0.0, 15.1.1, 15.0.1.4, 14.1.2.5
839245-1 4-Minor BT839245 IPother profile with SNAT sets egress TTL to 255 16.0.0, 15.1.0.2, 14.1.2.5
830833-2 4-Minor BT830833 HTTP PSM blocking resets should have better log messages 15.1.0, 15.0.1.1, 14.1.2.5, 13.1.4.1
760683-1 4-Minor BT760683 RST from non-floating self-ip may use floating self-ip source mac-address 15.1.0, 14.1.2.5, 13.1.3.2
757777-3 4-Minor BT757777 bigtcp does not issue a RST in all circumstances 15.1.0, 14.1.2.5, 13.1.5
746077-4 4-Minor BT746077 If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified 15.0.0, 14.1.2.5, 13.1.1.5, 12.1.5.3


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
807177-2 2-Critical BT807177 HTTPS monitoring is not caching SSL sessions correctly 15.1.0, 14.1.2.5, 13.1.3.4
704198-4 2-Critical K29403988, BT704198 Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance 15.1.0, 14.1.2.5, 13.1.3.4, 12.1.5.2
802961-2 3-Major BT802961 The 'any-available' prober selection is not as random as in earlier versions 15.1.0, 14.1.2.5, 13.1.3.4
772233-4 3-Major BT772233 IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV. 15.1.0, 15.0.1.3, 14.1.2.5, 13.1.3.2
754901-1 3-Major BT754901 Frequent zone update notifications may cause TMM to restart 15.0.0, 14.1.2.5, 13.1.3
750213-4 3-Major K25351434, BT750213 DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records. 15.0.0, 14.1.2.5, 13.1.3, 12.1.5
744280-2 4-Minor BT744280 Enabling or disabling a Distributed Application results in a small memory leak 15.1.0, 14.1.2.5, 14.0.0.5, 13.1.3.4


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
852437-1 2-Critical K25037027, BT852437 Overly aggressive file cleanup causes failed ASU installation 16.0.0, 15.1.0.2, 14.1.2.5
882377-1 3-Major BT882377 ASM Application Security Editor Role User can update/install ASU 16.0.0, 15.1.4.1, 14.1.2.5
871905-1 3-Major K02705117, BT871905 Incorrect masking of parameters in event log 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.5
854177-3 3-Major BT854177 ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality 16.0.0, 15.1.0.5, 14.1.2.5, 13.1.3.4, 12.1.5.1
850673-3 3-Major BT850673 BD sends bad ACKs to the bd_agent for configuration 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.1
681010-3 3-Major K33572148, BT681010 'Referer' is not masked when 'Query String' contains sensitive parameter 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
838709-1 2-Critical BT838709 Enabling DoS stats also enables page-load-time 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4
828937-3 2-Critical K45725467, BT828937 Some systems can experience periodic high IO wait due to AVR data aggregation 16.0.0, 15.1.0.5, 14.1.2.5, 13.1.3.4
870957-1 3-Major BT870957 "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4
863161-3 3-Major BT863161 Scheduled reports are sent via TLS even if configured as non encrypted 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4
835381-1 3-Major BT835381 HTTP custom analytics profile 'not found' when default profile is modified 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
830073-3 3-Major BT830073 AVRD may core when restarting due to data collection device connection timeout 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4
817649-2 3-Major BT817649 AVR statistics for NAT cannot be shown on multi-bladed machine 15.1.0, 15.0.1.3, 14.1.2.5
865053-1 4-Minor BT865053 AVRD core due to a try to load vip lookup when AVRD is down 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
863069-3 4-Minor BT863069 Avrmail timeout is too small 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
879401-3 2-Critical K90423190, BT879401 Memory corruption during APM SAML SSO 16.0.0, 15.1.3, 14.1.2.5
871761-4 2-Critical BT871761 Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4
788593-2 2-Critical K43404365, BT788593 APM logs may contain additional data 15.1.0, 15.0.1.3, 14.1.2.5
884797-2 3-Major BT884797 Portal Access: in some cases data is not delivered via WebSocket connection 16.0.0, 15.1.0.5, 14.1.2.5
866685-3 3-Major BT866685 Empty HSTS headers when HSTS mode for HTTP profile is disabled 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
866161-3 3-Major BT866161 Client port reuse causes RST when the security service attempts server connection reuse. 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
852313-2 3-Major BT852313 VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
832569-2 3-Major BT832569 APM end-user connection reset 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
831781-5 3-Major BT831781 AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
798261-2 3-Major BT798261 APMD fails to create session variables if spanning is enabled on SWG transparent virtual server 15.1.0, 15.0.1.3, 14.1.2.5, 13.1.3.2
771905-2 3-Major BT771905 JWT token rejected due to unknown JOSE header parameters 15.1.0, 14.1.2.5
768025-4 3-Major BT768025 SAML requests/responses fail with "failed to find certificate" 15.1.0, 15.0.1.3, 14.1.2.5, 13.1.3.2
749036-2 3-Major BT749036 Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM 15.0.0, 14.1.2.5
747725-3 3-Major BT747725 Kerberos Auth agent may override settings that were manually made to krb5.conf 15.0.0, 14.1.2.5, 13.1.3, 12.1.4.1
747624-2 3-Major BT747624 RADIUS Authentication over RSA SecureID is not working in challenge mode 15.0.0, 14.1.2.5


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
811105-1 2-Critical BT811105 MRF SIP-ALG drops SIP 183 and 200 OK messages 15.1.0, 15.0.1.4, 14.1.2.5, 13.1.3.4
781725-2 2-Critical BT781725 BIG-IP systems might not complete a short ICAP request with a body beyond the preview 15.1.0, 14.1.2.5
882273 3-Major BT882273 MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage grow 14.1.2.5, 13.1.3.4
876077-3 3-Major BT876077 MRF DIAMETER: stale pending retransmission entries may not be cleaned up 16.1.0, 15.1.0.5, 15.0.1.4, 14.1.2.5
868381-3 3-Major BT868381 MRF DIAMETER: Retransmission queue unable to delete stale entries 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5
866021-3 3-Major BT866021 Diameter Mirror connection lost on the standby due to "process ingress error" 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2
853545-3 3-Major BT853545 MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event 16.0.0, 15.1.0.2, 14.1.2.5
824149-3 3-Major BT824149 SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4
815877-1 3-Major BT815877 Information Elements with zero-length value are rejected by the GTP parser 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.5, 12.1.5.2, 11.6.5.3
811033-2 3-Major BT811033 MRF: BiDirectional persistence does not work in reverse direction if different transport protocols are used 15.1.0, 14.1.2.5, 13.1.3.4
788093 3-Major BT788093 MRF iRule command MR::restore with no argument causes tmm to crash 14.1.2.5
859721-3 4-Minor BT859721 Using GENERICMESSAGE create together with reject inside periodic after may cause core 16.0.0, 15.1.0.2, 14.1.2.5
836357-3 4-Minor BT836357 SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2
788005-2 4-Minor BT788005 Bypass MRF SIP LB restriction of conversion from reliable transport (TCP) to unreliable transport (UDP) 15.1.0, 14.1.2.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
778869-3 2-Critical K72423000, BT778869 ACLs and other AFM features (e.g., IPI) may not function as designed 15.1.0, 14.1.2.5, 14.0.1.1, 13.1.3.2
751292-1 2-Critical BT751292 mcpd core after changing parent netflow to use version9 15.0.0, 14.1.2.5
852289-2 3-Major K23278332, BT852289 DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector 16.0.0, 15.1.1, 14.1.2.5, 13.1.3.4
771173-3 3-Major BT771173 FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly. 15.1.0, 15.0.1.3, 14.1.2.5, 13.1.3


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
857725 3-Major BT857725 Anti-Fraud/DataSafe Logging Settings page not found 14.1.2.5


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
761199-1 2-Critical BT761199 Wr_urldbd might crash while system is in a restarting loop. 15.0.0, 14.1.2.5
816529-2 3-Major BT816529 If wr_urldbd is restarted while queries are being run against Custom DB then further lookups can not be made after wr_urldbd comes back up from restart. 15.1.0, 14.1.2.5, 12.1.5.2


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
839597-4 3-Major BT839597 Restjavad fails to start if provision.extramb has a large value 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4
815649-1 3-Major BT815649 Named.config entry getting overwritten on SSL Orchestrator deployment 15.1.0, 15.0.1.3, 14.1.2.5


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
852557-1 2-Critical BT852557 Tmm core while using service chaining for SSL Orchestrator 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
759191-1 2-Critical BT759191 While using explicit or transparent http type service on SSL Orchestrator, TMM cores. 15.0.0, 14.1.2.5
864329-1 3-Major BT864329 Client port reuse causes RST when the backend server-side connection is open 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
852481-1 3-Major BT852481 Failure to check virtual-server context when closing server-side connection 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
852477-1 3-Major BT852477 Tmm core when SSL Orchestrator is enabled 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5
886713-3 4-Minor BT886713 Error log seen in case of SSL Orchestrator configured with http service during connection close. 16.0.0, 15.1.0.5, 14.1.2.5



Cumulative fixes from BIG-IP v14.1.2.4 that are included in this release


Functional Change Fixes

None


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
867413-2 2-Critical BT867413 The allow-only-in-enterprise LAN feature on Mac OS not working after reboot 14.1.2.4
653210-2 3-Major BT653210 Rare resets during the login process 16.0.0, 14.1.2.4, 13.1.3.2



Cumulative fixes from BIG-IP v14.1.2.3 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
849761-1 CVE-2019-6675 K55655944, BT849761 CVE-2019-6675: LDAP vulnerability 15.1.0, 14.1.2.3
846365-3 CVE-2020-5878 K35750231, BT846365 TMM may crash while processing IP traffic 16.0.0, 15.1.0.2, 15.0.1.2, 14.1.2.3
818709-2 CVE-2020-5858 K36814487, BT818709 TMSH does not follow current best practices 15.1.0, 15.0.1.4, 14.1.2.3, 13.1.3.4, 12.1.5.1, 11.6.5.2
818429-4 CVE-2020-5857 K70275209, BT818429 TMM may crash while processing HTTP traffic 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.2, 12.1.5.1
808301-2 CVE-2019-6678 K04897373, BT808301 TMM may crash while processing IP traffic 15.1.0, 15.0.1.1, 14.1.2.3, 14.0.1.1, 13.1.3.2
757357-3 CVE-2019-6676 K92002212, BT757357 TMM may crash while processing traffic 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.2
782529-2 CVE-2019-6685 K30215839, BT782529 iRules does not follow current design best practices 15.1.0, 15.0.1.3, 14.1.2.3, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.2
761144-4 CVE-2019-6684 K95117754, BT761144 Broadcast frames may be dropped 15.1.0, 15.0.1.3, 14.1.2.3, 13.1.3.2, 12.1.5.1, 11.6.5.2
761112-3 CVE-2019-6683 K76328112, BT761112 TMM may consume excessive resources when processing FastL4 traffic 15.1.0, 15.0.1.4, 14.1.2.3, 14.0.1.1, 13.1.3.4, 12.1.5.1, 11.6.5.2
725551-2 CVE-2019-6682 K40452417, BT725551 ASM may consume excessive resources 15.1.0, 15.0.1.4, 14.1.2.3, 13.1.3.2, 12.1.5.1, 11.6.5.2
846157-3 CVE-2020-5862 K01054113, BT846157 TMM may crash while processing traffic on AWS 16.0.0, 15.1.0.2, 15.0.1.2, 14.1.2.3
817917-1 CVE-2020-5856 K00025388, BT817917 TMM may crash when sending TCP packets 15.1.0, 15.0.1.2, 14.1.2.3
789893-2 CVE-2019-6679 K54336216, BT789893 SCP file transfer hardening 15.1.0, 15.0.1.1, 14.1.2.3, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.1
749324-1 CVE-2012-6708 K62532311, BT749324 jQuery Vulnerability: CVE-2012-6708 15.0.0, 14.1.2.3, 13.1.3.2, 12.1.5.2
738236-7 CVE-2019-6688 K25607522, BT738236 UCS does not follow current best practices 15.1.0, 15.0.1.3, 14.1.2.3, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
819397-1 1-Blocking K50375550, BT819397 TMM does not enforce RFC compliance when processing HTTP traffic 15.0.1.1, 14.1.2.3, 13.1.3.4, 12.1.5.1
769193-5 3-Major BT769193 Added support for faster congestion window increase in slow-start for stretch ACKs 15.1.0, 15.0.1.3, 14.1.2.3, 13.1.3.2, 12.1.5.1
760234-1 4-Minor BT760234 Configuring Advanced shell for Resource Administrator User has no effect 15.1.0, 15.0.1.4, 14.1.2.3, 12.1.5.3


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
806093-1 2-Critical BT806093 Unwanted LDAP referrals slow or prevent administrative login 15.1.0, 15.0.1.1, 14.1.2.3
789169-2 2-Critical BT789169 Unable to create virtual servers with port-lists from the GUI 15.1.0, 15.0.1.4, 14.1.2.3
780817-5 2-Critical BT780817 TMM can crash on certain vCMP hosts after modifications to VLANs and guests. 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.4, 12.1.5.3
762385 2-Critical BT762385 Wrong remote-role assigned using LDAP authentication after upgrade to 14.1.x and later 15.1.0, 14.1.2.3
762205-2 2-Critical BT762205 IKEv2 rekey fails to recognize VENDOR_ID payload when it appears 15.1.0, 15.0.1.4, 14.1.2.3, 13.1.3.4
809205 3-Major   CVE-2019-3855: libssh2 Vulnerability 16.0.1.2, 15.1.3, 15.0.1.1, 14.1.2.3, 13.1.3.2, 12.1.5.1
794501-2 3-Major BT794501 Duplicate if_indexes and OIDs between interfaces and tunnels 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.2, 12.1.5.3
785741-1 3-Major K19131357, BT785741 Unable to login using LDAP with 'user-template' configuration 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.3
778125-1 3-Major BT778125 LDAP remote authentication passwords are limited to fewer than 64 bytes 15.1.0, 15.0.1.4, 14.1.2.3
760439-4 3-Major BT760439 After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.4, 12.1.5.3
760259-3 3-Major BT760259 Qkview silently fails to capture qkviews from other blades 15.1.0, 14.1.2.3
759654-1 3-Major BT759654 LDAP remote authentication with remote roles and user-template failing 15.1.0, 15.0.1.4, 14.1.2.3
759499-2 3-Major BT759499 Upgrade from version 12.1.x to version 13.1.x and later failing with error 15.1.0, 15.0.1.1, 14.1.2.3
758781-3 3-Major BT758781 iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.2
758527-2 3-Major K39604784, BT758527 BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode 15.1.0, 15.0.1.3, 14.1.2.3, 14.0.0.5, 13.1.3.2, 12.1.5, 11.6.5.1
757519-1 3-Major K92525101, BT757519 Unable to logon using LDAP authentication with a user-template 15.1.0, 15.0.1.4, 14.1.2.3
756450-1 3-Major BT756450 Traffic using route entry that's more specific than existing blackhole route can cause core 15.0.0, 14.1.2.3, 13.1.3, 12.1.5, 11.6.5.1
754691-1 3-Major BT754691 During failover, an OSPF routing daemon may crash. 15.1.0, 15.0.1.4, 14.1.2.3
750318-3 3-Major BT750318 HTTPS monitor does not appear to be using cert from server-ssl profile 15.0.0, 14.1.2.3, 13.1.1.5
746266-3 3-Major BT746266 A vCMP guest VLAN MAC mismatch across blades. 15.0.0, 14.1.2.3, 13.1.3, 12.1.5
738943-3 3-Major BT738943 imish command hangs when ospfd is enabled 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.4, 12.1.5.3
705037-7 3-Major K32332000, BT705037 System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart 14.1.2.3, 14.1.0, 14.0.1.1, 13.1.3, 12.1.4


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
816273-2 1-Blocking BT816273 L7 Policies may execute CONTAINS operands incorrectly. 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.4
826601-5 2-Critical BT826601 Prevent receive window shrinkage for looped flows that use a SYN cookie 15.1.0, 15.0.1.3, 14.1.2.3, 13.1.3.4, 12.1.5.1, 11.6.5.2
817417-1 2-Critical BT817417 Blade software installation stalled at Waiting for product image 15.1.0, 15.0.1.4, 14.1.2.3
816625-1 2-Critical BT816625 The TMM may crash in a rare scenario involving HTTP unchunking, and plugins. 15.1.0, 15.0.1.1, 14.1.2.3
800369-2 2-Critical BT800369 The fix for ID 770797 may cause a TMM crash 15.1.0, 15.0.1.1, 14.1.2.3
800305-2 2-Critical BT800305 VDI::cmp_redirect generates flow with random client port 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.2
791057-1 2-Critical BT791057 MCP may crash when traffic matching criteria is updated 15.1.0, 15.0.1.3, 14.1.2.3
770797-1 2-Critical BT770797 HTTP2 streams may get stuck in rare situations 15.0.0, 14.1.2.3
836661 3-Major BT836661 Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet. 16.0.0, 15.1.0.2, 14.1.2.3
834373-3 3-Major BT834373 Possible handshake failure with TLS 1.3 early data 16.0.0, 15.0.1.1, 14.1.2.3
830797-2 3-Major BT830797 Standby high availability (HA) device passes traffic through virtual wire 16.0.0, 15.1.1, 15.0.1.1, 14.1.2.3
815449-2 3-Major BT815449 BIG-IP closes connection when an unsized response is served to a HEAD request 15.1.0, 15.0.1.1, 14.1.2.3
814761-2 3-Major BT814761 PostgreSQL monitor fails on second ping with count != 1 15.1.0, 15.0.1.3, 14.1.2.3, 13.1.3.6, 12.1.5.3
797977-1 3-Major BT797977 Self-IP traffic does not preserve the TTL from the Linux host 15.1.0, 15.0.1.4, 14.1.2.3
789365-1 3-Major BT789365 pkcs11d CPU usage increases after running nethsm self validation test 14.1.2.3
772545-3 3-Major BT772545 Tmm core in SSLO environment 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.6
765517-1 3-Major BT765517 Traffic Match Criteria validation fails when create Virtual server with address list with overlapping address space but a different ingress VLAN 15.1.0, 15.0.1.4, 14.1.2.3
761185-2 3-Major K50375550, BT761185 Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.4, 12.1.5.1
760771-1 3-Major BT760771 FastL4-steered traffic might cause SSL resume handshake delay 15.0.0, 14.1.2.3, 13.1.3
758992-2 3-Major BT758992 The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address 15.1.0, 15.0.1.3, 14.1.2.3, 13.1.3.2
758872-3 3-Major BT758872 TMM memory leak 15.0.0, 14.1.2.3, 13.1.3.4, 12.1.5
758655-1 3-Major BT758655 TMC does not allow inline addresses with non-zero Route-domain. 15.1.0, 14.1.2.3
753514-3 3-Major BT753514 Large configurations containing LTM Policies load slowly 15.0.0, 14.1.2.3, 14.0.1.1, 13.1.3
749689-2 3-Major BT749689 HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart 15.0.0, 14.1.2.3, 13.1.1.5
726176-2 3-Major BT726176 Platforms using RSS hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.2
712919-2 3-Major K54802336, BT712919 Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server. 15.0.0, 14.1.2.3, 14.0.1.1, 13.1.3
687887-3 3-Major BT687887 Unexpected result from multiple changes to a monitor-related object in a single transaction 15.0.0, 14.1.2.3, 13.1.3.2, 12.1.5.3
824365-3 4-Minor BT824365 Need informative messages for HTTP iRule runtime validation errors 16.0.0, 15.1.0.2, 15.0.1.1, 14.1.2.3, 13.1.3.6
806085-2 4-Minor BT806085 In-TMM MQTT monitor is not working as expected 15.1.0, 15.0.1.1, 14.1.2.3
791337-1 4-Minor BT791337 Traffic matching criteria fails when using shared port-list with virtual servers 15.1.0, 14.1.2.3
769309-2 4-Minor BT769309 DB monitor reconnects to server on every probe when count = 0 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.2, 12.1.5.3
754003-3 4-Minor K73202036, BT754003 Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate 15.1.0, 15.0.1.3, 14.1.2.3, 13.1.3.2
747628-1 4-Minor BT747628 BIG-IP sends spurious ICMP PMTU message to server 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.2
744210-2 4-Minor BT744210 DHCPv6 does not have the ability to override the hop limit from the client. 15.0.0, 14.1.2.3, 13.1.3.2


Performance Fixes

ID Number Severity Links to More Info Description Fixed Versions
776133-1 2-Critical BT776133 RSS hash is not used on VE resulting in performance impact on non-SR-IOV devices 15.0.0, 14.1.2.3


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
761032-2 3-Major K36328238, BT761032 TMSH displays TSIG keys 15.1.0, 14.1.2.3, 14.0.1.1, 13.1.3.2
760471-3 3-Major BT760471 GTM iQuery connections may be reset during SSL key renegotiation. 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.3, 13.1.3.5, 12.1.5.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
813945-3 2-Critical BT813945 PB core dump while processing many entities 15.1.0, 14.1.2.3, 13.1.3.2
813389-1 2-Critical BT813389 TMM Crashes upon failure in Bot Defense Client-Side code 15.1.0, 14.1.2.3
791669 2-Critical BT791669 TMM might crash when Bot Defense is configured for multiple domains 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.2.3
790349-2 2-Critical BT790349 merged crash with a core file 15.1.0, 14.1.2.3
756108-1 2-Critical BT756108 BD crash on specific cases 15.0.0, 14.1.2.3
754109-1 2-Critical BT754109 ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive 15.0.0, 14.1.2.3, 13.1.3.4
832857 3-Major BT832857 Support ID on AJAX CAPTCHA popup (SPA) does not match the Support ID in log 14.1.2.3
832205 3-Major BT832205 ASU cannot be completed after Signature Systems database corruption following binary Policy import 14.1.2.3, 12.1.5.1
831661-2 3-Major BT831661 ASMConfig Handler undergoes frequent restarts 15.1.0, 14.1.2.3, 12.1.5.1
824101-1 3-Major BT824101 Request Log export file is not visible for requests including binary data 15.1.0, 14.1.2.3
824037-2 3-Major BT824037 Bot Defense whitelists do not apply for IP 'Any' when using route domains 15.1.0, 14.1.2.3
812341-2 3-Major BT812341 Patch or Delete commands take a long time to complete when modifying an ASM signature set. 15.1.0, 14.1.2.3, 13.1.3.2
805353-1 3-Major BT805353 ASM reporting for WebSocket frames has empty username field 15.1.0, 14.1.2.3
800453-3 3-Major K72252057, BT800453 False positive virus violations 15.1.0, 15.0.1.3, 14.1.2.3, 13.1.3.2
793017-1 3-Major BT793017 Files left behind by failed Attack Signature updates are not cleaned 16.0.0, 15.1.0.2, 14.1.2.3
786913-2 3-Major BT786913 Upgrade failure from 13.0.x or earlier when using LTM Policies with DOSL7 15.1.0, 14.1.2.3
783513-2 3-Major BT783513 ASU is very slow on device with hundreds of policies due to logging profile handling 15.1.0, 14.1.2.3, 13.1.3.2
781021-2 3-Major BT781021 ASM modifies cookie header causing it to be non-compliant with RFC6265 15.1.0, 14.1.2.3
778681-2 3-Major BT778681 Factory-included Bot Signature update file cannot be installed without subscription 15.1.0, 15.0.1.1, 14.1.2.3
754841-1 3-Major BT754841 Policy updates stall and never complete 15.0.0, 14.1.2.3
754425-1 3-Major BT754425 Exported requests cannot be opened in Internet Explorer or Edge browser 15.0.0, 14.1.2.3
739618-2 3-Major BT739618 When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy 15.1.0.2, 14.1.2.3, 14.1.0, 13.1.3.2
734228 3-Major BT734228 False-positive illegal-length violation can appear 14.1.2.3, 14.0.1.1, 13.1.1.4
795769-3 4-Minor BT795769 Incorrect value of Systems in system-supplied signature sets 15.1.0, 15.0.1.1, 14.1.2.3
789817-1 4-Minor BT789817 In rare conditions info fly-out not shown 15.1.0, 15.0.1.4, 14.1.2.3
760462-1 4-Minor BT760462 Live update notification is shown only for provisioned/licensed modules 15.1.0, 14.1.2.3
758459-1 4-Minor BT758459 Cross origin AJAX requests are blocked by Cross-Origin Resource Sharing (CORS) protection 15.0.0, 14.1.2.3
620301-1 4-Minor BT620301 Policy import fails due to missing signature System in associated Signature Set 15.0.0, 14.1.2.3, 12.1.5.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
781581-3 3-Major BT781581 Monpd uses excessive memory on requests for network_log data 15.1.0, 15.0.1.3, 14.1.2.3, 13.1.3.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
757782-1 2-Critical BT757782 OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default 15.0.0, 14.1.2.3, 14.0.1.1
825805-1 3-Major BT825805 NTLM Auth may fail due to incorrect handling of EPM response 15.1.0, 15.0.1.3, 14.1.2.3
766577-2 3-Major BT766577 APMD fails to send response to client and it already closed connection. 15.1.0, 15.0.1.1, 14.1.2.3, 14.0.1.1, 13.1.3.2, 12.1.5
756363-1 3-Major BT756363 SSLO or SWG connections using proxy chaining to Explicit Proxy can get reset 15.0.0, 14.1.2.3
741222-2 3-Major BT741222 Install epsec1.0.0 into software partition. 15.1.0, 15.0.1.3, 14.1.2.3
643935-4 3-Major BT643935 Rewriting may cause an infinite loop while processing some objects 15.0.0, 14.1.2.3, 14.0.1.1, 13.1.3.2


WebAccelerator Fixes

ID Number Severity Links to More Info Description Fixed Versions
833213-3 3-Major BT833213 Conditional requests are served incorrectly with AAM policy in webacceleration profile 15.1.3, 15.0.1.3, 14.1.2.3, 13.1.3.4


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
802865-1 3-Major BT802865 The iControl REST query request returning empty list for DoS Protected Objects 15.1.0, 14.1.2.3
761345-3 3-Major BT761345 Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode 15.1.0, 14.1.2.3, 13.1.3.2
738284-2 3-Major BT738284 Creating or deleting rule list results in warning message: Schema object encode failed 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.2


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
821133-2 3-Major BT821133 Wrong wildcard URL matching when none of the configured URLS include QS 15.1.0, 15.0.1.1, 14.1.2.3, 14.0.1.1


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
748813-3 2-Critical BT748813 tmm cores under stress test on virtual server with DoS profile with admd enabled 15.0.0, 14.1.2.3, 14.0.0.5, 13.1.1.4
767045-2 3-Major BT767045 TMM cores while applying policy 15.1.0, 14.1.2.3, 13.1.3.2


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
787845 4-Minor BT787845 Tmsh command 'show running-config' fails when Protocol Inspection is not licensed. 14.1.2.3


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
777241-2 3-Major BT777241 smtps partial_conncount issues and unexpected resets 15.1.0, 14.1.2.3



Cumulative fixes from BIG-IP v14.1.2.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
741163-3 CVE-2018-3693 K54252492, BT741163 RHEL7: Kernel CVE-2018-3693 15.0.0, 14.1.2.2
740755-6 CVE-2018-3620 K95275140, BT740755 Kernel vulnerability: CVE-2018-3620 15.0.0, 14.1.2.2
721319-1 CVE-2018-3639 K29146534, BT721319 CVE-2018-3639 15.0.0, 14.1.2.2


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
815689-3 3-Major BT815689 Azure walinuxagent has been updated to v2.2.42. 14.1.2.2
760574 3-Major BT760574 Updating BIG-IP 14.1.x Linux kernel to RHEL7.5 14.1.2.2
760468 3-Major BT760468 Route domains cause diskmonitor errors in logs 14.1.2.2



Cumulative fixes from BIG-IP v14.1.2.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
795437-4 CVE-2019-6677 K06747393, BT795437 Improve handling of TCP traffic for iRules 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1
795197-1 CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 K26618426, BT795197 Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.1
781377-2 CVE-2019-6681 K93417064, BT781377 tmrouted may crash while processing Multicast Forwarding Cache messages 15.1.0, 15.0.1.4, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1
778077-3 CVE-2019-6680 K53183580, BT778077 Virtual to virtual chain can cause TMM to crash 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.4, 12.1.5.1, 11.6.5.1
771873-5 CVE-2019-6642 K40378764, BT771873 TMSH Hardening 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3, 12.1.5, 11.6.5.1
767653-1 CVE-2019-6660 K23860356, BT767653 Malformed HTTP request can result in endless loop in an iRule script 15.0.0, 14.1.2.1, 14.0.1.1, 13.1.3
636400-3 CVE-2019-6665 K26462555, BT636400 CPB (BIG-IP->BIGIQ log node) Hardening 15.1.0.2, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2
810657-2 CVE-2019-6674 K21135478, BT810657 Tmm core while using service chaining for SSLO 15.1.0, 15.0.1.1, 14.1.2.1
809165-2 CVE-2020-5854 K50046200, BT809165 TMM may crash while processing connector traffic 15.1.0, 15.0.1.4, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.2
808525-2 CVE-2019-6686 K55812535, BT808525 TMM may crash while processing Diameter traffic 15.1.0, 15.0.1.4, 14.1.2.1, 14.0.1.1, 13.1.3.2
795797-2 CVE-2019-6658 K21121741, BT795797 AFM WebUI Hardening 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2, 12.1.5.1
788773-2 CVE-2019-9515 K50233772, BT788773 HTTP/2 Vulnerability: CVE-2019-9515 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.1
788769-2 CVE-2019-9514 K01988340, BT788769 HTTP/2 Vulnerability: CVE-2019-9514 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.1
788033 CVE-2020-5851 K91171450, BT788033 tpm-status may return "Invalid" after engineering hotfix installation 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1
781449-2 CVE-2019-6672 K14703097, BT781449 Increase efficiency of sPVA DoS protection on wildcard virtual servers 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2
777737-3 CVE-2019-6671 K39225055, BT777737 TMM may consume excessive resources when processing IP traffic 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2
773673-2 CVE-2019-9512 K98053339, BT773673 HTTP/2 Vulnerability: CVE-2019-9512 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.1
768981-2 CVE-2019-6670 K05765031, BT768981 VCMP Hypervisor Hardening 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.1
761160-2 CVE-2019-1559 K18549143, BT761160 OpenSSL vulnerability: CVE-2019-1559 15.1.0, 15.0.1.1, 14.1.2.1
761014-2 CVE-2019-6669 K11447758, BT761014 TMM may crash while processing local traffic 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1
758018-5 CVE-2019-6661 K61705126, BT758018 APD/APMD may consume excessive resources 15.1.0, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5, 11.6.5.1
756458-3 CVE-2018-18559 K28241423, BT756458 Linux kernel vulnerability: CVE-2018-18559 15.1.0, 15.0.1.4, 14.1.2.1, 13.1.3.4
756218-1 CVE-2019-6654 K45644893, BT756218 Improve default management port firewall 15.0.0, 14.1.2.1
751152-1 CVE-2018-5407 K49711130, BT751152 OpenSSL Vulnerability: CVE-2018-5407 15.0.0, 14.1.2.1
751143-1 CVE-2018-5407 K49711130, BT751143 OpenSSL Vulnerability: CVE-2018-5407 15.0.0, 14.1.2.1
745103-6 CVE-2018-7159 K27228191, BT745103 NodeJS Vulnerability: CVE-2018-7159 15.1.0, 15.0.1.3, 14.1.2.1, 13.1.3.4
798249-2 CVE-2019-6673 K81557381, BT798249 TMM may crash while processing HTTP/2 requests 15.1.0, 15.0.1.1, 14.1.2.1
779177-2 CVE-2019-19150 K37890841, BT779177 Apmd logs "client-session-id" when access-policy debug log level is enabled 15.1.0, 15.0.1.3, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.2
759536-2 CVE-2019-8912 K31739796, BT759536 Linux kernel vulnerability: CVE-2019-8912 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.4
757617-1 CVE-2018-16864, CVE-2018-16865 K06044762, BT757617 Systemd vulnerabilities: CVE-2018-16864, CVE-2018-16865 15.1.0, 15.0.1.4, 14.1.2.1
747592-1 CVE-2018-17082 K89095152, BT747592 PHP vulnerability CVE-2018-17082 15.0.0, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5, 11.6.5.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
759135-2 3-Major BT759135 AVR report limits are locked at 1000 transactions 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2
714292-3 3-Major BT714292 Transparent forwarding mode across multiple VLAN groups or virtual-wire 14.1.2.1
788269-3 4-Minor BT788269 Adding toggle to disable AVR widgets on device-groups 15.1.0, 15.0.1.3, 14.1.2.1, 14.0.1.1, 13.1.3.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
793045-2 2-Critical BT793045 File descriptor leak in net-snmpd while reading /shared/db/cluster.conf 15.1.0, 15.0.1.1, 14.1.2.1
770953 2-Critical BT770953 'smbclient' executable does not work 15.1.0, 14.1.2.1
767877-3 2-Critical BT767877 TMM core with Bandwidth Control on flows egressing on a VLAN group 15.1.0, 15.0.1.1, 14.1.2.1
765533-2 2-Critical K58243048, BT765533 Sensitive information logged when DEBUG logging enabled 15.0.0, 14.1.2.1, 13.1.3.2, 12.1.5.1, 11.6.5.2
760475-1 2-Critical BT760475 Apache spawns more processes than the configured limit, causing system low memory condition 15.0.0, 14.1.2.1
755575-1 2-Critical BT755575 In MOS, the 'image2disk' utility with the '-format' option does not function properly 15.0.0, 14.1.2.1
726240-1 2-Critical BT726240 'Cannot find disk information' message when running Configuration Utility 15.1.0, 14.1.2.1
788557-5 3-Major BT788557 BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2, 11.6.5.2
788301-5 3-Major K58243048, BT788301 SNMPv3 Hardening 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5, 11.6.5.1
777261-4 3-Major BT777261 When SNMP cannot locate a file it logs messages repeatedly 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5, 11.6.5.1
766873 3-Major BT766873 Omission of lower-layer types from sFlow packet samples 15.0.0, 14.1.2.1
761993-2 3-Major BT761993 The nsm process may crash if it detects a nexthop mismatch 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2
761933-1 3-Major BT761933 Reboot with 'tmsh reboot' does not log message in /var/log/audit 15.0.0, 14.1.2.1
760998-1 3-Major BT760998 F5.ip_forwarding iAPP fails to deploy 15.0.0, 14.1.2.1
759814-1 3-Major BT759814 Unable to view iApp component view 15.0.0, 14.1.2.1
758119-6 3-Major K58243048, BT758119 qkview may contain sensitive information 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5, 11.6.5.1
724109-2 3-Major BT724109 Manual config-sync fails after pool with FQDN pool members is deleted 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2, 12.1.5.3
680917-5 3-Major BT680917 Invalid monitor rule instance identifier 15.0.0, 14.1.2.1, 13.1.3.2, 12.1.5.3
648621-6 3-Major BT648621 SCTP: Multihome connections may not expire 15.1.0, 15.0.1.4, 14.1.2.1, 13.1.3.4, 12.1.5.2, 11.6.5.3
776073-1 4-Minor BT776073 OOM killer killing tmm in system low memory condition as process OOM score is high 15.1.0, 15.0.1.1, 14.1.2.1
760680-1 4-Minor K36350541, BT760680 TMSH may utilize 100% CPU (single core's worth) when set to be a process group leader and SSH session is closed. 15.1.0, 15.0.1.1, 14.1.2.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
759968-3 1-Blocking BT759968 Distinct vCMP guests are able to cluster with each other. 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3, 12.1.5
803845-2 2-Critical BT803845 When in HA, the Standby device is forwarding traffic causing a loop and subsequent network shutdown 15.1.0, 14.1.2.1
787825-2 2-Critical K58243048, BT787825 Database monitors debug logs have sensitive information printed in the log file 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.1
774913-1 2-Critical BT774913 IP-based bypass can fail if SSL ClientHello is not accepted 15.1.0, 15.0.1.3, 14.1.2.1
760078-1 2-Critical BT760078 Incorrect source MAC used when the BIG-IP in L2 transparent mode generates a TCP RST packet. 15.0.0, 14.1.2.1
758714-1 2-Critical BT758714 Virtual wire on a BIG-IP does not pass traffic when configured over two terminating link aggregation/trunk ports. 15.0.0, 14.1.2.1
757578-2 2-Critical BT757578 RAM cache is not compatible with verify-accept 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.4, 12.1.5.2
757441-4 2-Critical BT757441 Specific sequence of packets causes Fast Open to be effectively disabled 15.0.0, 14.1.2.1, 14.0.1.1, 13.1.3
755585-1 2-Critical BT755585 mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction 15.0.0, 14.1.2.1, 13.1.3
747858-2 2-Critical BT747858 OSPF packets are duplicated in the BIG-IP in L2 transparent mode using virtual wires 15.0.0, 14.1.2.1
746710-1 2-Critical BT746710 Use of HTTP::cookie after HTTP::disable causes TMM core 15.0.0, 14.1.2.1, 13.1.3
737985-2 2-Critical BT737985 BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode. 15.0.0, 14.1.2.1
734551-3 2-Critical BT734551 L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server 15.0.0, 14.1.2.1
801497-2 3-Major BT801497 Virtual wire with LACP pinning to one link in trunk. 16.0.0, 15.1.1, 14.1.2.1
798105-1 3-Major BT798105 Node Connection Limit Not Honored 15.1.0, 15.0.1.4, 14.1.2.1
794581 3-Major BT794581 Transfer might stall for an object served from WAM cache 14.1.2.1
788325-2 3-Major K39794285, BT788325 Header continuation rule is applied to request/response line 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.1
787433-3 3-Major BT787433 SSL forward proxy: OCSP signer certificate isn't refreshed or regenerated when forward proxy CA key/cert is changed 15.1.0, 14.1.2.1
784713-3 3-Major BT784713 When SSL forward proxy is enabled, AKID extension of the OCSP signer certificate on the clientside is not correct 15.1.0, 14.1.2.1
773821-1 3-Major BT773821 Certain plaintext traffic may cause SSLO to hang 15.1.0, 15.0.1.3, 14.1.2.1
773421-1 3-Major BT773421 Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2, 12.1.5.1
769801-1 3-Major BT769801 Internal tmm UDP filter does not set checksum 15.1.0, 15.0.1.3, 15.0.1.1, 14.1.2.1
761385-1 3-Major BT761385 Without a virtual server, responses from server to client are dropped in a BIG-IP system when the latter is deployed in L2 transparent mode using virtual wire. 15.0.0, 14.1.2.1
761381-1 3-Major BT761381 Incorrect MAC Address observed in L2 asymmetric virtual wire 15.0.0, 14.1.2.1
754525-1 3-Major BT754525 Disabled virtual server accepts and serves traffic after restart 15.1.0, 15.0.1.1, 14.1.2.1
748891-2 3-Major BT748891 Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system. 15.0.0, 14.1.2.1
742237-4 3-Major BT742237 CPU spikes appear wider than actual in graphs 15.0.0, 14.1.2.1, 13.1.3.2, 12.1.5
719300-3 3-Major BT719300 ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address 15.0.0, 14.1.2.1
689361-4 3-Major BT689361 Configsync can change the status of a monitored pool member 15.0.0, 14.1.2.1, 13.1.3.2, 12.1.5.2
751586 4-Minor BT751586 Http2 virtual does not honour translate-address disabled 16.0.0, 15.1.4, 14.1.2.1, 13.1.3.4, 12.1.4.1
747585-3 4-Minor BT747585 TCP Analytics supports ANY protocol number 15.1.0, 14.1.2.1, 13.1.3.4, 12.1.5


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
783849-2 3-Major BT783849 DNSSEC Key Generations are not imported to secondary FIPS card 15.1.0, 14.1.2.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
781637-2 3-Major BT781637 ASM brute force counts unnecessary failed logins for NTLM 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3
781605-3 3-Major BT781605 Fix RFC issue with the multipart parser 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3, 12.1.6, 11.6.5.3
781069-2 3-Major BT781069 Bot Defense challenge blocks requests with long Referer headers 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3
773553-2 3-Major BT773553 ASM JSON parser false positive. 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3, 12.1.5
769997-1 3-Major BT769997 ASM removes double quotation characters on cookies 15.1.0, 15.0.1.1, 14.1.2.1
769981-2 3-Major BT769981 bd crashes in a specific scenario 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3
764373-3 3-Major BT764373 'Modified domain cookie' violation with multiple enforced domain cookies with different paths 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3
753711-1 3-Major BT753711 Copied policy does not retain signature staging 15.0.0, 14.1.2.1
751710-4 3-Major BT751710 False positive cookie hijacking violation 15.0.0, 14.1.2.1, 14.0.0.5, 13.1.1.5
746394-1 3-Major BT746394 With ASM CORS set to 'Disabled' it strips all CORS headers in response. 15.0.0, 14.1.2.1, 14.0.1.1
745802-1 3-Major BT745802 Brute Force CAPTCHA response page truncates last digit in the support id 15.0.0, 14.1.2.1, 14.0.0.5, 13.1.1.4
727107-4 3-Major BT727107 Request Logs are not stored locally due to shmem pipe blockage 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5
803445-3 4-Minor BT803445 When adding several mitigation exceptions, the previously configured actions revert to the default action 15.1.0, 15.0.1.1, 14.1.2.1
772473-3 4-Minor BT772473 Request reconstruct issue after challenge 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1
761088-1 4-Minor BT761088 Remove policy editing restriction in the GUI while auto-detect language is set 15.1.0, 15.0.1.1, 14.1.2.1
695878-2 4-Minor BT695878 Signature enforcement issue on specific requests 15.0.0, 14.1.2.1, 14.0.1.1, 13.1.3, 12.1.5, 11.5.6


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
761749-2 2-Critical BT761749 Security pages unavailable after switching RT mode on and off a few times 15.0.0, 14.1.2.1
797785-2 3-Major BT797785 AVR reports no ASM-Anomalies data. 15.1.0, 15.0.1.3, 14.1.2.1, 13.1.3.2
792265-3 3-Major BT792265 Traffic logs do not include the BIG-IQ tags 15.1.0, 15.0.1.3, 14.1.2.1, 13.1.3.2
773925-2 3-Major BT773925 Sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB tables files 15.1.0, 14.1.2.1
765785-3 3-Major BT765785 Monpd core upon "bigstart stop monpd" while Real Time reporting is running 15.0.0, 14.1.2.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
811145-2 2-Critical BT811145 VMware View resources with SAML SSO are not working 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2
797541-1 2-Critical BT797541 NTLM Auth may fail when user's information contains SIDS array 15.1.0, 15.0.1.1, 14.1.2.1
784989-2 2-Critical BT784989 TMM may crash with panic message: Assertion 'cookie name exists' failed 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2
777173-2 2-Critical BT777173 Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2
821369 3-Major BT821369 Incomplete Action 'Deny' does not take effect for HTTP-Connect 14.1.2.1
788417-2 3-Major BT788417 Remote Desktop client on macOS may show resource auth token on credentials prompt 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2
787477-2 3-Major BT787477 Export fails from partitions with '-' as second character 15.1.0, 14.1.2.1, 13.1.3.2
786173-1 3-Major BT786173 UI becomes unresponsive when accessing Access active session information 15.1.0, 15.0.1.1, 14.1.2.1
783817-2 3-Major BT783817 UI becomes unresponsive when accessing Access active session information 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3
782569-1 3-Major BT782569 SWG limited session limits on SSLO deployments 15.1.0, 15.0.1.1, 14.1.2.1
775621-2 3-Major BT775621 urldb memory grows past the expected ~3.5GB 15.1.0, 15.0.1.3, 14.1.2.1, 13.1.3
769853-2 3-Major K24241590, BT769853 Access Profile option to restrict connections from a single client IP is not honored for native RDP resources 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1
756777-1 3-Major BT756777 VDI plugin might crash on process shutdown during RDG connections handling 15.0.0, 14.1.2.1
750823-1 3-Major BT750823 Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD 15.0.0, 14.1.2.1, 13.1.3
749161-2 3-Major BT749161 Problem sync policy contains non-ASCII characters 15.0.0, 14.1.2.1, 13.1.3
746768-4 3-Major BT746768 APMD leaks memory if access policy contains variable/resource assign policy items 15.0.0, 14.1.2.1, 13.1.1.4, 12.1.4.1
697590-2 3-Major BT697590 APM iRule ACCESS::session remove fails outside of Access events 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2
781445-1 4-Minor BT781445 Named or dnscached cannot bind to IPv6 address 15.1.0, 14.1.2.1
759579-1 4-Minor BT759579 Full Webtop: 'URL Entry' field is available again 15.1.0, 14.1.2.1
756019-1 4-Minor BT756019 OAuth JWT Issuer claim requires URI format 15.0.0, 14.1.2.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
811745-2 3-Major BT811745 Failover between clustered DIAMETER devices can cause mirror connections to be disconnected 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2
804313-2 3-Major BT804313 MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded. 15.1.0, 15.0.1.2, 14.1.2.1, 13.1.3.4
761685-3 3-Major BT761685 Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set 15.1.0, 15.0.1.4, 14.1.2.1, 14.0.1.1
750431-1 3-Major BT750431 Persistence record is deleted in MRF SIP after updating timeout value with the iRule 'SIP::persist timeout' 15.0.0, 14.1.2.1
748253-1 3-Major BT748253 Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection 15.0.0, 14.1.2.1, 13.1.3
786565-2 4-Minor BT786565 MRF Generic Message: unaccepted packets received by GENERIC MESSAGE filter causes subsequent messages to not be forwarded 15.1.0, 15.0.1.1, 14.1.2.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
938149-3 3-Major BT938149 Port Block Update log message is missing the "Start time" field 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.1
800209-1 3-Major BT800209 The tmsh recursive list command includes DDoS GUI-specific data info 15.1.0, 14.1.2.1
780837-1 3-Major BT780837 Firewall rule list configuration causes config load failure 15.1.0, 15.0.1.4, 14.1.2.1
761234-2 3-Major BT761234 Changing a virtual server to use an address list should be prevented if the virtual server has a security policy with a logging profile attached 15.1.0, 15.0.1.1, 14.1.2.1
760355 4-Minor BT760355 Firewall rule to block ICMP/DHCP from 'required' to 'default' 16.1.4, 15.1.9, 15.0.1.1, 14.1.2.1


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
760438-3 3-Major BT760438 PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions 15.0.0, 14.1.2.1, 13.1.3
759192-3 3-Major BT759192 TMM core during display of PEM session under some specific conditions 15.0.0, 14.1.2.1, 14.0.1.1, 13.1.3
756311-4 3-Major BT756311 High CPU during erroneous deletion 15.0.0, 14.1.2.1, 14.0.1.1, 13.1.3
753163-4 3-Major BT753163 PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days 15.0.0, 14.1.2.1, 13.1.3


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
804185-2 3-Major BT804185 Some WebSafe request signatures may not work as expected 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2
783565-2 3-Major BT783565 Upgrade support for DB variable to attach AJAX payload to vToken cookie should be consistent with config in MCP 15.1.0, 15.0.1.1, 14.1.2.1
775013-2 3-Major BT775013 TIME EXCEEDED alert has insufficient data for analysis 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
803477-2 3-Major BT803477 BaDoS State file load failure when signature protection is off 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
759439-1 2-Critical BT759439 Unable to attach default SSL and FTP profiles to virtual server 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1
781313-1 3-Major BT781313 AVR dashboard displays incorrect client/server bytes-in/bytes-out stats 15.1.0, 15.0.1.3, 14.1.2.1



Cumulative fixes from BIG-IP v14.1.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
773649-6 CVE-2019-6656 K23876153, BT773649 APM Client Logging 15.1.0, 15.0.1.1, 14.1.2, 14.0.0.5, 13.1.3, 12.1.5.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
771705-1 3-Major BT771705 You may not be able to log into BIG-IP Cloud Edition if FSCK fails 15.1.0, 14.1.2
754875-1 3-Major BT754875 Enable FIPS 140-2 Level 1 Compliant Mode in PAYG VE images on first boot 15.1.0, 14.1.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
808129-1 2-Critical BT808129 Cannot use BIG-IQ to license BIG-IP 14.1.0.3 on AWS. 15.1.0, 15.0.1, 14.1.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
753485-1 2-Critical K50285521, BT753485 AVR global settings are being overridden by high availability (HA) peers 15.1.0, 15.0.1, 15.0.0, 14.1.2, 13.1.3


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
757306-3 3-Major BT757306 SNMP MIBS for AFM NAT do not yet exist 15.1.0, 15.0.1, 14.1.2, 13.1.3


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
794285 1-Blocking K36191493, BT794285 BIG-IQ reading AFM configuration fails with status 400 15.1.0, 14.1.2



Cumulative fixes from BIG-IP v14.1.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
807477-10 CVE-2019-6650 K04280042, BT807477 ConfigSync Hardening 15.1.0, 15.0.1, 14.1.2, 14.0.1, 13.1.3, 12.1.5, 11.6.5, 11.5.10
797885-2 CVE-2019-6649 K05123525, BT797885 ConfigSync Hardening 15.1.0, 15.0.1, 14.1.2, 14.0.1, 13.1.3, 12.1.5, 11.6.5, 11.5.10
796469-6 CVE-2019-6649 K05123525, BT796469 ConfigSync Hardening 15.1.0, 15.0.1, 14.1.2, 14.0.1, 13.1.3, 12.1.5, 11.6.5, 11.5.10
810557-8 CVE-2019-6649 K05123525, BT810557 ASM ConfigSync Hardening 15.1.0, 15.0.1, 14.1.2, 14.0.1, 13.1.3, 12.1.5, 11.6.5, 11.5.10
809377-6 CVE-2019-6649 K05123525 AFM ConfigSync Hardening 15.0.1, 14.1.2, 14.0.1, 13.1.3
799617-2 CVE-2019-6649 K05123525, BT799617 ConfigSync Hardening 15.1.0, 15.0.1, 14.1.2, 14.0.1, 13.1.3, 12.1.5, 11.6.5, 11.5.10
799589-2 CVE-2019-6649 K05123525, BT799589 ConfigSync Hardening 15.1.0, 15.0.1, 14.1.2, 14.0.1, 13.1.3, 12.1.5, 11.6.5, 11.5.10
794389-6 CVE-2019-6651 K89509323, BT794389 iControl REST endpoint response inconsistency 15.1.0, 15.0.1, 14.1.2, 14.0.1, 13.1.3, 12.1.5, 11.6.5
794413-2 CVE-2019-6471 K10092301, BT794413 BIND vulnerability CVE-2019-6471 15.1.0, 15.0.1, 14.1.2, 14.0.1, 13.1.3, 12.1.5, 11.6.5, 11.5.10
793937-1 CVE-2019-6664 K03126093, BT793937 Management Port Hardening 15.1.0, 15.0.1, 14.1.2


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
744937-8 3-Major K00724442, BT744937 BIG-IP DNS and GTM DNSSEC security exposure 15.1.0, 15.0.1, 14.1.2, 14.0.1, 13.1.3, 12.1.5, 11.6.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
798949-3 3-Major BT798949 Config-Sync fails when Config-Sync IP configured to management IP 15.1.0, 15.0.1, 14.1.2
760622-3 3-Major BT760622 Allow Device Certificate renewal from BIG-IP Configuration Utility 16.0.0, 15.1.0.5
760363-1 3-Major BT760363 Update Alias Address field with default placeholder text 13.1.3.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
811333-2 3-Major BT811333 Upgrade fails when SSLv2 cipher is in the cipher list of an SSL profile 15.1.0, 15.0.1, 14.1.2



Cumulative fixes from BIG-IP v14.1.0.6 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
769361-2 CVE-2019-6630 K33444350, BT769361 TMM may crash while processing SSLO traffic 15.0.0, 14.1.0.6, 14.0.0.5
767401-1 CVE-2019-6629 K95434410, BT767401 TMM may crash while processing TLS traffic 15.0.0, 14.1.0.6
759343-6 CVE-2019-6668 K49827114, BT759343 MacOS Edge Client installer does not follow best security practices 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 12.1.5.1, 11.6.5.1
758909-1 CVE-2019-6628 K04730051, BT758909 TMM may crash while processing PEM traffic 15.0.0, 14.1.0.6, 14.0.0.5
758065-4 CVE-2019-6667 K82781208, BT758065 TMM may consume excessive resources while processing FIX traffic 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5, 11.6.5.1
757084-2 CVE-2019-6627 K00432398, BT757084 Bypassing SSL interception in SSL Orchestrator may crash TMM if virtual server is SNAT enabled 15.0.0, 14.1.0.6
757023-2 CVE-2018-5743 K74009656, BT757023 BIND vulnerability CVE-2018-5743 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5, 11.6.5.1
756538-4 CVE-2019-6645 K15759349, BT756538 Failure to open data channel for active FTP connections mirrored across a high availability (HA) pair. 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3, 12.1.5, 11.6.5.1
754944-1 CVE-2019-6626 K00432398, BT754944 AVR reporting UI does not follow best practices 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4
754345-2 CVE-2019-6625 K79902360, BT754345 WebUI does not follow best security practices 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.5.1
754103-1 CVE-2019-6644 K75532331, BT754103 iRulesLX NodeJS daemon does not follow best security practices 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.4.1
753975-2 CVE-2019-6666 K92411323, BT753975 TMM may crash while processing HTTP traffic with webacceleration profile 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 13.1.1.5
753776-2 CVE-2019-6624 K07127032, BT753776 TMM may consume excessive resources when processing UDP traffic 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1
748502-1 CVE-2019-6623 K72335002, BT748502 TMM may crash when processing iSession traffic 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1
737731-6 CVE-2019-6622 K44885536, BT737731 iControl REST input sanitization 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.1.5, 12.1.5.1
737574-6 CVE-2019-6621 K20541896, BT737574 iControl REST input sanitization 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.5, 11.6.4, 11.5.9
737565-6 CVE-2019-6620 K20445457, BT737565 iControl REST input sanitization 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.1.5, 12.1.5, 11.6.5.1
726393-2 CVE-2019-6643 K36228121, BT726393 DHCPRELAY6 can lead to a tmm crash 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5, 11.6.5.1
726327 CVE-2018-12120 K37111863, BT726327 NodeJS debugger accepts connections from any host 15.0.0, 14.1.0.6, 13.1.1.5
757455-2 CVE-2019-6647 K87920510, BT757455 Excessive resource consumption when processing REST requests 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5, 11.6.5.1
753796-1 CVE-2019-6640 K40443301 SNMP does not follow best security practices 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.5.9
750460-1 CVE-2019-6639 K61002104, BT750460 Subscriber management configuration GUI 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9
750298-1 CVE-2019-6638 K67825238, BT750298 iControl REST may fail while processing requests 15.0.0, 14.1.0.6, 14.0.0.5
750187-1 CVE-2019-6637 K29149494, BT750187 ASM REST may consume excessive resources 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1
745533-6 CVE-2016-5325 K24444803, BT745533 NodeJS Vulnerability: CVE-2016-5325 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5
745371-1 CVE-2019-6636 K68151373, BT745371 AFM GUI does not follow best security practices 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.5.1
745257-1 CVE-2018-14634 K20934447, BT745257 Linux kernel vulnerability: CVE-2018-14634 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.1.5, 12.1.5, 11.6.4
742226-6 CVE-2019-6635 K11330536, BT742226 TMSH platform_check utility does not follow best security practices 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9
710857-5 CVE-2019-6634 K64855220 iControl requests may cause excessive resource usage 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1
702469-7 CVE-2019-6633 K73522927, BT702469 Appliance mode hardening in scp 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.5, 11.6.5.1
673842-6 CVE-2019-6632 K01413496, BT673842 VCMP does not follow best security practices 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1
773653-6 CVE-2019-6656 K23876153, BT773653 APM Client Logging 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5.1
773641-6 CVE-2019-6656 K23876153, BT773641 APM Client Logging 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5.1
773637-6 CVE-2019-6656 K23876153, BT773637 APM Client Logging 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5.1
773633-6 CVE-2019-6656 K23876153, BT773633 APM Client Logging 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5.1
773621-6 CVE-2019-6656 K23876153, BT773621 APM Client Logging 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
749704-2 4-Minor BT749704 GTPv2 Serving-Network field with mixed MNC digits 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
774445-1 1-Blocking K74921042, BT774445 BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.3
789993-1 2-Critical BT789993 Failure when upgrading to 15.0.0 with config move and static management-ip. 15.1.0, 15.0.1.4, 14.1.0.6
773677-1 2-Critical K72255850, BT773677 BIG-IP 14.1.0 system-journald write to /run/log/journal cause SWAP usage increase 15.0.0, 14.1.0.6
769809-4 2-Critical BT769809 The vCMP guests 'INOPERATIVE' after upgrade 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5
765801 2-Critical BT765801 WCCP service info field corrupted in upgrade to 14.1.0 final 14.1.0.6
760573-1 2-Critical K00730586, BT760573 TPM system integrity check may return invalid status when booting into BIG-IP 14.1.0 15.0.0, 14.1.0.6
760508-1 2-Critical K91444000, BT760508 On systems with multiple versions of BIG-IP in use, the 'invalid' System Integrity Status may persist 15.0.0, 14.1.0.6
760408-3 2-Critical BT760408 System Integrity Status: Invalid after BIOS update 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.3
760164-1 2-Critical BT760164 BIG-IP VE Compression Offload HA action requires modification of db variable 15.1.0, 15.0.1.1, 14.1.0.6
757722-2 2-Critical BT757722 Unknown notify message types unsupported in IKEv2 15.1.0, 14.1.0.6, 14.0.1.1, 13.1.3
756402-2 2-Critical BT756402 Re-transmitted IPsec packets can have garbled contents 15.1.0, 14.1.0.6, 14.0.1.1, 13.1.3
756071-3 2-Critical BT756071 MCPD crash 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3
755254-1 2-Critical K54339562, BT755254 Remote auth: PAM_LDAP buffer too small errors 15.0.0, 14.1.0.6
753650-2 2-Critical BT753650 The BIG-IP system reports frequent kernel page allocation failures. 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3
750586-2 2-Critical BT750586 HSL may incorrectly handle pending TCP connections with elongated handshake time. 15.0.0, 14.1.0.6, 13.1.1.5, 12.1.5
743803-1 2-Critical BT743803 IKEv2 potential double free of object when async request queueing fails 15.1.0, 14.1.0.6, 14.0.0.3, 13.1.1.4, 12.1.5
741503-1 2-Critical BT741503 The BIG-IP system fails to load base config file when upgrading with static IPv4 15.0.0, 14.1.0.6
726487-4 2-Critical BT726487 MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change. 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.1.4, 12.1.5
648270-1 2-Critical BT648270 mcpd can crash if viewing a fast-growing log file through the GUI 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3, 12.1.5.3, 11.6.5.2
766365-1 3-Major BT766365 Some trunks created on VE platform stay down even when the trunk's interfaces are up 15.0.0, 14.1.0.6
766329-2 3-Major BT766329 SCTP connections do not reflect some SCTP profile settings 15.1.0, 15.0.1.3, 14.1.0.6
765033 3-Major BT765033 Upgrades to versions that restrict resource-admin users from accessing bash may fail under certain conditions 14.1.0.6, 11.6.5.1
760597-1 3-Major BT760597 System integrity messages not logged 15.0.0, 14.1.0.6
760594 3-Major BT760594 On BIG-IP VE, 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details. 15.0.0, 14.1.0.6
758879 3-Major BT758879 BIG-IP VE with ixlv devices does not reliably pass some traffic after hard-boot 15.0.0, 14.1.0.6
748206-1 3-Major BT748206 Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position 14.1.0.6, 13.1.1.4
748187-4 3-Major BT748187 'Transaction Not Found' Error on PATCH after Transaction has been Created 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.1.5, 12.1.4
746657-1 3-Major BT746657 tmsh help for FQDN node or pool member shows incorrect default for fqdn interval 15.0.0, 14.1.0.6
745809-2 3-Major BT745809 The /var partition may become 100% full, requiring manual intervention to clear space 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.4
740543-1 3-Major BT740543 System hostname not displayed in console 15.0.0, 14.1.0.6
725791-6 3-Major K44895409, BT725791 Potential HW/HSB issue detected 15.0.0, 14.1.0.6, 13.1.1.5, 12.1.5.2, 11.6.5.2
718405-2 3-Major BT718405 RSA signature PAYLOAD_AUTH mismatch with certificates 15.1.0, 14.1.0.6, 13.1.1.4
581921-5 3-Major K22327083, BT581921 Required files under /etc/ssh are not moved during a UCS restore 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9
754500-2 4-Minor BT754500 GUI LTM Policy options disappearing 15.0.0, 14.1.0.6
726317-6 4-Minor BT726317 Improved debugging output for mcpd 15.0.0, 14.1.0.6, 13.1.3.4, 12.1.5


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
759723-1 2-Critical BT759723 Abnormally terminated connections on server side may cause client side streams to stall 15.0.0, 14.1.0.6
758465-1 2-Critical BT758465 TMM may crash or iRule processing might be incorrect 15.0.0, 14.1.0.6
756356-2 2-Critical BT756356 External datagroups of type string cannot use iRule command 'class match equals' for entries > 32 characters long 15.0.0, 14.1.0.6
753912-4 2-Critical K44385170, BT753912 UDP flows may not be swept 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1
752930-3 2-Critical BT752930 Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.1.5, 12.1.5
747727-1 2-Critical BT747727 HTTP Profile Request Header Insert Tcl error 15.0.0, 14.1.0.6
747239-1 2-Critical BT747239 TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection 15.0.0, 14.1.0.6
741048-1 2-Critical BT741048 iRule execution order could change after editing the scripts 15.0.0, 14.1.0.6
766293-1 3-Major BT766293 Monitor logging fails on v14.1.0.x releases 15.0.0, 14.1.0.6
760550-5 3-Major BT760550 Retransmitted TCP packet has FIN bit set 15.1.0, 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3, 12.1.5, 11.6.5.1
758311-1 3-Major BT758311 Policy Compilation may cause MCPD to crash 15.0.0, 14.1.0.6
757985-1 3-Major K79562045, BT757985 TMM memory leak 15.0.0, 14.1.0.6
757698-1 3-Major BT757698 TMM crashes in certain situations in which iRule execution interleaves client side and server side flows 15.0.0, 14.1.0.6
756270-4 3-Major BT756270 SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle 15.0.0, 14.1.0.6, 13.1.1.5, 12.1.5, 11.6.4, 11.5.9
754985-1 3-Major BT754985 Standby mirrored server SSL connections fail, and tmm may crash while processing mirrored TLS traffic 15.0.0, 14.1.0.6
752078-2 3-Major BT752078 Header Field Value String Corruption 15.0.0, 14.1.0.6, 13.1.1.4
749414-4 3-Major BT749414 Invalid monitor rule instance identifier error 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3, 12.1.5, 11.6.5.2
747907-2 3-Major BT747907 Persistence records leak while the high availability (HA) mirror connection is down 15.1.0, 14.1.0.6, 13.1.3.2
742078-6 3-Major BT742078 Incoming SYNs are dropped and the connection does not time out. 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.5.1
740959-4 3-Major BT740959 User with manager rights cannot delete FQDN node on non-Common partition 15.0.0, 14.1.0.6, 12.1.5
740345-3 3-Major BT740345 TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled. 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5
696755-3 3-Major BT696755 HTTP/2 may truncate a response body when served from cache 16.1.0, 16.0.1.2, 15.1.3, 14.1.0.6, 13.1.0.8
696735-2 3-Major BT696735 TCP ToS Passthrough mode does not work correctly 15.1.0, 14.1.0.6
504522-4 3-Major BT504522 Trailing space present after 'tmsh ltm pool members monitor' attribute value 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.1.4, 12.1.5
747968-3 4-Minor BT747968 DNS64 stats not increasing when requests go through DNS cache resolver 15.0.0, 14.1.0.6, 13.1.1.5, 12.1.4.1, 11.6.5.3


Performance Fixes

ID Number Severity Links to More Info Description Fixed Versions
777937-3 1-Blocking BT777937 AWS ENA: packet drops due to bad checksum 15.1.0, 15.0.1, 14.1.0.6


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
759721-2 3-Major K03332436, BT759721 DNS GUI does not follow best practices 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.3
749508-1 3-Major BT749508 LDNS and DNSSEC: Various OOM conditions need to be handled properly 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1
749222-1 3-Major BT749222 dname compression offset overflow causes bad compression pointer 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5
748902-5 3-Major BT748902 Incorrect handling of memory allocations while processing DNSSEC queries 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1
746877-1 3-Major BT746877 Omitted check for success of memory allocation for DNSSEC resource record 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1
744707-2 3-Major BT744707 Crash related to DNSSEC key rollover 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.4, 12.1.4.1
723288-4 3-Major BT723288 DNS cache replication between TMMs does not always work for net dns-resolver 14.1.0.6, 14.0.0.5, 13.1.1.4, 12.1.4.1, 11.6.5.3
748177-1 4-Minor BT748177 Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character 15.0.0, 14.1.0.6, 13.1.1.5, 12.1.4.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
759360-2 2-Critical BT759360 Apply Policy fails due to policy corruption from previously enforced signature 15.0.0, 14.1.0.6, 13.1.1.5
749912-1 2-Critical BT749912 [BIG-IQ Integration] Deadlock occurs when adding multiple hostnames with transparent enforcement 15.0.0, 14.1.0.6
723790-3 2-Critical BT723790 Idle asm_config_server handlers consume a lot of memory 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.5
765449-1 3-Major   Update availability status may be inaccurate 15.0.0, 14.1.0.6
763001-1 3-Major K70312000, BT763001 Web-socket enforcement might lead to a false negative 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3
761941-1 3-Major BT761941 ASM does not remove CSRT token query parameter before forwarding a request to the backend server 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3
761194-2 3-Major BT761194 param data type violation on an Integer parameter, if an integer value is sent via websocket JSON 15.0.0, 14.1.0.6
760878-3 3-Major BT760878 Incorrect enforcement of explicit global parameters 15.0.0, 14.1.0.6, 13.1.1.5, 12.1.5
759840-1 3-Major BT759840 False positive 'Null in request' violation or bare byte subviolations 15.0.0, 14.1.0.6
759483-1 3-Major BT759483 Message about HTTP status codes which are set by default disappeared from the UI 15.0.0, 14.1.0.6, 14.0.0.5
758085-1 3-Major BT758085 CAPTCHA Custom Response fails when using certain characters 15.0.0, 14.1.0.6
756418-1 3-Major BT756418 Live Update does not authenticate remote users 15.0.0, 14.1.0.6
742558-1 3-Major BT742558 Request Log export document fails to show some UTF-8 characters 15.0.0, 14.1.0.6
687759-3 3-Major BT687759 bd crash 14.1.0.6, 14.0.0.5, 13.1.0.8, 12.1.3.6
774941-1 4-Minor BT774941 GUI misspelling in Bot Defense logging profile 15.0.0, 14.1.0.6
768761-2 4-Minor BT768761 Improved accept action description for suggestions to disable signature/enable metacharacter in policy 15.1.0, 14.1.0.6, 14.0.1.1, 13.1.3
766357-1 4-Minor BT766357 Two simultaneous manual installations can cause live-update inconsistency 15.0.0, 14.1.0.6
765413-1 4-Minor BT765413 ASM cluster syncs caused by PB ignored suggestions updates 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5
761921-1 4-Minor BT761921 avrd high CPU utilization due to perpetual connection attempts 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5
761553-2 4-Minor BT761553 Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic 15.1.0, 14.1.0.6, 14.0.1.1, 13.1.3
761549-2 4-Minor BT761549 Traffic Learning: Accept and Stage action is shown only in case entity is not in staging 15.1.0, 14.1.0.6, 14.0.1.1, 13.1.3
761231-2 4-Minor K79240502, BT761231 Bot Defense Search Engines getting blocked after configuring DNS correctly 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5
759462-1 4-Minor BT759462 Site names and vulnerabilities cannot be retrieved from WhiteHat server 15.0.0, 14.1.0.6
755005-1 4-Minor BT755005 Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.5.1
750689-3 4-Minor BT750689 Request Log: Accept Request button available when not needed 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3
749184-2 4-Minor BT749184 Added description of subviolation for the suggestions that enabled/disabled them 15.1.0, 15.0.1.3, 14.1.0.6, 14.0.1.1, 13.1.3
747560-5 4-Minor BT747560 ASM REST: Unable to download Whitehat vulnerabilities 15.0.0, 14.1.0.6, 13.1.3, 12.1.5.1
769061-2 5-Cosmetic BT769061 Improved details for learning suggestions to enable violation/sub-violation 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.1.1, 13.1.3


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
763349-3 2-Critical BT763349 AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5
756205-1 2-Critical BT756205 TMSTAT offbox statistics are not continuous 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5
756102-2 2-Critical BT756102 TMM can crash with core on ABORT signal due to non-responsive AVR code 15.1.0, 15.0.1.1, 14.1.0.6, 13.1.3.2
771025-3 3-Major BT771025 AVR sends domain names as an aggregate 15.1.0, 15.0.1.3, 14.1.0.6, 14.0.0.5, 13.1.3
764665-2 3-Major BT764665 AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5
763005-3 3-Major BT763005 Aggregated Domain Names in DNS statistics are shown as random domain name 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5
760356-2 3-Major BT760356 Users with Application Security Administrator role cannot delete Scheduled Reports 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 13.1.1.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
770557-3 2-Critical BT770557 Per-Session RADIUS Acct STOP message is forged based on pool route domain, but is sent through default one 15.0.0, 14.1.0.6, 14.0.0.5
769281-1 2-Critical BT769281 Per-request Access Policy may show user interface pages incorrectly in languages other than English 15.0.0, 14.1.0.6, 14.0.0.5
755447-1 2-Critical BT755447 SSLO does not deliver content generated/originated from inline device 15.0.0, 14.1.0.6
753370-3 2-Critical BT753370 RADIUS auth might not be working as configured when there is change in RADIUS auth config name. 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.3
774633-2 3-Major BT774633 Memory leak in tmm when session db variables are not cleaned up 15.1.0, 15.0.1.1, 14.1.0.6
774213-1 3-Major BT774213 SWG session limits on SSLO deployments 15.1.0, 15.0.1.1, 14.1.0.6
760410-1 3-Major BT760410 Connection reset is seen when Category lookup agent is used in per-req policy 15.0.0, 14.1.0.6
760250 3-Major BT760250 'Unsupported SSO Method' error when requests sharing the same TCP session 15.0.0, 14.1.0.6
759868-1 3-Major BT759868 TMM crash observed while rendering internal pages (like blocked page) for per-request policy 15.0.0, 14.1.0.6
758764-2 3-Major BT758764 APMD Core when CRLDP Auth fails to download revoked certificate 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1
758701-1 3-Major BT758701 APM fails to handle Remote Desktop Gateway connections from standalone RDP clients after fresh install 15.0.0, 14.1.0.6
757992-3 3-Major BT757992 RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5
757360-1 3-Major BT757360 Category lookup returns wrong category on subsequent traffic following initial HTTP CONNECT traffic through SSLO 15.0.0, 14.1.0.6
755475-1 3-Major BT755475 Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5
755047-1 3-Major BT755047 Category lookup returns wrong category on CONNECT traffic through SSLO 15.0.0, 14.1.0.6
754542-2 3-Major BT754542 TMM may crash when using RADIUS Accounting agent 15.0.0, 14.1.0.6, 13.1.3
752875-2 3-Major BT752875 tmm core while using service chaining for SSLO 15.0.0, 14.1.0.6, 14.0.1.1
751807-1 3-Major BT751807 SSL Orchestrator may not activate service connectors if traffic is an HTTP tunnel 15.0.0, 14.1.0.6
751424-1 3-Major BT751424 HTTP Connect Category Lookup not working properly 15.0.0, 14.1.0.6
749057-1 3-Major BT749057 VMware Horizon idle timeout is ignored when connecting via APM 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5
745574-1 3-Major BT745574 URL is not removed from custom category when deleted 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.4, 12.1.4
738430-3 3-Major BT738430 APM is not able to do compliance check on iOS devices running F5 Access VPN client 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5
734291-1 3-Major BT734291 Logon page modification fails to sync to standby 14.1.0.6, 14.1.0, 13.1.1.5
695985-4 3-Major BT695985 Access HUD filter has URL length limit (4096 bytes) 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5
766761-2 4-Minor BT766761 Ant-server does not log requests that are excluded from scanning 14.1.0.6


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
766405-2 2-Critical BT766405 MRF SIP ALG with SNAT: Fix for potential crash on next-active device 15.1.0, 14.1.0.6, 13.1.3.4
754615-2 2-Critical BT754615 Tmm crash (assert) during SIP message processing on MRF-SIP-ALG setup. 15.0.0, 14.1.0.6, 14.0.1.1
763157-2 3-Major BT763157 MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped 15.1.0, 15.0.1.4, 14.1.0.6, 14.0.1.1
760370-2 3-Major BT760370 MRF SIP ALG with SNAT: Next active ingress queue filling 15.1.0, 15.0.1.4, 14.1.0.6, 14.0.1.1
759077-2 3-Major BT759077 MRF SIP filter queue sizes not configurable 15.1.0, 15.0.1.4, 14.1.0.6, 14.0.1.1, 13.1.3
755630-1 3-Major BT755630 MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes 15.0.0, 14.1.0.6, 14.0.1.1
752822-1 3-Major BT752822 SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.1.5
751179-1 3-Major BT751179 MRF: Race condition may create too many outgoing connections to a peer 15.0.0, 14.1.0.6, 13.1.1.5, 11.6.5.2
746825-1 3-Major BT746825 MRF SIP ALG with SNAT: Ephemeral listeners not created for unsubscribed outgoing calls 15.1.0, 15.0.0, 14.1.0.6, 14.0.1.1
745947-2 3-Major BT745947 Add log events for MRF SIP registration/deregistration and media flow creation/deletion 15.0.0, 14.1.0.6
745590-1 3-Major BT745590 SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added 15.0.0, 14.1.0.6, 14.0.1.1
760930-2 4-Minor BT760930 MRF SIP ALG with SNAT: Added additional details to log events 15.1.0, 15.0.1.4, 14.1.0.6, 14.0.1.1
747909-5 4-Minor BT747909 GTPv2 MEI and Serving-Network fields decoded incorrectly 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3, 12.1.5.3, 11.6.5.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
757524 1-Blocking BT757524 Data operation attempt on object that has not been loaded 14.1.0.6
757359-1 2-Critical BT757359 pccd crashes when deleting a nested Address List 15.0.0, 14.1.0.6, 13.1.3
754805 2-Critical K97981358, BT754805 Possible tmm crash when AFM DoS badactor or attacked-dst or endpoint vector configured 15.0.0, 14.1.0.6
753028-2 3-Major BT753028 AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule 15.0.0, 14.1.0.6, 13.1.1.4
756477-2 5-Cosmetic BT756477 Drop Redirect tab incorrectly named as 'Redirect Drop' 15.0.0, 14.1.0.6


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
744516-4 2-Critical BT744516 TMM panics after a large number of LSN remote picks 15.0.0, 14.1.0.6, 13.1.1.4, 12.1.4


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
748121-3 2-Critical BT748121 admd livelock under CPU starvation 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.4
653573-6 2-Critical BT653573 ADMd not cleaning up child rsync processes 15.0.0, 14.1.2.3, 14.1.0.6, 14.0.0.5, 13.1.1.4, 13.1.0
756877-1 3-Major BT756877 Virtual server created with Guided Configuration is not visible in Grafana 15.0.0, 14.1.0.6, 14.0.0.5


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
752803-1 2-Critical BT752803 CLASSIFICATION_DETECTED running reject can lead to a tmm core 15.0.0, 14.1.0.6, 13.1.3
752047-1 2-Critical BT752047 iRule running reject in CLASSIFICATION_DETECTED event can cause core 15.0.0, 14.1.0.6, 13.1.1.5


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
758818-2 2-Critical BT758818 While using explicit or transparent http type service on SSL Orchestrator, TMM cores. 15.0.0, 14.1.0.6, 14.0.1.1
756167-1 3-Major BT756167 No URL category data on SSL Orchestrator dashboard and on SSL Orchestrator statistics page after upgrade 15.0.0, 14.1.0.6
748252-2 3-Major BT748252 Connection reset seen with SSL bypass on a L2 wire setup 15.0.0, 14.1.0.6



Cumulative fixes from BIG-IP v14.1.0.5 that are included in this release


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
755817 3-Major BT755817 v14.1.0.5 includes Guided Configuration 4.1 14.1.0.5
751824-1 3-Major BT751824 Restore old 'merge' functionality with new tmsh verb 'replace' 15.0.0, 14.1.0.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
663819-1 3-Major BT663819 APM NTLM Authentication for RDP Client Gateway and Microsoft Exchange Proxy are incompatible with Microsoft workaround for MS17-010 (Wannacry / Eternalblue) 15.0.0, 14.1.0.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
761173-1 2-Critical BT761173 tmm crash after extended whitelist modification 15.0.0, 14.1.0.5
751869-2 2-Critical BT751869 Possible tmm crash when using manual mode mitigation in DoS Profile 15.0.0, 14.1.0.5, 13.1.1.5
760393 3-Major BT760393 GARP is not sent from newly active device after failover for FW NAT policy rule's dest prefixes 15.0.0, 14.1.0.5
750477-1 3-Major BT750477 LTM NAT does not forward ICMP traffic 15.0.0, 14.1.0.5
737035-2 3-Major BT737035 New and improved infrastructure for BDoS to share learned traffic characteristics within the device group/cluster setup. 15.0.0, 14.1.0.5, 14.0.0.5


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
757088-1 2-Critical BT757088 TMM clock advances and cluster failover happens during webroot db nightly updates 15.0.0, 14.1.0.5, 13.1.1.5, 12.1.5
758536 3-Major BT758536 Traffic Intelligence IM pkg for 14.1.0 fails to install on base build version 14.1.0.x 15.0.0, 14.1.0.5


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
737558-1 2-Critical BT737558 Protocol Inspection user interface elements are active but do not work 15.1.0, 14.1.0.5
774881 3-Major BT774881 Protocol Inspection profiles can be added to a virtual server without Protocol Inspection being licensed. 15.1.0, 14.1.0.5


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
760278 2-Critical BT760278 F5 SSL Orchestrator may fail to install an RPM software package on BIG-IP systems running point release versions 14.1.0.5



Cumulative fixes from BIG-IP v14.1.0.4 that are included in this release


Functional Change Fixes

None



Cumulative fixes from BIG-IP v14.1.0.3 that are included in this release


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
745783-1 3-Major BT745783 Anti-fraud: remote logging of login attempts 15.0.0, 14.1.0.3, 13.1.1.3


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
758667-1 2-Critical BT758667 BIG-IP VE high availability (HA) actions are not invoked when offload hardware hangs 15.0.0, 14.1.0.3
754541-2 2-Critical BT754541 Reconfiguring an iApp that uses a client SSL profile fails 15.0.0, 14.1.0.3
760222 3-Major BT760222 SCP fails unexpectedly when FIPS mode is enabled 15.0.0, 14.1.0.3, 14.0.0.5, 13.1.1.5
725625-1 3-Major BT725625 BIG-IP VE Cryptographic Offload updated to Intel QAT 1.7 v4.4.0 SDK 15.0.0, 14.1.0.3



Cumulative fixes from BIG-IP v14.1.0.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
757025-1 CVE-2018-5744 K00040234, BT757025 BIND Update 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9
756774-6 CVE-2019-6612 K24401914, BT756774 Aborted DNS queries to a cache may cause a TMM crash 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9
750292-2 CVE-2019-6592 K54167061, BT750292 TMM may crash when processing TLS traffic 15.0.0, 14.1.0.2, 13.1.3.4, 12.1.5.3
749879-2 CVE-2019-6611 K47527163, BT749879 Possible interruption while processing VPN traffic 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9
744035-6 CVE-2018-15332 K12130880, BT744035 APM Client Vulnerability: CVE-2018-15332 14.1.0.2, 14.0.0.5, 13.1.1.4, 12.1.4.1, 11.6.5.1
757027-1 CVE-2019-6465 K01713115, BT757027 BIND Update 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9
757026-1 CVE-2018-5745 K25244852, BT757026 BIND Update 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9
745713-4 CVE-2019-6619 K94563344, BT745713 TMM may crash when processing HTTP/2 traffic 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1
745387-1 CVE-2019-6618 K07702240, BT745387 Resource-admin user roles can no longer get bash access 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9
745165-1 CVE-2019-6617 K38941195, BT745165 Users without Advanced Shell Access are not allowed SFTP access 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9
737910-4 CVE-2019-6609 K18535734, BT737910 Security hardening on the following platforms 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4, 12.1.4.1
724680-6 CVE-2018-0732 K21665601, BT724680 OpenSSL Vulnerability: CVE-2018-0732 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.2, 12.1.4, 11.6.3.3, 11.5.9
703835-5 CVE-2019-6616 K82814400, BT703835 When using SCP into BIG-IP systems, you must specify the target filename 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9
702472-7 CVE-2019-6615 K87659521, BT702472 Appliance Mode Security Hardening 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9
698376-5 CVE-2019-6614 K46524395, BT698376 Non-admin users have limited bash commands and can only write to certain directories 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1
746131-4 CVE-2018-0737 K43429502, BT746131 OpenSSL RSA key generation vulnerability CVE-2018-0737 15.0.0, 14.1.0.2
713806-8 CVE-2018-0739 K08044291, BT713806 CVE-2018-0739: OpenSSL Vulnerability 15.0.0, 14.1.0.2
699977-3 CVE-2016-7055 K43570545, BT699977 CVE-2016-7055: OpenSSL Vulnerability in NodeJS ILX 15.0.0, 14.1.0.2
737423-2 CVE-2018-7569, CVE-2018-10373, CVE-2018-13033 K72122162, BT737423 Binutils vulnerabilities: CVE-2018-7569 CVE-2018-10373 CVE-2018-13033 15.0.0, 14.1.0.2


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
755641-1 2-Critical BT755641 Unstable asm_config_server after upgrade, 'Event dispatcher aborted' 15.0.0, 14.1.0.2
744685-2 2-Critical BT744685 BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4
744188-1 2-Critical BT744188 First successful auth iControl REST requests will now be logged in audit and secure log files 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4
739432 3-Major BT739432 F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems 14.1.0.2
738108-1 3-Major BT738108 SCTP multi-homing INIT address parameter doesn't include association's primary address 15.0.0, 14.1.0.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
753642-1 2-Critical BT753642 iHealth may report false positive for Critical Malware 15.0.0, 14.1.0.2
752835-2 2-Critical K46971044, BT752835 Mitigate mcpd out of memory error with auto-sync enabled. 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.5.1
750580-1 2-Critical BT750580 Installation using image2disk --format may fail after TMOS v14.1.0 is installed 15.0.0, 14.1.0.2
707013-3 2-Critical BT707013 vCMP host secondary member's cluster.conf file may be replaced by that of vCMP guest 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.5
668041-4 2-Critical K27535157, BT668041 Config load fails when an iRule comment ends with backslash in a config where there is also a policy. 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4
621260-2 2-Critical BT621260 mcpd core on iControl REST reference to non-existing pool 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.5, 12.1.5.1, 11.6.5.1
753564-1 3-Major BT753564 Attempt to change password using /bin/passwd fails 15.0.0, 14.1.0.2
751011-3 3-Major BT751011 ihealth.sh script and qkview locking mechanism not working 15.0.0, 14.1.0.2, 13.1.1.5
751009-3 3-Major BT751009 Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4
750661 3-Major BT750661 URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied. 15.0.0, 14.1.0.2
750447-3 3-Major BT750447 GUI VLAN list page loading slowly with 50 records per screen 15.0.0, 14.1.0.2, 13.1.1.5
749382-1 3-Major BT749382 Bare-metal installs via 'image2disk' may fail in v14.1.0 or greater 15.0.0, 14.1.0.2
746873-1 3-Major BT746873 Non-admin users are not able to run the tmsh list command due to permissions error for LTM message-routing 15.0.0, 14.1.0.2
745825-1 3-Major BT745825 The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading 15.0.0, 14.1.0.2, 13.1.3.2
737536-2 3-Major BT737536 Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others. 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4
721585-1 3-Major BT721585 mcpd core processing ltm monitors with deep level of inheritance 15.0.0, 14.1.0.2
639619-7 3-Major BT639619 UCS may fail to load due to Master key decryption failure on EEPROM-less systems 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4, 12.1.4.1, 11.6.4
751636-1 4-Minor BT751636 Downgrading from v14.1.0 to a previous release leaves two directories with improper ownership 15.0.0, 14.1.0.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
754143-1 2-Critical K45456231, BT754143 TCP connection may hang after FIN 15.0.0, 14.1.0.2, 13.1.4.1
747617-2 2-Critical BT747617 TMM core when processing invalid timer 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.5, 12.1.5.2
742184-3 2-Critical BT742184 TMM memory leak 15.0.0, 14.1.0.2, 13.1.3
738945-4 2-Critical BT738945 SSL persistence does not work when there are multiple handshakes present in a single record 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4, 12.1.4.1
716714-4 2-Critical BT716714 OCSP should be configured to avoid TMM crash. 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4
750200-3 3-Major BT750200 DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.5
749294-4 3-Major BT749294 TMM cores when query session index is out of boundary 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.3.2, 12.1.5
744686-2 3-Major BT744686 Wrong certificate can be chosen during SSL handshake 15.0.0, 14.1.0.2
743900-1 3-Major BT743900 Custom DIAMETER monitor requests do not have their 'request' flag set 15.0.0, 14.1.0.2
739963-4 3-Major BT739963 TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4, 12.1.5
739349-3 3-Major BT739349 LRO segments might be erroneously VLAN-tagged. 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4
724327-2 3-Major BT724327 Changes to a cipher rule do not immediately have an effect 15.0.0, 14.1.0.2, 13.1.1.4
720219-3 3-Major K13109068, BT720219 HSL::log command can fail to pick new pool member if last picked member is 'checking' 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.3, 12.1.5
717896-4 3-Major BT717896 Monitor instances deleted in peer unit after sync 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4, 12.1.4.1
717100-1 3-Major BT717100 FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4, 12.1.4.1
716167-2 3-Major BT716167 The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp 15.0.0, 14.1.0.2, 13.1.3.4
704450-5 3-Major BT704450 bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration 15.0.0, 14.1.0.2, 13.1.3.2, 12.1.5.2
703593-1 3-Major BT703593 TMSH tab completion for adding profiles to virtual servers is not working as expected 15.0.0, 14.1.0.2


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
756094-2 2-Critical BT756094 DNS express in restart loop, 'Error writing scratch database' in ltm log 15.0.0, 14.1.0.2, 13.1.1.5, 12.1.4.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
752942-1 2-Critical BT752942 Live Update cannot be used by Administrator users other than 'admin' and 'root' 15.0.0, 14.1.0.2
750922-1 2-Critical BT750922 BD crash when content profile used for login page has no parse parameters set 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4
749136-1 2-Critical BT749136 Disk partition /var/log is low on free disk space 15.0.0, 14.1.0.2
748321-1 2-Critical BT748321 bd crash with specific scenario 15.0.0, 14.1.0.2
744347-4 2-Critical BT744347 Protocol Security logging profiles cause slow ASM upgrade and apply policy 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4, 12.1.4
721741-4 2-Critical BT721741 BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative 14.1.0.2, 14.1.0, 13.1.1.2, 12.1.3.7
754420-1 3-Major BT754420 Missing policy name in exported ASM request details 15.0.0, 14.1.0.2, 14.0.0.5
754066-1 3-Major BT754066 Newly added Systems are not added as part of installing a Server Technologies update file 15.0.0, 14.1.0.2
753295-1 3-Major BT753295 ASM REST: All signatures being returned for policy Signatures regardless of signature sets 15.0.0, 14.1.0.2
750973-1 3-Major BT750973 Import XML policy error 15.0.0, 14.1.0.2
750793-2 3-Major BT750793 Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition 15.0.0, 14.1.0.2, 14.0.0.5
750686-1 3-Major BT750686 ASE user cannot create or modify a bot signature. 15.0.0, 14.1.0.2
750683-1 3-Major BT750683 REST Backwards Compatibility: Cannot modify enforcementMode of host-name 15.0.0, 14.1.0.2
750668-1 3-Major BT750668 Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition 15.0.0, 14.1.0.2
750666-1 3-Major BT750666 Impossible to create Bot Signature/Bot Category Signature in user partition different from 'Common' 15.0.0, 14.1.0.2
750356-2 3-Major BT750356 Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4
749500-1 3-Major BT749500 Improved visibility for Accept on Microservice action in Traffic Learning 15.0.0, 14.1.0.2
749109-3 3-Major BT749109 CSRF situation on BIGIP-ASM GUI 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5
748999-3 3-Major BT748999 invalid inactivity timeout suggestion for cookies 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4
748848-2 3-Major BT748848 Anti-Bot Mobile SDK cookie name change to support identical cookies for multiple virtual servers 15.0.0, 14.1.0.2, 14.0.0.5
748409-2 3-Major BT748409 Illegal parameter violation when json parsing a parameter on a case-insensitive policy 15.0.0, 14.1.0.2, 14.0.0.5
747977-1 3-Major BT747977 File manually uploaded information is not synced correctly between blades 15.0.0, 14.1.0.2
747777-3 3-Major BT747777 Extractions are learned in manual learning mode 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4
747550-3 3-Major BT747550 Error 'This Logout URL already exists!' when updating logout page via GUI 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4
746750-1 3-Major BT746750 Search Engine gets Device ID challenge when using the predefined profiles 15.0.0, 14.1.0.2
746298-1 3-Major BT746298 Server Technologies logos all appear as default icon 15.0.0, 14.1.0.2
745813-1 3-Major BT745813 Requests are reported to local log even if only Bot Defense remote log is configured 15.0.0, 14.1.0.2
745624-1 3-Major BT745624 Tooltips for OWASP Bot Categories and Anomalies were added 15.0.0, 14.1.0.2
745607-1 3-Major BT745607 Bot Defense : Bot Traffic - 3 month/last year filter not displayed correctly 15.0.0, 14.1.0.2
745531-2 3-Major BT745531 Puffin Browser gets blocked by Bot Defense 15.0.0, 14.1.0.2, 13.1.1.4
742852-1 3-Major BT742852 Bot Defense protection blocks Safari browser requests while using cross site redirect protection by 'Location' header 15.0.0, 14.1.0.2
739945-4 3-Major BT739945 JavaScript challenge on POST with 307 breaks application 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.5, 12.1.4
738676-1 3-Major BT738676 Errors when trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests 15.0.0, 14.1.0.2
737866-2 3-Major BT737866 Rare condition memory corruption 15.0.0, 14.1.0.2
754365-5 4-Minor BT754365 Updated flags for countries that changed their flags since 2010 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1
721724-1 4-Minor BT721724 LONG_REQUEST notice print incorrect in BD log 14.1.0.2, 14.1.0


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
746941-2 2-Critical BT746941 Memory leak in avrd when BIG-IQ fails to receive stats information 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4
753446-2 3-Major BT753446 avrd process crash during shutdown if connected to BIG-IQ 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5
749464-2 3-Major BT749464 Race condition while BIG-IQ updates common file 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4
749461-2 3-Major BT749461 Race condition while modifying analytics global-settings 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4
745027-2 3-Major BT745027 AVR is doing extra activity of DNS data collection even when it should not 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4
744595-3 3-Major BT744595 DoS-related reports might not contain some of the activity that took place 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4
744589-3 3-Major BT744589 Missing data for Firewall Events Statistics 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4
715110-1 3-Major BT715110 AVR should report 'resolutions' in module GtmWideip 14.1.0.2, 13.1.0.8


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
752592-1 2-Critical BT752592 VMware Horizon PCoIP clients may fail to connect shortly after logout 15.0.0, 14.1.0.2, 13.1.1.5
754346-2 3-Major BT754346 Access policy was not found while creating configuration snapshot. 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4
746771-3 3-Major BT746771 APMD recreates config snapshots for all access profiles every minute 15.0.0, 14.1.0.2, 13.1.1.4
745654-4 3-Major BT745654 Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4, 12.1.4.1
743437-3 3-Major BT743437 Portal Access: Issue with long 'data:' URL 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
749603-1 3-Major BT749603 MRF SIP ALG: Potential to end wrong call when BYE received 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.5
749227-1 3-Major BT749227 MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE 15.0.0, 14.1.0.2, 14.0.1.1
748043-2 3-Major BT748043 MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.5
747187-2 3-Major BT747187 SIP falsely detects media flow collision when SDP is in both 183 and 200 response 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.5, 12.1.5.2
745715-2 3-Major BT745715 MRF SIP ALG now supports reading SDP from a mime multipart payload 15.0.0, 14.1.0.2
745628-1 3-Major BT745628 MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.3
745514-1 3-Major BT745514 MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.3
745404-4 3-Major BT745404 MRF SIP ALG does not reparse SDP payload if replaced 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.3, 12.1.5.2
744949-1 3-Major BT744949 MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.5
744275-1 3-Major BT744275 BIG-IP system sends Product-Name AVP in CER with Mandatory bit set 15.0.0, 14.1.0.2, 13.1.3.4
742829-1 3-Major BT742829 SIP ALG: Do not translate and create media channels if RTP port defined in the SIP message is 0 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
747104-1 1-Blocking K52868493, BT747104 LibSSH: CVE-2018-10933 15.0.0, 14.1.0.2, 13.1.1.4, 12.1.4.1
752363-2 2-Critical BT752363 Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled 15.0.0, 14.1.0.2, 13.1.3
749331-3 2-Critical BT749331 Global DNS DoS vector does not work in certain cases 15.0.0, 14.1.0.2
747922-3 2-Critical BT747922 With AFM enabled, during bootup, there is a small possibility of a tmm crash 15.0.0, 14.1.0.2, 13.1.3.2
748176-1 3-Major BT748176 BDoS Signature can wrongly match a DNS packet 15.0.0, 14.1.0.2
748081-1 3-Major BT748081 Memory leak in Behavioral DoS module 15.0.0, 14.1.0.2, 13.1.1.5
747926-2 3-Major BT747926 Rare TMM restart due to NULL pointer access during AFM ACL logging 15.0.0, 14.1.0.2, 13.1.1.4


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
726647-5 3-Major BT726647 PEM content insertion in a compressed response may truncate some data 15.0.0, 14.1.0.2, 14.0.0.3, 13.1.1.2, 12.1.4.1


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
752782-1 3-Major BT752782 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe' 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5
741449-3 4-Minor BT741449 alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4
738677-1 4-Minor BT738677 Configured name of wildcard parameter is not sent in data integrity alerts 15.0.0, 14.1.0.2


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
755378-1 2-Critical BT755378 HTTPS connection error from Chrome when BADOS TLS signatures configured 15.0.0, 14.1.0.2
727136-1 3-Major BT727136 One dataset contains large number of variations of TLS hello messages on Chrome 15.0.0, 14.1.0.2


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
745733-3 3-Major BT745733 TMSH command "tmsh show ltm urlcat-query" not performing cloud lookup 15.0.0, 14.1.0.2, 13.1.3.5



Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
745629 2-Critical BT745629 Ordering Symantec and Comodo certificates from BIG-IP 14.1.0.1
713817-1 3-Major BT713817 BIG-IP images are available in Alibaba Cloud 15.0.0, 14.1.0.1
738891-1 4-Minor BT738891 TLS 1.3: Server SSL fails to increment key exchange method statistics 15.0.0, 14.1.0.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
746424 2-Critical BT746424 Patched Cloud-Init to support AliYun Datasource 15.0.0, 14.1.0.1
745851 3-Major BT745851 Changed Default Cloud-Init log level to INFO from DEBUG 15.0.0, 14.1.0.1
742251-1 4-Minor BT742251 Add Alibaba Cloud support to Qkview 15.0.0, 14.1.0.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
745774-1 3-Major BT745774 Creating EC-only client SSL profile for forward-proxy without RSA key certs defined results in invalid profile 14.1.0.1, 14.1.0


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
749774-5 3-Major BT749774 EDNS0 client subnet behavior inconsistent when DNS Caching is enabled 15.0.0, 14.1.0.1, 14.0.0.4, 13.1.1.4, 12.1.4, 11.6.3.4, 11.5.8
749675-5 3-Major BT749675 DNS cache resolver may return a malformed truncated response with multiple OPT records 15.0.0, 14.1.0.1, 14.0.0.4, 13.1.1.4, 12.1.4, 11.6.3.4, 11.5.8

 

Cumulative fix details for BIG-IP v14.1.5.6 that are included in this release

999933-4 : TMM may crash while processing DNS traffic on certain platforms

Links to More Info: K28042514, BT999933


999901-4 : Certain LTM policies may not execute correctly after a system reboot or TMM restart.

Links to More Info: K68816502, BT999901

Component: Local Traffic Manager

Symptoms:
After a system reboot or TMM restart, LTM policies referencing an external data-group may not execute correctly, regardless of a successful matching condition.

This can cause a wide range of issues, including misrouted traffic, unshaped traffic, the bypassing of ASM, or complete traffic failure (based on the policy actions).

Note that if a virtual server references multiple LTM policies, and only some of those policies reference an external data-group, all LTM policies attached to the virtual server will be affected.

Conditions:
-- LTM policy with an external data-group configured on a virtual server.
-- System reboot or TMM restart.

Impact:
LTM policies may be unable to execute the appropriate action on a successful matching condition, leading to a wide range of traffic-impacting consequences.

Workaround:
Remove and re-add the affected policy to the desired virtual-server. Alternatively, to fix a wider number of affected virtual servers in one go, reload the system configuration by executing 'tmsh load sys config'.

Fix:
TMM now loads LTM policies with external data-groups as expected.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


999125-3 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.

Links to More Info: BT999125

Component: TMOS

Symptoms:
After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states.

Conditions:
-- One or more devices belonging to a sync-failover device-group undergo a management IP change.

Impact:
-- The affected units are unable to pass traffic, as they are either both Standby or Active (resulting in either no service availability or IP address conflicts in the network).

Workaround:
If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, to account for the possibility that this issue occurs.

Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command:

tmsh restart sys service sod

Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future.

Fix:
Redundant devices remain in the correct failover state following a management IP address change.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


999097-4 : SSL::profile may select profile with outdated configuration

Links to More Info: BT999097

Component: Local Traffic Manager

Symptoms:
Under some circumstances, an iRule-selected SSL profile may send a previously configured certificate to the peer.

Conditions:
iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made in the profile's cert-key-chain field.

Impact:
The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.

Workaround:
Avoid making changes to a profile that is actively being used by the iRule command.

Fix:
The system now makes sure that SSL profiles are properly reloaded after changes are made.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5


998781 : When a large number of feed list URLs are configured, BIG-IP takes a long time to sync the IP list

Links to More Info: BT998781

Component: Advanced Firewall Manager

Symptoms:
If large numbers of feed URLs are configured in the IPI Policy, it takes a lot of time to fetch the IP lists from the feed server. BIG-IP system performance is significantly degraded.

Conditions:
-- security ip-intelligence policy
-- security ip-intelligence feed-list : add large number of URLs to the list

Impact:
It can take several minutes to multiple hours for the BIG-IP system to fetch updates from the feed server.

Workaround:
None

Fix:
Performance has improved significantly with this fix.

Fixed Versions:
14.1.5


998729 : Query for virtual address statistics is slow when there are hundreds of virtual addresses and address list entries

Links to More Info: BT998729

Component: TMOS

Symptoms:
If there are hundreds of virtual addresses and hundreds of address entries spanning one or more address lists, mcpd might take seconds to reply to a query for virtual address statistics.

One of the more commonly visible signs of this is high CPU usage by mcpd if it's processing a large number of queries for virtual address statistics. It is also likely that snmpd responses will be severely delayed to SNMP agent requests.

Conditions:
-- Hundreds of virtual servers.
-- Hundreds of address entries spanning one or many address lists.
-- Running SNMP queries for virtual address statistics.

Impact:
-- High CPU usage by mcpd.
-- SNMP requests/polling timeouts occur because mcpd takes hundreds of milliseconds to respond.

Note: If the address lists that contain the entries are not used in traffic-matching-criteria (and therefore do not increase the size of the tmstat virtual_address_stat table), mcpd response time is in the tens of milliseconds.

Workaround:
None

Fix:
Improved performance of queries for virtual address statistics when there are hundreds of virtual addresses and address list entries.

Fixed Versions:
14.1.4.4


998221-4 : Accessing pool members from configuration utility is slow with large config

Links to More Info: BT998221

Component: TMOS

Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.

Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.

Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second.

Managing pool members from the configuration utility is very slow, causing a performance impact.

Workaround:
None

Fix:
Optimized the GUI query used for retrieving pool members data.

Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.3


997929-4 : Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic

Links to More Info: BT997929

Component: Local Traffic Manager

Symptoms:
If a virtual server is using a traffic-matching-criteria (TMC) with a destination-inline-port of zero ('any'), and this is later changed (either to a non-zero port value, or to a port-list with non-zero port values) the virtual server stops processing traffic.

If tmm is restarted (which causes an outage) the virtual server resumes accepting traffic using the new ports. In addition, changing the virtual server's port back to 'any' also causes traffic processing to resume.

Conditions:
-- A virtual server using an address list for its destination, and 'any' (zero) for its destination port.

-- Changing the virtual server's destination port to a non-zero value, or to a port-list with non-zero port values.

Impact:
The virtual server stops processing traffic.

Workaround:
To recover, you can do either of the following:

-- Restart tmm:
bigstart restart tmm

-- Change the virtual server's port back to 'any' (0).

Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4


997193-2 : TCP connections may fail when AFM global syncookies are in operation.

Links to More Info: K16101409, BT997193


997137-4 : CSRF token modification may allow WAF bypass on GET requests

Links to More Info: K80945213, BT997137

Component: Application Security Manager

Symptoms:
Under certain conditions a parameter is not processed as expected.

Conditions:
1. CSRF feature is configured
2. Request contains a crafted parameter

Impact:
A malicious request bypasses signatures and does not raise any attack signature violation.

Workaround:
N/A

Fix:
The parameter is now processed as expected.

Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5


996593-3 : Password change through REST or GUI not allowed if the password is expired

Links to More Info: BT996593

Component: TMOS

Symptoms:
When trying to update the expired password through REST or the GUI, the system reports an error:

Authentication failed: Password expired. Update password via /mgmt/shared/authz/users.

Conditions:
-- Password is expired.
-- Password change is done through either REST or the GUI.

Impact:
Expired password cannot be updated through REST or the GUI.

Workaround:
Update password using tmsh:

tmsh modify auth password <username>

Fix:
You can now change an expired password through REST or the GUI.

Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3


996381-4 : ASM attack signature may not match as expected

Links to More Info: K41503304, BT996381

Component: Application Security Manager

Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.

Conditions:
- Attack signature 200000128 enabled.

Impact:
Processed traffic may not match all expected attack signatures

Workaround:
N/A

Fix:
Attack signature 200000128 now matches as expected.

Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1


996233-3 : Tomcat may crash while processing TMUI requests

Links to More Info: K38893457, BT996233


996113-4 : SIP messages with unbalanced escaped quotes in headers are dropped

Links to More Info: BT996113

Component: Service Provider

Symptoms:
Dropped SIP messages.

Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote

Impact:
Certain SIP messages are not being passed via MRF.

Workaround:
None

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


996001-2 : AVR Inspection Dashboard 'Last Month' does not show all data points

Links to More Info: BT996001

Component: TMOS

Symptoms:
A daily report (a report with a resolution of one day per data point) can be provided only for requests of up to 30 days. A request for 31 days shows only 2 entries.

Conditions:
This occurs when generating a 'Last Month' report for a month that contains 31 days of data.

Impact:
AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points.

Workaround:
None

Fix:
Viewing a 'Last Month' graph now reports ~30 days worth of data, rather than a variable amount of data based on actual calendar periods.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5


995853-3 : Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error.

Links to More Info: BT995853

Component: Global Traffic Manager (DNS)

Symptoms:
Unable to create a GSLB Server object with both IPv4 and IPv6 self IPs as device IPs.

Conditions:
-- DNS and LTM services enabled.
-- Configure two self IPs on the box for IPv4 and IPv6.
-- GSLB Server object creation with IPv4 and IPv6 addresses in the device tab, with Virtual Server Discovery enabled.

Impact:
GSLB Server object creation fails.

Workaround:
TMSH is not impacted. Use TMSH to create GSLB Server objects.

Fix:
GSLB Server object creation no longer fails.

Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4, 13.1.5


995629-2 : Loading UCS files may hang if ASM is provisioned

Links to More Info: BT995629

Component: TMOS

Symptoms:
If a UCS file from a BIG-IP system running a different software version that also has an ASM configuration is loaded onto a device that already has ASM provisioned, the load may hang indefinitely.

Conditions:
-- A system that has ASM provisioned.
-- Loading a UCS file with an ASM configuration that comes from a different system.

Impact:
-- UCS load might fail.
-- Config save and load operations fail while the UCS load hangs. The failure of those operations may not be obvious, leaving the BIG-IP saved configuration different from the running configuration.

Workaround:
If you encounter this, run 'load sys config default' to de-provision ASM. The UCS file should then load successfully.

Note: If loading a UCS archive with the 'platform-migrate' argument, then there is no workaround. See: https://cdn.f5.com/product/bugtracker/ID990849.html

Fix:
Loading UCS files no longer hangs if ASM is provisioned.

Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4.1


995433-4 : IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT

Links to More Info: BT995433

Component: Advanced Firewall Manager

Symptoms:
The PPTP log entries for NAT64 traffic have a truncated IPv6 address.

Conditions:
This is encountered when viewing PPTP log entries.

Impact:
IPv6 addresses in PPTP logs are truncated.

Workaround:
None

Fix:
The full IPv6 address is now logged in PPTP logs.

Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.5


995029 : Configuration is not updated during auto-discovery

Links to More Info: BT995029

Component: Access Policy Manager

Symptoms:
Auto-discovery fails, resulting in OAuth failure. In /var/log/apm:

-- OAuth Client: failed for server '<server>' using 'authorization_code' grant type (<grant type>), error: None of the configured JWK keys match the received JWT token

Conditions:
JSON Web Token (JWT) auto-discovery is enabled via JSON Web Keys (JWK).

Impact:
JWT auto-discovery fails and the configuration is not updated.

Workaround:
Use the GUI to manually retrieve the JWKs by clicking the 'Discovery' button for the OpenID URI in 'Access :: Federation : OAuth Client / Resource Server : Provider :: <name of provider>'.

Fix:
Fixed an issue with auto-discovery and JWKs.

Fixed Versions:
16.1.0, 15.1.4, 14.1.4.2


994985-1 : CGNAT GUI shows blank page when applying SIP profile

Links to More Info: BT994985

Component: Carrier-Grade NAT

Symptoms:
The virtual server properties GUI page shows blank when a SIP profile is applied to the virtual server.

Conditions:
-- Create virtual server and attach a SIP profile.
-- Navigate to virtual server properties page.

Impact:
The virtual server properties page does not display the configuration.

Workaround:
None.

Fix:
The GUI now shows the virtual server configuration page with all configuration values.

Fixed Versions:
17.0.0, 15.1.4, 14.1.4.2


994801-4 : SCP file transfer system

Component: TMOS

Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.

Conditions:
tmsh does not follow best practices for SCP operations

Impact:
tmsh does not follow best practices for SCP operations

Workaround:
None

Fix:
The SCP file transfer system now follows current best practices.

Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1


994125-1 : NetHSM Sanity results are not reflecting in GUI test output box

Links to More Info: BT994125

Component: Local Traffic Manager

Symptoms:
The netHSM sanity test results are not visible in the GUI when an HSM test is selected.

Conditions:
NA

Impact:
Cannot see netHSM test results from GUI.

Workaround:
Use TMSH to see netHSM test results.

Fix:
You can now test the selected HSM and partition and view the test results.

Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3


993981-4 : TMM may crash when ePVA is enabled

Links to More Info: K52340447, BT993981


993921-1 : TMM SIGSEGV

Links to More Info: BT993921

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes on SIGSEGV.

Conditions:
This is a rarely occurring issue associated with the iRule command 'pool XXXX member XXXX'.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use 'pool XXXX member XXXX' iRule command.

Fix:
This rarely occurring issue is now fixed.

Fixed Versions:
16.1.0, 15.1.6.1, 14.1.5.1


993913-1 : TMM SIGSEGV core in Message Routing Framework

Links to More Info: BT993913

Component: Service Provider

Symptoms:
TMM crashes on SIGSEGV.

Conditions:
This can occur while passing traffic through the message routing framework.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4


993613-4 : Device fails to request full sync

Links to More Info: BT993613

Component: Application Security Manager

Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs.

Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.

Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- A large number of asm_config_server processes increases host memory usage.

Workaround:
Halting asm_config_server on the stuck device restores the working state and requests a new sync.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5


993517-4 : Loading an upgraded config can result in a file object error in some cases

Links to More Info: BT993517

Component: Local Traffic Manager

Symptoms:
After an upgrade from a version prior to 13.1.0, when loading a configuration that has had an HTTPS monitor in it, if that configuration has not yet been saved, you may see errors like this in the LTM log:

-- 0107134a:3: File object by name (DEFAULT) is missing.

If you run 'tmsh load sys config verify' on this configuration, the system also posts the error on the screen.

Conditions:
-- Upgrading from a version prior to 13.1.0.
-- At least one HTTPS monitor that has the kEDH cipher in its cipherlist.
-- Upgrading to version 13.1.1.4 or later.
-- Loading the configuration (either automatically on startup, or manually).

Impact:
Other than the error message, there is no impact.

Workaround:
After the initial reboot, save the configuration.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


993489-4 : GTM daemon leaks memory when reading GTM link objects

Links to More Info: BT993489

Component: Global Traffic Manager (DNS)

Symptoms:
The gtmd process memory consumption is higher than expected.

Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.

Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.

Workaround:
None

Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5


993457-3 : TMM core with ACCESS::policy evaluate iRule

Links to More Info: BT993457

Component: Access Policy Manager

Symptoms:
TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release.

Conditions:
-- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered.
-- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes.

Impact:
This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM no longer crashes and generates a core file during the ACCESS::policy evaluate iRule under these conditions.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5


992213-1 : Protocol Any displayed as HOPTOPT in AFM policy view

Links to More Info: BT992213

Component: Advanced Firewall Manager

Symptoms:
The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI.

Conditions:
-- Create a rule and set protocol as 'any'.
-- Navigate to active rules.

Impact:
GUI shows an incorrect value.

Workaround:
None

Fix:
GUI Shows correct value for rule protocol option.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.2


992121-2 : REST "/mgmt/tm/services" endpoint is not accessible

Links to More Info: BT992121

Component: TMOS

Symptoms:
Accessing "/mgmt/tm/services" fails with a null exception and returns a 400 response.

Conditions:
When accessing /mgmt/tm/services through the REST API.

Impact:
Unable to get services through the REST API. BIG-IQ needs that call for monitoring.

Fix:
/mgmt/tm/services is now accessible through the REST API and returns the services successfully.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1


992097-1 : Incorrect hostname is seen in logging files

Links to More Info: BT992097

Component: TMOS

Symptoms:
-- On the local blade, slot information is missing from LTM logs. Only the hostname is logged.
-- For messages received from another blade, the hostname is replaced by the word "slotX".

Conditions:
Multi-bladed VIPRION or VIPRION-based vCMP guest.

Impact:
Remote log collectors cannot identify the log message based on hostname and/or blade number.

Workaround:
None

Fixed Versions:
16.1.0, 15.1.6.1, 14.1.5


992073-1 : APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS

Links to More Info: K93543114, BT992073


991037-1 : MR::message can cause tmm crash

Links to More Info: BT991037

Component: Service Provider

Symptoms:
The iRule command MR::message drop can occasionally trigger a memory corruption and tmm crash.

Conditions:
The iRule command MR::message drop is used.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
14.1.4.3


990849-3 : Loading UCS with platform-migrate option hangs and requires exiting from the command

Links to More Info: BT990849

Component: TMOS

Symptoms:
The UCS loading process with platform-migrate stops responding and hangs after printing:

Platform migrate loaded successfully. Saving configuration.

Conditions:
Load UCS with platform-migrate option:
tmsh load sys ucs <ucs_name> platform-migrate

Note: If you are loading a UCS archive created on a system running a different software version that also has an ASM configuration, there are other aspects to consider. See: https://cdn.f5.com/product/bugtracker/ID995629.html

Impact:
The UCS loading process stops responding, causing the device to be in an INOPERATIVE state.

Workaround:
None.

Fix:
Loading UCS with the platform-migrate option executes smoothly without getting stuck.

Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4.1


990461-2 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade

Links to More Info: BT990461

Component: Advanced Firewall Manager

Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.

Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.

Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.

Workaround:
Manually update the SYN cookie threshold values after an upgrade.

Fixed Versions:
17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4


990333-4 : APM may return unexpected content when processing HTTP requests

Links to More Info: K75540265, BT990333


989753-3 : In HA setup, standby fails to establish connection to server

Links to More Info: BT989753

Component: Service Provider

Symptoms:
In a high availability (HA) setup, standby fails to establish a connection to the server with the log message:

err tmm[819]: 01850008:3: MR: Received HA message targeting missing transport-config

Conditions:
In MRF (diameter/SIP) HA setup with connection mirroring enabled.

Impact:
Standby BIG-IP system fails to establish a connection to the server.

Workaround:
None.

Fix:
Standby is now able to establish a connection to the server.

Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2


989701-4 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response

Links to More Info: K42355373, BT989701


989637-4 : TMM may crash while processing SSL traffic

Links to More Info: K08476614, BT989637


989009-4 : BD daemon may crash while processing WebSocket traffic

Links to More Info: K05314769, BT989009


988549-4 : CVE-2020-29573: glibc vulnerability

Links to More Info: K27238230, BT988549


988533-3 : GRE-encapsulated MPLS packet support

Links to More Info: BT988533

Component: TMOS

Symptoms:
There is no facility to accept packets using GRE-encapsulated MPLS. The GUI gives only encapsulation options for IP address (0x0800) and transparent ethernet bridging (0x6558).

Conditions:
This is encountered when attempting to configure BIG-IP systems to handle GRE-encapsulated MPLS.

Impact:
Packets get dropped when they are GRE-encapsulated with MPLS.

Workaround:
None

Fix:
Encapsulated MPLS packets over GRE are now supported in a way similar to IP address and transparent ethernet bridging.

Fixed Versions:
17.0.0, 15.1.4.1, 14.1.4.5


988005-3 : Zero active rules counters in GUI

Links to More Info: BT988005

Component: Advanced Firewall Manager

Symptoms:
When accessing Security :: Network Firewall :: Active Rules in UI, the active rules count is stuck at 0 (zero).

Conditions:
Access the following menu path:
Security :: Network Firewall :: Active Rules

Impact:
Incorrect information on active rules count is seen in the UI.

Workaround:
Disable firewall inline editor.

Fix:
The active rules count column now displays the correct number of times a rule has been hit.

Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2


987885-3 : Half-open unclean SSL termination might not close the connection properly

Links to More Info: BT987885

Component: Local Traffic Manager

Symptoms:
Upon receiving TCP FIN from the client in the middle of the SSL Application Data, the BIG-IP system does not close the connection on either client- or server-side (i.e., it does not 'forward' the FIN on the server-side as it normally does) causing the connection to go stale until the timeout is reached.

Conditions:
-- TCP and SSL profiles configured on a virtual server.
-- Client terminates the connection in the middle of an SSL record.

Impact:
Connection termination does not happen. Connection remains in the connection table until idle timeout is reached.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1


987341-3 : BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers.

Links to More Info: BT987341

Component: Access Policy Manager

Symptoms:
BIG-IP discovers and updates JSON Web Keys (JWK) in OpenID Connect (OIDC) deployments using a Java Runtime Environment (JRE). The JRE in BIG-IP does not support strong TLS ciphers, so the discovery/update process can fail against OIDC providers that enforce strong encryption requirements.

Conditions:
Using an OpenID Connect provider that allows only strong TLS ciphers, and using an APM configuration that validates incoming JWTs against a dynamic JWK list in Internal Validation Mode.

Impact:
This might cause discovery to fail against certain OpenID Connect auth providers that enforce strong cipher requirements. It could lead to JWT validation failure as the JWKs expire and cannot be updated by BIG-IP.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5


987113-2 : CMP state degraded while under heavy traffic

Links to More Info: BT987113

Component: TMOS

Symptoms:
When a VELOS 8 blade system is under heavy traffic, the clustered multiprocessing (CMP) state could become degraded. This can show up as a dramatic drop in traffic performance.

Conditions:
Exact conditions are unknown; the issue was observed while under heavy traffic with all 8 blades configured for a tenant.

Impact:
System performance drops dramatically.

Workaround:
Lower traffic load.

Fix:
Fixed an inconsistent CMP state.

Fixed Versions:
17.1.0, 15.1.4, 14.1.5


987077-4 : TLS1.3 with client authentication handshake failure

Links to More Info: BT987077

Component: Local Traffic Manager

Symptoms:
SSL handshakes fail, and TLS clients send 'Bad Record MAC' errors.

Conditions:
-- LTM authentication profile using OCSP and TLS1.3.
-- Client application data arrives during LTM client authentication iRule.

Impact:
-- A handshake failure occurs.
-- Client certificate authentication may pass without checking its validity via OCSP.

Workaround:
Use TLS1.2 or use TLS1.3 without the LTM authentication profile.

Fix:
Handshake completes if using TLS1.3 with client authentication and LTM auth profile.

Fixed Versions:
17.0.0, 16.1.3, 15.1.5.1, 14.1.4.6


985953-2 : GRE Transparent Ethernet Bridging inner MAC overwrite

Links to More Info: BT985953

Component: TMOS

Symptoms:
Traffic is not collected by the virtual server and therefore is not forwarded to the nodes.

Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.

Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.

Workaround:
None

Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.

Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:

tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config

This allows virtual servers on the BIG-IP system to process traffic.

Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.

To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:

tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config

This allows virtual servers on the BIG-IP system to process traffic.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


984765-4 : APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)

Links to More Info: BT984765

Component: Access Policy Manager

Symptoms:
NTLM User logon authentication fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) from the Active Directory (AD) server.

Conditions:
-- Upgrading from legacy versions to BIG-IP v14.1.2 or later.
-- AD servers are updated with latest security patches from Microsoft.

Impact:
NTLM Authentication fails after a week. APM end user client logon (such as Outlook users, Remote Desktop Users, and Browser-based NTLM Auth logons that use BIG-IP APM as forward/reverse proxy) fails, and the service is down.

Workaround:
To resolve the issue temporarily, use either of the following:

-- Reset the NTLM Machine Account with the 'Renew Machine Password' option.

-- Run the command:
bigstart restart nlad

The problem can reappear after a week, so you must repeat these steps each time the issue occurs.

Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4


984593-3 : BD crash

Links to More Info: BT984593

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5


982869-3 : With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0

Links to More Info: BT982869

Component: Service Provider

Symptoms:
Tmm may crash.

Conditions:
This occurs when auto initialization is enabled for one or more Message Routing peers and during CMP transition when tmm_total_active_npus value is 0.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Tmm no longer crashes under these conditions.

Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1


982785-4 : Guided Configuration hardening

Links to More Info: K52322100


982777-11 : APM hardening

Links to More Info: K21317311, BT982777


982769-10 : Appliance mode hardening

Links to More Info: K68647001, BT982769


982757-6 : APM Access Guided Configuration hardening

Links to More Info: K53197140


982753-4 : Appliance mode hardening

Links to More Info: K68647001, BT982753


982745-3 : Appliance mode hardening

Links to More Info: K68647001, BT982745


982697-4 : ICMP hardening

Links to More Info: K41440465, BT982697


982341-4 : iControl REST endpoint hardening

Links to More Info: K53197140, BT982341


981785-2 : Incorrect incident severity in Event Correlation statistics

Links to More Info: BT981785

Component: Application Security Manager

Symptoms:
When reported to AVR, incident severity reads "correlation" instead of "high" or "medium".

Conditions:
Usually happens for the first incident after ASM startup.

Impact:
Incorrect statistics in Event Correlation summary (Incident Severity graph), and also in tmsh analytics report.

Workaround:
Use severity info from the Incidents list.

Fix:
Event Correlation engine was fixed and now incident severity is reported properly to AVR.

Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3


981693-2 : TMM may consume excessive resources while processing IPSec ALG traffic

Links to More Info: K54892865, BT981693


981689-1 : TMM memory leak with IPsec ALG

Links to More Info: BT981689

Component: Carrier-Grade NAT

Symptoms:
TMM crash due to out of memory.

Conditions:
-- IPsec ALG virtual server in BIG-IP passes traffic normally.
-- IPsec ALG connections are aborted. A common cause of IPsec ALG failure is CGNAT translation failures.

Impact:
TMM reaches memory limits. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed a tmm memory leak related to IPsec ALG connections.

Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.2


981461-3 : Unspecified DNS responses cause TMM crash

Links to More Info: K45407662, BT981461


981385-4 : AVRD does not send HTTP events to BIG-IQ DCD

Links to More Info: BT981385

Component: Application Visibility and Reporting

Symptoms:
AVRD does not send HTTP events to BIG-IQ data collection device (DCD).

Conditions:
This happens under normal operation.

Impact:
AVRD does not write Traffic Capture logs for analysis. Cannot analyze issues when Traffic Capture does not provide event information.

Workaround:
None.

Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4


981273-3 : APM webtop hardening

Links to More Info: K41997459, BT981273


981169-3 : F5 TMUI XSS vulnerability CVE-2021-22994

Links to More Info: K66851119, BT981169


980821-1 : Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured.

Links to More Info: BT980821

Component: Local Traffic Manager

Symptoms:
Traffic is directed to a virtual server that is configured with port any even though there is a virtual server with a specific port that the traffic should match.

Conditions:
There are two virtual servers configured:
  - One with a specific port and ip-protocol 'any'
  - One with port any and a specific ip-protocol

Impact:
Traffic destined to the port matches the any-port virtual server rather than the specific port virtual server.

Workaround:
Create individual listeners for specific protocols.

For example, given the configuration:
  ltm virtual vs-port80-protoAny {
    destination 10.1.1.1:80
    ip-protocol any
    ...
  }
  ltm virtual vs-portAny-protoTCP {
    destination 10.1.1.1:0
    ip-protocol TCP
    ...
  }

Replace the vs-port80-protoAny with virtual servers configured for the specific protocols desired:
  ltm virtual vs-port80-protoTCP {
    destination 10.1.1.1:80
    ip-protocol TCP
    ...
  }
  ltm virtual vs-port80-protoUDP {
    destination 10.1.1.1:80
    ip-protocol UDP
    ...
  }

Fix:
A more specific virtual server now takes priority over a wildcard virtual server when processing traffic.

Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2


980809-3 : ASM REST Signature Rule Keywords Tool Hardening

Links to More Info: K41351250, BT980809


980325-4 : Chmand core due to memory leak from dossier requests.

Links to More Info: BT980325

Component: TMOS

Symptoms:
Chmand generates a core file when get_dossier is run continuously.

Due to excessive dossier requests, there is a high consumption of memory. The program is terminated with signal SIGSEGV, Segmentation fault.

Conditions:
Repeated/continuous dossier requests during licensing operations.

Impact:
Chmand crashes; potential traffic impact while chmand restarts.

Workaround:
None.

Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4, 13.1.5


980125-4 : BD Daemon may crash while processing WebSocket traffic

Links to More Info: K42051445, BT980125


979877-6 : CVE-2020-1971 OpenSSL: EDIPARTYNAME NULL pointer de-reference vulnerability description and available information

Links to More Info: K42910051, BT979877


978833-3 : Use of CRL-based Certificate Monitoring Causes Memory Leak

Links to More Info: BT978833

Component: Local Traffic Manager

Symptoms:
TMM memory use increases and the aggressive mode sweeper activates.

Conditions:
CRL certificate validator is configured.

Impact:
TMM ssl and ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart.

Workaround:
None.

Fix:
Use of CRL-based certificate monitoring no longer causes memory leak.

Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.4


978393 : GUI screen shows blank screen while importing a certificate

Links to More Info: BT978393

Component: TMOS

Symptoms:
When you click the import button of an existing certificate, the screen goes blank.

Go to:
1. System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: existing_certificate.crt ::
2. Click the 'Import' button at the bottom of the page.

Conditions:
-- Device is upgraded from 13.1.x to 14.1.x.
-- Attempting to import a certificate that was created prior to the upgrade.

Impact:
You are unable to import from a certificate using the GUI.

Workaround:
There are three workarounds:

-- Use the GUI to download and reimport:
1. Download the cert and key.
2. Delete the cert and key from system.
3. Import it back.


-- Use the GUI to rename and save:
1. Rename the cert and key, removing extensions from the file.
2. Update the config file accordingly. The Import button works successfully.

-- Use tmsh to update the certs.

Fix:
Certificates can now be imported via the GUI after upgrade.

Fixed Versions:
14.1.4.1


977657-1 : SELinux errors when deploying a vCMP guest.

Links to More Info: BT977657

Component: TMOS

Symptoms:
An error occurs:
SELinux avc: denied { write } for pid=9292 comm="rpm" name="rpm".

Conditions:
The error occurs when the system is started back up after provisioning vCMP.

Impact:
SELinux avc is denied write permission for rpm_var_lib_t.

Fixed Versions:
16.1.0, 15.1.6.1, 14.1.5


977053-3 : TMM crash on standby due to invalid MR router instance

Links to More Info: BT977053

Component: Service Provider

Symptoms:
In high availability (HA) setup, TMM on the standby device may crash due to an invalid Message Routing (MR) router instance.

Conditions:
-- HA environment.
-- Connection mirroring is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM on the standby device no longer crashes under these conditions.

Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1


977005-2 : Network Firewall Policy rules-list showing incorrect 'Any' for source column

Links to More Info: BT977005

Component: Advanced Firewall Manager

Symptoms:
Network Firewall Policy rules-list shows incorrect 'Any' for source column.

Conditions:
- Create a policy under Security :: Network Firewall : Policies.
- Create a rules list with some rules in it.
- Add the rules list to the Policy.
- Verify the GUI shows 'any' under the source column of the root tree of the policy.

Impact:
The GUI shows extra 'Any' text under the source column.

Workaround:
None

Fix:
The GUI no longer shows the extra text.

Fixed Versions:
16.1.0, 15.1.4, 14.1.4.2


976925-3 : BIG-IP APM VPN vulnerability CVE-2021-23002

Links to More Info: K71891773, BT976925


976669-3 : FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade

Links to More Info: BT976669

Component: TMOS

Symptoms:
After rebooting or replacing a secondary blade, the FIPS integrity check fails for other secondary blades and they fail to fully boot.

Conditions:
This can occur after rebooting or replacing a secondary blade.

Impact:
When the FIPS integrity checks fail the blades won't fully boot.

Workaround:
On the secondary blade reboot, the following critical files are deleted from other secondary blades which leads to FIPS integrity check failure:

/root/.ssh/authorized_keys
/root/.ssh/known_hosts

To mitigate, copy the missing files from the primary blade to the secondary blade.

From the primary blade, issue the following command towards the secondary blade(s).

rsync -avz -e ssh /root/.ssh/* root@<Secondary Blade>:/root/.ssh/

Fix:
Critical files are not deleted during secondary blade reboot.

Fixed Versions:
17.0.0, 16.1.2.2, 16.1.0, 15.1.5.1, 14.1.4.6


976525-2 : Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled

Links to More Info: BT976525

Component: Local Traffic Manager

Symptoms:
In BIG-IP v13.1.3.2 and later, there is new functionality to SNAT the traffic coming from the host system. When there are multiple routes to a destination address and transparent monitors are in use, tmm occasionally picks the wrong source IP for these connections.

Conditions:
-- The db variable snat.hosttraffic is enabled.
-- Gateway pool with multiple members.
-- Transparent monitors.

Impact:
The system chooses the wrong source IP address for the egress interface. That incorrect source IP address might cause traffic to return on the wrong VLAN.

Workaround:
Use either of the following workarounds:

-- Disable VLAN keyed connections: modify sys db connection.vlankeyed value disable

-- Upgrade to a version with a fix for ID 826905 (https://cdn.f5.com/product/bugtracker/ID826905.html) and disable snat.hosttraffic.

Fix:
Transparent monitors now have the correct source IP addresses when gateway pools are in use and snat.hosttraffic is enabled.

Fixed Versions:
17.0.0, 16.1.4, 15.1.6.1, 14.1.5


976505-1 : Rotated restnoded logs will fail logintegrity verification.

Links to More Info: BT976505

Component: TMOS

Symptoms:
On enabling the logintegrity feature, the rotated restnoded logs fail logintegrity verification.

Conditions:
Logintegrity support feature is enabled:

list sys db logintegrity.support
sys db logintegrity.support {
    value "enable"
}

Impact:
Rotated restnoded logs fail logintegrity verification.

Workaround:
None

Fix:
Restnoded logs are now verified successfully by the logintegrity utility.

Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2


976501-3 : Failed to establish VPN connection

Links to More Info: BT976501

Component: Access Policy Manager

Symptoms:
VPN client exits with the message "Failed to establish VPN connection".

Conditions:
-- Connect to Network Access using web browser.
-- Disconnect and then click on the Network Access resource again in the Webtop.
-- Internet Explorer browser

Impact:
Client will be unable to launch the VPN tunnel from the browser.

Workaround:
Clear cache in the browser and retry.
Disable caching in the browser.

Fixed Versions:
16.1.0, 15.1.3, 14.1.4, 13.1.3.6


976365-1 : Traffic Classification hardening

Links to More Info: BT976365

Component: Traffic Classification Engine

Symptoms:
Traffic Classification IM packages do not follow current best practices.

Conditions:
- Traffic Classification enabled
- IM packages updated by an authenticated administrative user

Impact:
Traffic Classification IM packages do not follow current best practices.

Workaround:
No Workaround

Fix:
Traffic Classification IM packages now follow current best practices.

Fixed Versions:
16.1.0, 15.1.3.1, 14.1.4.3


975809-2 : Rotated restjavad logs fail logintegrity verification.

Links to More Info: BT975809

Component: TMOS

Symptoms:
After enabling the logintegrity feature, the rotated restjavad logs fail logintegrity verification.

Conditions:
Logintegrity support feature is enabled:

list sys db logintegrity.support
sys db logintegrity.support {
    value "enable"
}

Impact:
Rotated restjavad logs fail logintegrity verification.

Workaround:
None

Fix:
Restjavad logs are now verified successfully by the logintegrity utility.

Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2


975593-2 : TMM may crash while processing IPSec traffic

Links to More Info: K06323049, BT975593


975589-2 : CVE-2020-8277 Node.js vulnerability

Links to More Info: K07944249, BT975589


975233-3 : Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992

Links to More Info: K52510511, BT975233


974881-1 : Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic

Links to More Info: BT974881

Component: Service Provider

Symptoms:
Currently, for diameter, a SNAT iRule can be configured with MR_INGRESS and MR_FAILED events. Certain events can cause tmm to crash.

Conditions:
A SNAT iRule is configured with the events CLIENT_ACCEPTED, DIAMETER_INGRESS and DIAMETER_EGRESS for diameter.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash related to handling certain events in an iRule.

Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2


974341-3 : REST API: File upload

Links to More Info: K08402414, BT974341


974205-2 : Unconstrained wr_urldbd size causing box to OOM

Links to More Info: BT974205

Component: Traffic Classification Engine

Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.

Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.

Impact:
The device eventually runs out of memory (OOM condition).

Workaround:
Restart the wr_urldbd process:
 restart sys service wr_urldbd

Fix:
Constrained the cache with Least Recently Used-based caching to prevent this issue from occurring.

Added two sys DB variables:

-- wr_urldbd.cloud_cache.log.level

Value Range:
sys db wr_urldbd.cloud_cache.log.level {
    value "debug"
    default-value "none"
    value-range "debug none"
}

-- wr_urldbd.cloud_cache.limit

Value Range:
sys db wr_urldbd.cloud_cache.limit {
    value "5500000"
    default-value "5500000"
    value-range "integer min:5000000 max:10000000"
}

Note: Both of these variables are introduced for debugging purposes.

Fixed Versions:
17.1.0, 16.1.4, 15.1.4, 14.1.4.4, 12.1.6


973661 : Two different 'Attack Signature' updates shown as 'Currently Installed'

Links to More Info: BT973661

Component: Application Security Manager

Symptoms:
After upgrading the system to version 14.1.x, the system shows 2 different 'Attack Signature' update packages as 'Currently Installed'.

Conditions:
Upgrade from version 12.1.x to version 14.1.x.

Impact:
An additional BIG-IP system restart is required.

Workaround:
None

Fixed Versions:
14.1.4.6


973409-4 : CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference

Links to More Info: K42910051, BT973409


973333-3 : TMM buffer-overflow vulnerability CVE-2021-229