Applies To:
Show VersionsBIG-IP APM
- 14.1.5
BIG-IP Analytics
- 14.1.5
BIG-IP Link Controller
- 14.1.5
BIG-IP LTM
- 14.1.5
BIG-IP PEM
- 14.1.5
BIG-IP AFM
- 14.1.5
BIG-IP DNS
- 14.1.5
BIG-IP FPS
- 14.1.5
BIG-IP ASM
- 14.1.5
BIG-IP Release Information
Version: 14.1.5.6
Build: 6.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
The blue background highlights fixes |
Cumulative fixes from BIG-IP v14.1.5.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.5.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.5.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.5.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.5.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.6 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.8 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.7 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.6 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.2.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.1 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.6 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release
Known Issues in BIG-IP v14.1.x
Functional Change Fixes
None
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1283645-3 | 2-Critical | BT1283645 | Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued | 16.1.4, 15.1.9, 14.1.5.6 |
1324745-4 | 3-Major | An undisclosed TMUI endpoint may allow unexpected behavior | 14.1.5.6 |
Cumulative fixes from BIG-IP v14.1.5.5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1285173-5 | CVE-2023-38138 | K000133474 | Improper query string handling on undisclosed pages | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
1265425-4 | CVE-2023-38423 | K000134535 | Improper query string handling on undisclosed pages | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
1189457-5 | CVE-2023-22372 | K000132522, BT1189457 | Hardening of client connection handling from Edge client. | 16.1.4, 15.1.9 |
1185421-2 | CVE-2023-38419 | K000133472, BT1185421 | iControl SOAP uncaught exception when handling certain payloads | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
Functional Change Fixes
None
Cumulative fixes from BIG-IP v14.1.5.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1213305-1 | CVE-2023-27378 | K000132726, BT1213305 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1208989-6 | CVE-2023-27378 | K000132726, BT1208989 | Improper value handling in DOS Profile properties page | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1208001-5 | CVE-2023-22374 | K000130415, BT1208001 | iControl SOAP vulnerability CVE-2023-22374 | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1204961-2 | CVE-2023-27378 | K000132726 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1204793-2 | CVE-2023-27378 | K000132726 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1196033-4 | CVE-2023-27378 | K000132726, BT1196033 | Improper value handling in DataSafe UI | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1106989-1 | CVE-2023-29163 | K20145107, BT1106989 | Certain configuration settings may lead to memory accumulation | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1086293-6 | CVE-2023-22358 | K76964818, BT1086293 | Untrusted search path vulnerability in APM Windows Client installer processes | 17.1.0, 17.0.0.2, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1086289-6 | CVE-2023-22358 | K76964818, BT1086289 | BIG-IP Edge Client for Windows vulnerability CVE-2023-22358 | 17.1.0, 17.0.0.2, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1207661-6 | CVE-2023-28406 | K000132768, BT1207661 | Datasafe UI hardening | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1096373-4 | CVE-2023-28742 | K000132972, BT1096373 | Unexpected parameter handling in BIG3d | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
Functional Change Fixes
None
Cumulative fixes from BIG-IP v14.1.5.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
982785-4 | CVE-2022-25946 | K52322100 | Guided Configuration hardening | 17.0.0, 16.1.3.3, 15.1.8, 14.1.5.3 |
982777-11 | CVE-2022-27230 | K21317311, BT982777 | APM hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
982769-10 | CVE-2022-27806 | K68647001, BT982769 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
982753-4 | CVE-2022-27806 | K68647001, BT982753 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
982745-3 | CVE-2022-27806 | K68647001, BT982745 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
963625-5 | CVE-2022-27806 | K68647001, BT963625 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
959153-5 | CVE-2022-27806 | K68647001, BT959153 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
890917-4 | CVE-2023-22323 | K56412001, BT890917 | Performance may be reduced while processing SSL traffic | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1143073-2 | CVE-2022-41622 | K94221585, BT1143073 | iControl SOAP vulnerability CVE-2022-41622 | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1107481-1 | CVE-2023-23555 | K24572686, BT1107481 | TMM restarting repeatedly after upgrade 15.1.5.1 | 15.1.8, 14.1.5.3 |
1107437-2 | CVE-2023-22839 | K37708118, BT1107437 | TMM may crash when enable-rapid-response is enabled on a DNS profile | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1106161-4 | CVE-2022-41800 | K13325942, BT1106161 | Securing iControlRest API for appliance mode | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1105389-1 | CVE-2023-23552 | K17542533, BT1105389 | Incorrect HTTP request handling may lead to resource leak | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3 |
1085077-2 | CVE-2023-22340 | K34525368, BT1085077 | TMM may crash while processing SIP-ALG traffic | 17.0.0, 16.1.3.3, 15.1.8, 14.1.5.3 |
1083225-4 | CVE-2023-22842 | K08182564, BT1083225 | TMM may crash while processing SIP traffic | 17.0.0, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1047925-2 | CVE-2023-22341 | K20717585 | Tmm crash caused due to client request not handled properly on oauth | 14.1.5.3 |
1032553-2 | CVE-2023-22281 | K46048342, BT1032553 | Core when virtual server with destination NATing receives multicast | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3 |
960845-4 | CVE-2021-23046 | K70652532, BT960845 | Secure properties were logged in restnoded logs | 16.1.0, 15.1.8, 14.1.5.3 |
1073005-4 | CVE-2023-22326 | K83284425, BT1073005 | iControl REST use of the dig command does not follow security best practices | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1065917-4 | CVE-2023-22418 | K95503300, BT1065917 | BIG-IP APM Virtual Server does not follow security best practices | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.7, 14.1.5.3 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1113385-2 | 3-Major | BT1113385 | Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1103369-4 | 3-Major | BT1103369 | DELETE of REST Auth token does not result in deletion of the pamcache token file on a multi-slot VIPRION chassis, vCMP guest, or VELOS tenant | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1082581 | 2-Critical | BT1082581 | Apmd sees large memory growth due to CRLDP Cache handling | 17.1.0, 16.1.4, 15.1.9, 14.1.5.3 |
1174873-4 | 3-Major | BT1174873 | Query string separators ? or / in MutiDomain or SAML use cases are incorrectly converted to "%3F" or "%2F" | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
Cumulative fixes from BIG-IP v14.1.5.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1125385 | CVE-2022-41691 | K02694732, BT1125385 | BD crash with a specific request | 14.1.5.2 |
1106289-4 | CVE-2022-41624 | K43024307, BT1106289 | TMM may leak memory when processing sideband connections. | 17.1.0, 17.0.0.1, 16.1.3.2, 15.1.7, 14.1.5.2, 13.1.5.1 |
Functional Change Fixes
None
Cumulative fixes from BIG-IP v14.1.5.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1093621-3 | CVE-2022-41832 | K10347453 | Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1, 13.1.5.1 |
1076397-3 | CVE-2022-35735 | K13213418, BT1076397 | TMSH hardening | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1066673-3 | CVE-2022-35728 | K55580033, BT1066673 | BIG-IP Configuration Utility(TMUI) does not follow best practices for managing active sessions | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1024029-4 | CVE-2022-35245 | K58235223, BT1024029 | TMM may crash when processing traffic with per-session APM Access Policy | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
979877-6 | CVE-2020-1971 | K42910051, BT979877 | CVE-2020-1971 OpenSSL: EDIPARTYNAME NULL pointer de-reference vulnerability description and available information | 16.1.1, 15.1.4, 14.1.5.1 |
919357-6 | CVE-2022-41770 | K22505850, BT919357 | iControl REST hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
881809-4 | CVE-2022-41983 | K31523465, BT881809 | Client SSL and Server SSL profile hardening | 17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1 |
740321-3 | CVE-2022-34851 | K50310001, BT740321 | iControl SOAP API does not follow current best practices | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1084013-2 | CVE-2022-36795 | K52494562, BT1084013 | TMM does not follow TCP best practices | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1073549-3 | CVE-2022-35735 | K13213418, BT1073549 | TMSH hardening | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1006921-4 | CVE-2022-33962 | K80970653, BT1006921 | iRules Hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1063641-2 | CVE-2022-33968 | K23465404, BT1063641 | NTLM library hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1063637-2 | CVE-2022-33968 | K23465404, BT1063637 | NTLM library hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1036057-3 | 3-Major | BT1036057 | Add support for line folding in multipart parser. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1025261-1 | 3-Major | BT1025261 | Restjavad uses more resident memory in control plane after software upgrade | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
957637-3 | 2-Critical | BT957637 | The pfmand daemon can crash when it starts. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
940225-3 | 2-Critical | BT940225 | Not able to add more than 6 NICs on VE running in Azure | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
1108181-4 | 2-Critical | BT1108181 | iControl REST call with token fails with 401 Unauthorized | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
1079817-3 | 2-Critical | BT1079817 | Java null pointer exception when saving UCS with iAppsLX installed★ | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1 |
1076921-3 | 2-Critical | BT1076921 | Hostname in BootMarker logs and /var/log/ltm logs that are sourced from TMM are getting truncated | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
992121-2 | 3-Major | BT992121 | REST "/mgmt/tm/services" endpoint is not accessible | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
958833-3 | 3-Major | BT958833 | After mgmt ip change via GUI, brower is not redirected to new address | 16.1.0, 15.1.10, 14.1.5.1 |
886649-3 | 3-Major | BT886649 | Connections stall when dynamic BWC policy is changed via GUI and TMSH | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
865225-4 | 3-Major | BT865225 | 100G modules may not work properly in i15000 and i15800 platforms | 16.1.0, 15.1.0.2, 14.1.5.1, 13.1.3.4 |
862693-2 | 3-Major | BT862693 | PAM_RHOST not set when authenticating BIG-IP using iControl REST | 16.0.0, 15.1.6.1, 14.1.5.1 |
1102849-1 | 3-Major | BT1102849 | Less-privileged users (guest, operator, etc) are unable to run top level commands | 17.1.0, 16.1.4, 15.1.9, 14.1.5.1 |
1091345-4 | 3-Major | BT1091345 | The /root/.bash_history file is not carried forward by default during installations. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1075729 | 3-Major | BT1075729 | Virtual server may not properly exit from hardware SYN Cookie mode | 17.1.0, 15.1.5.1, 14.1.5.1 |
1024661-1 | 3-Major | BT1024661 | SCTP forwarding flows based on VTAG for bigproto | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1080317-1 | 4-Minor | BT1080317 | Hostname is getting truncated on some logs that are sourced from TMM | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
831161-3 | 2-Critical | BT831161 | An iRule before HTTP_REQUEST calling persist none can crash tmm | 15.1.0, 14.1.5.1 |
1074517-3 | 2-Critical | BT1074517 | Tmm may core while adding/modifying traffic-class attached to a virtual server | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1073609-2 | 2-Critical | BT1073609 | Tmm may core while using reject iRule command in LB_SELECTED event. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
780857-3 | 3-Major | BT780857 | HA failover network disruption when cluster management IP is not in the list of unicast addresses | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
748886-2 | 3-Major | BT748886 | Virtual server stops passing traffic after modification | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1099229-2 | 3-Major | BT1099229 | SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present | 17.1.0, 16.1.4, 15.1.9, 14.1.5.1 |
1091761-3 | 3-Major | BT1091761 | Mqtt_message memory leaks when iRules are used | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1082225-2 | 3-Major | BT1082225 | Tmm may core while Adding/modifying traffic-class attached to a virtual server. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1074505-3 | 3-Major | BT1074505 | Traffic classes are not attached to virtual server at TMM start | 17.0.0, 16.1.4, 15.1.6.1, 14.1.5.1 |
1068445-3 | 3-Major | BT1068445 | TCP duplicate acks are observed in speed tests for larger requests | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1053149-3 | 3-Major | BT1053149 | A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1043805-1 | 3-Major | BT1043805 | ICMP traffic over NAT does not work properly. | 17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1 |
1036169-2 | 3-Major | BT1036169 | VCMPD rsync server max connection limit: guest "Exit flags for PID 17299: 0x500". | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1017721-2 | 3-Major | BT1017721 | WebSocket does not close cleanly when SSL enabled. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5.1 |
1006157-5 | 3-Major | BT1006157 | FQDN nodes not repopulated immediately after 'load sys config' | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
987885-3 | 4-Minor | BT987885 | Half-open unclean SSL termination might not close the connection properly | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
787905-4 | 4-Minor | BT787905 | Improve initializing TCP analytics for FastL4 | 15.1.0, 15.0.1.1, 14.1.5.1 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
993921-1 | 2-Critical | BT993921 | TMM SIGSEGV | 16.1.0, 15.1.6.1, 14.1.5.1 |
1077701-3 | 2-Critical | BT1077701 | GTM "require M from N" monitor rules do not report when the number of "up" responses change | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1091249-4 | 3-Major | BT1091249 | BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1071301-3 | 3-Major | BT1071301 | GTM server does not get updated even when the virtual server status changes. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1071233-3 | 3-Major | BT1071233 | GTM Pool Members may not be updated accurately when multiple identical database monitors are configured | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1084673-4 | 4-Minor | BT1084673 | GTM Monitor "require M from N" status change log message does not print pool name | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1096477 | 2-Critical | BT1096477 | Parameter set as non-Base64 encoded value is treated as a Base64 encoded value | 14.1.5.1 |
886533-1 | 3-Major | BT886533 | Icap server connection adjustments | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1083913-3 | 3-Major | BT1083913 | Missing error check in ICAP handling | 17.1.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1030133-4 | 3-Major | BT1030133 | BD core on XML out of memory | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
948241-1 | 4-Minor | BT948241 | Count Stateful anomalies based only on Device ID | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
797821-1 | 4-Minor | BT797821 | Logging profiles on /Common cannot be configured with publishers on other folders | 15.1.0, 14.1.5.1 |
747905-4 | 4-Minor | BT747905 | 'Illegal Query String Length' violation displays wrong length | 15.0.0, 14.1.5.1, 14.0.1.1, 13.1.1.4 |
744226-1 | 4-Minor | BT744226 | DoSL7-related logs are not throttled | 15.0.0, 14.1.5.1 |
1073625-4 | 4-Minor | BT1073625 | Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1040513-2 | 4-Minor | BT1040513 | The counter for "FTP commands" is always 0. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1014573-3 | 4-Minor | BT1014573 | Several large arrays/objects in JSON payload may core the enforcer | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1043217-3 | 3-Major | BT1043217 | NTLM frontend auth fails with the latest Microsoft RDP client on MacOS 14.0.1 platform | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1010597-3 | 3-Major | BT1010597 | Traffic disruption when virtual server is assigned to a non-default route domain★ | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1074465 | 3-Major | BT1074465 | TMM SIGSEGV crash | 14.1.5.1 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1090649-2 | 3-Major | BT1090649 | PEM errors when configuring IPv6 flow filter via GUI | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1094177-2 | 1-Blocking | BT1094177 | Analytics iApp installation fails | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1 |
Cumulative fixes from BIG-IP v14.1.5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
996233-3 | CVE-2022-33947 | K38893457, BT996233 | Tomcat may crash while processing TMUI requests | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
972489-3 | CVE-2022-35243 | K11010341, BT972489 | BIG-IP Appliance Mode iControl hardening | 17.0.0, 16.1.3, 15.1.5.1, 14.1.5 |
937777-3 | CVE-2022-34655 | K93504311, BT937777 | HTTP::payload may cause the TMM to crash | 16.1.0, 16.0.1.1, 15.1.6.1, 14.1.5 |
1079505-1 | CVE-2022-33203 | K52534925, BT1079505 | TMM may consume excessive resources while processing SSL Orchestrator traffic | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
1073841-3 | CVE-2022-34862 | K66510514, BT1073841 | URI normalization does not function as expected | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1073357-4 | CVE-2022-34862 | K66510514, BT1073357 | TMM may crash while processing HTTP traffic | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1071593-2 | CVE-2022-32455 | K16852653, BT1071593 | TMM may crash while processing TLS traffic | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1069629-2 | CVE-2022-32455 | K16852653, BT1069629 | TMM may crash while processing TLS traffic | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1055737-3 | CVE-2022-35236 | K79933541, BT1055737 | TMM may consume excessive resources while processing HTTP/2 traffic | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1032513-1 | CVE-2022-35240 | K28405643, BT1032513 | TMM may consume excessive resources while processing MRF traffic | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
981273-3 | CVE-2021-23054 | K41997459, BT981273 | APM webtop hardening | 16.1.0, 15.1.4, 14.1.5, 13.1.5 |
968725-4 | CVE-2017-10661 | K04337834, BT968725 | Linux Kernel Vulnerability CVE-2017-10661 | 16.1.0, 15.1.5.1, 14.1.5 |
947057-3 | CVE-2022-34865 | K25046752, BT947057 | Traffic intelligence feeds to do not follow best practices | 16.1.0, 15.1.6.1, 14.1.5, 12.1.6 |
1081201-3 | CVE-2022-41694 | K64829234, BT1081201 | MCPD certification import hardening | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
1081153-6 | CVE-2022-41813 | K93723284, BT1081153 | TMM may crash while processing administrative requests | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1063389-4 | CVE-2015-5191 | K84583382, BT1063389 | open-vm-tools vulnerability: CVE-2015-5191 | 17.0.0, 16.1.2.1, 14.1.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1078821-3 | 2-Critical | BT1078821 | Upgrade tomcat with OpenJDK 1.7 32bit to OpenJDK 1.8 32bit | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
971217-3 | 3-Major | BT971217 | AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations. | 16.1.0, 15.1.6.1, 14.1.5 |
874941-3 | 3-Major | BT874941 | HTTP authentication in the access policy times out after 60 seconds | 16.1.2.2, 15.1.6.1, 14.1.5 |
669046-4 | 3-Major | BT669046 | Handling large replies to MCP audit_request messages | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1050969-4 | 1-Blocking | BT1050969 | After running clear-rest-storage you are logged out of the UI with a message - Your login credentials no longer valid | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
992097-1 | 2-Critical | BT992097 | Incorrect hostname is seen in logging files | 16.1.0, 15.1.6.1, 14.1.5 |
987113-2 | 2-Critical | BT987113 | CMP state degraded while under heavy traffic | 17.1.0, 15.1.4, 14.1.5 |
943109-3 | 2-Critical | BT943109 | Mcpd crash when bulk deleting Bot Defense profiles | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
1075905 | 2-Critical | BT1075905 | TCP connections may fail when hardware SYN Cookie is active | 17.1.0, 15.1.5.1, 14.1.5 |
977657-1 | 3-Major | BT977657 | SELinux errors when deploying a vCMP guest. | 16.1.0, 15.1.6.1, 14.1.5 |
943653-3 | 3-Major | BT943653 | Allow 32-bit processes to use larger area of virtual address space | 16.1.0, 15.1.6.1, 14.1.5 |
907549-3 | 3-Major | BT907549 | Memory leak in BWC::Measure | 17.0.0, 16.1.2.2, 15.1.0.5, 14.1.5 |
894133-3 | 3-Major | BT894133 | After ISO upgrade the SSL Orchestrator guided configuration user interface is not available.★ | 16.0.0, 15.1.5.1, 14.1.5 |
752994-1 | 3-Major | BT752994 | Many nested client SSL profiles can take a lot of time to process and cause MCP to be killed by sod | 15.0.0, 14.1.5 |
742753-4 | 3-Major | BT742753 | Accessing the BIG-IP system's WebUI via special proxy solutions may fail | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
738881-3 | 3-Major | BT738881 | Qkview does not collect any data under certain conditions that cause a timeout | 15.0.0, 14.1.5, 13.1.3.4 |
724653-2 | 3-Major | BT724653 | In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync. | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
1064461-2 | 3-Major | BT1064461 | PIM-SM will not complete RP registration over tunnel interface when floating IP address is used. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1063473-3 | 3-Major | BT1063473 | While establishing a high availability (HA) connection, the number of npus in DAG context may be overwritten incorrectly | 17.1.0, 15.1.5.1, 14.1.5 |
1060009-2 | 3-Major | BT1060009 | Platform Agent may run out of file descriptors | 17.1.0, 15.1.6.1, 14.1.5 |
1072237-3 | 4-Minor | BT1072237 | Retrieval of policy action stats causes memory leak | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1062333-3 | 4-Minor | Linux kernel vulnerability: CVE-2019-19523 | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 | |
1034329-3 | 4-Minor | BT1034329 | SHA-512 checksums for BIG-IP Virtual Edition (VE) images available on downloads.f5.com | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
841469-4 | 2-Critical | BT841469 | Application traffic may fail after an internal interface failure on a VIPRION system. | 16.0.0, 15.1.2.1, 14.1.5, 13.1.3.4 |
1071449-2 | 2-Critical | BT1071449 | The statsd memory leak on platforms with license disabled processors. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1047581-1 | 2-Critical | BT1047581 | Ramcache can crash when serving files from the hot cache | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
993517-4 | 3-Major | BT993517 | Loading an upgraded config can result in a file object error in some cases | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
976525-2 | 3-Major | BT976525 | Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled | 17.0.0, 16.1.4, 15.1.6.1, 14.1.5 |
972517-3 | 3-Major | Appliance mode hardening | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 | |
953601-2 | 3-Major | BT953601 | HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
936441-3 | 3-Major | BT936441 | Nitrox5 SDK driver logging messages | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
934697-2 | 3-Major | BT934697 | Route domain is not reachable (strict mode) | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
927713-5 | 3-Major | BT927713 | Clsh reboot hangs when executed from the primary blade. | 16.1.0, 15.1.5.1, 14.1.5 |
883049-4 | 3-Major | BT883049 | Statsd can deadlock with rrdshim if an rrd file is invalid | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
813673-2 | 3-Major | BT813673 | The HTTP Explicit proxy does not work correctly with IPv6 clients connecting to IPv4 destinations over CONNECT to IPv4 targets. | 15.1.0, 14.1.5, 13.1.3.2 |
794385-2 | 3-Major | BT794385 | BGP sessions may be reset after CMP state change | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1083989-3 | 3-Major | BT1083989 | TMM may restart if abort arrives during MBLB iRule execution | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1072953-1 | 3-Major | BT1072953 | Memory leak in traffic management interface. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1063453-3 | 3-Major | BT1063453 | FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1042913-1 | 3-Major | BT1042913 | Pkcs11d CPU utilization jumps to 100% | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1024225-2 | 3-Major | BT1024225 | BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1004689-2 | 3-Major | BT1004689 | TMM might crash when pool routes with recursive nexthops and reselect option are used. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1080341-2 | 4-Minor | BT1080341 | Changing an L2-forward virtual to any other virtual type might not update the configuration. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1064669-3 | 4-Minor | BT1064669 | Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1026005-3 | 4-Minor | BT1026005 | BIG-IP Virtual Edition (VE) does NOT preserve the order of NICs 5-10 defined in the VMware ESXi hypervisor and NSXT platforms. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
968581-3 | 5-Cosmetic | BT968581 | TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1027657-2 | 2-Critical | BT1027657 | Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1076401-2 | 3-Major | BT1076401 | Memory leak in TMM (ldns) when exceeding dnssec.maxnsec3persec. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1046785-4 | 3-Major | BT1046785 | Missing GTM probes when max synchronous probes are exceeded. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5, 13.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1069501-3 | 2-Critical | K22251611, BT1069501 | ASM may not match certain signatures | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1068237-3 | 2-Critical | BT1068237 | Some attack signatures added to policies are not used. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1000789-3 | 2-Critical | BT1000789 | ASM-related iRule keywords may not work as expected | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
923221-1 | 3-Major | BT923221 | BD does not use all the CPU cores | 16.1.2.2, 15.1.6.1, 14.1.5 |
874185-3 | 3-Major | BT874185 | Incorrect Alarm/Block flags displayed for Signature with previously enforced rule | 14.1.5 |
1070073-1 | 3-Major | BT1070073 | ASM Signature Set accuracy filter is wrong on GUI. | 15.1.6.1, 14.1.5 |
1069133-2 | 3-Major | BT1069133 | ASMConfig memory leak | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1061617-2 | 3-Major | BT1061617 | Some of the URL Attack signatures are not detected in the URL if "Handle Path Parameters" is configured "As Parameters". | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1056365-4 | 3-Major | BT1056365 | Bot Defense injection does not follow best SOP practice. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1033017-5 | 3-Major | BT1033017 | Policy changes learning mode to automatic after upload and sync | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1028473-3 | 3-Major | BT1028473 | URL sent with trailing slash might not be matched in ASM policy | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
842029-1 | 4-Minor | BT842029 | Unable to create policy: Inherited values may not be changed. | 16.0.0, 15.1.5.1, 14.1.5 |
1035361-5 | 4-Minor | BT1035361 | Illegal cross-origin after successful CAPTCHA | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
987341-3 | 2-Critical | BT987341 | BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
858005-3 | 3-Major | BT858005 | When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:" | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
470916-4 | 3-Major | BT470916 | Launching resources that are published on an apm webtop from multiple VMWare servers will fail when the Native View client is selected. | 16.0.0, 15.1.6.1, 14.1.5 |
1097821-4 | 3-Major | BT1097821 | Unable to create apm policy customization image using tmsh or VPE in the configuration utility command when source-path is specified | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5 |
1053309-3 | 3-Major | BT1053309 | Localdbmgr leaks memory while syncing data to sessiondb and mysql. | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1082885-3 | 3-Major | BT1082885 | MR::message route virtual asserts when configuration changes during ongoing traffic | 17.0.0, 16.1.2.2, 15.1.6, 14.1.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
998781 | 3-Major | BT998781 | When large no of feed list URLs are configured, BIG-IP takes long time to sync IP list | 14.1.5 |
964625-2 | 3-Major | BT964625 | Improper processing of firewall-rule metadata | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1076477 | 3-Major | BT1076477 | AFM allows deletion of a firewall policy even if it's being used in a route domain. | 17.0.0, 14.1.5 |
1012581-4 | 3-Major | BT1012581 | Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1064217-3 | 3-Major | BT1064217 | Port bit not set correctly in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1071181 | 3-Major | BT1071181 | Improving Signature Detection Accuracy | 16.1.2.2, 15.1.6.1, 14.1.5 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1072733-2 | 2-Critical | Protocol Inspection IM package hardening | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 | |
1070677-2 | 3-Major | BT1070677 | Learning phase does not take traffic into account - dropping all. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
854129-4 | 3-Major | BT854129 | SSL monitor continues to send previously configured server SSL configuration after removal | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
Cumulative fixes from BIG-IP v14.1.4.6 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
965853-1 | CVE-2022-28695 | K08510472, BT965853 | IM package file hardening★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
964489-3 | CVE-2022-28695 | K08510472, BT964489 | Protocol Inspection IM package hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1051561-3 | CVE-2022-1388 | K23605346, BT1051561 | BIG-IP iControl REST vulnerability CVE-2022-1388 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
993981-4 | CVE-2022-28705 | K52340447, BT993981 | TMM may crash when ePVA is enabled | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
982697-4 | CVE-2022-26071 | K41440465, BT982697 | ICMP hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
951257-1 | CVE-2022-26130 | K82034427, BT951257 | FTP active data channels are not established | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
946325-3 | CVE-2022-28716 | K25451853, BT946325 | PEM subscriber GUI hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
830361-4 | CVE-2012-6711 | K05122252, BT830361 | CVE-2012-6711 Bash Vulnerability | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
818169-3 | CVE-2022-26372 | K23454411, BT818169 | TMM may consume excessive resources when processing DNS profiles with DNS queing enabled | 16.0.0, 15.1.0.2, 14.1.4.6, 13.1.5 |
1087201-4 | CVE-2022-0778 | K31323265, BT1087201 | OpenSSL Vulnerability: CVE-2022-0778 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1078721-4 | CVE-2022-27189 | K16187341, BT1078721 | TMM may consume excessive resources while processing ICAP traffic | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1067993-6 | CVE-2022-28714 | K54460845, BT1067993 | APM Windows Client installer hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1059185-3 | CVE-2022-26415 | K81952114, BT1059185 | iControl REST Hardening | 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1057801-4 | CVE-2022-28707 | K70300233, BT1057801 | TMUI does not follow current best practices | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1056933-2 | CVE-2022-26370 | K51539421, BT1056933 | TMM may crash while processing SIP traffic | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
1051797-3 | CVE-2018-18281 | K36462841, BT1051797 | Linux kernel vulnerability: CVE-2018-18281 | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1047053-1 | CVE-2022-28691 | K37155600, BT1047053 | TMM may consume excessive resources while processing RTSP traffic | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5 |
1045101-2 | CVE-2022-26890 | K03442392, BT1045101 | Bd may crash while processing ASM traffic | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6, 13.1.5 |
1019161-5 | CVE-2022-29263 | K33552735, BT1019161 | Windows installer(VPN through browser components installer) as administrator user uses temporary folder to create files★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1002565-4 | CVE-2021-23840 | K24624116, BT1002565 | OpenSSL vulnerability CVE-2021-23840 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
992073-1 | CVE-2022-27181 | K93543114, BT992073 | APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
982757-6 | CVE-2022-26835 | K53197140 | APM Access Guided Configuration hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
982341-4 | CVE-2022-26835 | K53197140, BT982341 | iControl REST endpoint hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
931677-4 | CVE-2022-29479 | K64124988, BT931677 | IPv6 hardening | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
919249-3 | CVE-2022-28859 | K47662005, BT919249 | NETHSM installation script hardening | 16.1.0, 15.1.5.1, 14.1.4.6 |
915981-2 | CVE-2022-26340 | K38271531, BT915981 | BIG-IP SCP hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1071365-3 | CVE-2022-29474 | K59904248, BT1071365 | iControl SOAP WSDL hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1057809-4 | CVE-2022-27659 | K41877405, BT1057809 | Saved dashboard hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1047089-4 | CVE-2022-29491 | K14229426, BT1047089 | TMM may terminate while processing TLS/DTLS traffic | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
1016657-4 | CVE-2022-26517 | K54082580, BT1016657 | TMM may crash while processing LSN traffic | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
1009049-6 | CVE-2022-27636 | K57110035, BT1009049 | browser based vpn did not follow best practices while logging.★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1000021-4 | CVE-2022-27182 | K31856317, BT1000021 | TMM may consume excessive resources while processing packet filters | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1050537-3 | 2-Critical | BT1050537 | GTM pool member with none monitor will be part of load balancing decisions. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1046669-3 | 3-Major | BT1046669 | The audit forwarders may prematurely time out waiting for TACACS responses | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1033837-3 | 4-Minor | K23605346, BT1033837 | REST authentication tokens persist on reboot★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
976669-3 | 2-Critical | BT976669 | FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade | 17.0.0, 16.1.2.2, 16.1.0, 15.1.5.1, 14.1.4.6 |
957897-2 | 2-Critical | BT957897 | Unable to modify gateway-ICMP monitor fields in the GUI | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
944513-1 | 2-Critical | BT944513 | Apache configuration file hardening | 16.1.0, 15.1.4, 14.1.4.6 |
1048141-1 | 2-Critical | BT1048141 | Sorting pool members by 'Member' causes 'General database error' | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
999125-3 | 3-Major | BT999125 | After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
956589-2 | 3-Major | BT956589 | The tmrouted daemon restarts and produces a core file | 16.1.0, 15.1.2.1, 14.1.4.6, 13.1.5 |
943577-3 | 3-Major | BT943577 | Full sync failure for traffic-matching-criteria with port list under certain conditions | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
919317-3 | 3-Major | BT919317 | NSM consumes 100% CPU processing nexthops for recursive ECMP routes | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
918409-4 | 3-Major | BT918409 | BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
901669-2 | 3-Major | BT901669 | Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
755976-3 | 3-Major | BT755976 | ZebOS might miss kernel routes after mcpd deamon restart | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
405329-2 | 3-Major | The imish utility cores while checking help strings for OSPF6 vertex-threshold | 16.0.0, 15.1.0.5, 14.1.4.6 | |
1066285-1 | 3-Major | BT1066285 | Master Key decrypt failure - decrypt failure. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1056993-4 | 3-Major | BT1056993 | 404 error is raised on GUI when clicking "App IQ." | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1047169-3 | 3-Major | BT1047169 | GTM AAAA pool can be deleted from the configuration despite being in use by an iRule. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1022637-3 | 3-Major | BT1022637 | A partition other than /Common may fail to save the configuration to disk | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5 |
1020789-2 | 3-Major | BT1020789 | Cannot deploy a four-core vCMP guest if the remaining cores are in use. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5 |
1019085-2 | 3-Major | BT1019085 | Network virtual-addresses fail to retain the "icmp-echo enabled" property following an upgrade or reload of the configuration from file.★ | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
1008269-4 | 3-Major | BT1008269 | Error: out of stack space | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
713614-4 | 4-Minor | BT713614 | Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only) | 16.0.0, 15.1.0.5, 14.1.4.6, 13.1.5 |
528894-7 | 4-Minor | BT528894 | Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5 |
1058677-3 | 4-Minor | BT1058677 | Not all SCTP connections are mirrored on the standby device when auto-init is enabled. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1046693-2 | 4-Minor | BT1046693 | TMM with BFD confgured might crash under significant memory pressure | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1045549-2 | 4-Minor | BT1045549 | BFD sessions remain DOWN after graceful TMM restart | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1040821-2 | 4-Minor | BT1040821 | Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1034589-3 | 4-Minor | BT1034589 | No warning is given when a pool or trunk that was in use by an high availability (HA) Group is deleted from the configuration. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1031425-1 | 4-Minor | BT1031425 | Provide a configuration flag to disable BGP peer-id check. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1030645-2 | 4-Minor | BT1030645 | BGP session resets during traffic-group failover | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1024621-2 | 4-Minor | BT1024621 | Re-establishing BFD session might take longer than expected. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1002809-2 | 4-Minor | BT1002809 | OSPF vertex-threshold should be at least 100 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
946481-3 | 2-Critical | BT946481 | Virtual Edition FIPS not compatible with TLS 1.3 | 16.1.0, 15.1.5.1, 14.1.4.6 |
910213-4 | 2-Critical | BT910213 | LB::down iRule command is ineffective, and can lead to inconsistent pool member status | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
757407-1 | 2-Critical | BT757407 | Error reading RRD file may induce processes to mutually wait for each other forever | 15.0.0, 14.1.4.6, 13.1.5 |
1064617-3 | 2-Critical | BT1064617 | DBDaemon process may write to monitor log file indefinitely | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
999901-4 | 3-Major | K68816502, BT999901 | Certain LTM policies may not execute correctly after a system reboot or TMM restart. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
987077-4 | 3-Major | BT987077 | TLS1.3 with client authentication handshake failure | 17.0.0, 16.1.3, 15.1.5.1, 14.1.4.6 |
967101-3 | 3-Major | BT967101 | When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
955617-6 | 3-Major | BT955617 | Cannot modify properties of a monitor that is already in use by a pool | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
939085-1 | 3-Major | BT939085 | /config/ssl/ssl.csr directory disappears after creating certificate archive | 16.1.0, 15.1.5.1, 14.1.4.6 |
912517-4 | 3-Major | BT912517 | Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
892485-1 | 3-Major | BT892485 | A wrong OCSP status cache may be looked up and re-used during SSL handshake. | 16.1.0, 15.1.5.1, 14.1.4.6 |
892073-1 | 3-Major | BT892073 | TLS1.3 LTM policy rule based on SSL SNI is not triggered | 16.0.0, 15.1.5.1, 14.1.4.6 |
838353-3 | 3-Major | BT838353 | MQTT monitor is not working in route domain. | 16.0.0, 15.1.5.1, 14.1.4.6 |
826349-2 | 3-Major | BT826349 | VXLAN tunnel might fail due to misbehaving NIC checksum offload | 15.1.0, 14.1.4.6 |
825245-2 | 3-Major | BT825245 | SSL::enable does not work for server side ssl | 16.0.0, 15.1.5.1, 14.1.4.6 |
803109-2 | 3-Major | BT803109 | Certain configuration may result in zombie forwarding flows | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
793929-1 | 3-Major | BT793929 | In-TMM monitor agent might crash during TMM shutdown | 15.1.0, 14.1.4.6 |
793669-1 | 3-Major | BT793669 | FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value. | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
672963-3 | 3-Major | BT672963 | MSSQL monitor fails against databases using non-native charset | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1058469-3 | 3-Major | BT1058469 | Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1052929-2 | 3-Major | BT1052929 | MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1043357-2 | 3-Major | BT1043357 | SSL handshake may fail when using remote crypto client | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1043017-2 | 3-Major | BT1043017 | Virtual-wire with standard-virtual fragmentation | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6 |
1029897-3 | 3-Major | K63312282, BT1029897 | Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1023341-3 | 3-Major | HSM hardening | 17.0.0, 16.1.1, 15.1.5.1, 14.1.4.6, 13.1.5 | |
1017533-1 | 3-Major | BT1017533 | Using TMC might cause virtual server vlans-enabled configuration to be ignored | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6 |
1016449-1 | 3-Major | BT1016449 | After certain configuration tasks are performed, TMM may run with stale Self IP parameters. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1016049-3 | 3-Major | BT1016049 | EDNS query with CSUBNET dropped by protocol inspection | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1008501-4 | 3-Major | BT1008501 | TMM core | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
838305-4 | 4-Minor | BT838305 | BIG-IP may create multiple connections for packets that should belong to a single flow. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
717806-3 | 4-Minor | BT717806 | In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1026605-3 | 4-Minor | BT1026605 | When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1016441-2 | 4-Minor | RFC Enforcement Hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 | |
873249-3 | 5-Cosmetic | BT873249 | Switching from fast_merge to slow_merge can result in incorrect tmm stats | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
741862-1 | 2-Critical | BT741862 | DNS GUI may generate error or display names with special characters incorrectly. | 15.0.0, 14.1.4.6, 13.1.5 |
1062513-2 | 2-Critical | BT1062513 | GUI returns 'no access' error message when modifying a GTM pool property. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1044425-4 | 3-Major | K85021277, BT1044425 | NSEC3 record improvements for NXDOMAIN | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1039205-1 | 3-Major | BT1039205 | DNSSEC key stored on netHSM fails to generate if the key name length is > 24 | 15.1.5.1, 14.1.4.6 |
1018613-4 | 3-Major | BT1018613 | Modify wideip pools with replace-all-with results pools with same order 0 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
753821-3 | 4-Minor | BT753821 | Log messages 'TCP RST from remote system' messages logged if GTM/DNS is licensed but not provisioned | 15.0.0, 14.1.4.6, 13.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1079909-3 | 2-Critical | K82724554, BT1079909 | The bd generates a core file | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5 |
1069449-3 | 2-Critical | K39002226, BT1069449 | ASM attack signatures may not match cookies as expected | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
965785-3 | 3-Major | BT965785 | Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
961509-4 | 3-Major | BT961509 | ASM blocks WebSocket frames with signature matched but Transparent policy | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
926845-4 | 3-Major | BT926845 | Inactive ASM policies are deleted upon upgrade | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
921697-4 | 3-Major | BT921697 | Attack signature updates fail to install with Installation Error.★ | 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.6 |
871881-1 | 3-Major | BT871881 | Apply Policy action is not synchronized after making bulk signature changes | 14.1.4.6, 13.1.5 |
818889-3 | 3-Major | BT818889 | False positive malformed json or xml violation. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1072197-3 | 3-Major | K94142349, BT1072197 | Issue with input normalization in WebSocket. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1067285-3 | 3-Major | BT1067285 | Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.' | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1060933-3 | 3-Major | K49237345 | Issue with input normalization. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1051213-3 | 3-Major | BT1051213 | Increase default value for violation 'Check maximum number of headers'. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1051209-3 | 3-Major | K53593534, BT1051209 | BD may not process certain HTTP payloads as expected | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1047389-1 | 3-Major | BT1047389 | Bot Defense challenge hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1043385-2 | 3-Major | BT1043385 | No Signature detected If Authorization header is missing padding. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1038733-2 | 3-Major | BT1038733 | Attack signature not detected for unsupported authorization types. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1037457-3 | 3-Major | BT1037457 | High CPU during specific dos mitigation | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1030853-3 | 3-Major | BT1030853 | Route domain IP exception is being treated as trusted (for learning) after being deleted | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1023993-2 | 3-Major | BT1023993 | Brute Force is not blocking requests, even when auth failure happens multiple times | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1012221-3 | 3-Major | BT1012221 | Message: childInheritanceStatus is not compatible with parentInheritanceStatus★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1011069-4 | 3-Major | BT1011069 | Group/User R/W permissions should be changed for .pid and .cfg files. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
973661 | 4-Minor | BT973661 | Two different 'Attack Signature' updates shown as 'Currently Installed'★ | 14.1.4.6 |
844045-2 | 4-Minor | BT844045 | ASM Response event logging for "Illegal response" violations. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1055453 | 4-Minor | BT1055453 | Blocking page trims the last digit of the Support ID. | 14.1.4.6, 13.1.5 |
1050697-2 | 4-Minor | BT1050697 | Traffic learning page counts Disabled signatures when they are ready to be enforced | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1038741-2 | 4-Minor | BT1038741 | NTLM type-1 message triggers "Unparsable request content" violation. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1036521-4 | 4-Minor | BT1036521 | TMM crash in certain cases | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1034941-3 | 4-Minor | BT1034941 | Exporting and then re-importing "some" XML policy does not load the XML content-profile properly | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1020717-2 | 4-Minor | BT1020717 | Policy versions cleanup process sometimes removes newer versions | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1002385-4 | 4-Minor | K67397230, BT1002385 | Fixing issue with input normalization | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1038913-2 | 3-Major | BT1038913 | The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category | 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
868557-3 | 3-Major | BT868557 | Unable to initiate SWG database download from Admin UI when management network has no direct internet connectivity. | 14.1.4.6 |
423519-2 | 3-Major | K74302282, BT423519 | Bypass disabling the redirection controls configuration of APM RDP Resource. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1029397-2 | 2-Critical | BT1029397 | Tmm may crash with SIP-ALG deployment in a particular race condition | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
1007109-4 | 2-Critical | BT1007109 | Flowmap entry is deleted before updating its timeout to INDEFINITE | 16.1.0, 15.1.5.1, 14.1.4.6 |
957905-3 | 3-Major | BT957905 | SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1058645-3 | 2-Critical | BT1058645 | ipsecalg blocks Sophos ISAKMP negotiation during tunnel setup. | 17.0.0, 15.1.5.1, 14.1.4.6 |
808893-2 | 3-Major | BT808893 | DNS DoS profile vectors do not function correctly★ | 17.0.0, 15.1.0, 14.1.4.6 |
808889-2 | 3-Major | BT808889 | DoS vector or signature stays hardware-accelerated even when traffic rate is lower than mitigation threshold | 15.1.0, 14.1.4.6 |
1070033 | 3-Major | BT1070033 | Virtual server may not fully enter hardware SYN Cookie mode. | 17.0.0, 16.1.4, 14.1.4.6 |
1008265-4 | 3-Major | K92306170, BT1008265 | DoS Flood and Sweep vector states are disabled on an upgrade to BIG-IP software versions 14.x and beyond★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
756457-2 | 4-Minor | BT756457 | tmsh command 'show security' returning a parsing error | 15.0.0, 14.1.4.6 |
1072057-3 | 4-Minor | BT1072057 | "ANY" appears despite setting an IP address or host as the source in Security->Network Firewall->Policy. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1069745 | 4-Minor | BT1069745 | GUI issues in Security->NetworkFirewall->Active Rules, rule movement to 101, 201 position. | 14.1.4.6 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
756595-1 | 1-Blocking | BT756595 | Traffic redirection to an internal virtual server may fail. | 15.0.0, 14.1.4.6, 13.1.5 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1019613-2 | 2-Critical | BT1019613 | Unknown subscriber in PBA deployment may cause CPU spike | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
873617-3 | 3-Major | BT873617 | DataSafe is not available with AWAF license after BIG-IP startup or MCP restart. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1060409-4 | 4-Minor | BT1060409 | Behavioral DoS enable checkbox is wrong. | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1052153-1 | 3-Major | BT1052153 | Signature downloads for traffic classification updates via proxy fail | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
940261-2 | 4-Minor | BT940261 | Support IPS package downloads via HTTP proxy. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
944121-3 | 3-Major | BT944121 | Missing SNI information when using non-default domain https monitor running in TMM mode. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Cumulative fixes from BIG-IP v14.1.4.5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
999933-4 | CVE-2022-23017 | K28042514, BT999933 | TMM may crash while processing DNS traffic on certain platforms | 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
989701-4 | CVE-2020-25212 | K42355373, BT989701 | CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
989637-4 | CVE-2022-23015 | K08476614, BT989637 | TMM may crash while processing SSL traffic | 16.1.0, 15.1.4.1, 14.1.4.5 |
988549-4 | CVE-2020-29573 | K27238230, BT988549 | CVE-2020-29573: glibc vulnerability | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
910517 | CVE-2022-23012 | K26310765, BT910517 | TMM may crash while processing HTTP traffic | 15.1.4.1, 14.1.4.5 |
1032405-4 | CVE-2021-23037 | K21435974, BT1032405 | TMUI XSS vulnerability CVE-2021-23037 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1028669-4 | CVE-2019-9948 | K28622040, BT1028669 | Python vulnerability: CVE-2019-9948 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1028573-4 | CVE-2020-10878 | K40508224, BT1028573 | Perl vulnerability: CVE-2020-10878 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1028497-4 | CVE-2019-15903 | K05295469, BT1028497 | libexpat vulnerability: CVE-2019-15903 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1012365-3 | CVE-2021-20305 | K33101555, BT1012365 | Nettle cryptography library vulnerability CVE-2021-20305 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1007489-4 | CVE-2022-23018 | K24358905, BT1007489 | TMM may crash while handling specific HTTP requests★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
997193-2 | CVE-2022-23028 | K16101409, BT997193 | TCP connections may fail when AFM global syncookies are in operation. | 16.1.0, 15.1.5, 14.1.4.5, 13.1.5 |
975593-2 | CVE-2022-29473 | K06323049, BT975593 | TMM may crash while processing IPSec traffic | 16.1.0, 15.1.5.1, 14.1.4.5, 13.1.5 |
974341-3 | CVE-2022-23026 | K08402414, BT974341 | REST API: File upload | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
941649-4 | CVE-2021-23043 | K63163637, BT941649 | Local File Inclusion Vulnerability | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
940185-3 | CVE-2022-23023 | K11742742, BT940185 | icrd_child may consume excessive resources while processing REST requests | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
823877-2 | CVE-2019-10098 CVE-2020-1927 |
K25126370, BT823877 | CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
803965-2 | CVE-2018-20843 | K51011533, BT803965 | Expat Vulnerability: CVE-2018-20843 | 17.0.0, 16.1.2, 15.1.4, 14.1.4.5, 13.1.5 |
1009725-4 | CVE-2022-23030 | K53442005, BT1009725 | Excessive resource usage when ixlv drivers are enabled | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
713754-1 | CVE-2017-15715 | K27757011 | Apache vulnerability: CVE-2017-15715 | 16.1.2.2, 15.1.5.1, 14.1.4.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
930633-1 | 3-Major | BT930633 | Delay in using new route updates by existing connections on BIG-IP. | 16.1.0, 15.1.5.1, 14.1.4.5 |
1015133-2 | 3-Major | BT1015133 | Tail loss can cause TCP TLP to retransmit slowly. | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
985953-2 | 4-Minor | BT985953 | GRE Transparent Ethernet Bridging inner MAC overwrite | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1042993-1 | 1-Blocking | K19272127, BT1042993 | Provisioning high availability (HA) setup wizard fails to load, reports 'No Access' | 17.0.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
1039049-1 | 1-Blocking | BT1039049 | Installing EHF on particular platforms fails with error "RPM transaction failure" | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
831821-3 | 2-Critical | BT831821 | Corrupted DAG packets causes bcm56xxd core on VCMP host | 16.0.0, 15.1.4.1, 14.1.4.5 |
1043277-2 | 2-Critical | BT1043277 | 'No access' error page displays for APM policy export and apply options. | 17.0.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
1004929-4 | 2-Critical | BT1004929 | During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid. | 17.0.0, 15.1.5, 14.1.4.5, 13.1.5 |
996001-2 | 3-Major | BT996001 | AVR Inspection Dashboard 'Last Month' does not show all data points | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
958093-2 | 3-Major | BT958093 | IPv6 routes missing after BGP graceful restart | 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
935801-3 | 3-Major | BT935801 | HSB diagnostics are not provided under certain types of failures | 16.1.0, 15.1.2, 14.1.4.5 |
922185-4 | 3-Major | BT922185 | LDAP referrals not supported for 'cert-ldap system-auth'★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
900933-2 | 3-Major | BT900933 | IPsec interoperability problem with ECP PFS | 16.1.0, 16.0.1.2, 15.1.4.1, 14.1.4.5 |
881085-1 | 3-Major | BT881085 | Intermittent auth failures with remote LDAP auth for BIG-IP managment | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1045421-3 | 3-Major | K16107301, BT1045421 | No Access error when performing various actions in the TMOS GUI | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1032077-3 | 3-Major | BT1032077 | TACACS authentication fails with tac_author_read: short author body | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1026549-4 | 3-Major | BT1026549 | Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1015093-4 | 3-Major | BT1015093 | The "iq" column is missing from the ndal_tx_stats table | 15.1.4.1, 14.1.4.5 |
1003257-3 | 3-Major | BT1003257 | ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
988533-3 | 4-Minor | BT988533 | GRE-encapsulated MPLS packet support | 17.0.0, 15.1.4.1, 14.1.4.5 |
889813-1 | 4-Minor | BT889813 | Show net bwc policy prints bytes-per-second instead of bits-per-second | 17.0.0, 16.1.4, 15.1.10, 14.1.4.5 |
1030845-3 | 4-Minor | BT1030845 | Time change from TMSH not logged in /var/log/audit. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1005433 | 1-Blocking | BT1005433 | LTM Pool Members may not be updated accurately when multiple identical database monitors are configured | 14.1.4.5, 13.1.5 |
862885-1 | 2-Critical | BT862885 | Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error | 16.1.0, 15.1.4.1, 14.1.4.5 |
788813-1 | 2-Critical | BT788813 | TMM crash when deleting virtual-wire config | 15.1.0, 14.1.4.5 |
750702-1 | 2-Critical | BT750702 | TMM crashes while making changes to virtual wire configuration | 15.1.0, 14.1.4.5 |
1040361-3 | 2-Critical | BT1040361 | TMM crashes during its startup when TMC destination port list attached/deleted to virtual server. | 17.0.0, 16.1.2, 15.1.5, 14.1.4.5 |
1019081-2 | 2-Critical | K97045220, BT1019081 | HTTP/2 hardening | 16.1.0, 15.1.3.1, 14.1.4.5, 13.1.5 |
1009161 | 2-Critical | BT1009161 | SSL mirroring protect for null sessions | 15.1.5.1, 14.1.4.5 |
999097-4 | 3-Major | BT999097 | SSL::profile may select profile with outdated configuration | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
963705-2 | 3-Major | BT963705 | Proxy ssl server response not forwarded | 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
904041-4 | 3-Major | BT904041 | Ephemeral pool members may be incorrect when modified via various actions | 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
872721-1 | 3-Major | BT872721 | SSL connection mirroring intermittent failure with TLS1.3 | 16.0.0, 15.1.5.1, 14.1.4.5 |
803629-2 | 3-Major | BT803629 | SQL monitor fails with 'Analyze Response failure' message even if recv string is correct | 16.1.0, 16.0.1.1, 15.1.4.1, 14.1.4.5, 13.1.5 |
761477-7 | 3-Major | BT761477 | Client authentication performance when large CRL is used | 15.1.0, 14.1.4.5 |
1038629-3 | 3-Major | BT1038629 | DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
1034365-1 | 3-Major | BT1034365 | DTLS handshake fails with DTLS1.2 client version | 15.1.5, 14.1.4.5, 13.1.5 |
1020941-3 | 3-Major | BT1020941 | HTTP/2 header frames decoding may fail with COMPRESSION_ERROR when frame delivered in multiple xfrags | 16.1.0, 15.1.4, 14.1.4.5 |
1018577-2 | 3-Major | BT1018577 | SASP monitor does not mark pool member with same IP Address but different Port from another pool member | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1017513-2 | 3-Major | BT1017513 | Config sync fails with error Invalid monitor rule instance identifier or monitors are in a bad state such as checking | 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5 |
1015161-3 | 3-Major | BT1015161 | Ephemeral pool member may not be created when FQDN resolves to address that matches static node | 16.1.0, 15.1.5.1, 14.1.4.5, 13.1.5 |
1008017-1 | 3-Major | BT1008017 | Validation failure on Enforce TLS Requirements and TLS Renegotiation | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1008009-1 | 3-Major | BT1008009 | SSL mirroring null hs during session sync state | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
936557-3 | 4-Minor | BT936557 | Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled. | 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
890881-3 | 4-Minor | BT890881 | ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address | 16.1.0, 15.1.4.1, 14.1.4.5 |
1045913-4 | 4-Minor | BT1045913 | COMPRESS::disable/COMPRESS::enable don't work reliably for selective compression | 15.1.5.1, 14.1.4.5 |
1018493-3 | 4-Minor | BT1018493 | Response code 304 from TMM Cache always closes TCP connection. | 17.0.0, 16.1.2, 15.1.4, 14.1.4.5, 13.1.5 |
1005109-1 | 4-Minor | BT1005109 | TMM crashes when changing traffic-group on IPv6 link-local address | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
1002945-1 | 4-Minor | BT1002945 | Some connections are dropped on chained IPv6 to IPv4 virtual servers. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
898929-2 | 5-Cosmetic | BT898929 | Tmm might crash when ASM, AVR, and pool connection queuing are in use | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1035853-4 | 2-Critical | K41415626, BT1035853 | Transparent DNS Cache can consume excessive resources. | 17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5 |
1009037-4 | 2-Critical | BT1009037 | Tcl resume on invalid connection flow can cause tmm crash | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
863917-3 | 3-Major | BT863917 | The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval. | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.5, 13.1.4.1 |
756470-5 | 3-Major | BT756470 | Additional logging added to detect when monitoring operations in the configuration exceeds capabilities. | 15.0.0, 14.1.4.5, 13.1.3.4 |
1024553-3 | 3-Major | BT1024553 | GTM Pool member set to monitor type "none" results in big3d: timed out | 15.1.5, 14.1.4.5, 13.1.5 |
1021417-4 | 3-Major | BT1021417 | Modifying GTM pool members with replace-all-with results in pool members with order 0 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1021061-2 | 3-Major | BT1021061 | Config fails to load for large config on platform with Platform FIPS license enabled | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
993613-4 | 2-Critical | BT993613 | Device fails to request full sync | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
912149-4 | 2-Critical | BT912149 | ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
879841-3 | 2-Critical | BT879841 | Domain cookie same-site option is missing the "None" as value in GUI and rest | 16.0.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
1019853-3 | 2-Critical | K30911244, BT1019853 | Some signatures are not matched under specific conditions | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1011061-1 | 2-Critical | K39002226, BT1011061 | Certain attack signatures may not match in multipart content | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
984593-3 | 3-Major | BT984593 | BD crash | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
948805-3 | 3-Major | BT948805 | False positive "Null in Request" | 16.1.0, 15.1.4.1, 14.1.4.5 |
907025-1 | 3-Major | BT907025 | Live update error" 'Try to reload page' | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
886865-2 | 3-Major | BT886865 | P3P header is added for all browsers, but required only for Internet Explorer | 16.1.0, 15.1.5, 14.1.4.5 |
885765-4 | 3-Major | BT885765 | ASMConfig Handler undergoes frequent restarts | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
857633-2 | 3-Major | BT857633 | Attack Type (SSRF) appears incorrectly in REST result | 16.0.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
842013-4 | 3-Major | BT842013 | ASM Configuration is Lost on License Reactivation★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
785873-2 | 3-Major | BT785873 | ASM should treat 'Authorization: Negotiate TlR' as NTLM | 15.1.0, 14.1.4.5, 13.1.5 |
731168-1 | 3-Major | BT731168 | BIG-IP may attempt to write to an out of bounds memory location, causing the bd daemon to crash. | 15.0.0, 14.1.4.5, 13.1.5 |
1042069-3 | 3-Major | Some signatures are not matched under specific conditions. | 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5, 13.1.5 | |
1017153-1 | 3-Major | BT1017153 | Asmlogd suddenly deletes all request log protobuf files and records from the database. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1005105-4 | 3-Major | BT1005105 | Requests are missing on traffic event logging | 17.0.0, 16.1.1, 15.1.4, 14.1.4.5 |
1004069-2 | 3-Major | BT1004069 | Brute force attack is detected too soon | 17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5 |
883673-1 | 4-Minor | BotDefense JavaScript browser verification can cause low score when using Google Lighthouse tool | 14.1.4.5 | |
1031029 | 4-Minor | BT1031029 | "Use of uninitialized value" warning observed during UCS restore. | 14.1.4.5 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
832805-1 | 3-Major | BT832805 | AVR should make sure file permissions are correct (tmstat_tables.xml) | 16.0.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
787677-3 | 3-Major | BT787677 | AVRD stays at 100% CPU constantly on some systems | 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
1035133-2 | 3-Major | BT1035133 | Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
948113-4 | 4-Minor | BT948113 | User-defined report scheduling fails | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
883889-1 | 2-Critical | BT883889 | Tmm might crash when under memory pressure | 16.0.0, 15.1.5, 14.1.4.5 |
860617-2 | 2-Critical | BT860617 | Radius sever pool without attaching the load balancing algorithm will result into core | 16.0.0, 15.1.4.1, 14.1.4.5 |
1006893-1 | 2-Critical | BT1006893 | Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
993457-3 | 3-Major | BT993457 | TMM core with ACCESS::policy evaluate iRule | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
969317-2 | 3-Major | BT969317 | "Restrict to Single Client IP" option is ignored for vmware VDI | 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5 |
956645-1 | 3-Major | BT956645 | Per-request policy execution may timeout. | 17.0.0, 16.1.4, 15.1.9, 14.1.4.5 |
941393 | 3-Major | BT941393 | Memory leak in SWG | 14.1.4.5 |
932213-1 | 3-Major | BT932213 | Local user db not synced to standby device when it is comes online after forced offline state | 16.1.0, 15.1.4.1, 14.1.4.5 |
924857-4 | 3-Major | BT924857 | Logout URL with parameters resets TCP connection | 16.1.0, 16.0.1.2, 15.1.2, 14.1.4.5 |
915509-3 | 3-Major | BT915509 | RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true | 16.1.0, 15.1.4.1, 14.1.4.5 |
853325-3 | 3-Major | BT853325 | TMM Crash while parsing form parameters by SSO. | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.5 |
828761-3 | 3-Major | BT828761 | APM OAuth - Auth Server attached iRule works inconsistently | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
827393-1 | 3-Major | BT827393 | In rare cases tmm crash is observed when using APM as RDG proxy. | 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5 |
802381-2 | 3-Major | BT802381 | Localdb authentication fails | 15.1.0, 15.0.1.3, 14.1.4.5 |
738593-1 | 3-Major | BT738593 | Vmware Horizon session collaboration (shadow session) feature does not work through APM. | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
712857-3 | 3-Major | BT712857 | SWG-Explicit rejects large POST bodies during policy evaluation | 14.1.4.5, 14.1.0, 12.1.3.6 |
1045229-3 | 3-Major | BT1045229 | APMD leaks Tcl_Objs as part of the fix made for ID 1002557 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
1044121-1 | 3-Major | BT1044121 | APM logon page is not rendered if db variable "ipv6.enabled" is set to false | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
1021485-1 | 3-Major | BT1021485 | VDI desktops and apps freeze with Vmware and Citrix intermittently | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1001337 | 3-Major | BT1001337 | Cannot read single sign-on configuration from GUI when logged in as guest | 15.1.4.1, 14.1.4.5 |
942965-1 | 4-Minor | BT942965 | Local users database can sometimes take more than 5 minutes to sync to the standby device | 16.1.0, 15.1.5, 14.1.4.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1007113-4 | 2-Critical | BT1007113 | Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1039329-3 | 3-Major | BT1039329 | MRF per peer mode is not working in vCMP guest. | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
1025529-3 | 3-Major | BT1025529 | TMM generates core when iRule executes a nexthop command and SIP traffic is sent | 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5 |
1003633-4 | 4-Minor | BT1003633 | There might be wrong memory handling when message routing feature is used | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1049229-3 | 2-Critical | BT1049229 | When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
995433-4 | 3-Major | BT995433 | IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT | 16.1.0, 15.1.4.1, 14.1.4.5 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
956013 | 3-Major | BT956013 | System reports{{validation_errors}} | 16.1.2.1, 15.1.5, 14.1.4.5 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
922665-1 | 3-Major | BT922665 | The admd process is terminated by watchdog on some heavy load configuration process | 16.1.0, 15.1.5, 14.1.4.5 |
1023437-4 | 3-Major | Buffer overflow during attack with large HTTP Headers | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1033829 | 2-Critical | BT1033829 | Unable to load Traffic Classification package | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
686783-3 | 4-Minor | BT686783 | UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1032689-4 | 4-Minor | BT1032689 | UlrCat Custom db feedlist does not work for some URLs | 16.1.2, 15.1.4.1, 14.1.4.5 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
873545-1 | 3-Major | BT873545 | SSL Orchestrator Configuration GUI freezes after management IP change. | 15.1.10, 14.1.4.5 |
761314-2 | 3-Major | BT761314 | OSPF Hello does not work for L2 wire | 15.1.0, 14.1.4.5 |
Cumulative fixes from BIG-IP v14.1.4.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
981461-3 | CVE-2021-23032 | K45407662, BT981461 | Unspecified DNS responses cause TMM crash | 16.1.0, 15.1.3.1, 14.1.4.4, 13.1.5 |
966901-3 | CVE-2020-14364 | K09081535, BT966901 | CVE-2020-14364: Qemu Vulnerability | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
940317-3 | CVE-2020-13692 | K23157312, BT940317 | CVE-2020-13692: PostgreSQL JDBC Driver vulnerability | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
937333-4 | CVE-2022-23013 | K29500533, BT937333 | Incomplete validation of input in unspecified forms | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
550928-4 | CVE-2022-23010 | K34360320, BT550928 | TMM may crash when processing HTTP traffic with a FastL4 virtual server | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
1030689-3 | CVE-2022-23019 | K82793463, BT1030689 | TMM may consume excessive resources while processing Diameter traffic | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
1017973-3 | CVE-2021-25215 | K96223611, BT1017973 | BIND Vulnerability CVE-2021-25215 | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
1017965-3 | CVE-2021-25214 | K11426315, BT1017965 | BIND Vulnerability CVE-2021-25214 | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
1009029 | CVE-2021-23035 | K70415522, BT1009029 | TMM may crash while processing HTTP requests | 14.1.4.4 |
975589-2 | CVE-2020-8277 | K07944249, BT975589 | CVE-2020-8277 Node.js vulnerability | 16.1.0, 15.1.4.1, 14.1.4.4 |
973409-4 | CVE-2020-1971 | K42910051, BT973409 | CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
962069-1 | CVE-2021-23047 | K79428827, BT962069 | Excessive resource consumption while processing OSCP requests via APM | 16.1.0, 15.1.3.1, 14.1.4.4, 13.1.5 |
954425-3 | CVE-2022-23031 | K61112120, BT954425 | Hardening of Live-Update | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
887965-3 | CVE-2022-23027 | K30573026, BT887965 | Virtual server may stop responding while processing TCP traffic | 16.0.0, 15.1.4, 14.1.4.4, 13.1.5 |
1013145-3 | CVE-2021-23052 | K32734107 | APM Hardening | 14.1.4.4, 13.1.5 |
1008561-5 | CVE-2022-23025 | K44110411, BT1008561 | In very rare condition, BIG-IP may crash when SIP ALG is deployed | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
1008077-4 | CVE-2022-23029 | K50343028, BT1008077 | TMM may crash while processing TCP traffic with a FastL4 VS | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
741869-1 | 2-Critical | BT741869 | Enable SysDb variable 'Connection.VgL2Transparent' prior to operating the BIG-IP in L2 transparent mode using VLAN groups. | 15.0.0, 14.1.4.4 |
923301-1 | 3-Major | BT923301 | ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4 |
911141-4 | 3-Major | BT911141 | GTP v1 APN is not decoded/encoded properly | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
866073-1 | 3-Major | BT866073 | Add option to exclude stats collection in qkview to avoid very large data files | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4 |
754335-1 | 3-Major | BT754335 | Install ISO does not boot on BIG-IP VE★ | 16.1.0, 15.1.4.1, 14.1.4.4 |
752542-4 | 3-Major | BT752542 | Automatic eviction of PEM URLCAT cloud cache | 15.0.0, 14.1.4.4 |
751032-3 | 4-Minor | BT751032 | TCP receive window may open too slowly after zero-window | 16.0.0, 15.1.4, 14.1.4.4 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1002109-4 | 1-Blocking | BT1002109 | Xen binaries do not follow security best practices | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
998729 | 2-Critical | BT998729 | Query for virtual address statistics is slow when there are hundreds of virtual address and address lists entries | 14.1.4.4 |
980325-4 | 2-Critical | BT980325 | Chmand core due to memory leak from dossier requests. | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
942549-3 | 2-Critical | BT942549 | Dataplane INOPERABLE - Only 7 HSBs found. Expected 8 | 16.1.0, 15.1.4.1, 14.1.4.4 |
831549-1 | 2-Critical | BT831549 | Marketing name does not display properly for BIG-IP i10010 (C127) | 14.1.4.4, 13.1.3.2 |
767013-3 | 2-Critical | BT767013 | Reboot when HSB is in a bad state observed through HSB sending continuous pause frames to the Broadcom Switch | 15.1.0, 14.1.4.4, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
749332-3 | 2-Critical | BT749332 | Client-SSL Object's description can be updated using CLI and with REST PATCH operation | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.4 |
730852-3 | 2-Critical | BT730852 | The tmrouted repeatedly crashes and produces core when new peer device is added | 16.1.0, 15.1.5.1, 14.1.4.4 |
718573-1 | 2-Critical | BT718573 | Internal SessionDB invalid state | 16.1.0, 15.1.5.1, 14.1.4.4 |
1034449 | 2-Critical | BT1034449 | Excessive CPU consumption by platform_agent. | 14.1.4.4 |
969105-1 | 3-Major | BT969105 | HA failover connections via the management address do not work on vCMP guests running on VIPRION | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
965205-3 | 3-Major | BT965205 | BIG-IP dashboard downloads unused widgets | 16.1.0, 15.1.4.1, 14.1.4.4 |
958465-3 | 3-Major | BT958465 | in BIG-IP Virtual Edition, TMM may prematurely shut down during initialization | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.4 |
956293-1 | 3-Major | BT956293 | High CPU from analytics-related REST calls - Dashboard TMUI | 16.1.0, 15.1.4, 14.1.4.4 |
950849-2 | 3-Major | BT950849 | B4450N blades report page allocation failure.★ | 16.1.0, 15.1.3.1, 14.1.4.4 |
947529-1 | 3-Major | BT947529 | Security tab in virtual server menu renders slowly | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
940885-3 | 3-Major | BT940885 | Add embedded SR-IOV support for Mellanox CX5 Ex adapter | 16.1.0, 15.1.4.1, 14.1.4.4 |
850193-2 | 3-Major | BT850193 | Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues | 16.0.0, 15.1.4, 14.1.4.4 |
827033-3 | 3-Major | BT827033 | Boot marker is being logged before shutdown logs | 16.0.0, 15.1.4, 14.1.4.4 |
809657-2 | 3-Major | BT809657 | HA Group score not computed correctly for an unmonitored pool when mcpd starts | 16.0.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
787881-2 | 3-Major | BT787881 | TMSH displays TSIG keys | 15.1.0, 14.1.4.4 |
755027-1 | 3-Major | BT755027 | Timer processing taking too long | 15.1.0, 14.1.4.4 |
741702-3 | 3-Major | BT741702 | TMM crash | 16.1.0, 15.1.5.1, 14.1.4.4 |
1024877-1 | 3-Major | BT1024877 | Systemd[]: systemd-ask-password-serial.service failed. | 16.1.0, 15.1.4.1, 14.1.4.4 |
1010393-3 | 3-Major | BT1010393 | Unable to relax AS-path attribute in multi-path selection | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
1009949-1 | 3-Major | BT1009949 | High CPU usage when upgrading from previous version★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
1008837-3 | 3-Major | BT1008837 | Control plane is sluggish when mcpd processes a query for virtual server and address statistics | 17.0.0, 16.1.2.2, 15.1.4, 14.1.4.4 |
898441-4 | 4-Minor | BT898441 | Enable logging of IKE keys | 16.1.0, 15.1.4, 14.1.4.4 |
884165-2 | 4-Minor | BT884165 | Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG | 16.0.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
851393-3 | 4-Minor | BT851393 | Tmipsecd leaves a zombie rm process running after starting up | 16.0.0, 15.1.0.5, 14.1.4.4 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
846217-1 | 2-Critical | BT846217 | Translucent vlan-groups set local bit in destination MAC address | 16.0.0, 15.1.2.1, 14.1.4.4 |
837617-3 | 2-Critical | BT837617 | Tmm may crash while processing a compression context | 16.0.0, 15.1.0.2, 14.1.4.4 |
745589-6 | 2-Critical | BT745589 | In very rare situations, some filters may cause data-corruption. | 15.0.0, 14.1.4.4 |
997929-4 | 3-Major | BT997929 | Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4 |
978833-3 | 3-Major | BT978833 | Use of CRL-based Certificate Monitoring Causes Memory Leak | 16.1.0, 15.1.4.1, 14.1.4.4 |
969637-3 | 3-Major | BT969637 | Config may fail to load with "FIPS 140 operations not available on this system" after upgrade★ | 16.1.0, 15.1.4, 14.1.4.4 |
956133-4 | 3-Major | BT956133 | MAC address might be displayed as 'none' after upgrading.★ | 17.0.0, 16.1.4, 15.1.4, 14.1.4.4 |
941481-3 | 3-Major | BT941481 | iRules LX - nodejs processes consuming excessive memory | 16.1.0, 15.1.4, 14.1.4.4 |
941257-2 | 3-Major | BT941257 | Occasional Nitrox3 ZIP engine hang | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
915773 | 3-Major | BT915773 | Restart of TMM after stale interface reference | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
912945-4 | 3-Major | BT912945 | A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
910905-2 | 3-Major | BT910905 | TMM crash when processing virtual server traffic with TLS/SSL session cache enabled | 15.1.5.1, 14.1.4.4 |
818833-3 | 3-Major | BT818833 | TCP re-transmission during SYN Cookie activation results in high latency | 16.0.0, 15.1.4, 14.1.4.4 |
778841-2 | 3-Major | BT778841 | Traffic is not passing in virtual wire when Virtual server type is standard & IP profile is ipother | 16.0.0, 14.1.4.4 |
749608-2 | 3-Major | BT749608 | HTTP Persistence cookies erroneously sent when cookie persistence turned off | 15.0.0, 14.1.4.4 |
723112-5 | 3-Major | BT723112 | LTM policies does not work if a condition has more than 127 matches | 16.1.0, 15.1.4.1, 14.1.4.4 |
714372-3 | 3-Major | BT714372 | Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari | 16.0.0, 15.1.0.2, 15.0.1.1, 14.1.4.4 |
1015209-1 | 3-Major | BT1015209 | Memory may be leaked when handling chunked responses | 14.1.4.4 |
1015201-1 | 3-Major | BT1015201 | HTTP unchunking satellite leaks ERR_MORE_DATA which can cause connection to be aborted. | 15.1.5, 14.1.4.4 |
1004897-3 | 3-Major | BT1004897 | 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.4 |
936773-1 | 4-Minor | BT936773 | Improve logging for "double flow removal" TMM Oops | 16.1.0, 15.1.4.1, 14.1.4.4 |
753925-1 | 4-Minor | BT753925 | CLIENTSSL_CLIENTCERT iRule event may not be triggered on TLSv1.3 connections | 15.0.0, 14.1.4.4 |
Performance Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1030665 | 2-Critical | BT1030665 | Apmd crashes during shutdown under certain conditions | 14.1.4.4 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
995853-3 | 2-Critical | BT995853 | Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error. | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
850509-3 | 2-Critical | BT850509 | Zone Trusted Signature inadequately maintained, following change of master key | 16.0.0, 15.1.2, 14.1.4.4, 13.1.5 |
993489-4 | 3-Major | BT993489 | GTM daemon leaks memory when reading GTM link objects | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
864797-1 | 3-Major | BT864797 | Cached results for a record are sent following region modification | 16.1.0, 15.1.4, 14.1.4.4 |
847105-3 | 3-Major | BT847105 | The bigip_gtm.conf is reverted to default after rebooting with license expired★ | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
816277-2 | 4-Minor | BT816277 | Extremely long nameserver name causes GUI Error | 16.0.0, 14.1.4.4, 13.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
997137-4 | 2-Critical | K80945213, BT997137 | CSRF token modification may allow WAF bypass on GET requests | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
996381-4 | 2-Critical | K41503304, BT996381 | ASM attack signature may not match as expected | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1 |
970329-4 | 2-Critical | K70134152, BT970329 | ASM hardening | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
965229-3 | 2-Critical | BT965229 | ASM Load hangs after upgrade★ | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
920197-2 | 2-Critical | BT920197 | Brute force mitigation can stop mitigating without a notification | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
964245-3 | 3-Major | BT964245 | ASM reports and enforces username always | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
962589-1 | 3-Major | BT962589 | Full Sync Requests Caused By Failed Relayed Call to delete_suggestion | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
962497-4 | 3-Major | BT962497 | BD crash after ICAP response | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
955017-4 | 3-Major | BT955017 | Excessive CPU consumption by asm_config_event_handler | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1 |
951133-1 | 3-Major | BT951133 | Live Update does not work properly after upgrade★ | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4 |
946081-3 | 3-Major | BT946081 | Getcrc tool help displays directory structure instead of version | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
932133-3 | 3-Major | BT932133 | Payloads with large number of elements in XML take a lot of time to process | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
928717-1 | 3-Major | BT928717 | [ASM - AWS] - ASU fails to sync | 16.1.0, 15.1.4, 14.1.4.4 |
920149-2 | 3-Major | BT920149 | Live Update default factory file for Server Technologies cannot be reinstalled | 17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4 |
914277-4 | 3-Major | BT914277 | [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU | 16.1.0, 16.0.1.2, 15.1.4.1, 14.1.4.4 |
904133-2 | 3-Major | BT904133 | Creating a user-defined signature via iControl REST occasionally fails with a 400 response code | 16.0.0, 15.1.4.1, 14.1.4.4 |
867825-2 | 3-Major | BT867825 | Export/Import on a parent policy leaves children in an inconsistent state | 16.0.0, 15.1.4, 14.1.4.4, 13.1.5 |
767057-2 | 3-Major | BT767057 | In a sync-only device group, inactive policy is synced to peer, ASM is removed from virtual server | 15.1.0, 14.1.4.4, 13.1.5 |
753715-1 | 3-Major | BT753715 | False positive JSON max array length violation | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
712336-1 | 3-Major | BT712336 | bd daemon restart loop | 15.0.0, 14.1.4.4, 13.1.5, 12.1.5.3 |
1022269-3 | 3-Major | BT1022269 | False positive RFC compliant violation | 17.0.0, 16.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
1000741-4 | 3-Major | K67397230, BT1000741 | Fixing issue with input normalization | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
952509-1 | 4-Minor | BT952509 | Cross origin AJAX requests are blocked in case there is no Origin header | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4 |
944441-3 | 4-Minor | BT944441 | BD_XML logs memory usage at TS_DEBUG level | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
941249-4 | 4-Minor | BT941249 | Improvement to getcrc tool to print cookie names when cookie attributes are involved | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
746167-1 | 4-Minor | BT746167 | Memory pressure from nsyncd | 15.0.0, 14.1.4.4 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
932137-4 | 3-Major | BT932137 | AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
926341-3 | 3-Major | BT926341 | RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade★ | 17.0.0, 16.1.3.1, 15.1.4, 14.1.4.4, 13.1.5 |
922105-4 | 3-Major | BT922105 | Avrd core when connection to BIG-IQ data collection device is not available | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
909161-4 | 3-Major | BT909161 | A core file is generated upon avrd process restart or stop | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
1020705-3 | 4-Minor | BT1020705 | tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead "attack_type_name | 17.0.0, 16.1.2, 15.1.3.1, 14.1.4.4 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
789085-2 | 2-Critical | BT789085 | When executing the ACCESS::session iRule command under a serverside event, tmm may crash | 15.1.0, 14.1.4.4 |
766921-1 | 2-Critical | BT766921 | Localdbmgr process crashes and generates a core | 15.0.0, 14.1.4.4 |
1020349-1 | 2-Critical | BT1020349 | APM daemon may crash if CRLDP agent cannot find a certificate to validate CRL | 16.1.0, 15.1.6.1, 14.1.4.4 |
984765-4 | 3-Major | BT984765 | APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)★ | 16.1.0, 15.1.4, 14.1.4.4 |
949477-2 | 3-Major | BT949477 | NTLM RPC exception: Failed to verify checksum of the packet | 16.1.0, 15.1.4.1, 14.1.4.4 |
946125-1 | 3-Major | BT946125 | Tmm restart adds 'Revoked' tokens to 'Active' token count | 16.1.0, 15.1.4, 14.1.4.4 |
849029-3 | 3-Major | BT849029 | No configurable setting for maximum entries in CRLDP cache | 17.0.0, 16.1.3, 15.1.6.1, 14.1.4.4 |
844781-1 | 3-Major | BT844781 | [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.4 |
844281-1 | 3-Major | BT844281 | [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files. | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.4 |
803825-3 | 3-Major | BT803825 | WebSSO does not support large NTLM target info length | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.4, 13.1.3.4 |
744407-3 | 3-Major | BT744407 | While the client has been closed, iRule function should not try to check on a closed session | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.4, 13.1.3.4 |
1007629-2 | 3-Major | BT1007629 | APM policy configured with many ACL policies can create APM memory pressure | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
1002557-3 | 3-Major | BT1002557 | Tcl free object list growth | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
1001041-2 | 3-Major | BT1001041 | Reset cause 'Illegal argument' | 16.1.0, 15.1.4, 14.1.4.4 |
939877-2 | 4-Minor | BT939877 | OAuth refresh token not found | 17.0.0, 16.1.2, 15.1.4, 14.1.4.4 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
993913-1 | 2-Critical | BT993913 | TMM SIGSEGV core in Message Routing Framework | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
1012721-2 | 2-Critical | BT1012721 | Tmm may crash with SIP-ALG deployment in a particular race condition | 17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4, 13.1.5 |
996113-4 | 3-Major | BT996113 | SIP messages with unbalanced escaped quotes in headers are dropped | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
805821-4 | 3-Major | BT805821 | GTP log message contains no useful information | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
919301-4 | 4-Minor | BT919301 | GTP::ie count does not work with -message option | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
913413-4 | 4-Minor | BT913413 | 'GTP::header extension count' iRule command returns 0 | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
913409-4 | 4-Minor | BT913409 | GTP::header extension command may abort connection due to unreasonable TCL error | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
913393-4 | 5-Cosmetic | BT913393 | Tmsh help page for GTP iRule contains incorrect and missing information | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
990461-2 | 3-Major | BT990461 | Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★ | 17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4 |
744204-1 | 3-Major | BT744204 | PCCD may exhaust system memory when compiling | 15.0.0, 14.1.4.4 |
1012521-4 | 3-Major | BT1012521 | BIG-IP UI file permissions | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4 |
926425 | 4-Minor | BT926425 | Hardware SYN Cookies may not deactivate after the SYN attack ends and valid TCP traffic starts | 14.1.4.4 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
913453-3 | 2-Critical | BT913453 | URL Categorization: wr_urldbd cores while processing urlcat-query | 16.1.0, 15.1.4, 14.1.4.4 |
760961-3 | 2-Critical | BT760961 | TMM crashes due to webroot database shared memory channel corruption when wr_urldbd daemon restarts | 15.0.0, 14.1.4.4, 13.1.1.5 |
958085-2 | 3-Major | BT958085 | IM installation fails with error: Spec file not found★ | 16.1.0, 15.1.4, 14.1.4.4 |
785605-2 | 3-Major | BT785605 | Traffic Intelligence Feed Lists are not usable if created on Standby unit in Traffic Group | 15.1.0, 14.1.4.4 |
974205-2 | 4-Minor | BT974205 | Unconstrained wr_urldbd size causing box to OOM | 17.1.0, 16.1.4, 15.1.4, 14.1.4.4, 12.1.6 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
970829-4 | 2-Critical | K03310534, BT970829 | iSeries LCD incorrectly displays secure mode | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4 |
929213-3 | 3-Major | BT929213 | iAppLX packages not rolled forward after BIG-IP upgrade★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
946185-4 | 3-Major | BT946185 | Unable to view iApp component due to error 'An error has occurred while trying to process your request.'★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
822245-5 | 4-Minor | BT822245 | Large number of in-TMM monitors results in some monitors being marked down or delay in marking node down | 16.1.0, 15.1.4, 14.1.4.4 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
918317-3 | 3-Major | BT918317 | SSL Orchestrator resets subsequent requests when HTTP services are being used. | 16.1.0, 15.1.4, 14.1.4.4 |
Cumulative fixes from BIG-IP v14.1.4.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
989009-4 | CVE-2021-23033 | K05314769, BT989009 | BD daemon may crash while processing WebSocket traffic | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1 |
980125-4 | CVE-2021-23030 | K42051445, BT980125 | BD Daemon may crash while processing WebSocket traffic | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1 |
946377-3 | CVE-2021-23027 | K24301698, BT946377 | HSM WebUI Hardening | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3 |
968349-1 | CVE-2021-23048 | K19012930, BT968349 | TMM crashes with unspecified message | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1 |
950017-3 | CVE-2021-23045 | K94941221, BT950017 | TMM may crash while processing SCTP traffic | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1 |
819053-2 | CVE-2019-13232 | K80311892, BT819053 | CVE-2019-13232 unzip: overlapping of files in ZIP container | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
797797-3 | CVE-2019-11811 | K01512680, BT797797 | CVE-2019-11811 kernel: use-after-free in drivers | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.3 |
968733-5 | CVE-2018-1120 | K42202505, BT968733 | CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
939421-4 | CVE-2020-10029 | K38481791, BT939421 | CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
876937-1 | 3-Major | BT876937 | DNS Cache not functioning | 16.0.0, 15.1.4, 14.1.4.3 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
967905-3 | 2-Critical | BT967905 | Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
1004517-3 | 2-Critical | BT1004517 | BIG-IP tenants on VELOS cannot install EHFs | 17.1.0, 15.1.4, 14.1.4.3 |
1000973-2 | 2-Critical | BT1000973 | Unanticipated restart of TMM due to heartbeat failure | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
998221-4 | 3-Major | BT998221 | Accessing pool members from configuration utility is slow with large config | 17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.3 |
996593-3 | 3-Major | BT996593 | Password change through REST or GUI not allowed if the password is expired | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3 |
994801-4 | 3-Major | SCP file transfer system | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1 | |
908601-4 | 3-Major | BT908601 | System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3 |
841277-5 | 3-Major | BT841277 | C4800 LCD fails to load after annunciator hot-swap | 16.0.0, 15.1.4, 14.1.4.3 |
804477-4 | 3-Major | BT804477 | Add HSB register logging when parts of the device becomes unresponsive | 15.1.0, 14.1.4.3, 13.1.3.4 |
1004417-1 | 4-Minor | BT1004417 | Provisioning error message during boot up★ | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1008525-1 | 2-Critical | BT1008525 | The partition text field becomes unusable when the user enters an invalid entry such as, "<, >, &, ", ', ', etc. | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3 |
1007505 | 2-Critical | BT1007505 | TLS handshake times out if intermediate CA cert status cannot be determined | 14.1.4.3 |
1001509-1 | 2-Critical | K11162395, BT1001509 | Client going through to BIG-IP SSL forward proxy might not be able to trust forged certificates | 15.1.3, 14.1.4.3 |
994125-1 | 3-Major | BT994125 | NetHSM Sanity results are not reflecting in GUI test output box | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3 |
882549-3 | 3-Major | BT882549 | Sock driver does not use multiple queues in unsupported environments | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3 |
962433-3 | 4-Minor | BT962433 | HTTP::retry for a HEAD request fails to create new connection | 15.1.4, 14.1.4.3, 13.1.4.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1017645-3 | 2-Critical | BT1017645 | False positive HTTP compliance violation | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
981785-2 | 3-Major | BT981785 | Incorrect incident severity in Event Correlation statistics | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
833113-3 | 3-Major | BT833113 | Avrd core when sending large messages via https | 16.0.0, 15.1.4, 15.0.1.3, 14.1.4.3, 13.1.3.4 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
660913-3 | 2-Critical | BT660913 | For ActiveSync client type, browscap info provided is incorrect.★ | 15.0.0, 14.1.4.3, 13.1.3.4, 12.1.4.1 |
924521-1 | 3-Major | BT924521 | OneConnect does not work when WEBSSO is enabled/configured. | 16.1.0, 15.1.4, 14.1.4.3 |
470346-2 | 3-Major | BT470346 | Some IPv6 client connections get RST when connecting to APM virtual | 16.0.0, 15.1.4, 14.1.4.3, 13.1.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
991037-1 | 3-Major | BT991037 | MR::message can cause tmm crash | 14.1.4.3 |
788625-3 | 3-Major | BT788625 | A pool member is not marked up by the inband monitor even after successful connection to the pool member | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
874677 | 2-Critical | BT874677 | Traffic Classification auto signature update fails from GUI★ | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4.3 |
976365-1 | 3-Major | BT976365 | Traffic Classification hardening★ | 16.1.0, 15.1.3.1, 14.1.4.3 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
795329-2 | 3-Major | BT795329 | IM installation fails if 'auto-add-new-inspections' enabled on profile★ | 15.1.0, 15.0.1.1, 14.1.4.3 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
947925-4 | 3-Major | BT947925 | TMM may crash when executing L7 Protocol Lookup per-request policy agent | 16.1.0, 15.1.4, 14.1.4.3 |
Cumulative fixes from BIG-IP v14.1.4.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
962341-4 | CVE-2021-23028 | K00602225, BT962341 | BD crash while processing JSON content | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2, 13.1.4 |
935433-4 | CVE-2021-23026 | K53854428, BT935433 | iControl SOAP | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1 |
981693-2 | CVE-2022-23024 | K54892865, BT981693 | TMM may consume excessive resources while processing IPSec ALG traffic | 16.1.0, 15.1.4.1, 14.1.4.2, 13.1.5 |
965485-2 | CVE-2019-5482 | K41523201 | CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
949889-2 | CVE-2019-3900 | K04107324, BT949889 | CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx() | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
942701-3 | CVE-2021-23044 | K35408374, BT942701 | TMM may consume excessive resources while processing HTTP traffic | 16.1.0, 15.1.3.1, 14.1.4.2, 13.1.4.1 |
937365-4 | CVE-2021-23041 | K42526507, BT937365 | LTM UI does not follow best practices | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1 |
907245-3 | CVE-2021-23040 | K94255403, BT907245 | AFM UI Hardening | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1 |
906377-4 | CVE-2021-23038 | K61643620, BT906377 | iRulesLX hardening | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2, 13.1.4.1 |
803933-2 | CVE-2018-20843 | K51011533, BT803933 | Expat XML parser vulnerability CVE-2018-20843 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1 |
1003557-4 | CVE-2021-23015 | K74151369, BT1003557 | Not following best practices in Guided Configuration Bundle Install worker | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1004833-1 | 1-Blocking | BT1004833 | NIST SP800-90B compliance | 17.0.0, 16.1.3, 15.1.4, 14.1.4.2 |
976505-1 | 3-Major | BT976505 | Rotated restnoded logs will fail logintegrity verification. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
975809-2 | 3-Major | BT975809 | Rotated restjavad logs fail logintegrity verification. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
959629-3 | 3-Major | BT959629 | Logintegrity script for restjavad/restnoded fails | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
958353-3 | 3-Major | BT958353 | Restarting the mcpd messaging service renders the PAYG VE license invalid. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
946089-1 | 3-Major | BT946089 | BIG-IP might send excessive multicast/broadcast traffic. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
932497-1 | 3-Major | BT932497 | Autoscale groups require multiple syncs of datasync-global-dg | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
913849 | 3-Major | BT913849 | Syslog-ng periodically logs nothing for 20 seconds | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
764873-2 | 3-Major | BT764873 | An accelerated flow may transmit packets to an unavailable pool member. | 15.1.0, 15.0.1.3, 14.1.4.2, 13.1.3.2 |
1009133 | 3-Major | BT1009133 | BIG-IP vCMP guests that have HA Groups configured to include trunk scoring may fail to upgrade properly★ | 14.1.4.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
945997-3 | 2-Critical | BT945997 | LTM policy applied to HTTP/2 traffic may crash TMM | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
980821-1 | 3-Major | BT980821 | Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured. | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2 |
895557-1 | 4-Minor | BT895557 | NTLM profile logs error when used with profiles that do redirect | 17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.2 |
773253-3 | 4-Minor | BT773253 | The BIG-IP may send VLAN failsafe probes from a disabled blade | 16.0.0, 15.1.2.1, 14.1.4.2, 13.1.4 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
918597-4 | 2-Critical | BT918597 | Under certain conditions, deleting a topology record can result in a crash. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
717306-1 | 2-Critical | BT717306 | Added ability to use VIP-targeting-VIP with DNS Cache server-side connections | 15.1.0, 14.1.4.2 |
973261-4 | 3-Major | BT973261 | GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
912001-4 | 3-Major | BT912001 | TMM cores on secondary blades of the Chassis system. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
835209-1 | 3-Major | BT835209 | External monitors mark objects down | 16.0.0, 15.1.3, 14.1.4.2 |
746719-1 | 3-Major | BT746719 | SERVFAIL when attempting to view or edit NS resource records in zonerunner | 15.0.0, 14.1.4.2 |
857953-3 | 4-Minor | BT857953 | Non-functional disable/enable buttons present in GTM wide IP members page | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
968421-4 | 2-Critical | K30291321, BT968421 | ASM attack signature doesn't matched | 16.1.0, 16.0.1.2, 15.1.2.1, 14.1.4.2, 13.1.4.1, 12.1.6, 11.6.5.3 |
943913-4 | 2-Critical | K30150004, BT943913 | ASM attack signature does not match | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2, 13.1.4.1 |
854001-4 | 2-Critical | BT854001 | TMM might crash in case of trusted bot signature and API protected url | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
810497-2 | 2-Critical | BT810497 | Pabnagd cores during device group settings changes | 15.1.0, 14.1.4.2 |
950917-2 | 3-Major | BT950917 | Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034 | 17.0.0, 16.1.4, 15.1.4, 14.1.4.2, 13.1.4.1 |
928685-3 | 3-Major | K49549213, BT928685 | ASM Brute Force mitigation not triggered as expected | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1 |
922261-4 | 3-Major | BT922261 | WebSocket server messages are logged even it is not configured | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
912089-3 | 3-Major | BT912089 | Some roles are missing necessary permission to perform Live Update | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
907337-4 | 3-Major | BT907337 | BD crash on specific scenario | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
888289-3 | 3-Major | BT888289 | Add option to skip percent characters during normalization | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
883853-1 | 3-Major | BT883853 | Bot Defense Profile with staged signatures prevents signature update★ | 16.0.0, 15.1.4, 14.1.4.2 |
881757-2 | 3-Major | BT881757 | Unnecessary HTML response parsing and response payload is not compressed | 16.1.0, 16.0.1.2, 15.1.1, 14.1.4.2 |
846181-1 | 3-Major | BT846181 | Request samples for some of the learning suggestions are not visible | 16.0.0, 15.1.4, 14.1.4.2 |
830341-1 | 3-Major | BT830341 | False positives Mismatched message key on ASM TS cookie | 17.0.0, 16.1.2.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
792341-2 | 3-Major | BT792341 | Google Analytics shows incorrect stats. | 15.1.0, 14.1.4.2, 13.1.4.1 |
673272-4 | 3-Major | BT673272 | Search by "Signature ID is" does not return results for some signature IDs | 17.0.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4 |
941929-1 | 4-Minor | BT941929 | Google Analytics shows incorrect stats, when Google link is redirected. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
911729-1 | 4-Minor | BT911729 | Redundant learning suggestion to set a Maximum Length when parameter is already at that value | 17.0.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
981385-4 | 3-Major | BT981385 | AVRD does not send HTTP events to BIG-IQ DCD | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4 |
932485-2 | 3-Major | BT932485 | Incorrect sum(hits_count) value in aggregate tables | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
913085-4 | 3-Major | BT913085 | Avrd core when avrd process is stopped or restarted | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
995029 | 2-Critical | BT995029 | Configuration is not updated during auto-discovery | 16.1.0, 15.1.4, 14.1.4.2 |
783233-2 | 2-Critical | BT783233 | OAuth puts quotation marks around claim values that are not string type | 15.1.0, 14.1.4.2 |
894885 | 3-Major | BT894885 | [SAML] SSO crash while processing client SSL request | 16.1.0, 15.1.4, 14.1.4.2 |
866109-1 | 3-Major | BT866109 | JWK keys frequency does not support fewer than 60 minutes | 16.0.0, 15.1.4, 14.1.4.2, 13.1.4.1 |
757781-3 | 3-Major | BT757781 | Portal Access: cookie exchange may be broken sometimes | 15.1.0, 15.0.1.1, 14.1.4.2, 14.0.0.5, 13.1.1.5 |
738865-3 | 3-Major | BT738865 | MCPD might enter into loop during APM config validation | 16.0.0, 15.1.4, 14.1.4.2 |
828773-1 | 4-Minor | BT828773 | Incomplete response to an internal request by Portal Access | 14.1.4.2 |
766017-1 | 4-Minor | BT766017 | [APM][LocalDB] Local user database instance name length check inconsistencies★ | 16.1.0, 16.0.1.1, 15.1.2, 14.1.4.2, 13.1.3.5, 12.1.5.3 |
747234-5 | 4-Minor | BT747234 | Macro policy does not find corresponding access-profile directly | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
974881-1 | 2-Critical | BT974881 | Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
868781-2 | 2-Critical | BT868781 | TMM crashes while processing MRF traffic | 16.0.0, 15.1.1, 14.1.4.2, 13.1.4.1 |
989753-3 | 3-Major | BT989753 | In HA setup, standby fails to establish connection to server | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
992213-1 | 3-Major | BT992213 | Protocol Any displayed as HOPTOPT in AFM policy view | 17.0.0, 16.1.1, 15.1.4, 14.1.4.2 |
988005-3 | 3-Major | BT988005 | Zero active rules counters in GUI | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
783217-1 | 3-Major | BT783217 | Negative numbers of received packets in DoS-sampled log messages for bad actor and attacked destination attacks | 15.1.0, 14.1.4.2 |
751116-1 | 3-Major | BT751116 | DNS or Network protocol DoS attacks reported as mitigating when configured as monitoring | 15.0.0, 14.1.4.2, 13.1.3.4 |
716746-1 | 3-Major | BT716746 | Possible tmm restart when disabling single endpoint vector while attack is ongoing | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.0.7 |
685904-2 | 3-Major | BT685904 | Firewall Rule hit counts are not auto-updated after a Reset is done | 16.0.0, 15.1.4, 14.1.4.2 |
977005-2 | 4-Minor | BT977005 | Network Firewall Policy rules-list showing incorrect 'Any' for source column | 16.1.0, 15.1.4, 14.1.4.2 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
981689-1 | 2-Critical | BT981689 | TMM memory leak with IPsec ALG | 16.1.0, 15.1.4.1, 14.1.4.2 |
994985-1 | 3-Major | BT994985 | CGNAT GUI shows blank page when applying SIP profile | 17.0.0, 15.1.4, 14.1.4.2 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
893721-1 | 2-Critical | BT893721 | PEM-provisioned systems may suffer random tmm crashes after upgrading★ | 16.1.0, 15.1.4, 14.1.4.2 |
948573-2 | 3-Major | BT948573 | Wr_urldbd list of valid TLDs needs to be updated | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
846601-3 | 3-Major | BT846601 | Traffic classification does not update when an inactive slot becomes active after upgrade★ | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
912425-1 | 3-Major | BT912425 | Modifying in-TMM monitor configuration may not take effect, or may result in a TMM crash | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
Cumulative fixes from BIG-IP v14.1.4.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
980809-3 | CVE-2021-23031 | K41351250, BT980809 | ASM REST Signature Rule Keywords Tool Hardening | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3 |
990333-4 | CVE-2021-23016 | K75540265, BT990333 | APM may return unexpected content when processing HTTP requests | 17.0.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4 |
945109-4 | CVE-2015-9382 | K46641512, BT945109 | Freetype Parser Skip Token Vulnerability CVE-2015-9382 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3 |
1002561-1 | CVE-2021-23007 | K37451543, BT1002561 | TMM vulnerability CVE-2021-23007 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
933777-2 | 3-Major | BT933777 | Context use and syntax changes clarification | 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4 |
704552-2 | 3-Major | BT704552 | Support for ONAP site licensing | 15.1.0, 14.1.4.1, 14.0.0.2, 13.1.0.7 |
918097-1 | 4-Minor | BT918097 | Cookies set in the URI on Safari | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
995629-2 | 2-Critical | BT995629 | Loading UCS files may hang if ASM is provisioned★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4.1 |
876957-2 | 2-Critical | BT876957 | Reboot after tmsh load sys config changes sys FPGA firmware-config value | 16.0.0, 15.1.1, 14.1.4.1 |
978393 | 3-Major | BT978393 | GUI screen shows blank screen while importing a certificate★ | 14.1.4.1 |
969213-2 | 3-Major | BT969213 | VMware: management IP cannot be customized via net.mgmt.addr property | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
922297-3 | 3-Major | BT922297 | TMM does not start when using more than 11 interfaces with more than 11 vCPUs | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4 |
914245-1 | 3-Major | BT914245 | Reboot after tmsh load sys config changes sys FPGA firmware-config value | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
841649-2 | 3-Major | BT841649 | Hardware accelerated connection mismatch resulting in tmm core | 16.0.0, 15.1.2, 14.1.4.1 |
839121-1 | 3-Major | K74221031, BT839121 | A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
829821-3 | 3-Major | BT829821 | Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4 |
692218-3 | 3-Major | BT692218 | Audit log messages sent from the primary blade to the secondaries should not be logged. | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
675911-13 | 3-Major | K13272442, BT675911 | Different sections of the GUI can report incorrect CPU utilization | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
601220-3 | 3-Major | BT601220 | Multi-blade trunks seem to leak packets ingressed via one blade to a different blade | 15.1.0, 14.1.4.1 |
569859-5 | 3-Major | BT569859 | Password policy enforcement for root user when mcpd is not available | 16.0.0, 15.1.3, 14.1.4.1 |
879189-3 | 4-Minor | BT879189 | Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
658943-2 | 4-Minor | BT658943 | Errors when platform migration process is loading UCS using trunks on vCMP guest/F5OS Tenants | 14.1.4.1 |
440599-1 | 4-Minor | BT440599 | Added DB Variable to configure 'difok' variable in password policy | 16.0.0, 14.1.4.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
908621-3 | 2-Critical | BT908621 | Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core | 16.0.0, 15.1.2, 14.1.4.1 |
738964-2 | 2-Critical | Instruction logger debugging enhancement | 16.1.0, 15.1.3, 14.1.4.1 | |
888517-3 | 3-Major | BT888517 | Busy polling leads to high CPU★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4 |
878925-3 | 3-Major | BT878925 | SSL connection mirroring failover at end of TLS handshake | 16.0.0, 15.1.2, 14.1.4.1 |
760406-3 | 3-Major | BT760406 | HA connection might stall on Active device when the SSL session cache becomes out-of-sync. | 16.0.0, 15.1.5.1, 14.1.4.1 |
756812-2 | 3-Major | BT756812 | Nitrox 3 instruction/request logger may fail due to SELinux permission error | 16.1.0, 15.1.3, 14.1.4.1 |
756817-1 | 4-Minor | BT756817 | ZebOS addresses blocks do not reflect RFC5735 changes to reserved address blocks. | 15.1.0, 15.0.1.4, 14.1.4.1 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
971297-3 | 3-Major | BT971297 | DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
885201-3 | 4-Minor | BT885201 | BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session"'messages appearing in gtm log | 16.1.0, 15.1.3, 14.1.4.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
956373-3 | 3-Major | BT956373 | ASM sync files not cleaned up immediately after processing | 17.0.0, 16.1.4, 16.0.1.2, 15.1.3, 14.1.4.1 |
947341-3 | 3-Major | BT947341 | MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files. | 17.0.0, 16.1.2, 16.0.1.2, 15.1.3, 14.1.4.1 |
929001-4 | 3-Major | K48321015, BT929001 | ASM form handling improvements | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3 |
767077-1 | 3-Major | BT767077 | Loading truncated Live Update file (ASU) completes incorrectly or fails with odd error | 15.1.0, 14.1.4.1 |
824093-3 | 4-Minor | BT824093 | Parameters payload parser issue | 16.0.0, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
869049-2 | 3-Major | BT869049 | Charts discrepancy in AVR reports | 17.0.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
883577-2 | 3-Major | BT883577 | ACCESS::session irule command does not work in HTTP_RESPONSE event | 16.1.0, 15.1.3, 14.1.4.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
750679-1 | 2-Critical | BT750679 | Tmm crash on standby device and Diameter stats issues | 15.0.0, 14.1.4.1 |
982869-3 | 3-Major | BT982869 | With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
977053-3 | 3-Major | BT977053 | TMM crash on standby due to invalid MR router instance | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
966701-3 | 3-Major | BT966701 | Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
851745-1 | 2-Critical | BT851745 | High cpu consumption due when enabling large number of virtual servers | 16.0.0, 15.1.2, 14.1.4.1 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
914293-1 | 3-Major | BT914293 | TMM SIGSEGV and crash | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
964577-1 | 4-Minor | BT964577 | IPS automatic IM download not working as expected | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
Cumulative fixes from BIG-IP v14.1.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
975233-3 | CVE-2021-22992 | K52510511, BT975233 | Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
973333-3 | CVE-2021-22991 | K56715231, BT973333 | TMM buffer-overflow vulnerability CVE-2021-22991 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3 |
955145-3 | CVE-2021-22986 | K03009991, BT955145 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3 |
954381-3 | CVE-2021-22986 | K03009991, BT954381 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3 |
953677-3 | CVE-2021-22987, CVE-2021-22988 | K18132488 K70031188, BT953677 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3 |
951705-3 | CVE-2021-22986 | K03009991, BT951705 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
981169-3 | CVE-2021-22994 | K66851119, BT981169 | F5 TMUI XSS vulnerability CVE-2021-22994 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
959121-2 | CVE-2021-23015 | K74151369, BT959121 | Not following best practices in Guided Configuration Bundle Install worker | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6 |
953729-3 | CVE-2021-22989, CVE-2021-22990 | K56142644 K45056101, BT953729 | Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
949933-2 | CVE-2021-22980 | K29282483, BT949933 | BIG-IP APM CTU vulnerability CVE-2021-22980 | 16.1.0, 16.0.1.1, 15.1.4, 14.1.4, 13.1.3.6 |
931837-5 | CVE-2020-13817 | K55376430, BT931837 | NTP has predictable timestamps | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
882633-4 | CVE-2021-23008 | K51213246, BT882633 | Active Directory authentication does not follow current best practices | 16.1.0, 15.1.3, 14.1.4, 13.1.4, 12.1.6 |
976925-3 | CVE-2021-23002 | K71891773, BT976925 | BIG-IP APM VPN vulnerability CVE-2021-23002 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6 |
954429-3 | CVE-2021-23014 | K23203045, BT954429 | User authorization changes for live update | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
948769-4 | CVE-2021-23013 | K05300051, BT948769 | TMM panic with SCTP traffic | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6, 12.1.5.3 |
946581-3 | CVE-2020-27713 | K37960100, BT946581 | TMM vulnerability CVE-2020-27713 | 14.1.4, 13.1.3.5 |
938233-3 | CVE-2021-23042 | K93231374 | An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4, 12.1.6 |
937637-4 | CVE-2021-23002 | K71891773, BT937637 | BIG-IP APM VPN vulnerability CVE-2021-23002 | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6 |
935401-4 | CVE-2021-23001 | K06440657, BT935401 | BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
932697-2 | CVE-2021-23000 | K34441555, BT932697 | BIG-IP TMM vulnerability CVE-2021-23000 | 14.1.4, 13.1.4, 12.1.5.3 |
903889 | CVE-2021-22999 | K02333782, BT903889 | BIG-IP HTTP/2 vulnerability CVE-2021-22999 | 14.1.4 |
877109-3 | CVE-2021-23012 | K04234247 | Unspecified input can break intended functionality in iHealth proxy | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.4 |
825689-3 | CVE-2023-3470 | K000135449, BT825689 | Enhance FIPS crypto-user storage | 16.0.0, 15.1.1, 14.1.4, 13.1.4, 12.1.6 |
743105-4 | CVE-2021-22998 | K31934524, BT743105 | BIG-IP SNAT vulnerability CVE-2021-22998 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
718189-7 | CVE-2021-23011 | K10751325, BT718189 | Unspecified IP traffic can cause low-memory conditions | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.4, 12.1.6, 11.6.5.3 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
912289-3 | 2-Critical | BT912289 | Cannot roll back after upgrading on certain platforms★ | 16.0.0, 15.1.1, 14.1.4, 13.1.4, 12.1.6 |
776393-2 | 2-Critical | BT776393 | Restjavad restarts frequently due to insufficient memory with relatively large configurations | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
945265-3 | 3-Major | BT945265 | BGP may advertise default route with incorrect parameters | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
913829-3 | 3-Major | BT913829 | i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
867793-3 | 3-Major | BT867793 | BIG-IP sending the wrong trap code for BGP peer state | 16.0.0, 15.1.2.1, 14.1.4 |
794417-1 | 3-Major | BT794417 | Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not★ | 16.1.3, 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
742860-3 | 3-Major | BT742860 | VE: Predictable NIC ordering based on PCI coordinates until ordering is saved. | 15.1.0, 14.1.4, 13.1.3.6 |
719338-2 | 4-Minor | BT719338 | Concurrent management SSH connections are unlimited | 16.1.0, 15.1.1, 14.1.4, 13.1.4 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
990849-3 | 2-Critical | BT990849 | Loading UCS with platform-migrate option hangs and requires exiting from the command★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4.1 |
940021-2 | 2-Critical | BT940021 | Syslog-ng hang may lead to unexpected reboot | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6 |
932437-4 | 2-Critical | BT932437 | Loading SCF file does not restore files from tar file★ | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
915305-3 | 2-Critical | BT915305 | Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.4 |
908517-1 | 2-Critical | BT908517 | LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)' | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
888341-5 | 2-Critical | BT888341 | HA Group failover may fail to complete Active/Standby state transition | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
886693-2 | 2-Critical | BT886693 | System might become unresponsive after upgrading.★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
817085-4 | 2-Critical | BT817085 | Multicast Flood Can Cause the Host TMM to Restart | 15.1.0, 14.1.4, 12.1.5.3 |
811973-2 | 2-Critical | BT811973 | TMM may crash when shutting down | 15.1.0, 14.1.4 |
797221-1 | 2-Critical | BT797221 | BCM daemon can be killed by watchdog timeout during blade-to-blade failover | 15.1.0, 14.1.4 |
785017-1 | 2-Critical | BT785017 | Secondary blades go offline after new primary is elected | 16.1.0, 15.1.3, 14.1.4, 13.1.4 |
751991-1 | 2-Critical | BT751991 | BIOS update fails with "flashrom not safe for BIOS updates yet" log message | 15.0.0, 14.1.4 |
739507-1 | 2-Critical | BT739507 | Improved recovery method for BIG-IP system that has halted from a failed FIPS integrity check | 16.1.0, 15.1.0.5, 14.1.4, 13.1.1.2 |
739505-2 | 2-Critical | BT739505 | Automatic ISO digital signature checking not required when FIPS license active★ | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.1.2 |
973201 | 3-Major | BT973201 | F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions★ | 16.1.0, 15.1.4, 14.1.4 |
967745-2 | 3-Major | BT967745 | Last resort pool error for the modify command for Wide IP | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.4 |
963017-3 | 3-Major | BT963017 | The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed | 16.1.0, 15.1.3, 14.1.4 |
946745-3 | 3-Major | BT946745 | 'System Integrity: Invalid' after Engineering Hotfix installation | 16.1.0, 15.1.3, 14.1.4 |
943793 | 3-Major | BT943793 | Neurond continuously restarting. | 16.1.0, 15.1.5.1, 14.1.4 |
939541-3 | 3-Major | BT939541 | TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
930905-1 | 3-Major | BT930905 | Management route lost after reboot. | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
927941-3 | 3-Major | BT927941 | IPv6 static route BFD does not come up after OAMD restart | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6 |
914081-3 | 3-Major | BT914081 | Engineering Hotfixes missing bug titles | 16.0.0, 15.1.3, 14.1.4 |
913433-1 | 3-Major | BT913433 | On blade failure, some trunked egress traffic is dropped. | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6 |
909197-5 | 3-Major | BT909197 | The mcpd process may become unresponsive | 16.1.0, 16.0.1.1, 15.1.4.1, 14.1.4 |
904785-3 | 3-Major | BT904785 | Remotely authenticated users might not be able to log in over the serial console | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
896817-4 | 3-Major | BT896817 | iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
896553-2 | 3-Major | BT896553 | On blade failure, some trunked egress traffic is dropped. | 16.0.0, 15.1.3, 14.1.4, 13.1.3.6 |
895837-1 | 3-Major | BT895837 | Mcpd crash when a traffic-matching-criteria destination-port-list is modified | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
893949 | 3-Major | BT893949 | Support TCP directional offload for hardware-accelerated connections | 14.1.4 |
893885 | 3-Major | BT893885 | The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation | 16.1.0, 15.1.3, 14.1.4 |
891337-3 | 3-Major | BT891337 | 'save_master_key(master): Not ready to save yet' errors in the logs | 16.0.0, 15.1.3, 14.1.4 |
889029-4 | 3-Major | BT889029 | Unable to login if LDAP user does not have search permissions | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
879829-3 | 3-Major | BT879829 | HA daemon sod cannot bind to ports numbered lower than 1024 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
876805-1 | 3-Major | BT876805 | Modifying address-list resets the route advertisement on virtual servers. | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
862937-2 | 3-Major | BT862937 | Running cpcfg after first boot can result in daemons stuck in restart loop★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
838901-2 | 3-Major | BT838901 | TMM receives invalid rx descriptor from HSB hardware | 16.0.0, 15.1.2, 14.1.4, 13.1.4 |
830413-4 | 3-Major | BT830413 | Intermittent Virtual Edition deployment failure due to inability to access the ssh host key in Azure★ | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
820845-2 | 3-Major | BT820845 | Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use. | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6 |
814053-2 | 3-Major | BT814053 | Under heavy load, bcm56xxd can be killed by the watchdog | 15.1.0, 14.1.4 |
803237-4 | 3-Major | BT803237 | PVA does not validate interface MTU when setting MSS | 16.0.0, 15.1.3, 14.1.4 |
799001-3 | 3-Major | BT799001 | Sflow agent does not handle disconnect from SNMPD manager correctly | 16.1.0, 15.1.3, 14.1.4 |
787885-1 | 3-Major | BT787885 | The device status is falsely showing as forced offline on the network map while actual device status is not. | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
759596-2 | 3-Major | BT759596 | Tcl errors in iRules 'table' command | 15.0.0, 14.1.4, 13.1.3.6, 12.1.5.3 |
754132-2 | 3-Major | BT754132 | A NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command | 15.0.0, 14.1.4, 13.1.3.6 |
751448-1 | 3-Major | BT751448 | TMM, ZebOS, and Linux routing table may lose dynamic routes on a tmm restart | 15.0.0, 14.1.4 |
751021-1 | 3-Major | BT751021 | One or more TMM instances may be left without dynamic routes. | 15.1.0, 14.1.4, 13.1.3.5 |
750194-4 | 3-Major | CVE-2018-18065: net-snmp security update | 15.0.0, 14.1.4, 13.1.3.5 | |
749007-2 | 3-Major | BT749007 | South Sudan is missing in the GTM region list | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
744252-2 | 3-Major | BT744252 | BGP route map community value: either component cannot be set to 65535 | 15.0.0, 14.1.4, 13.1.3.6 |
719555-5 | 3-Major | BT719555 | Interface listed as 'disable' after SFP insertion and enable | 16.0.0, 15.1.1, 14.1.4, 13.1.5 |
661640-1 | 3-Major | BT661640 | Improve fast failover of PIM-based multicast traffic when BIG-IP is deployed as an Active/Standby high availability (HA) pair. | 15.1.0, 14.1.4 |
615934-4 | 3-Major | BT615934 | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. | 16.1.0, 15.1.3, 14.1.4, 13.1.3.5 |
966277-3 | 4-Minor | BT966277 | BFD down on multi-blade system | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
959889-1 | 4-Minor | BT959889 | Cannot update firewall rule with ip-protocol property as 'any' | 16.1.0, 15.1.3, 14.1.4 |
947865-3 | 4-Minor | BT947865 | Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read | 16.1.0, 15.1.3, 14.1.4 |
774617-1 | 4-Minor | BT774617 | SNMP daemon reports integer truncation error for values greater than 32 bits | 16.0.0, 15.1.0.4, 14.1.4 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
926929-2 | 1-Blocking | BT926929 | RFC Compliance Enforcement lacks configuration availability | 16.1.0, 16.0.1.2, 15.1.2.1, 14.1.4, 13.1.4 |
910653-3 | 2-Critical | BT910653 | iRule parking in clientside/serverside command may cause tmm restart | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
889209-1 | 2-Critical | BT889209 | Sflow receiver configuration may lead to egress traffic dropped after TMM starts. | 16.0.0, 15.1.1, 14.1.4 |
882157-2 | 2-Critical | BT882157 | One thread of pkcs11d consumes 100% without any traffic. | 16.0.0, 15.1.3, 14.1.4 |
876801-3 | 2-Critical | BT876801 | Tmm crash: invalid route type | 16.0.0, 15.1.2, 14.1.4, 13.1.4 |
812525-3 | 2-Critical | K27551003, BT812525 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4 |
968641-1 | 3-Major | BT968641 | Fix for zero LACP priority | 16.0.1.2, 15.1.3, 14.1.4 |
965537 | 3-Major | BT965537 | SSL filter does not re-initialize when OCSP validator is modified | 14.1.4 |
953845-4 | 3-Major | BT953845 | After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.4, 12.1.6 |
944641-3 | 3-Major | BT944641 | HTTP2 send RST_STREAM when exceeding max streams | 16.1.0, 16.0.1.1, 15.1.4, 14.1.4 |
940209-1 | 3-Major | BT940209 | Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout. | 15.1.2, 14.1.4 |
932033-1 | 3-Major | BT932033 | Chunked response may have DATA frame with END_STREAM prematurely | 15.1.2, 14.1.4 |
928857-3 | 3-Major | BT928857 | Use of OCSP responder may leak X509 store instances | 16.1.0, 15.1.3, 14.1.4 |
928805-3 | 3-Major | BT928805 | Use of OCSP responder may cause memory leakage | 16.1.0, 15.1.3, 14.1.4 |
928789-3 | 3-Major | BT928789 | Use of OCSP responder may leak SSL handshake instances | 16.1.0, 15.1.3, 14.1.4 |
921881-4 | 3-Major | BT921881 | Use of IPFIX log destination can result in increased CPU utilization | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
892941-4 | 3-Major | K20105555, BT892941 | F5 SSL Orchestrator may fail to stop a malicious actor from exfiltrating data on a compromised client system (SNIcat) | 16.1.0, 16.0.1.1, 15.1.2, 14.1.4 |
889601-1 | 3-Major | K14903688, BT889601 | OCSP revocation not properly checked | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
889165-1 | 3-Major | BT889165 | "http_process_state_cx_wait" errors in log and connection reset | 16.1.0, 15.1.3, 14.1.4 |
868209-1 | 3-Major | BT868209 | Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection | 16.1.0, 15.1.2.1, 14.1.4 |
858701-3 | 3-Major | BT858701 | Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
858301-3 | 3-Major | K27551003, BT858301 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4, 12.1.5.2 |
858297-3 | 3-Major | K27551003, BT858297 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4, 12.1.5.2 |
858289-3 | 3-Major | K27551003, BT858289 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4 |
858285-3 | 3-Major | K27551003, BT858285 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4 |
845333-3 | 3-Major | BT845333 | An iRule with a proc referencing a datagroup cannot be assigned to Transport Config | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
818109-3 | 3-Major | BT818109 | Certain plaintext traffic may cause SSL Orchestrator to hang | 16.0.0, 15.1.2.1, 14.1.4 |
795501-3 | 3-Major | BT795501 | Possible SSL crash during config sync | 15.1.0, 14.1.4 |
790845-2 | 3-Major | BT790845 | An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default | 16.0.0, 15.1.2, 14.1.4, 13.1.3.5 |
785877-2 | 3-Major | BT785877 | VLAN groups do not bridge non-link-local multicast traffic. | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
767341-3 | 3-Major | BT767341 | If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file. | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
758099-1 | 3-Major | BT758099 | TMM may crash in busy environment when handling HTTP responses | 15.0.0, 14.1.4 |
757442-2 | 3-Major | BT757442 | A missed SYN cookie check causes crash at the standby TMM in HA mirroring system | 15.0.0, 14.1.4, 13.1.3 |
753383-4 | 3-Major | BT753383 | Deadlock While Attaching NDAL Devices | 15.1.0, 14.1.4 |
719304-1 | 3-Major | BT719304 | Inconsistent node ICMP monitor operation for IPv6 nodes | 15.0.0, 14.1.4, 13.1.3 |
714642-4 | 3-Major | BT714642 | Ephemeral pool-member state on the standby is down | 16.1.0, 16.0.1.1, 15.1.2, 14.1.4, 13.1.3.6 |
962177-3 | 4-Minor | BT962177 | Results of POLICY::names and POLICY::rules commands may be incorrect | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4, 13.1.4.1 |
804157-1 | 4-Minor | BT804157 | ICMP replies are forwarded with incorrect checksums causing them to be dropped | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
772297-2 | 4-Minor | BT772297 | LLDP-related option is reset to default for secondary blade's interface when the secondary blade is booted without a binary db or is a new blade | 15.1.0, 14.1.4 |
748333-4 | 4-Minor | BT748333 | DHCP Relay does not retain client source IP address for chained relay mode | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
743253-3 | 4-Minor | BT743253 | TSO in software re-segments L3 fragments. | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
738032-1 | 4-Minor | BT738032 | BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed. | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
960749-3 | 1-Blocking | BT960749 | TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.5, 12.1.6, 11.6.5.3 |
933405-3 | 1-Blocking | K34257075, BT933405 | Zonerunner GUI hangs when attempting to list Resource Records | 16.1.0, 16.0.1.1, 15.1.4.1, 14.1.4 |
960437-3 | 2-Critical | BT960437 | The BIG-IP system may initially fail to resolve some DNS queries | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.5, 12.1.6, 11.6.5.3 |
905557-6 | 2-Critical | BT905557 | Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure | 16.0.0, 15.1.2, 14.1.4, 13.1.5 |
921625-4 | 3-Major | BT921625 | The certs extend function does not work for GTM/DNS sync group | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6 |
891093-3 | 3-Major | BT891093 | iqsyncer does not handle stale pidfile | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
858973-3 | 3-Major | BT858973 | DNS request matches less specific WideIP when adding new wildcard wideips | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
885869-4 | 4-Minor | BT885869 | Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime | 16.0.0, 15.1.5.1, 14.1.4 |
853585-2 | 4-Minor | BT853585 | REST Wide IP object presents an inconsistent lastResortPool value | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.6 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
846057-2 | 2-Critical | BT846057 | UCS backup archive may include unnecessary files | 16.0.0, 15.1.3, 14.1.4, 13.1.4 |
960369-3 | 3-Major | BT960369 | Negative value suggested in Traffic Learning as max value | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
941621-3 | 3-Major | K91414704, BT941621 | Brute Force breaks server's Post-Redirect-Get flow | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.4 |
929077-1 | 3-Major | BT929077 | Bot Defense allow list does not apply when using default Route Domain and XFF header | 17.0.0, 16.1.4, 16.0.1.1, 15.1.3, 14.1.4 |
921677-4 | 3-Major | BT921677 | Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI. | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
904053-4 | 3-Major | BT904053 | Unable to set ASM Main Cookie/Domain Cookie hashing to Never | 16.1.0, 16.0.1.1, 15.1.2, 14.1.4, 13.1.3.6 |
867373-2 | 3-Major | BT867373 | Methods Missing From ASM Policy | 16.0.0, 15.1.3, 14.1.4 |
864677-3 | 3-Major | BT864677 | ASM causes high mcpd CPU usage | 16.0.0, 15.1.3, 14.1.4 |
964897-4 | 4-Minor | BT964897 | Live Update - Indication of "Update Available" when there is no available update | 17.0.0, 16.0.1.2, 15.1.3, 14.1.4 |
935293-3 | 4-Minor | BT935293 | 'Detected Violation' Field for event logs not showing | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.5 |
922785-4 | 4-Minor | BT922785 | Live Update scheduled installation is not installing on set schedule | 17.0.0, 16.0.1.2, 15.1.3, 14.1.4 |
767941-1 | 4-Minor | BT767941 | Gracefully handle policy builder errors | 15.1.0, 14.1.4, 13.1.3.6 |
758336-3 | 4-Minor | BT758336 | Incorrect recommendation in Online Help of Proactive Bot Defense | 16.1.0, 15.1.2.1, 14.1.4, 13.1.1.5, 12.1.5 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
965581 | 2-Critical | BT965581 | Statistics are not reported to BIG-IQ | 17.1.0, 15.1.4, 14.1.4 |
949593-2 | 3-Major | BT949593 | Unable to load config if AVR widgets were created under '[All]' partition★ | 17.0.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
743826-1 | 3-Major | BT743826 | Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0) | 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6 |
648242-4 | 3-Major | K73521040, BT648242 | Administrator users unable to access all partition via TMSH for AVR reports | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 14.0.0.5, 13.1.0.8, 12.1.3.2 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
894565-2 | 2-Critical | BT894565 | Autodosd.default crash with SIGFPE | 16.0.0, 15.1.3, 14.1.4 |
976501-3 | 3-Major | BT976501 | Failed to establish VPN connection | 16.1.0, 15.1.3, 14.1.4, 13.1.3.6 |
952557-1 | 3-Major | BT952557 | Azure B2C Provider OAuth URLs are updated for B2Clogin.com | 16.1.0, 15.1.3, 14.1.4 |
925573-3 | 3-Major | BT925573 | SIGSEGV: receiving a sessiondb callback response after the flow is aborted | 15.1.3, 14.1.4 |
916969-2 | 3-Major | BT916969 | Support of Microsoft Identity 2.0 platform | 16.1.0, 15.1.3, 14.1.4 |
892937-4 | 3-Major | K20105555, BT892937 | F5 SSL Orchestrator may fail to stop a malicious actor from exfiltrating data on a compromised client system (SNIcat) | 16.1.0, 16.0.1, 15.1.1, 14.1.4 |
850277-3 | 3-Major | BT850277 | Memory leak when using OAuth | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4, 13.1.3.4 |
774301-4 | 3-Major | BT774301 | Verification of SAML Requests/Responses digest fails when SAML content uses exclusive XML canonicalization and it contains InclusiveNamespaces with #default in PrefixList | 15.1.0, 15.0.1.3, 14.1.4, 12.1.5 |
709126-1 | 3-Major | BT709126 | Localdb authentication may fail | 15.0.0, 14.1.4 |
833049-2 | 4-Minor | BT833049 | Category lookup tool in GUI may not match actual traffic categorization | 16.0.0, 15.1.2, 14.1.4, 13.1.3.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
952545-3 | 3-Major | BT952545 | 'Current Sessions' statistics of HTTP2 pool may be incorrect | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
939529-3 | 3-Major | BT939529 | Branch parameter not parsed properly when topmost via header received with comma separated values | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
913373-3 | 3-Major | BT913373 | No connection error after failover with MRF, and no connection mirroring | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
969509-3 | 3-Major | BT969509 | Possible memory corruption due to DOS vector reset | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
965617-1 | 3-Major | BT965617 | HSB mitigation is not applied on BDoS signature with stress-based mitigation mode | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
963237-1 | 3-Major | BT963237 | Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector. | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
910417-3 | 3-Major | BT910417 | TMM core may be seen when reattaching a vector to a DoS profile | 16.1.0, 16.0.1.2, 15.1.2, 14.1.4 |
903561-2 | 3-Major | BT903561 | Autodosd returns small bad destination detection value when the actual traffic is high | 16.0.0, 15.1.3, 14.1.4 |
887017-2 | 3-Major | BT887017 | The dwbld daemon consumes a large amount of memory | 16.0.0, 15.1.3, 14.1.4 |
840809-1 | 3-Major | BT840809 | If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged | 16.0.0, 15.1.2, 14.1.4 |
837233-1 | 3-Major | BT837233 | Application Security Administrator user role cannot use GUI to manage DoS profile | 16.0.0, 15.1.3, 14.1.4 |
819321-1 | 3-Major | BT819321 | DoS stats table shows drops count on tcp-half-open global vector for packets dropped by ltm syn cookie | 15.1.0, 14.1.4 |
789857-1 | 3-Major | BT789857 | "TCP half open' reports drops made by LTM syn-cookies mitigation. | 15.1.1, 14.1.4 |
773773-2 | 3-Major | BT773773 | DoS auto-threshold detection values are not reloaded correctly after a reboot. | 15.1.0, 14.1.4 |
760497-1 | 3-Major | BT760497 | Invalid configuration parameters are visible when Dos Vector is in "Auto Detection/Multiplier Based Mitigation" | 15.0.0, 14.1.4 |
759004-2 | 3-Major | BT759004 | Autodosd history files not loaded correctly after software upgrade★ | 15.1.0, 14.1.4 |
753141-2 | 3-Major | BT753141 | Hardware returning incorrect type of entry when notifying software might cause tmm crash | 15.0.0, 14.1.4 |
686043-1 | 3-Major | BT686043 | dos.maxicmpframesize and dos.maxicmp6framesize sys db variables does not work for fragmented ICMP packets | 15.1.0, 14.1.4 |
967889-2 | 4-Minor | BT967889 | Incorrect information for custom signature in DoS Protection:DoS Overview (non-http) | 16.1.0, 15.1.3, 14.1.4 |
748561-1 | 4-Minor | BT748561 | Network Firewall : Active Rules page does not list active rule entries for firewall policies associated with any context | 16.0.0, 15.1.3, 14.1.4 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
845313 | 2-Critical | BT845313 | Tmm crash under heavy load | 16.0.0, 15.1.2.1, 14.1.4 |
941169-1 | 3-Major | BT941169 | Subscriber Management is not working properly with IPv6 prefix flows. | 16.1.0, 15.1.2.1, 14.1.4 |
875401-3 | 3-Major | BT875401 | PEM subcriber lookup can fail for internet side new connections | 16.0.0, 15.1.2.1, 14.1.4 |
842989-7 | 3-Major | BT842989 | PEM: tmm could core when running iRules on overloaded systems | 16.1.0, 15.1.2, 14.1.4 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
928553-1 | 2-Critical | BT928553 | LSN64 with hairpinning can lead to a tmm core in rare circumstances | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
966681-2 | 3-Major | BT966681 | NAT translation failures while using SP-DAG in a multi-blade chassis | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
943889-1 | 2-Critical | BT943889 | Reopening the publisher after a failed publishing attempt | 14.1.4, 13.1.3.5 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
932737-1 | 2-Critical | BT932737 | DNS & BADOS high-speed logger messages are mixed | 16.0.1.2, 15.1.3, 14.1.4 |
922597-1 | 3-Major | BT922597 | BADOS default sensitivity of 50 creates false positive attack on some sites | 16.1.0, 15.1.3, 14.1.4 |
915489-1 | 4-Minor | BT915489 | LTM Virtual Server Health is not affected by iRule Requests dropped | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
768085-3 | 4-Minor | BT768085 | Error in python script /usr/libexec/iAppsLX_save_pre line 79 | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
964585-4 | 3-Major | BT964585 | "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
825501-1 | 3-Major | BT825501 | IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.★ | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
Cumulative fixes from BIG-IP v14.1.3.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
950077-3 | CVE-2021-22987, CVE-2021-22988 | K18132488 K70031188, BT950077 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
943125-3 | CVE-2021-23010 | K18570111, BT943125 | ASM bd may crash while processing WebSocket traffic | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
941449-4 | CVE-2021-22993 | K55237223, BT941449 | BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
935029-1 | CVE-2020-27720 | K04048104, BT935029 | TMM may crash while processing IPv6 NAT traffic | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
932065-3 | CVE-2021-22978 | K87502622, BT932065 | iControl REST vulnerability CVE-2021-22978 | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
931513-2 | CVE-2021-22977 | K14693346, BT931513 | TMM vulnerability CVE-2021-22977 | 16.1.0, 16.0.1.1, 15.1.1, 14.1.3.1, 13.1.3.6 |
928321-3 | CVE-2020-27719 | K19166530, BT928321 | K19166530: XSS vulnerability CVE-2020-27719 | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
921337-3 | CVE-2021-22976 | K88230177, BT921337 | BIG-IP ASM WebSocket vulnerability CVE-2021-22976 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
917509-5 | CVE-2020-27718 | K58102101, BT917509 | BIG-IP ASM vulnerability CVE-2020-27718 | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
916821-4 | CVE-2021-22974 | K68652018, BT916821 | iControl REST vulnerability CVE-2021-22974 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6 |
908673-3 | CVE-2020-27717 | K43850230, BT908673 | TMM may crash while processing DNS traffic | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
904165-3 | CVE-2020-27716 | K51574311, BT904165 | BIG-IP APM vulnerability CVE-2020-27716 | 16.0.0, 15.1.1, 14.1.3.1, 13.1.5 |
882189-5 | CVE-2020-5897 | K20346072, BT882189 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5897 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5 |
882185-5 | CVE-2020-5897 | K20346072, BT882185 | BIG-IP Edge Client Windows ActiveX | 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.2 |
881317-4 | CVE-2020-5896 | K15478554, BT881317 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5 |
881293-5 | CVE-2020-5896 | K15478554, BT881293 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5 |
754855-2 | CVE-2020-27714 | K60344652, BT754855 | TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile | 16.0.0, 15.1.1, 14.1.3.1, 13.1.4 |
939845-3 | CVE-2021-23004 | K31025212, BT939845 | BIG-IP MPTCP vulnerability CVE-2021-23004 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
939841-3 | CVE-2021-23003 | K43470422, BT939841 | BIG-IP MPTCP vulnerability CVE-2021-23003 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
928037-3 | CVE-2020-27729 | K15310332, BT928037 | APM Hardening | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
919841-1 | CVE-2020-27728 | K45143221, BT919841 | AVRD may crash while processing Bot Defense traffic | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
912969-4 | CVE-2020-27727 | K50343630, BT912969 | iAppsLX REST vulnerability CVE-2020-27727 | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
905125-3 | CVE-2020-27726 | K30343902, BT905125 | Security hardening for APM Webtop | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
904937-4 | CVE-2020-27725 | K25595031, BT904937 | Excessive resource consumption in zxfrd | 16.0.0, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
898949-3 | CVE-2020-27724 | K04518313, BT898949 | APM may consume excessive resources while processing VPN traffic | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.3.1, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
881445-5 | CVE-2020-5898 | K69154630, BT881445 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5898 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.2 |
880361-3 | CVE-2021-22973 | K13323323, BT880361 | iRules LX vulnerability CVE-2021-22973 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
842829-3 | CVE-2018-16300 CVE-2018-14881 CVE-2018-14882 CVE-2018-16230 CVE-2018-16229 CVE-2018-16227 CVE-2019-15166 CVE-2018-16228 CVE-2018-16451 CVE-2018-16452 CVE-2018-10103 CVE-2018-10105 CVE-2018-14468 | K04367730, BT842829 | Multiple tcpdump vulnerabilities | 16.0.0, 15.1.3, 14.1.3.1, 13.1.4.1 |
842717-4 | CVE-2020-5855 | K55102004, BT842717 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5855 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
832757-5 | CVE-2017-18551 | K48073202, BT832757 | Linux kernel vulnerability CVE-2017-18551 | 15.1.3, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
831777-3 | CVE-2020-27723 | K42933418, BT831777 | Tmm crash in Ping access use case | 15.1.0, 14.1.3.1, 13.1.3.5 |
811965-2 | CVE-2020-27722 | K73657294, BT811965 | Some VDI use cases can cause excessive resource consumption | 15.1.0, 15.0.1.4, 14.1.3.1, 13.1.3.5 |
778049-4 | CVE-2018-13405 | K00854051, BT778049 | Linux Kernel Vulnerability: CVE-2018-13405 | 16.1.0, 16.0.1, 15.1.1, 15.0.1.4, 14.1.3.1, 13.1.3.5 |
693360-4 | CVE-2020-27721 | K52035247, BT693360 | A virtual server status changes to yellow while still available | 16.1.0, 16.0.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
639773-1 | CVE-2021-22983 | K76518456 | BIG-IP AFM vulnerability CVE-2021-22983 | 16.0.1, 15.1.1, 14.1.3.1 |
852929-7 | CVE-2020-5920 | K25160703, BT852929 | AFM WebUI Hardening | 16.0.0, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.2, 11.6.5.2 |
825413-2 | CVE-2021-23053 | K36942191, BT825413 | ASM may consume excessive resources when matching signatures | 16.0.0, 15.1.3, 14.1.3.1, 13.1.3.6 |
818213-2 | CVE-2019-10639 | K32804955, BT818213 | CVE-2019-10639: KASLR bypass using connectionless protocols | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
773693-5 | CVE-2020-5892 | K15838353, BT773693 | CVE-2020-5892: APM Client Vulnerability | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 11.6.5.2 |
834533-2 | CVE-2019-15916 | K57418558, BT834533 | Linux kernel vulnerability CVE-2019-15916 | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
920961-3 | 3-Major | BT920961 | Devices incorrectly report 'In Sync' after an incremental sync | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
756139-1 | 3-Major | BT756139 | Inconsistent logging of hostname files when hostname contains periods | 16.0.1.1, 15.1.2, 14.1.3.1 |
921421-1 | 4-Minor | BT921421 | iRule support to get/set UDP's Maximum Buffer Packets | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
809553 | 1-Blocking | BT809553 | ONAP Licensing - Cipher negotiation fails | 15.1.0, 14.1.3.1 |
957337-4 | 2-Critical | BT957337 | Tab complete in 'mgmt' tree is broken | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
954025 | 2-Critical | BT954025 | "switchboot -b HD1.1" fails to reboot chassis | 14.1.3.1 |
933409-4 | 2-Critical | BT933409 | Tomcat upgrade via Engineering Hotfix causes live-update files removal★ | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
927033-1 | 2-Critical | BT927033 | Installer fails to calculate disk size of destination volume★ | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
910201-1 | 2-Critical | BT910201 | OSPF - SPF/IA calculation scheduling might get stuck infinitely | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5 |
896217-4 | 2-Critical | BT896217 | BIG-IP GUI unresponsive | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
860517-3 | 2-Critical | BT860517 | MCPD may crash on startup with many thousands of monitors on a system with many CPUs. | 16.0.0, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
829277-1 | 2-Critical | BT829277 | A Large /config folder can cause memory exhaustion during live-install★ | 16.0.0, 15.1.2.1, 14.1.3.1 |
796601-4 | 2-Critical | BT796601 | Invalid parameter in errdefsd while processing hostname db_variable | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5 |
787285 | 2-Critical | BT787285 | Configuration fails to load after install of v14.1.0 or v14.1.2 on BIG-IP 800★ | 14.1.3.1 |
770989 | 2-Critical | BT770989 | Observed '/shared/lib/rpm' RPM database corruption on B4450 blades and iSeries platforms installing 14.1.x.★ | 14.1.3.1, 13.1.3.5 |
769817-3 | 2-Critical | BT769817 | BFD fails to propagate sessions state change during blade restart | 15.1.0, 15.0.1.4, 14.1.3.1, 13.1.3.5, 12.1.5.3, 11.6.5.1 |
706521-4 | 2-Critical | K21404407, BT706521 | The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
934941-3 | 3-Major | BT934941 | Platform FIPS power-up self test failures not logged to console | 16.1.0, 15.1.3, 14.1.3.1 |
930741-1 | 3-Major | BT930741 | Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot | 16.1.0, 15.1.2, 14.1.3.1, 13.1.3.6 |
920301-2 | 3-Major | BT920301 | Unnecessarily high number of JavaScript Obfuscator instances when device is busy | 15.1.2, 14.1.3.1 |
915825-4 | 3-Major | BT915825 | Configuration error caused by Drafts folder in a deleted custom partition while upgrading. | 16.1.0, 15.1.1, 14.1.3.1, 13.1.3.5 |
915497-3 | 3-Major | BT915497 | New Traffic Class Page shows multiple question marks. | 16.1.0, 16.0.1.1, 15.1.0.5, 14.1.3.1 |
911809-1 | 3-Major | BT911809 | TMM might crash when sending out oversize packets. | 16.0.0, 15.1.2, 14.1.3.1 |
908021-2 | 3-Major | BT908021 | Management and VLAN MAC addresses are identical | 16.1.0, 15.1.3, 14.1.3.1, 13.1.3.5 |
904845-3 | 3-Major | BT904845 | VMware guest OS customization works only partially in a dual stack environment. | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
902401-3 | 3-Major | BT902401 | OSPFd SIGSEGV core when 'ospf clear' is done on remote device | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
898705-3 | 3-Major | BT898705 | IPv6 static BFD configuration is truncated or missing | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5 |
898461-4 | 3-Major | BT898461 | Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context' | 16.1.0, 16.0.1.1, 15.1.1, 14.1.3.1 |
889041-1 | 3-Major | BT889041 | Failover scripts fail to access resolv.conf due to permission issues | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
886689-4 | 3-Major | BT886689 | Generic Message profile cannot be used in SCTP virtual | 16.1.0, 16.0.1, 15.1.1, 15.0.1.4, 14.1.3.1 |
867181-3 | 3-Major | BT867181 | ixlv: double tagging is not working | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6 |
865241-3 | 3-Major | BT865241 | Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0" | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6 |
865177-2 | 3-Major | BT865177 | Cert-LDAP returning only first entry in the sequence that matches san-other oid | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1 |
860317-1 | 3-Major | BT860317 | JavaScript Obfuscator can hang indefinitely | 16.0.0, 15.1.2, 14.1.3.1 |
851733-1 | 3-Major | BT851733 | Tcpdump messages (warning, error) are sent to stdout instead of stderr | 16.0.0, 14.1.3.1 |
850777-1 | 3-Major | BT850777 | BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config | 16.0.0, 15.1.1, 14.1.3.1 |
846441-1 | 3-Major | BT846441 | Flow-control is reset to default for secondary blade's interface | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5 |
846137-3 | 3-Major | BT846137 | The icrd returns incorrect route names in some cases | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5 |
843597-3 | 3-Major | BT843597 | Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6 |
829193-2 | 3-Major | BT829193 | REST system unavailable due to disk corruption | 16.0.0, 15.1.0.4, 14.1.3.1, 13.1.3.6 |
826905-1 | 3-Major | BT826905 | Host traffic via IPv6 route pool uses incorrect source address | 16.0.0, 15.1.2, 14.1.3.1 |
806073-3 | 3-Major | BT806073 | MySQL monitor fails to connect to MySQL Server v8.0 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1 |
795649-3 | 3-Major | BT795649 | Loading UCS from one iSeries model to another causes FPGA to fail to load | 16.0.0, 15.1.0.3, 14.1.3.1, 13.1.3.5, 12.1.5.2 |
788577-4 | 3-Major | BT788577 | BFD sessions may be reset after CMP state change | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.2, 11.6.5.2 |
783113-4 | 3-Major | BT783113 | BGP sessions remain down upon new primary slot election | 15.1.0, 15.0.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3, 11.6.5.2 |
767737-2 | 3-Major | BT767737 | Timing issues during startup may make an HA peer stay in the inoperative state | 16.0.0, 15.1.2.1, 14.1.3.1, 13.1.3.5 |
755197-3 | 3-Major | BT755197 | UCS creation might fail during frequent config save transactions | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5 |
754971-2 | 3-Major | BT754971 | OSPF inter-process redistribution might break OSPF route redistribution of various types. | 15.0.0, 14.1.3.1, 13.1.3.5 |
751584-1 | 3-Major | BT751584 | Custom MIB actions can be blocked by SELINUX permissions | 15.0.0, 14.1.3.1 |
740589-1 | 3-Major | BT740589 | MCPD crashes with core after 'tmsh edit /sys syslog all-properties' | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
737098-2 | 3-Major | BT737098 | ASM Sync does not work when the configsync IP address is an IPv6 address | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5 |
652502-3 | 3-Major | BT652502 | SNMP queries return 'No Such Object available' error for LTM OIDs | 15.0.0, 14.1.3.1, 13.1.1.4 |
933461-3 | 4-Minor | BT933461 | BGP multi-path candidate selection does not work properly in all cases. | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
924429-3 | 4-Minor | BT924429 | Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
892677-4 | 4-Minor | BT892677 | Loading config file with imish adds the newline character | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6 |
882713-1 | 4-Minor | BT882713 | BGP SNMP trap has the wrong sysUpTime value | 16.0.0, 15.1.2, 14.1.3.1 |
864757-2 | 4-Minor | BT864757 | Traps that were disabled are enabled after configuration save | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
722230-3 | 4-Minor | BT722230 | Cannot delete FQDN template node if another FQDN node resolves to same IP address | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.3.1, 13.1.3.4, 12.1.5.2 |
591732-5 | 4-Minor | BT591732 | Local password policy not enforced when auth source is set to a remote type. | 15.1.0, 15.0.1.4, 14.1.3.1, 13.1.3.5, 12.1.5.1 |
583084-8 | 4-Minor | K15101680, BT583084 | iControl produces 404 error while creating records successfully | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5 |
849085-3 | 5-Cosmetic | BT849085 | Lines with only asterisks filling message and user.log file | 16.0.0, 15.1.1, 14.1.3.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
941089 | 2-Critical | BT941089 | TMM core when using Multipath TCP | 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
911041-2 | 2-Critical | BT911041 | Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash | 16.1.0, 16.0.1.2, 15.1.2.1, 14.1.3.1 |
891849-2 | 2-Critical | BT891849 | Running iRule commands while suspending iRule commands that are running can lead to a crash | 16.1.0, 14.1.3.1 |
879409-2 | 2-Critical | BT879409 | TMM core with mirroring traffic due to unexpected interface name length | 16.0.0, 15.1.1, 14.1.3.1 |
851857-3 | 2-Critical | BT851857 | HTTP 100 Continue handling does not work when it arrives in multiple packets | 16.0.0, 15.1.1, 14.1.3.1, 13.1.3.5 |
851345-2 | 2-Critical | BT851345 | The TMM may crash in certain rare scenarios involving HTTP/2 | 16.0.0, 15.1.2, 14.1.3.1 |
850873-1 | 2-Critical | BT850873 | LTM global SNAT sets TTL to 255 on egress. | 16.0.0, 15.1.2, 14.1.3.1 |
824881-2 | 2-Critical | BT824881 | A rare TMM crash cause by the fix for ID 816625 | 15.1.0, 15.0.1.1, 14.1.3.1 |
811161-1 | 2-Critical | BT811161 | Tmm crash SIGSEGV - virtual_address_update() in ../mcp/db_vip.c:1992 | 15.1.0, 14.1.3.1 |
766509-1 | 2-Critical | BT766509 | Strict internal checking might cause tmm crash | 15.0.0, 14.1.3.1 |
705768-1 | 2-Critical | BT705768 | The dynconfd process may core and restart with multiple DNS name servers configured | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.2 |
951033-2 | 3-Major | BT951033 | Virtual server resets all the connections for rstcause 'VIP disabled (administrative)' | 15.1.0, 14.1.3.1, 13.1.3.5 |
949145-4 | 3-Major | BT949145 | Improve TCP's response to partial ACKs during loss recovery | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
948757-3 | 3-Major | BT948757 | A snat-translation address responds to ARP requests but not to ICMP ECHO requests. | 16.1.0, 16.0.1, 15.1.2, 14.1.3.1 |
915689-4 | 3-Major | BT915689 | HTTP/2 dynamic header table may fail to identify indexed headers on the response side. | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
915605-1 | 3-Major | K56251674, BT915605 | Image install fails if iRulesLX is provisioned and /usr mounted read-write★ | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5 |
913249-4 | 3-Major | BT913249 | Restore missing UDP statistics | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
901929-4 | 3-Major | BT901929 | GARPs not sent on virtual server creation | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
892385-2 | 3-Major | BT892385 | HTTP does not process WebSocket payload when received with server HTTP response | 16.1.0, 16.0.1, 15.1.1, 15.0.1.4, 14.1.3.1, 13.1.3.5 |
879413-3 | 3-Major | BT879413 | Statsd fails to start if one or more of its *.info files becomes corrupted | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
862597-5 | 3-Major | BT862597 | Improve MPTCP's SYN/ACK retransmission handling | 16.0.0, 15.1.0.2, 14.1.3.1, 13.1.3.5 |
860005-3 | 3-Major | BT860005 | Ephemeral nodes/pool members may be created for wrong FQDN name | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.2 |
857845-6 | 3-Major | BT857845 | TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6 |
851477-3 | 3-Major | BT851477 | Memory allocation failures during proxy initialization are ignored leading to TMM cores | 16.0.0, 15.1.1, 14.1.3.1 |
851045-3 | 3-Major | BT851045 | LTM database monitor may hang when monitored DB server goes down | 16.0.0, 15.1.1, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
850145-3 | 3-Major | BT850145 | Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed | 16.0.0, 15.1.2, 14.1.3.1 |
823921-2 | 3-Major | BT823921 | FTP profile causes memory leak | 15.1.0, 14.1.3.1 |
820333-3 | 3-Major | BT820333 | LACP working member state may be inconsistent when blade is forced offline | 16.0.0, 15.1.2, 14.1.3.1 |
819329-2 | 3-Major | BT819329 | Specific FIPS device errors will not trigger failover | 16.1.0, 16.0.1.2, 15.1.4, 14.1.3.1, 13.1.5 |
818853-3 | 3-Major | BT818853 | Duplicate MAC entries in FDB | 16.0.0, 15.1.0.2, 14.1.3.1, 13.1.3.5 |
809701-2 | 3-Major | BT809701 | Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist | 16.0.0, 15.1.2, 15.0.1.3, 14.1.3.1 |
805017-2 | 3-Major | BT805017 | DB monitor marks pool member down if no send/recv strings are configured | 15.1.0, 15.0.1.3, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
803233-3 | 3-Major | BT803233 | Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable | 16.1.0, 16.0.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.2 |
796993-1 | 3-Major | BT796993 | Ephemeral FQDN pool members status changes are not logged in /var/log/ltm logs | 15.1.0, 14.1.3.1, 13.1.3.4, 12.1.5.3 |
787853-2 | 3-Major | BT787853 | BIG-IP responds incorrectly to ICMP echo requests when virtual server flaps. | 15.1.0, 14.1.3.1 |
786517-3 | 3-Major | BT786517 | Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address | 16.0.0, 15.1.0.5, 14.1.3.1, 13.1.3.5 |
783617-1 | 3-Major | BT783617 | Virtual server resets connections when all pool members are marked disabled | 15.1.0, 14.1.3.1, 13.1.3.5 |
776229-2 | 3-Major | BT776229 | iRule 'pool' command no longer accepts pool members with ports that have a value of zero | 15.1.0, 14.1.3.1, 13.1.3.4 |
759480-3 | 3-Major | BT759480 | HTTP::respond or HTTP::redirect in LB_FAILED may result in TMM crash | 15.0.0, 14.1.3.1, 13.1.3.4, 12.1.5 |
759056-2 | 3-Major | BT759056 | stpd memory leak on secondary blades in a multi-blade system | 15.0.0, 14.1.3.1, 13.1.3.6 |
753805-3 | 3-Major | BT753805 | BIG-IP system failed to advertise virtual address even after the virtual address was in Available state. | 15.0.0, 14.1.3.1, 13.1.3.4, 12.1.5.3 |
753594-2 | 3-Major | BT753594 | In-TMM monitors may have duplicate instances or stop monitoring | 15.0.0, 14.1.3.1, 13.1.3 |
750278-4 | 3-Major | K25165813, BT750278 | A sub-second timeout for the SSL alert-timeout option may be desirable in certain cases | 15.1.0, 15.0.1.3, 14.1.3.1 |
745682-1 | 3-Major | BT745682 | Failed to parse X-Forwarded-For header in HTTP requests | 15.0.0, 14.1.3.1, 13.1.3.6 |
724824-3 | 3-Major | BT724824 | Ephemeral nodes on peer devices report as unknown and unchecked after full config sync | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
722707-2 | 3-Major | BT722707 | mysql monitor debug logs incorrectly report responses from 'DB' when packets dropped by firewall | 15.0.0, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
720440-4 | 3-Major | BT720440 | Radius monitor marks pool members down after 6 seconds | 16.0.0, 15.1.0.5, 14.1.3.1, 13.1.3.6, 12.1.5.2 |
718790-1 | 3-Major | BT718790 | Virtual server reports unavailable and resets connection erroneously. | 15.1.0, 14.1.3.1 |
710930-3 | 3-Major | BT710930 | Enabling BigDB key bigd.tmm may cause SSL monitors to fail | 15.1.0, 14.1.3.1, 13.1.3.5 |
935593-3 | 4-Minor | BT935593 | Incorrect SYN re-transmission handling with FastL4 timestamp rewrite | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.5 |
932937-3 | 4-Minor | BT932937 | HTTP Explicit Proxy configurations can result in connections hanging until idle timeout. | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
895153-2 | 4-Minor | BT895153 | HTTP::has_responded returns incorrect values when using HTTP/2 | 15.1.2, 14.1.3.1 |
895141 | 4-Minor | BT895141 | HTTP::has_responded returns incorrect values when using HTTP/2 | 14.1.3.1 |
822025-2 | 4-Minor | BT822025 | HTTP response not forwarded to client during an early response | 15.1.0.2, 15.0.1.4, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
808409-3 | 4-Minor | BT808409 | Unable to specify if giaddr will be modified in DHCP relay chain | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
801705-4 | 4-Minor | BT801705 | When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC | 16.0.0, 15.1.5.1, 14.1.3.1, 13.1.3.6 |
781225-2 | 4-Minor | BT781225 | HTTP profile Response Size stats incorrect for keep-alive connections | 15.1.0, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
726983-2 | 4-Minor | BT726983 | Inserting multi-line HTTP header not handled correctly | 15.0.0, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
859717-3 | 5-Cosmetic | BT859717 | ICMP-limit-related warning messages in /var/log/ltm | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
919553-3 | 2-Critical | BT919553 | GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets. | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
837637-2 | 2-Critical | K02038650, BT837637 | Orphaned bigip_gtm.conf can cause config load failure after upgrading★ | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
788465-2 | 2-Critical | BT788465 | DNS cache idx synced across HA group could cause tmm crash | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
926593-3 | 3-Major | BT926593 | GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout' | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
852101-3 | 3-Major | BT852101 | Monitor fails. | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6 |
844689-3 | 3-Major | BT844689 | Possible temporary CPU usage increase with unusually large named.conf file | 16.0.0, 15.1.2, 14.1.3.1 |
781829-1 | 3-Major | BT781829 | GTM TCP monitor does not check the RECV string if server response string not ending with \n | 15.1.0, 14.1.3.1, 13.1.3.5 |
644192-4 | 3-Major | K23022557, BT644192 | Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.5, 11.6.5.3 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
940249-3 | 2-Critical | BT940249 | Sensitive data is not masked after "Maximum Array/Object Elements" is reached | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.6, 11.6.5.3 |
927617-3 | 2-Critical | BT927617 | 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
941853-2 | 3-Major | BT941853 | Logging Profiles do not disassociate from virtual server when multiple changes are made | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
940897-2 | 3-Major | BT940897 | Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.6 |
893061-1 | 3-Major | BT893061 | Out of memory for restjavad | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
884425-1 | 3-Major | BT884425 | Creation of new allowed HTTP URL is not possible | 16.0.0, 15.1.3, 14.1.3.1 |
868053-1 | 3-Major | BT868053 | Live Update service indicates update available when the latest update was already installed | 16.0.0, 15.1.3, 14.1.3.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
910097-3 | 2-Critical | BT910097 | Changing per-request policy while tmm is under traffic load may drop heartbeats | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
896709-2 | 2-Critical | BT896709 | Add support for Restart Desktop for webtop in VMware VDI | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1, 13.1.3.6 |
760130-3 | 2-Critical | BT760130 | [APM] Memory leak when PingAccess encounters error after sending traffic data to PingAccess SDK | 15.0.0, 14.1.3.1, 13.1.3 |
748572-2 | 2-Critical | BT748572 | Occasionally ramcache might crash when data is sent without the corresponding event. | 15.0.0, 14.1.3.1 |
924929-1 | 3-Major | BT924929 | Logging improvements for VDI plugin | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1, 13.1.3.6 |
914649-2 | 3-Major | BT914649 | Support USB redirection through VVC (VMware virtual channel) with BlastX | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6 |
771961-1 | 3-Major | BT771961 | While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core | 16.0.0, 15.1.1, 14.1.3.1 |
760629-3 | 3-Major | BT760629 | Remove Obsolete APM keys in BigDB | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
759356-2 | 3-Major | BT759356 | Access session data cache might leak if there are multiple TMMs | 15.1.0, 14.1.3.1 |
747020-1 | 3-Major | BT747020 | Requests that evaluate to same subsession can be processed concurrently | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
739570-3 | 3-Major | BT739570 | Unable to install EPSEC package★ | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
904373-1 | 3-Major | BT904373 | MRF GenericMessage: Implement limit to message queues size | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.3.1 |
891385-4 | 3-Major | BT891385 | Add support for URI protocol type "urn" in MRF SIP load balancing | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
924349-1 | 4-Minor | DIAMETER MRF is not compliance with RFC 6733 for Host-ip-Address AVP over SCTP | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
938165-2 | 2-Critical | BT938165 | TMM Core after attempted update of IP geolocation database file | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
747225-1 | 2-Critical | BT747225 | PCCD may get into crash-loop after BIG-IP upgrade or after BIG-IP restart | 15.0.0, 14.1.3.1 |
872645 | 3-Major | BT872645 | Protected Object Aggregate stats are causing elevated CPU usage | 16.0.0, 15.1.1, 14.1.3.1 |
813301 | 3-Major | BT813301 | LSN_PB_UPDATE logs are not generated when subscriber info changes | 15.1.0, 14.1.3.1 |
781425 | 3-Major | BT781425 | Firewall rule list configuration causes config load failure | 15.1.0, 14.1.3.1 |
920361-4 | 4-Minor | BT920361 | Standby device name sent in Traffic Statistics syslog/Splunk messages | 16.1.0, 15.1.1, 14.1.3.1 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
783289-1 | 2-Critical | BT783289 | PEM actions not applied in VE bigTCP. | 15.1.0, 14.1.3.1, 13.1.3.5 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
815001-1 | 2-Critical | BT815001 | TMM Crash with inbound traffic during high availability (HA) failover | 15.1.0, 14.1.3.1 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
940401-3 | 5-Cosmetic | BT940401 | Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection' | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
944785-1 | 3-Major | BT944785 | Admd restarting constantly. Out of memory due to loading malformed state file | 16.1.0, 16.0.1.2, 15.1.2, 14.1.3.1 |
923125-1 | 3-Major | BT923125 | Huge amount of admd processes caused oom | 16.1.0, 15.1.2, 14.1.3.1 |
818465-2 | 3-Major | BT818465 | Unnecessary memory allocation in AVR module | 15.1.0, 14.1.3.1 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
767613-2 | 3-Major | BT767613 | Restjavad can keep partially downloaded files open indefinitely | 15.1.0, 14.1.3.1, 13.1.3.5 |
Cumulative fixes from BIG-IP v14.1.3 that are included in this release
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
928029 | 2-Critical | BT928029 | Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis | 17.1.0, 15.1.4, 14.1.3 |
905849 | 3-Major | BT905849 | FastL4 UDP flows might not get offloaded to hardware | 14.1.3 |
829317-6 | 3-Major | BT829317 | Memory leak in icrd_child due to concurrent REST usage | 16.0.0, 15.1.0.2, 14.1.3.1, 14.1.3, 13.1.4 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
943101 | 2-Critical | BT943101 | Tmm crash in cipher group delete. | 17.1.0, 15.1.4, 14.1.3 |
934461 | 2-Critical | BT934461 | Connection error with server with TLS1.3 single-dh-use. | 17.1.0, 15.1.4, 14.1.3 |
915957 | 2-Critical | BT915957 | The wocplugin may get into a restart loop when AAM is provisioned | 15.1.2, 14.1.3 |
939209-3 | 3-Major | BT939209 | FIPS 140-2 SP800-56Arev3 compliance | 16.1.0, 14.1.3 |
930385 | 3-Major | BT930385 | SSL filter does not re-initialize when an OCSP object is modified | 17.1.0, 15.1.4, 14.1.3 |
921721-2 | 3-Major | BT921721 | FIPS 140-2 SP800-56Arev3 compliance | 16.1.0, 15.1.3, 14.1.3 |
809597-3 | 3-Major | BT809597 | Memory leak in icrd_child observed during REST usage | 16.0.0, 15.1.0.2, 14.1.3, 13.1.4 |
629787-1 | 3-Major | BT629787 | vCMP hypervisor version mismatch may cause connection mirroring problems. | 15.1.0, 14.1.3 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
934393 | 1-Blocking | BT934393 | APM authentication fails due to delay in sessionDB readiness | 17.1.0, 15.1.4, 14.1.3 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
697331-3 | 3-Major | BT697331 | Some TMOS tools for querying various DBs fail when only a single TMM is running | 16.0.0, 15.1.1, 14.1.3.1, 14.1.3 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
892621-2 | 3-Major | BT892621 | Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software | 16.0.0, 15.1.0.4, 14.1.3 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
927993-4 | 1-Blocking | K97501254, BT927993 | Built-in SSL Orchestrator RPM installation failure | 16.1.0, 16.0.1.1, 15.1.2, 14.1.4, 14.1.3, 13.1.3.6, 12.1.5.3 |
Cumulative fixes from BIG-IP v14.1.2.8 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
935721-4 | CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 | K82252291, BT935721 | ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 | 16.1.0, 16.0.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
933741-4 | CVE-2021-22979 | K63497634, BT933741 | BIG-IP FPS XSS vulnerability CVE-2021-22979 | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
911761-4 | CVE-2020-5948 | K42696541, BT911761 | F5 TMUI XSS vulnerability CVE-2020-5948 | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
879745-1 | CVE-2020-5942 | K82530456 | TMM may crash while processing Diameter traffic | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
917469-4 | CVE-2020-5946 | K53821711, BT917469 | TMM may crash while processing FPS traffic | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
910017-4 | CVE-2020-5945 | K21540525, BT910017 | Security hardening for the TMUI Interface page | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
907201-1 | CVE-2021-23039 | K66782293, BT907201 | TMM may crash when processing IPSec traffic | 16.1.0, 16.0.1.2, 15.1.3, 14.1.2.8, 13.1.5 |
889557-2 | CVE-2019-11358 | K20455158, BT889557 | jQuery Vulnerability CVE-2019-11358 | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.6, 11.6.5.3 |
870273-3 | CVE-2020-5936 | K44020030, BT870273 | TMM may consume excessive resources when processing SSL traffic | 16.0.0, 15.1.1, 14.1.2.8, 13.1.5, 12.1.5.2 |
856961-2 | CVE-2018-12207 | K17269881, BT856961 | INTEL-SA-00201 MCE vulnerability CVE-2018-12207 | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.8, 13.1.3.5 |
751036-1 | CVE-2020-27721 | K52035247, BT751036 | Virtual server status stays unavailable even after all the over-the-rate-limit connections are gone | 15.1.0, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
818177-4 | CVE-2019-12295 | K06725231, BT818177 | CVE-2019-12295 Wireshark Vulnerability | 16.0.0, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
717276-7 | CVE-2020-5930 | K20622530, BT717276 | TMM Route Metrics Hardening | 16.0.0, 15.1.0.5, 14.1.2.8, 13.1.3.4, 12.1.5.3, 11.6.5.3 |
858537-3 | CVE-2019-1010204 | K05032915, BT858537 | CVE-2019-1010204: Binutilis Vulnerability | 16.0.0, 15.1.1, 14.1.2.8 |
822377-2 | CVE-2019-10092 | K30442259, BT822377 | CVE-2019-10092: httpd mod_proxy cross-site scripting vulnerability | 16.1.0, 15.1.1, 14.1.2.8 |
767269-2 | CVE-2018-16884 | K21430012 | Linux kernel vulnerability: CVE-2018-16884 | 16.0.0, 15.1.0.5, 14.1.2.8 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
890229-3 | 3-Major | BT890229 | Source port preserve setting is not honored | 16.0.0, 15.1.1, 14.1.2.8, 13.1.3.5 |
747013-3 | 3-Major | BT747013 | Add OCSP server support to IKEv2 negotiation for IPsec peer authentication | 15.1.0, 14.1.2.8 |
617929-2 | 3-Major | BT617929 | Support non-default route domains | 15.1.0, 15.0.1.3, 14.1.2.8, 13.1.3.4 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
920481 | 2-Critical | BT920481 | REST GET on /mgmt/tm/sys/file/ssl-key returns bad/wrong passphrase | 14.1.2.8 |
871561-3 | 2-Critical | BT871561 | Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)'★ | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
860349-1 | 2-Critical | BT860349 | Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication | 16.0.0, 15.1.3, 14.1.2.8 |
856713-1 | 2-Critical | BT856713 | IPsec crash during rekey | 16.1.0, 16.0.1.2, 15.1.9, 14.1.2.8 |
854493-3 | 2-Critical | BT854493 | Kernel page allocation failures messages in kern.log | 16.0.0, 15.1.0.2, 14.1.2.8 |
842865-1 | 2-Critical | BT842865 | Add support for Auto MAC configuration (ixlv) | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.8 |
841953-5 | 2-Critical | BT841953 | A tunnel can be expired when going offline, causing tmm crash | 16.0.0, 15.1.0.2, 14.1.2.8, 13.1.3.4, 12.1.5.3 |
841333-5 | 2-Critical | BT841333 | TMM may crash when tunnel used after returning from offline | 16.0.0, 15.1.0.2, 14.1.2.8, 13.1.3.4, 12.1.5.3 |
818253-1 | 2-Critical | BT818253 | Generate signature files for logs | 16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8 |
817709-2 | 2-Critical | BT817709 | IPsec: TMM cored with SIGFPE in racoon2 | 16.1.0, 15.1.0.2, 14.1.2.8, 13.1.5 |
811149-1 | 2-Critical | BT811149 | Remotely-authenticated users are unable to authenticate through the serial console | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.8 |
807453-1 | 2-Critical | BT807453 | IPsec works inefficiently with a second blade in one chassis | 15.1.0, 14.1.2.8 |
777229-1 | 2-Critical | BT777229 | IPsec improvements to internal pfkey messaging between TMMs on multi-blade | 15.1.0, 14.1.2.8 |
774361-2 | 2-Critical | BT774361 | IPsec High Availability sync during multiple failover via RFC6311 messages | 15.1.0, 14.1.2.8 |
769357-1 | 2-Critical | IPsec debug logging needs more organization and is missing HA-related logging | 15.1.0, 14.1.2.8 | |
755716-1 | 2-Critical | BT755716 | IPsec connection can fail if connflow expiration happens before IKE encryption | 15.1.0, 14.1.2.8 |
749249-1 | 2-Critical | BT749249 | IPsec tunnels fail to establish and 100% cpu on multi-blade BIG-IP | 15.1.0, 14.1.2.8 |
741676-2 | 2-Critical | BT741676 | Intermittent crash switching between tunnel mode and interface mode | 15.1.0, 14.1.2.8, 13.1.5 |
593536-7 | 2-Critical | K64445052, BT593536 | Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations | 16.0.0, 15.1.1, 14.1.2.8 |
924493-4 | 3-Major | BT924493 | VMware EULA has been updated | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
904705-3 | 3-Major | BT904705 | Cannot clone Azure marketplace instances. | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
888497-4 | 3-Major | BT888497 | Cacheable HTTP Response | 16.1.0, 16.0.1.1, 15.1.0.5, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
887089-3 | 3-Major | BT887089 | Upgrade can fail when filenames contain spaces | 16.1.0, 15.1.0.5, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
880625-2 | 3-Major | BT880625 | Check-host-attr enabled in LDAP system-auth creates unusable config | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
880165-1 | 3-Major | BT880165 | Auto classification signature update fails | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
858197-1 | 3-Major | BT858197 | Merged crash when memory exhausted | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.8, 13.1.3.5 |
856953-2 | 3-Major | BT856953 | IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1 | 16.0.0, 15.1.4.1, 14.1.2.8, 13.1.5 |
844085-3 | 3-Major | BT844085 | GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.8 |
838297-1 | 3-Major | BT838297 | Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication | 16.0.0, 15.1.1, 14.1.2.8 |
828789-3 | 3-Major | BT828789 | Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters | 15.1.1, 14.1.2.8 |
820213-2 | 3-Major | BT820213 | 'Application Service List' empty after UCS restore | 15.1.0, 14.1.2.8 |
814585-3 | 3-Major | BT814585 | PPTP profile option not available when creating or modifying virtual servers in GUI | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
810381-4 | 3-Major | BT810381 | The SNMP max message size check is being incorrectly applied. | 16.0.0, 15.1.0.4, 14.1.2.8, 13.1.3.5 |
807337-3 | 3-Major | BT807337 | Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed. | 16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8 |
804537-1 | 3-Major | BT804537 | Check SAs in context callbacks | 15.1.0, 14.1.2.8 |
802889 | 3-Major | BT802889 | Problems establishing HA connections on chassis platforms | 15.1.0, 14.1.3, 14.1.2.8 |
797829-5 | 3-Major | BT797829 | The BIG-IP system may fail to deploy new or reconfigure existing iApps | 16.1.0, 16.0.1.1, 15.1.0.5, 14.1.2.8, 13.1.3.5 |
783753-1 | 3-Major | BT783753 | Increase vCPU amount guests can use on i11800-DS platforms. | 15.1.0, 14.1.2.8 |
761753-2 | 3-Major | BT761753 | BIG-IP system incorrectly flags UDP checksum as failed on x520 NICs | 15.1.0, 14.1.2.8 |
759564-4 | 3-Major | BT759564 | GUI not available after upgrade | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
758517-1 | 3-Major | BT758517 | Callback for Diffie Hellman crypto is missing defensive coding | 15.1.0, 14.1.2.8 |
758516-1 | 3-Major | BT758516 | IKEv2 auth encryption is missing defensive coding that checks object validity | 15.1.0, 14.1.2.8 |
757862-1 | 3-Major | BT757862 | IKEv2 debug logging an uninitialized variable leading to core | 15.1.0, 14.1.2.8 |
748443-1 | 3-Major | BT748443 | HiGig MAC recovery mechanism may fail continuously at runtime | 15.0.0, 14.1.2.8 |
746704-2 | 3-Major | BT746704 | Syslog-ng Memory Leak | 15.0.0, 14.1.2.8, 13.1.3.5 |
745261-2 | 3-Major | BT745261 | The TMM process may crash in some tunnel cases | 15.0.0, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
726416-3 | 3-Major | BT726416 | Physical disk HD1 not found for logical disk create | 15.1.0, 14.1.2.8 |
489572-4 | 3-Major | K60934489, BT489572 | Sync fails if file object is created and deleted before sync to peer BIG-IP | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
431503-3 | 3-Major | K14838, BT431503 | TMSH crashes in rare initial tunnel configurations | 15.1.1, 14.1.2.8, 13.1.3.5, 11.5.0 |
919745-4 | 4-Minor | BT919745 | CSV files downloaded from the Dashboard have the first row with all 'NaN | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.8 |
918209-1 | 4-Minor | BT918209 | GUI Network Map icons color scheme is not section 508 compliant | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.8 |
914761-1 | 4-Minor | BT914761 | Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed. | 16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8 |
906889-1 | 4-Minor | BT906889 | Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows. | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
902417-4 | 4-Minor | BT902417 | Configuration error caused by Drafts folder in a deleted custom partition★ | 16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
890277-2 | 4-Minor | BT890277 | Full config sync to a device group operation takes a long time when there are a large number of partitions. | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
779857-1 | 4-Minor | BT779857 | Misleading GUI error when installing a new version in another partition★ | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
777237-1 | 4-Minor | IPsec high availability (HA) for failover confused by runtime changes in blade count | 15.1.0, 14.1.2.8 | |
751103-4 | 4-Minor | BT751103 | TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
714176-3 | 5-Cosmetic | BT714176 | UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
858429 | 2-Critical | BT858429 | BIG-IP system sends ICMP packets on both virtual wire interfaces. | 16.0.0, 15.1.1, 15.0.1.4, 14.1.2.8 |
851581-1 | 2-Critical | BT851581 | Server-side detach may crash TMM | 16.0.0, 15.1.1, 14.1.2.8 |
839749-2 | 2-Critical | BT839749 | Virtual server with specific address list might fail to create via GUI | 16.0.0, 15.1.0.5, 15.0.1.1, 14.1.2.8 |
813561-3 | 2-Critical | BT813561 | MCPD crashes when assigning an iRule that uses a proc | 15.1.0, 15.0.1.3, 14.1.2.8, 13.1.3.4 |
726518-3 | 2-Critical | BT726518 | Tmsh show command terminated with CTRL-C can cause TMM to crash. | 16.0.0, 15.1.2, 14.1.2.8, 13.1.3.6 |
915281-1 | 3-Major | BT915281 | Do not rearm TCP Keep Alive timer under certain conditions | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
816881-1 | 3-Major | BT816881 | Serverside conection may use wrong VLAN when virtual wire is configured | 16.0.0, 15.1.1, 14.1.2.8 |
810445-2 | 3-Major | BT810445 | PEM: ftp-data not classified or reported | 15.1.0, 14.1.2.8, 13.1.3.5 |
800101-1 | 3-Major | BT800101 | BIG-IP chassis system may send out duplicated UDP packets to the server side | 15.1.0, 14.1.2.8 |
788753-4 | 3-Major | BT788753 | GATEWAY_ICMP monitor marks node down with wrong error code | 16.0.0, 15.1.0.5, 14.1.2.8, 13.1.3.4 |
785701-1 | 3-Major | BT785701 | Changes to a Web Acceleration profile are not instantly applied to virtual servers using the profile | 15.1.0, 14.1.2.8 |
785481-2 | 3-Major | BT785481 | A tm.rejectunmatched value of 'false' will prevent connection resets in cases where the connection limit has been reached | 15.1.0, 15.0.1.1, 14.1.2.8, 12.1.5.3 |
781753-3 | 3-Major | BT781753 | WebSocket traffic is transmitted with unknown opcodes | 15.1.0, 14.1.2.8, 13.1.3.2 |
766169-2 | 3-Major | BT766169 | Replacing all VLAN interfaces resets VLAN MTU to a default value | 15.1.0, 14.1.2.8, 13.1.3.5, 12.1.5.2 |
758437-6 | 3-Major | BT758437 | SYN w/ data disrupts stat collection in Fast L4 | 15.0.0, 14.1.2.8, 13.1.3.5 |
758436-4 | 3-Major | BT758436 | Optimistic ACKs degrade Fast L4 statistics | 15.0.0, 14.1.2.8, 13.1.3.5 |
745663-3 | 3-Major | BT745663 | During traffic forwarding, nexthop data may be missed at large packet split | 15.1.0, 14.1.2.8, 13.1.3.5 |
726734-4 | 3-Major | BT726734 | DAGv2 port lookup stringent may fail | 15.0.0, 14.1.2.8, 13.1.3.2 |
814037-4 | 4-Minor | BT814037 | No virtual server name in Hardware Syncookie activation logs. | 16.0.0, 15.1.1, 14.1.2.8, 13.1.3.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
783125-2 | 2-Critical | BT783125 | iRule drop command on DNS traffic without Datagram-LB may cause TMM crash | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
800265-2 | 3-Major | BT800265 | Undefined subroutine in bigip_add_appliance_helper message | 16.0.0, 14.1.2.8 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
911629 | 2-Critical | BT911629 | Manual upload of LiveUpdate image file results in NULL response | 17.1.0, 15.0.1.4, 14.1.2.8 |
918933-3 | 3-Major | K88162221, BT918933 | The BIG-IP ASM system may not properly perform signature checks on cookies | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.8, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
901061-4 | 3-Major | BT901061 | Safari browser might be blocked when using Bot Defense profile and related domains. | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
888285-3 | 3-Major | K18304067, BT888285 | Sensitive positional parameter not masked in 'Referer' header value | 16.0.0, 15.1.1, 14.1.2.8 |
848445-3 | 3-Major | K86285055, BT848445 | Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer★ | 16.0.0, 15.1.0.5, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
919001-1 | 4-Minor | BT919001 | Live Update: Update Available notification is shown twice in rare conditions | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.8 |
879777 | 4-Minor | BT879777 | Retreive browser cookie from related domain instead of performing another Bot Defense browser verification challenge | 16.0.0, 15.1.1, 14.1.2.8 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
908065-4 | 3-Major | BT908065 | Logrotation for /var/log/avr blocked by files with .1 suffix | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
866613-1 | 4-Minor | BT866613 | Missing MaxMemory Attribute | 16.0.0, 15.1.1, 14.1.2.8, 13.1.3.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
891505-1 | 2-Critical | BT891505 | TMM might leak memory when OAuth agent is used in APM per-request policy subroutine. | 16.0.0, 15.1.4, 14.1.2.8 |
579219-3 | 2-Critical | BT579219 | Access keys missing from SessionDB after multi-blade reboot. | 16.0.0, 15.1.1, 14.1.2.8, 13.1.5 |
706782-3 | 3-Major | BT706782 | Inefficient APM processing in large configurations. | 17.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.8 |
679751-1 | 4-Minor | BT679751 | Authorization header can cause a connection reset | 16.1.0, 15.1.1, 14.1.2.8, 13.1.3.5 |
602396-1 | 4-Minor | BT602396 | EPSEC Upload Package Button Is Greyed Out | 15.1.0, 14.1.2.8 |
478450-2 | 4-Minor | BT478450 | Improve log details when "Detection invalid host header ()" is logged | 15.1.0, 14.1.2.8 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
763121-3 | 2-Critical | BT763121 | Utilizing the AFM Packet Tester tool while a TCP Half Open attack is underway can crash TMM. | 15.0.0, 14.1.2.8, 13.1.3 |
870385-3 | 3-Major | BT870385 | TMM may restart under very heavy traffic load | 16.0.0, 15.1.2.1, 14.1.2.8 |
811157-2 | 3-Major | BT811157 | Global Staged Default Action is logged for ICMP traffic targeted to BIG-IP itself | 15.1.0, 14.1.2.8 |
757555-2 | 3-Major | BT757555 | Network DoS Logging Profile does not work with other logging profiles together | 15.0.0, 14.1.2.8 |
757279-1 | 3-Major | BT757279 | LDAP authenticated Firewall Manager role cannot edit firewall policies | 15.1.0.5, 14.1.2.8, 13.1.1.5 |
746483-2 | 3-Major | BT746483 | The autodosd process consumes a lot of memory and continuously restarts. | 15.0.0, 14.1.2.8 |
703165-4 | 3-Major | BT703165 | shared memory leakage | 15.0.0, 14.1.2.8, 13.1.3.5 |
803149-1 | 4-Minor | BT803149 | Flow Inspector cannot filter on IP address with non-default route_domain | 15.1.0, 14.1.2.8 |
906885 | 5-Cosmetic | BT906885 | Spelling mistake on AFM GUI Flow Inspector screen | 16.1.0, 15.1.2.1, 14.1.2.8 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
741213-2 | 3-Major | BT741213 | Modifying disabled PEM policy causes coredump | 15.1.0, 14.1.2.8 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
837269 | 3-Major | BT837269 | Processing ICMP unreachable packets causes FWNAT/CGNAT persistence issues with UDP traffic | 16.0.0, 15.1.0, 14.1.2.8 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
876581-4 | 3-Major | BT876581 | JavaScript engine file is empty if the original HTML page cached for too long | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
891729-4 | 4-Minor | BT891729 | Errors in datasyncd.log★ | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
797277-2 | 3-Major | BT797277 | URL categorization fails when multiple segments present in URL path and belong to different categories. | 15.1.0, 14.1.2.8 |
761273-2 | 3-Major | BT761273 | wr_urldbd creates sparse log files by writing from the previous position after logrotate. | 15.1.0, 14.1.2.8, 13.1.1.5 |
Cumulative fixes from BIG-IP v14.1.2.7 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
912221-2 | CVE-2020-12662 CVE-2020-12663 |
K37661551, BT912221 | CVE-2020-12662 & CVE-2020-12663 | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5, 12.1.6, 11.6.5.3 |
900905-1 | CVE-2020-5926 | K42830212, BT900905 | TMM may crash while processing SIP data | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7 |
891457-4 | CVE-2020-5939 | K75111593, BT891457 | NIC driver may fail while transmitting data | 16.1.0, 16.0.1, 15.1.0.4, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
888417-4 | CVE-2020-8840 | K15320518, BT888417 | Apache Vulnerability: CVE-2020-8840 | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7 |
846917-3 | CVE-2019-10744 | K47105354, BT846917 | lodash Vulnerability: CVE-2019-10744 | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.7, 13.1.3.5, 12.1.5.3 |
841577-4 | CVE-2020-5922 | K20606443, BT841577 | iControl REST hardening | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4, 12.1.5.2 |
839453-4 | CVE-2019-10744 | K47105354, BT839453 | lodash library vulnerability CVE-2019-10744 | 16.0.0, 15.1.1, 14.1.2.7, 13.1.3.5, 12.1.5.2 |
788057-5 | CVE-2020-5921 | K00103216, BT788057 | MCPD may crash while processing syncookies | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5, 12.1.5.2, 11.6.5.3 |
917005-4 | CVE-2020-8619 | K19807532 | ISC BIND Vulnerability: CVE-2020-8619 | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.7, 13.1.3.5, 12.1.6, 11.6.5.3 |
909837-2 | CVE-2020-5950 | K05204103, BT909837 | TMM may consume excessive resources when AFM is provisioned | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5 |
888489-4 | CVE-2020-5927 | K55873574, BT888489 | ASM UI hardening | 16.1.0, 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7 |
886085-3 | CVE-2020-5925 | K45421311, BT886085 | BIG-IP TMM vulnerability CVE-2020-5925 | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
832885-3 | CVE-2020-5923 | K05975972, BT832885 | Self-IP hardening | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
816413-2 | CVE-2019-1125 | K31085564, BT816413 | CVE-2019-1125: Spectre SWAPGS Gadget | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
888493-4 | CVE-2020-5928 | K40843345, BT888493 | ASM GUI Hardening | 16.1.0, 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5, 12.1.5.2 |
839145-2 | CVE-2019-10744 | K47105354, BT839145 | CVE-2019-10744: lodash vulnerability | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.7 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
816233-3 | 2-Critical | BT816233 | Session and authentication cookies should use larger character set | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7 |
724556-3 | 2-Critical | BT724556 | icrd_child spawns more than maximum allowed times (zombie processes) | 15.0.0, 14.1.2.7, 13.1.3.2, 12.1.5.3 |
858189-1 | 3-Major | BT858189 | Make restnoded/restjavad/icrd timeout configurable with sys db variables. | 16.0.0, 15.1.1, 14.1.2.7, 12.1.5.2 |
802977-2 | 3-Major | BT802977 | PEM iRule crashes when more than 10 policies are tried to be set for a subscriber | 15.1.0, 14.1.2.7 |
691499-3 | 3-Major | BT691499 | GTP::ie primitives in iRule to be certified | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4 |
745465-1 | 4-Minor | BT745465 | The tcpdump file does not provide the correct extension | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
864513-3 | 1-Blocking | K48234609, BT864513 | ASM policies may not load after upgrading to 14.x or later from a previous major version★ | 16.0.0, 15.1.1, 14.1.2.7 |
891477 | 2-Critical | BT891477 | No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7 |
829677-1 | 2-Critical | BT829677 | .tmp files in /var/config/rest/ may cause /var directory exhaustion | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.7, 13.1.3.5 |
811701-1 | 2-Critical | BT811701 | AWS instance using xnet driver not receiving packets on an interface. | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.7 |
810593-2 | 2-Critical | K10963690, BT810593 | Unencoded sym-unit-key causes guests to go 'INOPERATIVE' after upgrade★ | 15.1.0, 14.1.2.7, 13.1.3.5 |
805417-1 | 2-Critical | BT805417 | Unable to enable LDAP system auth profile debug logging | 16.0.0, 15.1.1, 14.1.2.7 |
769581-1 | 2-Critical | BT769581 | Timeout when sending many large iControl REST requests | 15.1.0, 14.1.2.7, 14.0.0.5, 13.1.3.5 |
758604-2 | 2-Critical | BT758604 | Deleting a port from a single-port trunk does not work. | 15.0.0, 14.1.2.7 |
891721-1 | 3-Major | BT891721 | Anti-Fraud Profile URLs with query strings do not load successfully | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7 |
871657-2 | 3-Major | BT871657 | Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5, 12.1.5.3 |
867013-1 | 3-Major | BT867013 | Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout | 16.0.0, 15.1.1, 14.1.2.7, 13.1.3.5 |
842189-2 | 3-Major | BT842189 | Tunnels removed when going offline are not restored when going back online | 16.0.0, 15.1.2.1, 14.1.2.7, 13.1.3.6, 12.1.5.3 |
821309-3 | 3-Major | BT821309 | After an initial boot, mcpd has a defunct child "systemctl" process | 16.0.0, 15.1.0.5, 14.1.2.7 |
812929-2 | 3-Major | BT812929 | mcpd may core when resetting a DSC connection | 15.1.0, 15.0.1.4, 14.1.2.7 |
811053-2 | 3-Major | BT811053 | REBOOT REQUIRED prompt appears after failover and clsh reboot | 16.0.0, 15.1.2, 14.1.2.7 |
810821-1 | 3-Major | BT810821 | Management interface flaps after rebooting the device. | 16.0.0, 15.1.2, 14.1.2.7, 13.1.3.5 |
807005-1 | 3-Major | BT807005 | Save-on-auto-sync is not working as expected with large configuration objects | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.4, 12.1.5.3, 11.6.5.2 |
806985 | 3-Major | BT806985 | Engineering Hotfix installation may fail when Engineering Hotfix contains updated nash-initrd package★ | 15.1.0, 14.1.2.7 |
802685-3 | 3-Major | BT802685 | Unable to configure performance HTTP virtual server via GUI | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
793121-3 | 3-Major | BT793121 | Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.7, 13.1.3.2 |
788949-3 | 3-Major | BT788949 | MySQL Password Initialization Loses Already Written Password | 15.1.0, 14.1.2.7 |
760950-4 | 3-Major | BT760950 | Incorrect advertised next-hop in BGP for a traffic group in Active-Active deployment | 15.0.0, 14.1.2.7, 13.1.5, 12.1.5.3 |
756153-3 | 3-Major | BT756153 | Add diskmonitor support for MySQL /var/lib/mysql | 15.1.0, 14.1.2.7, 13.1.3, 12.1.4.1 |
753860-3 | 3-Major | BT753860 | Virtual server config changes causing incorrect route injection. | 15.1.0, 14.1.2.7, 13.1.3.4 |
720610-2 | 3-Major | BT720610 | Automatic Update Check logs false 'Update Server unavailable' message on every run | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.2.7, 13.1.3 |
701529-2 | 3-Major | BT701529 | Configuration may not load or not accept vlan or tunnel names as "default" or "all" | 15.1.0, 14.1.2.7, 13.1.3.4 |
688399-2 | 3-Major | BT688399 | HSB failure results in continuous TMM restarts | 15.1.0, 15.0.1.4, 14.1.2.7, 13.1.3.4, 12.1.5.3 |
683135-1 | 3-Major | BT683135 | Hardware syncookies number for virtual server stats is unrealistically high | 15.1.0, 14.1.2.7, 13.1.3.2 |
605675-4 | 3-Major | BT605675 | Sync requests can be generated faster than they can be handled | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.7, 13.1.3.5, 12.1.5.3, 11.6.5.2 |
831293-3 | 4-Minor | BT831293 | SNMP address-related GET requests slow to respond. | 16.0.0, 15.1.0.2, 14.1.2.7, 13.1.3.5, 12.1.5.3 |
804309-2 | 4-Minor | BT804309 | [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5 |
755018-2 | 4-Minor | BT755018 | Egress traffic processing may be stopped on one or more VE trunk interfaces | 15.1.0, 15.0.1.1, 14.1.2.7, 13.1.3.2 |
743815-2 | 4-Minor | BT743815 | vCMP guest observes connflow reset when a CMP state change occurs. | 15.0.0, 14.1.2.7, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
484683-2 | 4-Minor | BT484683 | Certificate_summary is not created at peer when the chain certificate is synced to high availability (HA) peer. | 15.0.0, 14.1.2.7, 13.1.3.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
842937-4 | 2-Critical | BT842937 | TMM crash due to failed assertion 'valid node' | 16.0.0, 15.1.1, 14.1.2.7, 12.1.5.3 |
751589-1 | 2-Critical | BT751589 | In BIG-IP VE, some IP rules may not be created during the first boot up. | 15.0.0, 14.1.2.7 |
893281-1 | 3-Major | BT893281 | Possible ssl stall on closed client handshake | 16.1.0, 15.1.0.5, 14.1.2.7 |
852873 | 3-Major | BT852873 | Proprietary Multicast PVST+ packets are forwarded instead of dropped | 16.0.0, 15.1.0.2, 14.1.2.7 |
848777-1 | 3-Major | BT848777 | Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node. | 16.0.0, 15.1.0.4, 14.1.2.7 |
828601-3 | 3-Major | BT828601 | IPv6 Management route is preferred over IPv6 tmm route | 16.0.0, 15.1.0.3, 14.1.2.7, 13.1.3.5 |
813701-3 | 3-Major | BT813701 | Proxy ARP failure | 16.0.0, 15.1.0.5, 14.1.2.7 |
810533-4 | 3-Major | BT810533 | SSL Handshakes may fail with valid SNI when SNI required is true but no Server Name is specified in the profile | 16.0.0, 14.1.2.7 |
802245-1 | 3-Major | BT802245 | When HTTP/2 is negotiated, if the provided cipher suite list cannot be matched, then the last one will be selected. | 15.1.0, 14.1.2.7 |
790205-3 | 3-Major | BT790205 | Adding a more-specific route to a child route domain that overrides the default route in the default route domain can cause TMM to core | 15.1.0, 15.0.1.1, 14.1.2.7, 14.0.1.1, 13.1.3, 12.1.5.3 |
781041-1 | 3-Major | BT781041 | SIP monitor in non default route domain is not working. | 15.1.0, 14.1.2.7 |
778517-1 | 3-Major | K91052217, BT778517 | Large number of in-TMM monitors results in delayed processing | 15.1.0, 14.1.2.7, 13.1.3.4 |
760050-2 | 3-Major | BT760050 | "cwnd too low" warning message seen in logs | 16.0.0, 15.1.4, 14.1.2.7, 13.1.4.1 |
758599-1 | 3-Major | BT758599 | IPv6 Management route is preferred over IPv6 tmm route | 16.0.0, 15.1.0.3, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
758041-3 | 3-Major | BT758041 | LTM Pool Members may not be updated accurately when multiple identical database monitors are configured. | 16.0.0, 15.1.4.1, 14.1.2.7, 13.1.3.5 |
757446-2 | 3-Major | BT757446 | Invoking the HTTP::respond iRule command when the HTTP2 profile is present can cause stalled or malformed responses. | 15.0.0, 14.1.2.7, 13.1.5 |
756494-3 | 3-Major | BT756494 | For in-tmm monitoring: multiple instances of the same agent are running on the Standby device | 15.0.0, 14.1.2.7, 13.1.3.4 |
752530-1 | 3-Major | BT752530 | TCP Analytics: Fast L4 TCP Analytics reports incorrect goodput. | 15.0.0, 14.1.2.7, 13.1.4.1 |
752334-1 | 3-Major | BT752334 | Out-of-order packet arrival may cause incorrect Fast L4 goodput calculation | 15.0.0, 14.1.2.7, 13.1.4.1 |
750473-4 | 3-Major | BT750473 | VA status change while 'disabled' are not taken into account after being 'enabled' again | 15.0.0, 14.1.2.7, 12.1.5.3, 11.6.5.2 |
746922-6 | 3-Major | BT746922 | When there is more than one route domain in a parent-child relationship, outdated routing entry selected from the parent route domain may not be invalidated on routing table changes in child route domain. | 15.0.0, 14.1.2.7, 14.0.1.1, 13.1.3, 12.1.4.1 |
714502-2 | 3-Major | BT714502 | bigd restarts after loading a UCS for the first time | 16.0.0, 15.1.0.5, 14.1.2.7 |
686059-4 | 3-Major | BT686059 | FDB entries for existing VLANs may be flushed when creating a new VLAN. | 15.1.0, 14.1.2.7, 13.1.3.4, 12.1.5.3 |
608952-3 | 3-Major | BT608952 | MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2 | 16.0.0, 15.1.5, 14.1.2.7, 13.1.3.6, 12.1.5.3 |
522241-1 | 3-Major | BT522241 | Using tmsh to display the number of elements in a DNS cache may cause high CPU utilization, and the tmsh command may not complete | 15.0.0, 14.1.2.7, 13.1.3.5, 12.1.6, 11.6.5.3 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
918169-2 | 2-Critical | BT918169 | The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown. | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.7, 13.1.3.6 |
744743-1 | 2-Critical | BT744743 | Rolling DNSSEC Keys may stop generating after BIG-IP restart | 15.1.0, 14.1.2.7 |
803645-3 | 3-Major | BT803645 | GTMD daemon crashes | 15.1.0, 14.1.2.7, 13.1.3.3 |
789421-2 | 3-Major | BT789421 | Resource-administrator cannot create GTM server object through GUI | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.7 |
778365-2 | 3-Major | BT778365 | dns-dot & dns-rev metrics collection set RTT values even though LDNS has no DNS service | 15.1.0, 14.1.2.7, 13.1.3.4 |
774481-2 | 3-Major | BT774481 | DNS Virtual Server creation problem with Dependency List | 15.1.0, 14.1.2.7, 13.1.3.4 |
769385-1 | 3-Major | BT769385 | GTM sync of DNSSEC keys between devices with internal FIPS cards fails with log message | 15.1.0, 14.1.2.7, 14.0.0.5 |
758772-3 | 3-Major | BT758772 | DNS Cache RRSET Evictions Stat not increasing | 15.1.0, 14.1.2.7, 13.1.3.5, 12.1.6, 11.6.5.3 |
757464-1 | 3-Major | BT757464 | DNS Validating Resolver Cache 'Key' Cache records not deleted correctly when using TMSH command to delete the record | 15.1.0, 14.1.2.7, 13.1.3.5, 12.1.6, 11.6.5.3 |
746348-2 | 3-Major | BT746348 | On rare occasions, gtmd fails to process probe responses originating from the same system. | 16.0.0, 15.1.2, 14.1.2.7, 13.1.3.4, 12.1.5.2 |
712335-3 | 4-Minor | BT712335 | GTMD may intermittently crash under unusual conditions. | 15.1.0, 14.1.2.7, 13.1.4, 12.1.6 |
774257-2 | 5-Cosmetic | BT774257 | tmsh show gtm pool and tmsh show gtm wideip print duplicate object types | 16.0.0, 15.1.0.5, 14.1.2.7 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
904593-2 | 2-Critical | BT904593 | Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled | 16.1.0, 15.1.0.5, 14.1.2.7 |
868641-1 | 2-Critical | BT868641 | Possible TMM crash when disabling bot profile for the entire connection | 16.0.0, 15.1.1, 14.1.2.7 |
865461-3 | 2-Critical | BT865461 | BD crash on specific scenario | 16.0.0, 15.1.0.5, 14.1.2.7 |
843801-1 | 2-Critical | BT843801 | Like-named previous Signature Update installations block Live Update usage after upgrade★ | 16.0.0, 15.1.1, 14.1.2.7 |
813409-1 | 2-Critical | BT813409 | BD crash under certain circumstances | 15.1.0, 14.1.2.7 |
803813-2 | 2-Critical | BT803813 | TMM may experience high latency when processing WebSocket traffic | 15.1.0, 14.1.2.7, 13.1.3.4 |
903357-3 | 3-Major | BT903357 | Bot defense Profile list is loads too slow when there are 750 or more Virtual servers | 16.1.0, 16.0.1.1, 15.1.1, 14.1.2.7 |
900797-4 | 3-Major | BT900797 | Brute Force Protection (BFP) hash table entry cleanup | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
900793-2 | 3-Major | K32055534, BT900793 | APM Brute Force Protection resources do not scale automatically | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
900789-4 | 3-Major | BT900789 | Alert before Brute Force Protection (BFP) hash are fully utilized | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
898825-4 | 3-Major | BT898825 | Attack signatures are enforced on excluded headers under some conditions | 14.1.2.7 |
898741-4 | 3-Major | BT898741 | Missing critical files causes FIPS-140 system to halt upon boot | 16.1.0, 15.1.1, 14.1.2.7 |
892653-2 | 3-Major | BT892653 | Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.7 |
880789-1 | 3-Major | BT880789 | ASMConfig Handler undergoes frequent restarts | 16.0.0, 15.1.0.5, 14.1.2.7 |
880753-1 | 3-Major | K38157961, BT880753 | Possible issues when using DoSL7 and Bot Defense profile on the same virtual server | 16.0.0, 15.1.1, 15.0.1.4, 14.1.2.7 |
874753-1 | 3-Major | BT874753 | Filtering by Bot Categories on Bot Requests Log shows 0 events | 16.0.0, 15.1.0.5, 14.1.2.7 |
868721-3 | 3-Major | BT868721 | Transactions are held for a long time on specific server related conditions | 16.0.0, 15.1.0.5, 14.1.2.7 |
863609-2 | 3-Major | BT863609 | Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies | 16.0.0, 15.1.0.5, 14.1.2.7 |
850677-2 | 3-Major | BT850677 | Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy | 16.0.0, 15.1.0.5, 14.1.2.7 |
833685-3 | 3-Major | BT833685 | Idle async handlers can remain loaded for a long time doing nothing | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5, 12.1.5.3 |
809125-2 | 3-Major | BT809125 | CSRF false positive | 16.0.0, 15.1.0.5, 14.1.2.7, 12.1.5.1 |
802873-1 | 3-Major | BT802873 | Manual changes to policy imported as XML may introduce corruption for Login Pages | 16.0.0, 15.1.4, 14.1.2.7 |
799749-1 | 3-Major | BT799749 | Asm logrotate fails to rotate | 16.0.0, 15.1.0.5, 14.1.2.7 |
793149-3 | 3-Major | BT793149 | Adding the Strict-transport-Policy header to internal responses | 15.1.0, 14.1.2.7, 12.1.5.1 |
785529-1 | 3-Major | BT785529 | ASM unable to handle ICAP responses which length is greater then 10K | 15.1.0, 14.1.2.7, 11.6.5.2 |
783165-3 | 3-Major | BT783165 | Bot Defense whitelists does not apply for url "Any" after modifying the Bot Defense profile | 16.0.0, 15.1.0.5, 14.1.2.7 |
772165-1 | 3-Major | BT772165 | Sync Failed due to Bot Defense profile not found. | 15.0.0, 14.1.2.7 |
759449-1 | 3-Major | BT759449 | Unable to modify the application language with 'Copy ASM Policy' | 15.0.0, 14.1.2.7 |
751430-1 | 3-Major | BT751430 | Unnecessary reporting of errors with complex denial-of-service policies | 15.0.0, 14.1.2.7 |
745324-1 | 3-Major | BT745324 | MCP crash or blocked for a long time when loading configuration | 15.0.0, 14.1.2.7 |
742549-2 | 3-Major | BT742549 | Cannot create non-ASCII entities in non-UTF ASM policy using REST | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.6 |
726401-1 | 3-Major | BT726401 | ASM cannot complete initial startup with modified management interface on VE | 15.1.0, 14.1.2.7 |
722337-1 | 3-Major | BT722337 | Always show violations in request log when post request is large | 16.1.0, 16.0.1.1, 15.1.0.5, 14.1.2.7, 13.1.3.5 |
640842-3 | 3-Major | BT640842 | ASM end user using mobile might be blocked when CSRF is enabled | 16.0.0, 15.1.0.5, 14.1.2.7 |
896285-4 | 4-Minor | BT896285 | No parent entity in suggestion to add predefined-filetype as allowed filetype | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.7 |
882769-3 | 4-Minor | BT882769 | Request Log: wrong filter applied when searching by Response contains or Response does not contain | 16.0.0, 15.1.2, 14.1.2.7, 13.1.3.5 |
852613-1 | 4-Minor | Connection Mirroring and ASM Policy not supported on the same virtual server | 14.1.2.7 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
902485-2 | 3-Major | BT902485 | Incorrect pool member concurrent connection value | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
838685-2 | 3-Major | BT838685 | DoS report exist in per-widget but not under individual virtual | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
838861-2 | 2-Critical | BT838861 | TMM might crash once after upgrading SSL Orchestrator★ | 16.0.0, 15.1.1, 14.1.2.7 |
895313 | 3-Major | BT895313 | Enable manage config setting may fail after upgrade of AGC to version 7.0 on BIG-IP 14.1.0 or 14.1.2 | 14.1.2.7 |
831517-1 | 3-Major | BT831517 | TMM may crash when Network Access tunnel is used | 16.0.0, 15.1.3, 14.1.2.7 |
799149-2 | 3-Major | BT799149 | Authentication fails with empty password | 14.1.2.7, 13.1.3.2 |
750631-2 | 3-Major | BT750631 | There may be a latency between session termination and deletion of its associated IP address mapping | 15.0.0, 14.1.2.7, 13.1.3 |
600985-1 | 3-Major | BT600985 | Network access tunnel data stalls | 15.0.0, 14.1.2.7, 13.1.3 |
719589-2 | 4-Minor | BT719589 | GUI and CLI category lookup test tool returning different categories compared to the actual data-plane traffic | 15.1.0, 14.1.2.7, 13.1.3.2 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
814097-2 | 2-Critical | BT814097 | Using Generic Message router to convert a SIP message from TCP to UDP fails to fire SERVER_CONNECTED iRule event. | 15.1.0, 14.1.2.7, 13.1.3.4, 11.6.5.2 |
898997-4 | 3-Major | BT898997 | GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes | 16.1.0, 16.0.1, 15.1.1, 14.1.2.7 |
842625-3 | 3-Major | BT842625 | SIP message routing remembers a 'no connection' failure state forever | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.7, 13.1.3.4 |
825013-3 | 3-Major | BT825013 | GENERICMESSAGE::message's src and dst may get cleared in certain scenarios | 16.0.0, 15.1.0.2, 15.0.1.1, 14.1.2.7 |
815529-2 | 3-Major | BT815529 | MRF outbound messages are dropped in per-peer mode | 15.1.0, 14.1.2.7, 13.1.3.4 |
803809-2 | 3-Major | BT803809 | SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled. | 16.0.0, 15.1.0.2, 14.1.2.7, 13.1.3.4 |
782353-6 | 3-Major | BT782353 | SIP MRF via header shows TCP Transport when TLS is enabled | 15.1.0, 14.1.2.7, 13.1.3.4 |
754658-2 | 3-Major | BT754658 | Improved matching of response messages uses end-to-end ID | 15.0.0, 14.1.2.7, 13.1.3.4 |
754617-2 | 3-Major | BT754617 | iRule 'DIAMETER::avp read' command does not work with 'source' option | 14.1.2.7, 13.1.3.4 |
746731-1 | 3-Major | BT746731 | BIG-IP system sends Firmware-Revision AVP in CER with Mandatory bit set | 15.0.0, 14.1.2.7, 13.1.3.4 |
696348-3 | 3-Major | BT696348 | "GTP::ie insert" and "GTP::ie append" do not work without "-message" option | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4 |
788513-2 | 4-Minor | BT788513 | Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.4, 12.1.5.2 |
786981-3 | 4-Minor | BT786981 | Pending GTP iRule operation maybe aborted when connection is expired | 15.1.0, 14.1.2.7, 13.1.3.4 |
793005-3 | 5-Cosmetic | BT793005 | 'Current Sessions' statistic of MRF/Diameter pool may be incorrect | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
802421 | 2-Critical | BT802421 | The /var partition may become 100% full requiring manual intervention to clear space | 16.0.0, 15.1.0.5, 14.1.2.7 |
755721-1 | 3-Major | BT755721 | A UDP DNS packet may incorrectly match a BDoS signature if such a packet was queued up due to ingress shaper | 15.0.0, 14.1.2.7 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
753014-4 | 3-Major | BT753014 | PEM iRule action with RULE_INIT event fails to attach to PEM policy | 15.0.0, 14.1.2.7, 13.1.3.2, 12.1.5.3 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
888625-2 | 3-Major | BT888625 | CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks | 16.0.0, 15.1.0.3, 14.1.2.7 |
806825 | 3-Major | BT806825 | Align the behavior of NAT44 and NAT64 when translate-address is disabled under Virtual Configuration with LTM Pool and LSN Pool | 15.1.0, 14.1.2.7 |
761517-1 | 4-Minor | BT761517 | nat64 and ltm pool conflict | 15.1.0, 14.1.2.7 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
787965-1 | 3-Major | BT787965 | URLCAT by URI does not work if it contains port number | 15.1.0, 14.1.2.7 |
754257-2 | 3-Major | BT754257 | URL lookup queries not working | 15.0.0, 14.1.2.7, 12.1.5 |
Cumulative fixes from BIG-IP v14.1.2.6 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
900757-4 | CVE-2020-5902 | K52145254, BT900757 | TMUI RCE vulnerability CVE-2020-5902 | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4 |
895525-4 | CVE-2020-5902 | K52145254, BT895525 | TMUI RCE vulnerability CVE-2020-5902 | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
909237-4 | CVE-2020-8617 | K05544642 | CVE-2020-8617: BIND Vulnerability | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
909233-4 | CVE-2020-8616 | K97810133, BT909233 | DNS Hardening | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
905905-3 | CVE-2020-5904 | K31301245, BT905905 | TMUI CSRF vulnerability CVE-2020-5904 | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2 |
895993-4 | CVE-2020-5902 | K52145254, BT895993 | TMUI RCE vulnerability CVE-2020-5902 | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
895981-4 | CVE-2020-5902 | K52145254, BT895981 | TMUI RCE vulnerability CVE-2020-5902 | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2 |
895881-3 | CVE-2020-5903 | K43638305, BT895881 | BIG-IP TMUI XSS vulnerability CVE-2020-5903 | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2 |
726407 | CVE-2017-6001 | K24578092, BT726407 | CVE-2017-6001: Race condition in kernel/events/core.c | 14.1.2.6 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
742628-3 | 3-Major | BT742628 | A tmsh session initiation adds increased control plane pressure | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.3 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
897229 | 3-Major | BT897229 | TLS session ticket resumption SNI check | 14.1.2.6 |
Cumulative fixes from BIG-IP v14.1.2.5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
883717-3 | CVE-2020-5914 | K37466356, BT883717 | BD crash on specific server cookie scenario | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
879025-4 | CVE-2020-5913 | K72752002, BT879025 | When processing TLS traffic, LTM may not enforce certificate chain restrictions | 16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3.5, 12.1.5.2 |
866013 | CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 |
K78234183, BT866013 | Linux Kernel Vulnerabilities: CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 | 14.1.2.5 |
852445-3 | CVE-2019-6477 | K15840535, BT852445 | Big-IP : CVE-2019-6477 BIND Vulnerability | 16.0.0, 14.1.2.5, 13.1.3.4, 12.1.5.1, 11.6.5.2 |
838677-3 | CVE-2019-10744 | K47105354, BT838677 | lodash library vulnerability CVE-2019-10744 | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4 |
837773-2 | CVE-2020-5912 | K12936322, BT837773 | Restjavad Storage and Configuration Hardening | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3, 11.6.5.2 |
834257-3 | CVE-2020-5931 | K25400442, BT834257 | TMM may crash when processing HTTP traffic | 16.0.0, 15.1.1, 14.1.2.5, 13.1.3.6 |
830401-3 | CVE-2020-5877 | K54200228, BT830401 | TMM may crash while processing TCP traffic with iRules | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
819197-4 | CVE-2019-13135 | K20336394, BT819197 | BIGIP: CVE-2019-13135 ImageMagick vulnerability | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
819189-3 | CVE-2019-13136 | K03512441, BT819189 | BIGIP: CVE-2019-13136 ImageMagick vulnerability | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
814953-3 | CVE-2020-5940 | K43310520, BT814953 | TMUI dashboard hardening | 16.1.0, 16.0.1, 15.1.1, 14.1.2.5 |
805837-2 | CVE-2019-6657 | K22441651, BT805837 | REST does not follow current design best practices | 15.1.0, 15.0.1.1, 14.1.2.5, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.2 |
802261-2 | CVE-2020-5875 | K65372933, BT802261 | TMM may crash while processing SSL traffic via an HTTP/2 full-proxy | 15.1.0, 15.0.1.1, 14.1.2.5 |
794561-1 | CVE-2020-5874 | K46901953, BT794561 | TMM may crash while processing JWT/OpenID traffic. | 15.1.0, 15.0.1.3, 14.1.2.5, 14.0.1.1, 13.1.4.1 |
780601-2 | CVE-2020-5873 | K03585731, BT780601 | SCP file transfer hardening | 15.1.0, 15.0.1.1, 14.1.2.5, 13.1.3.2, 12.1.5.1, 11.6.5.1 |
769589-2 | CVE-2019-6974 | K11186236, BT769589 | CVE-2019-6974: Linux Kernel Vulnerability | 15.1.0, 14.1.2.5, 13.1.3.2 |
767373-1 | CVE-2019-8331 CVE-2018-14040 CVE-2018-14041 CVE-2018-14042 CVE-2016-10735 |
K24383845, BT767373 | CVE-2019-8331: Bootstrap Vulnerability | 15.1.0, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.1 |
762453-2 | CVE-2020-5872 | K63558580, BT762453 | Hardware cryptography acceleration may fail | 15.0.0, 14.1.2.5, 14.0.1.1, 13.1.3.2, 12.1.5 |
745377-1 | CVE-2020-5871 | K43450419, BT745377 | TMM cores in certain scenarios with HTTP virtual server | 15.0.0, 14.1.2.5 |
739971 | CVE-2018-5391 | K74374841, BT739971 | Linux kernel vulnerability: CVE-2018-5391 | 15.0.0, 14.1.2.5, 14.0.1.1, 13.1.3, 12.1.5, 11.6.5.1 |
873469-1 | CVE-2020-5889 | K24415506, BT873469 | APM Portal Access: Base URL may be set to incorrectly | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
872673-3 | CVE-2020-5918 | K26464312, BT872673 | TMM can crash when processing SCTP traffic | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
868349-3 | CVE-2020-5935 | K62830532, BT868349 | TMM may crash while processing iRules with MQTT commands | 16.0.0, 15.1.1, 14.1.2.5, 13.1.3.4 |
864109-3 | CVE-2020-5889 | K24415506, BT864109 | APM Portal Access: Base URL may be set to incorrectly | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
859089-5 | CVE-2020-5907 | K00091341, BT859089 | TMSH allows SFTP utility access | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3, 11.6.5.2 |
858349-1 | CVE-2020-5934 | K44808538, BT858349 | TMM may crash while processing SAML SLO traffic | 16.0.0, 15.1.1, 14.1.2.5 |
858025-3 | CVE-2021-22984 | K33440533, BT858025 | BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984 | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
848405-4 | CVE-2020-5933 | K26244025, BT848405 | TMM may consume excessive resources while processing compressed HTTP traffic | 16.0.0, 15.1.1, 14.1.2.5, 13.1.3.5, 12.1.5.2, 11.6.5.2 |
838881-3 | CVE-2020-5853 | K73183618, BT838881 | APM Portal Access Vulnerability: CVE-2020-5853 | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 12.1.5.2, 11.6.5.2 |
837837-3 | CVE-2020-5917 | K43404629, BT837837 | F5 SSH server key size vulnerability CVE-2020-5917 | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 12.1.5.2 |
832021-1 | CVE-2020-5888 | K73274382, BT832021 | Port lockdown settings may not be enforced as configured | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
832017-1 | CVE-2020-5887 | K10251014, BT832017 | Port lockdown settings may not be enforced as configured | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
829121-3 | CVE-2020-5886 | K65720640, BT829121 | State mirroring default does not require TLS | 16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3.4, 12.1.5.2 |
829117-3 | CVE-2020-5885 | K17663061, BT829117 | State mirroring default does not require TLS | 16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3.4, 12.1.5.2 |
811789-2 | CVE-2020-5915 | K57214921, BT811789 | Device trust UI hardening | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3, 11.6.5.2 |
810537-2 | CVE-2020-5883 | K12234501, BT810537 | TMM may consume excessive resources while processing iRules | 15.1.0, 15.0.1.1, 14.1.2.5, 14.0.1.1, 13.1.3.2 |
805557-2 | CVE-2020-5882 | K43815022, BT805557 | TMM may crash while processing crypto data | 15.1.0, 14.1.2.5, 12.1.5.1 |
789921-2 | CVE-2020-5881 | K03386032, BT789921 | TMM may restart while processing VLAN traffic | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4 |
775833-2 | CVE-2020-5880 | K94325657, BT775833 | Administrative file transfer may lead to excessive resource consumption | 15.1.0, 15.0.1.4, 14.1.2.5 |
887637-1 | CVE-2019-3815 | K22040951, BT887637 | Systemd-journald Vulnerability: CVE-2019-3815 | 16.0.0, 15.1.1, 15.0.1.4, 14.1.2.5 |
868097-1 | CVE-2020-5891 | K58494243, BT868097 | TMM may crash while processing HTTP/2 traffic | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
823893-2 | CVE-2020-5890 | K03318649, BT823893 | Qkview may fail to completely sanitize LDAP bind credentials | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2 |
748122-1 | CVE-2018-15333 | K53620021, BT748122 | BIG-IP Vulnerability CVE-2018-15333 | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5 |
746091-1 | CVE-2019-19151 | K21711352, BT746091 | TMSH Vulnerability: CVE-2019-19151 | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3 |
760723-2 | CVE-2015-4037 | K64765350, BT760723 | Qemu Vulnerability | 16.0.0, 15.0.1.4, 14.1.2.5, 12.1.5.2 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
870389-1 | 3-Major | BT870389 | Increase size of /var logical volume to 1.5 GiB for LTM-only VE images | 16.0.0, 15.1.0.2, 14.1.2.5 |
858229-3 | 3-Major | K22493037, BT858229 | XML with sensitive data gets to the ICAP server | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
738330-3 | 3-Major | BT738330 | /mgmt/toc endpoint issue after configuring remote authentication | 15.1.0, 15.0.1.4, 14.1.2.5, 13.1.3.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
819009-3 | 2-Critical | BT819009 | Dynamic routing daemon mribd crashes if 'mrib debug all' is enabled in high availability (HA) config with Floating Self IP configured for PIM protocol. | 15.1.0, 14.1.2.5 |
792285-2 | 2-Critical | BT792285 | TMM crashes if the queuing message to all HSL pool members fails | 15.1.0, 14.1.2.5, 13.1.3.4 |
777993-2 | 2-Critical | BT777993 | Egress traffic to a trunk is pinned to one link for TCP/UDP traffic when L4 source port and destination port are the same | 15.1.0, 14.1.2.5 |
775897-1 | 2-Critical | BT775897 | High Availability failover restarts tmipsecd when tmm connections are closed | 15.1.0, 14.1.2.5, 13.1.5 |
769169-3 | 2-Critical | BT769169 | BIG-IP system with large configuration becomes unresponsive with BIG-IQ monitoring | 15.1.0, 14.1.2.5, 14.0.0.5, 13.1.3.6 |
767689-1 | 2-Critical | BT767689 | F5optics_install using different versions of RPM★ | 15.0.0, 14.1.2.5 |
749388-3 | 2-Critical | BT749388 | 'table delete' iRule command can cause TMM to crash | 15.0.0, 14.1.2.5, 13.1.3.2, 12.1.5.2 |
748205-3 | 2-Critical | BT748205 | SSD bay identification incorrect for RAID drive replacement★ | 15.0.0, 14.1.2.5, 13.1.3, 12.1.5 |
699515-2 | 2-Critical | BT699515 | nsm cores during update of nexthop for ECMP recursive route | 15.0.0, 14.1.2.5, 13.1.1.5 |
882557-4 | 3-Major | BT882557 | TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher) | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.5, 13.1.3.4 |
873877 | 3-Major | BT873877 | Kernel page allocation failure seen on VIPRION blades★ | 14.1.2.5 |
866925-3 | 3-Major | BT866925 | The TMM pages used and available can be viewed in the F5 system stats MIB | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4 |
852001-3 | 3-Major | BT852001 | High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
849405-1 | 3-Major | BT849405 | LTM v14.1.2.1 does not log after upgrade★ | 16.0.0, 15.1.0.5, 14.1.2.5 |
842125-4 | 3-Major | BT842125 | Unable to reconnect outgoing SCTP connections that have previously aborted | 16.0.0, 15.1.0.5, 14.1.2.5, 13.1.3.4 |
812981-4 | 3-Major | BT812981 | MCPD: memory leak on standby BIG-IP device | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.1 |
810957-2 | 3-Major | BT810957 | Changing a virtual server's destination address from IPv6 to IPv4 can cause tmrouted to core | 15.1.0, 15.0.1.4, 14.1.2.5, 12.1.5.3 |
802281-1 | 3-Major | BT802281 | Gossip shows active even when devices are missing | 16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3.5 |
800185-4 | 3-Major | BT800185 | Saving a large encrypted UCS archive may fail and might trigger failover | 15.1.0, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3 |
795685-2 | 3-Major | BT795685 | Bgpd crash upon displaying BGP notify (OUT_OF_RESOURCES) info from peer | 15.1.0, 14.1.2.5 |
772117-3 | 3-Major | BT772117 | Overwriting FIPS keys from the high availability (HA) peer with older config leads to abandoned key on FIPS card | 15.1.0, 14.1.2.5 |
762073-2 | 3-Major | BT762073 | Continuous TMM restarts when HSB drops off the PCI bus | 15.1.0, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2 |
759735-2 | 3-Major | BT759735 | OSPF ASE route calculation for new external-LSA delayed | 15.1.0, 14.1.2.5, 13.1.3.2 |
759172-1 | 3-Major | BT759172 | Read Access Denied: user (gu, guest) type (Certificate Order Manager) | 15.1.0, 14.1.2.5 |
758387-2 | 3-Major | BT758387 | BIG-IP floods packet with MAC '01-80-c2-00-00-00' to VLAN instead of dropping it | 15.1.0, 15.0.1.3, 14.1.2.5, 14.0.0.5 |
751573-1 | 3-Major | BT751573 | Updates to HSL pool members may not take effect | 15.0.0, 14.1.2.5 |
749785-2 | 3-Major | BT749785 | nsm can become unresponsive when processing recursive routes | 15.0.0, 14.1.2.5, 13.1.3, 12.1.5.3 |
749690-1 | 3-Major | BT749690 | MOS_Image2Disk_Installation- kjournald service error★ | 15.0.0, 14.1.2.5 |
746861-1 | 3-Major | BT746861 | SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated★ | 16.0.0, 15.1.4, 14.1.2.5 |
641450-7 | 3-Major | K30053855, BT641450 | A transaction that deletes and recreates a virtual may result in an invalid configuration | 15.0.0, 14.1.2.5, 13.1.3.4, 12.1.5.1 |
755317-1 | 4-Minor | BT755317 | /var/log logical volume may run out of space due to agetty error message in /var/log/secure | 16.0.0, 15.1.0.2, 14.1.2.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
715032-2 | 1-Blocking | K73302459, BT715032 | iRulesLX Hardening | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3 |
860881-1 | 2-Critical | BT860881 | TMM can crash when handling a compressed response from HTTP server | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
853329-4 | 2-Critical | BT853329 | HTTP explicit proxy can crash TMM when used with classification profile | 15.0.1.3, 14.1.2.5, 13.1.3.4, 11.6.5.2 |
839401-3 | 2-Critical | BT839401 | Moving a virtual-address from one floating traffic-group to another does not send GARPs out. | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5 |
831325-2 | 2-Critical | K10701310, BT831325 | HTTP PSM detects more issues with Transfer-Encoding headers | 15.1.0, 15.0.1.1, 14.1.2.5, 13.1.3.4, 12.1.5.2 |
799649-2 | 2-Critical | BT799649 | TMM crash | 15.1.0, 14.1.2.5 |
757391-2 | 2-Critical | BT757391 | Datagroup iRule command class can lead to memory corruption | 15.0.0, 14.1.2.5, 13.1.3, 12.1.5 |
755134-1 | 2-Critical | BT755134 | HTTP/2 connections may leak memory if server-side connection not established | 15.0.0, 14.1.2.5 |
868889 | 3-Major | BT868889 | BIG-IP may reset a stream with an empty DATA frame as END_STREAM | 14.1.2.5 |
853613-2 | 3-Major | BT853613 | Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
851789-3 | 3-Major | BT851789 | SSL monitors flap with client certs with private key stored in FIPS | 16.0.0, 15.1.1, 14.1.2.5, 12.1.5.3 |
847325-1 | 3-Major | BT847325 | Changing a virtual server that uses a OneConnect profile can trigger incorrect persistence behavior. | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
843105-1 | 3-Major | BT843105 | Adding multicast stats for multicast bridging over L2 wire transparent VLAN-group (LACP STP LLDP) | 16.0.0, 14.1.2.5 |
809729-2 | 3-Major | BT809729 | When HTTP/2 stream is reset by a client, BIG-IP may not respond properly | 15.1.0, 15.0.1.1, 14.1.2.5 |
795261-2 | 3-Major | BT795261 | LTM policy does not properly evaluate condition when an operand is missing | 15.1.0, 15.0.1.1, 14.1.2.5 |
788741-2 | 3-Major | BT788741 | TMM cores in the MQTT proxy under rare conditions | 15.1.0, 14.1.2.5 |
777269-1 | 3-Major | BT777269 | Gratuitous ARP may be sent for self IPs from incorrect MAC address at startup | 15.1.0, 14.1.2.5 |
770477-2 | 3-Major | BT770477 | SSL aborted when client_hello includes both renegotiation info extension and SCSV | 15.1.0, 14.1.2.5, 13.1.3.2, 12.1.5.3 |
761030-2 | 3-Major | BT761030 | tmsh show net route lookup is not showing for IPv4-mapped IPv6 address route | 15.1.0, 14.1.2.5, 13.1.3.2 |
758631-4 | 3-Major | BT758631 | ec_point_formats extension might be included in the server hello even if not specified in the client hello | 15.1.0, 14.1.2.5, 14.0.1.1, 13.1.3.5, 12.1.5 |
757827-1 | 3-Major | BT757827 | Allow duplicate FQDN ephemeral create/delete for more reliable FQDN resolution | 15.1.0, 15.0.1.3, 14.1.2.5, 13.1.3.2 |
755997-2 | 3-Major | BT755997 | Non-IPsec listener traffic, i.e. monitoring traffic, can be translated to incorrect source address | 15.0.0, 14.1.2.5, 12.1.5.3 |
755727-2 | 3-Major | BT755727 | Ephemeral pool members not created after DNS flap and address record changes | 15.1.0, 15.0.1.3, 14.1.2.5, 13.1.3.2, 12.1.5.2 |
755213-1 | 3-Major | BT755213 | TMM cores in certain scenarios with HTTP/2 virtual server | 15.0.0, 14.1.2.5 |
751052-1 | 3-Major | BT751052 | HTTP iRule event HTTP_REJECT broken | 15.0.0, 14.1.2.5 |
746078-1 | 3-Major | BT746078 | Upgrades break existing iRulesLX workspaces that use node version 6 | 15.0.0, 14.1.2.5 |
745923-2 | 3-Major | BT745923 | Connection flow collision can cause packets to be sent with source and/or destination port 0 | 15.1.0, 15.0.1.4, 14.1.2.5, 13.1.3.5 |
743257-3 | 3-Major | BT743257 | Fix block size insecurity init and assign | 15.0.0, 14.1.2.5, 14.0.0.5, 13.1.3.2 |
705112-4 | 3-Major | BT705112 | DHCP server flows are not re-established after expiration | 16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3, 12.1.4.1, 11.5.9 |
636842-2 | 3-Major | K51472519, BT636842 | A FastL4 virtual server may drop a FIN packet when mirroring is enabled | 15.1.0, 14.1.2.5, 13.1.3.2, 12.1.5.1 |
601189-4 | 3-Major | BT601189 | The BIG-IP system might send TCP packets out of order in fastl4 in syncookie mode | 15.1.0, 14.1.2.5, 13.1.3.2, 12.1.5.1 |
599567-4 | 3-Major | BT599567 | APM assumes SNAT automap, does not use SNAT pool | 15.0.0, 14.1.2.5, 14.0.1.1, 13.1.1.5, 12.1.5 |
859113-3 | 4-Minor | BT859113 | Using "reject" iRules command inside "after" may causes core | 16.0.0, 15.1.0.2, 14.1.2.5 |
852373-2 | 4-Minor | BT852373 | HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error | 16.0.0, 15.1.1, 15.0.1.4, 14.1.2.5 |
839245-1 | 4-Minor | BT839245 | IPother profile with SNAT sets egress TTL to 255 | 16.0.0, 15.1.0.2, 14.1.2.5 |
830833-2 | 4-Minor | BT830833 | HTTP PSM blocking resets should have better log messages | 15.1.0, 15.0.1.1, 14.1.2.5, 13.1.4.1 |
760683-1 | 4-Minor | BT760683 | RST from non-floating self-ip may use floating self-ip source mac-address | 15.1.0, 14.1.2.5, 13.1.3.2 |
757777-3 | 4-Minor | BT757777 | bigtcp does not issue a RST in all circumstances | 15.1.0, 14.1.2.5, 13.1.5 |
746077-4 | 4-Minor | BT746077 | If the 'giaddr' field contains a non-zero value, the 'giaddr' field must not be modified | 15.0.0, 14.1.2.5, 13.1.1.5, 12.1.5.3 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
807177-2 | 2-Critical | BT807177 | HTTPS monitoring is not caching SSL sessions correctly | 15.1.0, 14.1.2.5, 13.1.3.4 |
704198-4 | 2-Critical | K29403988, BT704198 | Replace-all-with can leave orphaned monitor_rule, monitor_rule_instance, and monitor_instance | 15.1.0, 14.1.2.5, 13.1.3.4, 12.1.5.2 |
802961-2 | 3-Major | BT802961 | The 'any-available' prober selection is not as random as in earlier versions | 15.1.0, 14.1.2.5, 13.1.3.4 |
772233-4 | 3-Major | BT772233 | IPv6 RTT metric is not set when using collection protocols DNS_DOT and DNS_REV. | 15.1.0, 15.0.1.3, 14.1.2.5, 13.1.3.2 |
754901-1 | 3-Major | BT754901 | Frequent zone update notifications may cause TMM to restart | 15.0.0, 14.1.2.5, 13.1.3 |
750213-4 | 3-Major | K25351434, BT750213 | DNS FPGA Hardware-accelerated Cache can improperly respond to DNS queries that contain EDNS OPT Records. | 15.0.0, 14.1.2.5, 13.1.3, 12.1.5 |
744280-2 | 4-Minor | BT744280 | Enabling or disabling a Distributed Application results in a small memory leak | 15.1.0, 14.1.2.5, 14.0.0.5, 13.1.3.4 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
852437-1 | 2-Critical | K25037027, BT852437 | Overly aggressive file cleanup causes failed ASU installation | 16.0.0, 15.1.0.2, 14.1.2.5 |
882377-1 | 3-Major | BT882377 | ASM Application Security Editor Role User can update/install ASU | 16.0.0, 15.1.4.1, 14.1.2.5 |
871905-1 | 3-Major | K02705117, BT871905 | Incorrect masking of parameters in event log | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.5 |
854177-3 | 3-Major | BT854177 | ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality | 16.0.0, 15.1.0.5, 14.1.2.5, 13.1.3.4, 12.1.5.1 |
850673-3 | 3-Major | BT850673 | BD sends bad ACKs to the bd_agent for configuration | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.1 |
681010-3 | 3-Major | K33572148, BT681010 | 'Referer' is not masked when 'Query String' contains sensitive parameter | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
838709-1 | 2-Critical | BT838709 | Enabling DoS stats also enables page-load-time | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4 |
828937-3 | 2-Critical | K45725467, BT828937 | Some systems can experience periodic high IO wait due to AVR data aggregation | 16.0.0, 15.1.0.5, 14.1.2.5, 13.1.3.4 |
870957-1 | 3-Major | BT870957 | "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4 |
863161-3 | 3-Major | BT863161 | Scheduled reports are sent via TLS even if configured as non encrypted | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4 |
835381-1 | 3-Major | BT835381 | HTTP custom analytics profile 'not found' when default profile is modified | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
830073-3 | 3-Major | BT830073 | AVRD may core when restarting due to data collection device connection timeout | 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4 |
817649-2 | 3-Major | BT817649 | AVR statistics for NAT cannot be shown on multi-bladed machine | 15.1.0, 15.0.1.3, 14.1.2.5 |
865053-1 | 4-Minor | BT865053 | AVRD core due to a try to load vip lookup when AVRD is down | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
863069-3 | 4-Minor | BT863069 | Avrmail timeout is too small | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
879401-3 | 2-Critical | K90423190, BT879401 | Memory corruption during APM SAML SSO | 16.0.0, 15.1.3, 14.1.2.5 |
871761-4 | 2-Critical | BT871761 | Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4 |
788593-2 | 2-Critical | K43404365, BT788593 | APM logs may contain additional data | 15.1.0, 15.0.1.3, 14.1.2.5 |
884797-2 | 3-Major | BT884797 | Portal Access: in some cases data is not delivered via WebSocket connection | 16.0.0, 15.1.0.5, 14.1.2.5 |
866685-3 | 3-Major | BT866685 | Empty HSTS headers when HSTS mode for HTTP profile is disabled | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
866161-3 | 3-Major | BT866161 | Client port reuse causes RST when the security service attempts server connection reuse. | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
852313-2 | 3-Major | BT852313 | VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
832569-2 | 3-Major | BT832569 | APM end-user connection reset | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
831781-5 | 3-Major | BT831781 | AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
798261-2 | 3-Major | BT798261 | APMD fails to create session variables if spanning is enabled on SWG transparent virtual server | 15.1.0, 15.0.1.3, 14.1.2.5, 13.1.3.2 |
771905-2 | 3-Major | BT771905 | JWT token rejected due to unknown JOSE header parameters | 15.1.0, 14.1.2.5 |
768025-4 | 3-Major | BT768025 | SAML requests/responses fail with "failed to find certificate" | 15.1.0, 15.0.1.3, 14.1.2.5, 13.1.3.2 |
749036-2 | 3-Major | BT749036 | Some tmsh list commands may fail with message 'Password could not be retrieved' when SSLO is provisioned but not APM | 15.0.0, 14.1.2.5 |
747725-3 | 3-Major | BT747725 | Kerberos Auth agent may override settings that manually made to krb5.conf | 15.0.0, 14.1.2.5, 13.1.3, 12.1.4.1 |
747624-2 | 3-Major | BT747624 | RADIUS Authentication over RSA SecureID is not working in challenge mode | 15.0.0, 14.1.2.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
811105-1 | 2-Critical | BT811105 | MRF SIP-ALG drops SIP 183 and 200 OK messages | 15.1.0, 15.0.1.4, 14.1.2.5, 13.1.3.4 |
781725-2 | 2-Critical | BT781725 | BIG-IP systems might not complete a short ICAP request with a body beyond the preview | 15.1.0, 14.1.2.5 |
882273 | 3-Major | BT882273 | MRF Diameter: memory leak during server down and reconnect attempt which leads to tmm crash and memory usage grow | 14.1.2.5, 13.1.3.4 |
876077-3 | 3-Major | BT876077 | MRF DIAMETER: stale pending retransmission entries may not be cleaned up | 16.1.0, 15.1.0.5, 15.0.1.4, 14.1.2.5 |
868381-3 | 3-Major | BT868381 | MRF DIAMETER: Retransmission queue unable to delete stale entries | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5 |
866021-3 | 3-Major | BT866021 | Diameter Mirror connection lost on the standby due to "process ingress error" | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2 |
853545-3 | 3-Major | BT853545 | MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event | 16.0.0, 15.1.0.2, 14.1.2.5 |
824149-3 | 3-Major | BT824149 | SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4 |
815877-1 | 3-Major | BT815877 | Information Elements with zero-length value are rejected by the GTP parser | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.5, 12.1.5.2, 11.6.5.3 |
811033-2 | 3-Major | BT811033 | MRF: BiDirectional pesistence does not work in reverse direction if different transport protocols are used | 15.1.0, 14.1.2.5, 13.1.3.4 |
788093 | 3-Major | BT788093 | MRF iRule command MR::restore with no argument causes tmm to crash | 14.1.2.5 |
859721-3 | 4-Minor | BT859721 | Using GENERICMESSAGE create together with reject inside periodic after may cause core | 16.0.0, 15.1.0.2, 14.1.2.5 |
836357-3 | 4-Minor | BT836357 | SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2 | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2 |
788005-2 | 4-Minor | BT788005 | Bypass MRF SIP LB restriction of conversion from reliable transport (TCP) to unreliable transport (UDP) | 15.1.0, 14.1.2.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
778869-3 | 2-Critical | K72423000, BT778869 | ACLs and other AFM features (e.g., IPI) may not function as designed | 15.1.0, 14.1.2.5, 14.0.1.1, 13.1.3.2 |
751292-1 | 2-Critical | BT751292 | mcpd core after changing parent netflow to use version9 | 15.0.0, 14.1.2.5 |
852289-2 | 3-Major | K23278332, BT852289 | DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector | 16.0.0, 15.1.1, 14.1.2.5, 13.1.3.4 |
771173-3 | 3-Major | BT771173 | FastL4 profile syn-cookie-enable attribute is not being rolled forward correctly.★ | 15.1.0, 15.0.1.3, 14.1.2.5, 13.1.3 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
857725 | 3-Major | BT857725 | Anti-Fraud/DataSafe Logging Settings page not found | 14.1.2.5 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
761199-1 | 2-Critical | BT761199 | Wr_urldbd might crash while system is in a restarting loop. | 15.0.0, 14.1.2.5 |
816529-2 | 3-Major | BT816529 | If wr_urldbd is restarted while queries are being run against Custom DB then further lookups can not be made after wr_urldbd comes back up from restart. | 15.1.0, 14.1.2.5, 12.1.5.2 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
839597-4 | 3-Major | BT839597 | Restjavad fails to start if provision.extramb has a large value | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4 |
815649-1 | 3-Major | BT815649 | Named.config entry getting overwriting on SSL Orchestrator deployment | 15.1.0, 15.0.1.3, 14.1.2.5 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
852557-1 | 2-Critical | BT852557 | Tmm core while using service chaining for SSL Orchestrator | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
759191-1 | 2-Critical | BT759191 | While using explicit or transparent http type service on SSL Orchestrator, TMM cores. | 15.0.0, 14.1.2.5 |
864329-1 | 3-Major | BT864329 | Client port reuse causes RST when the backend server-side connection is open | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
852481-1 | 3-Major | BT852481 | Failure to check virtual-server context when closing server-side connection | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
852477-1 | 3-Major | BT852477 | Tmm core when SSL Orchestrator is enabled | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
886713-3 | 4-Minor | BT886713 | Error log seen in case of SSL Orchestrator configured with http service during connection close. | 16.0.0, 15.1.0.5, 14.1.2.5 |
Cumulative fixes from BIG-IP v14.1.2.4 that are included in this release
Functional Change Fixes
None
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
867413-2 | 2-Critical | BT867413 | The allow-only-in-enterprise LAN feature on Mac OS not working after reboot | 14.1.2.4 |
653210-2 | 3-Major | BT653210 | Rare resets during the login process | 16.0.0, 14.1.2.4, 13.1.3.2 |
Cumulative fixes from BIG-IP v14.1.2.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
849761-1 | CVE-2019-6675 | K55655944, BT849761 | CVE-2019-6675: LDAP vulnerability | 15.1.0, 14.1.2.3 |
846365-3 | CVE-2020-5878 | K35750231, BT846365 | TMM may crash while processing IP traffic | 16.0.0, 15.1.0.2, 15.0.1.2, 14.1.2.3 |
818709-2 | CVE-2020-5858 | K36814487, BT818709 | TMSH does not follow current best practices | 15.1.0, 15.0.1.4, 14.1.2.3, 13.1.3.4, 12.1.5.1, 11.6.5.2 |
818429-4 | CVE-2020-5857 | K70275209, BT818429 | TMM may crash while processing HTTP traffic | 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.2, 12.1.5.1 |
808301-2 | CVE-2019-6678 | K04897373, BT808301 | TMM may crash while processing IP traffic | 15.1.0, 15.0.1.1, 14.1.2.3, 14.0.1.1, 13.1.3.2 |
757357-3 | CVE-2019-6676 | K92002212, BT757357 | TMM may crash while processing traffic | 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.2 |
782529-2 | CVE-2019-6685 | K30215839, BT782529 | iRules does not follow current design best practices | 15.1.0, 15.0.1.3, 14.1.2.3, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.2 |
761144-4 | CVE-2019-6684 | K95117754, BT761144 | Broadcast frames may be dropped | 15.1.0, 15.0.1.3, 14.1.2.3, 13.1.3.2, 12.1.5.1, 11.6.5.2 |
761112-3 | CVE-2019-6683 | K76328112, BT761112 | TMM may consume excessive resources when processing FastL4 traffic | 15.1.0, 15.0.1.4, 14.1.2.3, 14.0.1.1, 13.1.3.4, 12.1.5.1, 11.6.5.2 |
725551-2 | CVE-2019-6682 | K40452417, BT725551 | ASM may consume excessive resources | 15.1.0, 15.0.1.4, 14.1.2.3, 13.1.3.2, 12.1.5.1, 11.6.5.2 |
846157-3 | CVE-2020-5862 | K01054113, BT846157 | TMM may crash while processing traffic on AWS | 16.0.0, 15.1.0.2, 15.0.1.2, 14.1.2.3 |
817917-1 | CVE-2020-5856 | K00025388, BT817917 | TMM may crash when sending TCP packets | 15.1.0, 15.0.1.2, 14.1.2.3 |
789893-2 | CVE-2019-6679 | K54336216, BT789893 | SCP file transfer hardening | 15.1.0, 15.0.1.1, 14.1.2.3, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.1 |
749324-1 | CVE-2012-6708 | K62532311, BT749324 | jQuery Vulnerability: CVE-2012-6708 | 15.0.0, 14.1.2.3, 13.1.3.2, 12.1.5.2 |
738236-7 | CVE-2019-6688 | K25607522, BT738236 | UCS does not follow current best practices | 15.1.0, 15.0.1.3, 14.1.2.3, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
819397-1 | 1-Blocking | K50375550, BT819397 | TMM does not enforce RFC compliance when processing HTTP traffic | 15.0.1.1, 14.1.2.3, 13.1.3.4, 12.1.5.1 |
769193-5 | 3-Major | BT769193 | Added support for faster congestion window increase in slow-start for stretch ACKs | 15.1.0, 15.0.1.3, 14.1.2.3, 13.1.3.2, 12.1.5.1 |
760234-1 | 4-Minor | BT760234 | Configuring Advanced shell for Resource Administrator User has no effect | 15.1.0, 15.0.1.4, 14.1.2.3, 12.1.5.3 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
806093-1 | 2-Critical | BT806093 | Unwanted LDAP referrals slow or prevent administrative login | 15.1.0, 15.0.1.1, 14.1.2.3 |
789169-2 | 2-Critical | BT789169 | Unable to create virtual servers with port-lists from the GUI★ | 15.1.0, 15.0.1.4, 14.1.2.3 |
780817-5 | 2-Critical | BT780817 | TMM can crash on certain vCMP hosts after modifications to VLANs and guests. | 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.4, 12.1.5.3 |
762385 | 2-Critical | BT762385 | Wrong remote-role assigned using LDAP authentication after upgrade to 14.1.x and later★ | 15.1.0, 14.1.2.3 |
762205-2 | 2-Critical | BT762205 | IKEv2 rekey fails to recognize VENDOR_ID payload when it appears | 15.1.0, 15.0.1.4, 14.1.2.3, 13.1.3.4 |
809205 | 3-Major | CVE-2019-3855: libssh2 Vulnerability | 16.0.1.2, 15.1.3, 15.0.1.1, 14.1.2.3, 13.1.3.2, 12.1.5.1 | |
794501-2 | 3-Major | BT794501 | Duplicate if_indexes and OIDs between interfaces and tunnels | 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.2, 12.1.5.3 |
785741-1 | 3-Major | K19131357, BT785741 | Unable to login using LDAP with 'user-template' configuration | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.3 |
778125-1 | 3-Major | BT778125 | LDAP remote authentication passwords are limited to fewer than 64 bytes | 15.1.0, 15.0.1.4, 14.1.2.3 |
760439-4 | 3-Major | BT760439 | After installing a UCS that was taken in forced-offline state, the unit may release forced-offline status | 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.4, 12.1.5.3 |
760259-3 | 3-Major | BT760259 | Qkview silently fails to capture qkviews from other blades | 15.1.0, 14.1.2.3 |
759654-1 | 3-Major | BT759654 | LDAP remote authentication with remote roles and user-template failing | 15.1.0, 15.0.1.4, 14.1.2.3 |
759499-2 | 3-Major | BT759499 | Upgrade from version 12.1.x to version 13.1.x and later failing with error★ | 15.1.0, 15.0.1.1, 14.1.2.3 |
758781-3 | 3-Major | BT758781 | iControl SOAP get_certificate_list commands take a long time to complete when there are a large number of certificates | 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.2 |
758527-2 | 3-Major | K39604784, BT758527 | BIG-IP system forwards BPDUs with 802.1Q header when in STP pass-through mode | 15.1.0, 15.0.1.3, 14.1.2.3, 14.0.0.5, 13.1.3.2, 12.1.5, 11.6.5.1 |
757519-1 | 3-Major | K92525101, BT757519 | Unable to logon using LDAP authentication with a user-template | 15.1.0, 15.0.1.4, 14.1.2.3 |
756450-1 | 3-Major | BT756450 | Traffic using route entry that's more specific than existing blackhole route can cause core | 15.0.0, 14.1.2.3, 13.1.3, 12.1.5, 11.6.5.1 |
754691-1 | 3-Major | BT754691 | During failover, an OSPF routing daemon may crash. | 15.1.0, 15.0.1.4, 14.1.2.3 |
750318-3 | 3-Major | BT750318 | HTTPS monitor does not appear to be using cert from server-ssl profile | 15.0.0, 14.1.2.3, 13.1.1.5 |
746266-3 | 3-Major | BT746266 | A vCMP guest VLAN MAC mismatch across blades. | 15.0.0, 14.1.2.3, 13.1.3, 12.1.5 |
738943-3 | 3-Major | BT738943 | imish command hangs when ospfd is enabled | 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.4, 12.1.5.3 |
705037-7 | 3-Major | K32332000, BT705037 | System may exhibit duplicate if_index, which in some cases lead to nsm daemon restart | 14.1.2.3, 14.1.0, 14.0.1.1, 13.1.3, 12.1.4 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
816273-2 | 1-Blocking | BT816273 | L7 Policies may execute CONTAINS operands incorrectly. | 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.4 |
826601-5 | 2-Critical | BT826601 | Prevent receive window shrinkage for looped flows that use a SYN cookie | 15.1.0, 15.0.1.3, 14.1.2.3, 13.1.3.4, 12.1.5.1, 11.6.5.2 |
817417-1 | 2-Critical | BT817417 | Blade software installation stalled at Waiting for product image★ | 15.1.0, 15.0.1.4, 14.1.2.3 |
816625-1 | 2-Critical | BT816625 | The TMM may crash in a rare scenario involving HTTP unchunking, and plugins. | 15.1.0, 15.0.1.1, 14.1.2.3 |
800369-2 | 2-Critical | BT800369 | The fix for ID 770797 may cause a TMM crash | 15.1.0, 15.0.1.1, 14.1.2.3 |
800305-2 | 2-Critical | BT800305 | VDI::cmp_redirect generates flow with random client port | 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.2 |
791057-1 | 2-Critical | BT791057 | MCP may crash when traffic matching criteria is updated | 15.1.0, 15.0.1.3, 14.1.2.3 |
770797-1 | 2-Critical | BT770797 | HTTP2 streams may get stuck in rare situations | 15.0.0, 14.1.2.3 |
836661 | 3-Major | BT836661 | Incorrect source MAC used when the BIG-IP system in L2 transparent mode generates a TCP RST packet. | 16.0.0, 15.1.0.2, 14.1.2.3 |
834373-3 | 3-Major | BT834373 | Possible handshake failure with TLS 1.3 early data | 16.0.0, 15.0.1.1, 14.1.2.3 |
830797-2 | 3-Major | BT830797 | Standby high availability (HA) device passes traffic through virtual wire | 16.0.0, 15.1.1, 15.0.1.1, 14.1.2.3 |
815449-2 | 3-Major | BT815449 | BIG-IP closes connection when an unsized response is served to a HEAD request | 15.1.0, 15.0.1.1, 14.1.2.3 |
814761-2 | 3-Major | BT814761 | PostgreSQL monitor fails on second ping with count != 1 | 15.1.0, 15.0.1.3, 14.1.2.3, 13.1.3.6, 12.1.5.3 |
797977-1 | 3-Major | BT797977 | Self-IP traffic does not preserve the TTL from the Linux host | 15.1.0, 15.0.1.4, 14.1.2.3 |
789365-1 | 3-Major | BT789365 | pkcs11d CPU usage increases after running nethsm self validation test | 14.1.2.3 |
772545-3 | 3-Major | BT772545 | Tmm core in SSLO environment | 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.6 |
765517-1 | 3-Major | BT765517 | Traffic Match Criteria validation fails when create Virtual server with address list with overlapping address space but a different ingress VLAN | 15.1.0, 15.0.1.4, 14.1.2.3 |
761185-2 | 3-Major | K50375550, BT761185 | Specifically crafted requests may lead the BIG-IP system to pass malformed HTTP traffic | 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.4, 12.1.5.1 |
760771-1 | 3-Major | BT760771 | FastL4-steered traffic might cause SSL resume handshake delay | 15.0.0, 14.1.2.3, 13.1.3 |
758992-2 | 3-Major | BT758992 | The BIG-IP may use the traffic-group MAC address rather than a per-VLAN MAC address | 15.1.0, 15.0.1.3, 14.1.2.3, 13.1.3.2 |
758872-3 | 3-Major | BT758872 | TMM memory leak | 15.0.0, 14.1.2.3, 13.1.3.4, 12.1.5 |
758655-1 | 3-Major | BT758655 | TMC does not allow inline addresses with non-zero Route-domain. | 15.1.0, 14.1.2.3 |
753514-3 | 3-Major | BT753514 | Large configurations containing LTM Policies load slowly | 15.0.0, 14.1.2.3, 14.0.1.1, 13.1.3 |
749689-2 | 3-Major | BT749689 | HTTPS monitor sends different number of cipher suites in client hello after config load and bigd restart | 15.0.0, 14.1.2.3, 13.1.1.5 |
726176-2 | 3-Major | BT726176 | Platforms using RSS hash reuse source port too rapidly when the FastL4 virtual server is set to source-port preserve | 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.2 |
712919-2 | 3-Major | K54802336, BT712919 | Removing an iRule from a Virtual Server may prevent executing other iRules on the same Virtual Server. | 15.0.0, 14.1.2.3, 14.0.1.1, 13.1.3 |
687887-3 | 3-Major | BT687887 | Unexpected result from multiple changes to a monitor-related object in a single transaction | 15.0.0, 14.1.2.3, 13.1.3.2, 12.1.5.3 |
824365-3 | 4-Minor | BT824365 | Need informative messages for HTTP iRule runtime validation errors | 16.0.0, 15.1.0.2, 15.0.1.1, 14.1.2.3, 13.1.3.6 |
806085-2 | 4-Minor | BT806085 | In-TMM MQTT monitor is not working as expected | 15.1.0, 15.0.1.1, 14.1.2.3 |
791337-1 | 4-Minor | BT791337 | Traffic matching criteria fails when using shared port-list with virtual servers | 15.1.0, 14.1.2.3 |
769309-2 | 4-Minor | BT769309 | DB monitor reconnects to server on every probe when count = 0 | 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.2, 12.1.5.3 |
754003-3 | 4-Minor | K73202036, BT754003 | Configuring SSL Forward Proxy and an OCSP stapling profile may allow a connection to a website with a revoked certificate | 15.1.0, 15.0.1.3, 14.1.2.3, 13.1.3.2 |
747628-1 | 4-Minor | BT747628 | BIG-IP sends spurious ICMP PMTU message to server | 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.2 |
744210-2 | 4-Minor | BT744210 | DHCPv6 does not have the ability to override the hop limit from the client. | 15.0.0, 14.1.2.3, 13.1.3.2 |
Performance Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
776133-1 | 2-Critical | BT776133 | RSS hash is not used on VE resulting in performance impact on non-SR-IOV devices | 15.0.0, 14.1.2.3 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
761032-2 | 3-Major | K36328238, BT761032 | TMSH displays TSIG keys | 15.1.0, 14.1.2.3, 14.0.1.1, 13.1.3.2 |
760471-3 | 3-Major | BT760471 | GTM iQuery connections may be reset during SSL key renegotiation. | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.3, 13.1.3.5, 12.1.5.2 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
813945-3 | 2-Critical | BT813945 | PB core dump while processing many entities | 15.1.0, 14.1.2.3, 13.1.3.2 |
813389-1 | 2-Critical | BT813389 | TMM Crashes upon failure in Bot Defense Client-Side code | 15.1.0, 14.1.2.3 |
791669 | 2-Critical | BT791669 | TMM might crash when Bot Defense is configured for multiple domains | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.2.3 |
790349-2 | 2-Critical | BT790349 | merged crash with a core file | 15.1.0, 14.1.2.3 |
756108-1 | 2-Critical | BT756108 | BD crash on specific cases | 15.0.0, 14.1.2.3 |
754109-1 | 2-Critical | BT754109 | ASM/Bot-Defense/DoSL7 content-security-policy header modification violates Content Security Policy directive | 15.0.0, 14.1.2.3, 13.1.3.4 |
832857 | 3-Major | BT832857 | Support ID on AJAX CAPTCHA popup (SPA) does not match the Support ID in log | 14.1.2.3 |
832205 | 3-Major | BT832205 | ASU cannot be completed after Signature Systems database corruption following binary Policy import | 14.1.2.3, 12.1.5.1 |
831661-2 | 3-Major | BT831661 | ASMConfig Handler undergoes frequent restarts | 15.1.0, 14.1.2.3, 12.1.5.1 |
824101-1 | 3-Major | BT824101 | Request Log export file is not visible for requests including binary data | 15.1.0, 14.1.2.3 |
824037-2 | 3-Major | BT824037 | Bot Defense whitelists do not apply for IP 'Any' when using route domains | 15.1.0, 14.1.2.3 |
812341-2 | 3-Major | BT812341 | Patch or Delete commands take a long time to complete when modifying an ASM signature set. | 15.1.0, 14.1.2.3, 13.1.3.2 |
805353-1 | 3-Major | BT805353 | ASM reporting for WebSocket frames has empty username field | 15.1.0, 14.1.2.3 |
800453-3 | 3-Major | K72252057, BT800453 | False positive virus violations | 15.1.0, 15.0.1.3, 14.1.2.3, 13.1.3.2 |
793017-1 | 3-Major | BT793017 | Files left behind by failed Attack Signature updates are not cleaned | 16.0.0, 15.1.0.2, 14.1.2.3 |
786913-2 | 3-Major | BT786913 | Upgrade failure from 13.0.x or earlier when using LTM Policies with DOSL7 | 15.1.0, 14.1.2.3 |
783513-2 | 3-Major | BT783513 | ASU is very slow on device with hundreds of policies due to logging profile handling | 15.1.0, 14.1.2.3, 13.1.3.2 |
781021-2 | 3-Major | BT781021 | ASM modifies cookie header causing it to be non-compliant with RFC6265 | 15.1.0, 14.1.2.3 |
778681-2 | 3-Major | BT778681 | Factory-included Bot Signature update file cannot be installed without subscription★ | 15.1.0, 15.0.1.1, 14.1.2.3 |
754841-1 | 3-Major | BT754841 | Policy updates stall and never complete | 15.0.0, 14.1.2.3 |
754425-1 | 3-Major | BT754425 | Exported requests cannot be opened in Internet Explorer or Edge browser | 15.0.0, 14.1.2.3 |
739618-2 | 3-Major | BT739618 | When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy | 15.1.0.2, 14.1.2.3, 14.1.0, 13.1.3.2 |
734228 | 3-Major | BT734228 | False-positive illegal-length violation can appear | 14.1.2.3, 14.0.1.1, 13.1.1.4 |
795769-3 | 4-Minor | BT795769 | Incorrect value of Systems in system-supplied signature sets | 15.1.0, 15.0.1.1, 14.1.2.3 |
789817-1 | 4-Minor | BT789817 | In rare conditions info fly-out not shown | 15.1.0, 15.0.1.4, 14.1.2.3 |
760462-1 | 4-Minor | BT760462 | Live update notification is shown only for provisioned/licensed modules | 15.1.0, 14.1.2.3 |
758459-1 | 4-Minor | BT758459 | Cross origin AJAX requests are blocked Cross-Origin Resource Sharing (CORS) protection | 15.0.0, 14.1.2.3 |
620301-1 | 4-Minor | BT620301 | Policy import fails due to missing signature System in associated Signature Set | 15.0.0, 14.1.2.3, 12.1.5.1 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
781581-3 | 3-Major | BT781581 | Monpd uses excessive memory on requests for network_log data | 15.1.0, 15.0.1.3, 14.1.2.3, 13.1.3.2 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
757782-1 | 2-Critical | BT757782 | OAuth Authorization Server returns an invalid 'sub' claim in JWT access token when 'subject' field is configured to be a session variable other than the default | 15.0.0, 14.1.2.3, 14.0.1.1 |
825805-1 | 3-Major | BT825805 | NTLM Auth may fail due to incorrect handling of EPM response★ | 15.1.0, 15.0.1.3, 14.1.2.3 |
766577-2 | 3-Major | BT766577 | APMD fails to send response to client and it already closed connection. | 15.1.0, 15.0.1.1, 14.1.2.3, 14.0.1.1, 13.1.3.2, 12.1.5 |
756363-1 | 3-Major | BT756363 | SSLO or SWG connections using proxy chaining to Explicit Proxy can get reset | 15.0.0, 14.1.2.3 |
741222-2 | 3-Major | BT741222 | Install epsec1.0.0 into software partition.★ | 15.1.0, 15.0.1.3, 14.1.2.3 |
643935-4 | 3-Major | BT643935 | Rewriting may cause an infinite loop while processing some objects | 15.0.0, 14.1.2.3, 14.0.1.1, 13.1.3.2 |
WebAccelerator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
833213-3 | 3-Major | BT833213 | Conditional requests are served incorrectly with AAM policy in webacceleration profile | 15.1.3, 15.0.1.3, 14.1.2.3, 13.1.3.4 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
802865-1 | 3-Major | BT802865 | The iControl REST query request returning empty list for DoS Protected Objects | 15.1.0, 14.1.2.3 |
761345-3 | 3-Major | BT761345 | Additional config-sync may be required after blob compilation on a HA setup in manual config-sync mode | 15.1.0, 14.1.2.3, 13.1.3.2 |
738284-2 | 3-Major | BT738284 | Creating or deleting rule list results in warning message: Schema object encode failed | 15.1.0, 15.0.1.1, 14.1.2.3, 13.1.3.2 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
821133-2 | 3-Major | BT821133 | Wrong wildcard URL matching when none of the configured URLS include QS | 15.1.0, 15.0.1.1, 14.1.2.3, 14.0.1.1 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
748813-3 | 2-Critical | BT748813 | tmm cores under stress test on virtual server with DoS profile with admd enabled | 15.0.0, 14.1.2.3, 14.0.0.5, 13.1.1.4 |
767045-2 | 3-Major | BT767045 | TMM cores while applying policy | 15.1.0, 14.1.2.3, 13.1.3.2 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
787845 | 4-Minor | BT787845 | Tmsh command 'show running-config' fails when Protocol Inspection is not licensed. | 14.1.2.3 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
777241-2 | 3-Major | BT777241 | smtps partial_conncount issues and unexpected resets | 15.1.0, 14.1.2.3 |
Cumulative fixes from BIG-IP v14.1.2.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
741163-3 | CVE-2018-3693 | K54252492, BT741163 | RHEL7: Kernel CVE-2018-3693 | 15.0.0, 14.1.2.2 |
740755-6 | CVE-2018-3620 | K95275140, BT740755 | Kernel vulnerability: CVE-2018-3620 | 15.0.0, 14.1.2.2 |
721319-1 | CVE-2018-3639 | K29146534, BT721319 | CVE-2018-3639 | 15.0.0, 14.1.2.2 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
815689-3 | 3-Major | BT815689 | Azure walinuxagent has been updated to v2.2.42. | 14.1.2.2 |
760574 | 3-Major | BT760574 | Updating BIG-IP 14.1.x Linux kernel to RHEL7.5 | 14.1.2.2 |
760468 | 3-Major | BT760468 | Route domains cause diskmonitor errors in logs | 14.1.2.2 |
Cumulative fixes from BIG-IP v14.1.2.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
795437-4 | CVE-2019-6677 | K06747393, BT795437 | Improve handling of TCP traffic for iRules | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1 |
795197-1 | CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 | K26618426, BT795197 | Linux Kernel Vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.1 |
781377-2 | CVE-2019-6681 | K93417064, BT781377 | tmrouted may crash while processing Multicast Forwarding Cache messages | 15.1.0, 15.0.1.4, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1 |
778077-3 | CVE-2019-6680 | K53183580, BT778077 | Virtual to virtual chain can cause TMM to crash | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.4, 12.1.5.1, 11.6.5.1 |
771873-5 | CVE-2019-6642 | K40378764, BT771873 | TMSH Hardening | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3, 12.1.5, 11.6.5.1 |
767653-1 | CVE-2019-6660 | K23860356, BT767653 | Malformed HTTP request can result in endless loop in an iRule script | 15.0.0, 14.1.2.1, 14.0.1.1, 13.1.3 |
636400-3 | CVE-2019-6665 | K26462555, BT636400 | CPB (BIG-IP->BIGIQ log node) Hardening | 15.1.0.2, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2 |
810657-2 | CVE-2019-6674 | K21135478, BT810657 | Tmm core while using service chaining for SSLO | 15.1.0, 15.0.1.1, 14.1.2.1 |
809165-2 | CVE-2020-5854 | K50046200, BT809165 | TMM may crash will processing connector traffic | 15.1.0, 15.0.1.4, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.2 |
808525-2 | CVE-2019-6686 | K55812535, BT808525 | TMM may crash while processing Diameter traffic | 15.1.0, 15.0.1.4, 14.1.2.1, 14.0.1.1, 13.1.3.2 |
795797-2 | CVE-2019-6658 | K21121741, BT795797 | AFM WebUI Hardening | 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2, 12.1.5.1 |
788773-2 | CVE-2019-9515 | K50233772, BT788773 | HTTP/2 Vulnerability: CVE-2019-9515 | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.1 |
788769-2 | CVE-2019-9514 | K01988340, BT788769 | HTTP/2 Vulnerability: CVE-2019-9514 | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.1 |
788033 | CVE-2020-5851 | K91171450, BT788033 | tpm-status may return "Invalid" after engineering hotfix installation | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1 |
781449-2 | CVE-2019-6672 | K14703097, BT781449 | Increase efficiency of sPVA DoS protection on wildcard virtual servers | 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2 |
777737-3 | CVE-2019-6671 | K39225055, BT777737 | TMM may consume excessive resources when processing IP traffic | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2 |
773673-2 | CVE-2019-9512 | K98053339, BT773673 | HTTP/2 Vulnerability: CVE-2019-9512 | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.1 |
768981-2 | CVE-2019-6670 | K05765031, BT768981 | VCMP Hypervisor Hardening | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.1 |
761160-2 | CVE-2019-1559 | K18549143, BT761160 | OpenSSL vulnerability: CVE-2019-1559 | 15.1.0, 15.0.1.1, 14.1.2.1 |
761014-2 | CVE-2019-6669 | K11447758, BT761014 | TMM may crash while processing local traffic | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1 |
758018-5 | CVE-2019-6661 | K61705126, BT758018 | APD/APMD may consume excessive resources | 15.1.0, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5, 11.6.5.1 |
756458-3 | CVE-2018-18559 | K28241423, BT756458 | Linux kernel vulnerability: CVE-2018-18559 | 15.1.0, 15.0.1.4, 14.1.2.1, 13.1.3.4 |
756218-1 | CVE-2019-6654 | K45644893, BT756218 | Improve default management port firewall | 15.0.0, 14.1.2.1 |
751152-1 | CVE-2018-5407 | K49711130, BT751152 | OpenSSL Vulnerability: CVE-2018-5407 | 15.0.0, 14.1.2.1 |
751143-1 | CVE-2018-5407 | K49711130, BT751143 | OpenSSL Vulnerability: CVE-2018-5407 | 15.0.0, 14.1.2.1 |
745103-6 | CVE-2018-7159 | K27228191, BT745103 | NodeJS Vulnerability: CVE-2018-7159 | 15.1.0, 15.0.1.3, 14.1.2.1, 13.1.3.4 |
798249-2 | CVE-2019-6673 | K81557381, BT798249 | TMM may crash while processing HTTP/2 requests | 15.1.0, 15.0.1.1, 14.1.2.1 |
779177-2 | CVE-2019-19150 | K37890841, BT779177 | Apmd logs "client-session-id" when access-policy debug log level is enabled | 15.1.0, 15.0.1.3, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.2 |
759536-2 | CVE-2019-8912 | K31739796, BT759536 | Linux kernel vulnerability: CVE-2019-8912 | 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.4 |
757617-1 | CVE-2018-16864 CVE-2018-16865 |
K06044762, BT757617 | Systemd vulnerabilities: CVE-2018-16864, CVE-2018-16865 | 15.1.0, 15.0.1.4, 14.1.2.1 |
747592-1 | CVE-2018-17082 | K89095152, BT747592 | PHP vulnerability CVE-2018-17082 | 15.0.0, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5, 11.6.5.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
759135-2 | 3-Major | BT759135 | AVR report limits are locked at 1000 transactions | 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2 |
714292-3 | 3-Major | BT714292 | Transparent forwarding mode across multiple VLAN groups or virtual-wire | 14.1.2.1 |
788269-3 | 4-Minor | BT788269 | Adding toggle to disable AVR widgets on device-groups | 15.1.0, 15.0.1.3, 14.1.2.1, 14.0.1.1, 13.1.3.2 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
793045-2 | 2-Critical | BT793045 | File descriptor leak in net-snmpd while reading /shared/db/cluster.conf | 15.1.0, 15.0.1.1, 14.1.2.1 |
770953 | 2-Critical | BT770953 | 'smbclient' executable does not work | 15.1.0, 14.1.2.1 |
767877-3 | 2-Critical | BT767877 | TMM core with Bandwidth Control on flows egressing on a VLAN group | 15.1.0, 15.0.1.1, 14.1.2.1 |
765533-2 | 2-Critical | K58243048, BT765533 | Sensitive information logged when DEBUG logging enabled | 15.0.0, 14.1.2.1, 13.1.3.2, 12.1.5.1, 11.6.5.2 |
760475-1 | 2-Critical | BT760475 | Apache spawns more processes than the configured limit, causing system low memory condition | 15.0.0, 14.1.2.1 |
755575-1 | 2-Critical | BT755575 | In MOS, the 'image2disk' utility with the '-format' option does not function properly | 15.0.0, 14.1.2.1 |
726240-1 | 2-Critical | BT726240 | 'Cannot find disk information' message when running Configuration Utility★ | 15.1.0, 14.1.2.1 |
788557-5 | 3-Major | BT788557 | BGP and BFD sessions are reset in GRST timeout period if bgpd daemon is restarted prior | 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2, 11.6.5.2 |
788301-5 | 3-Major | K58243048, BT788301 | SNMPv3 Hardening | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5, 11.6.5.1 |
777261-4 | 3-Major | BT777261 | When SNMP cannot locate a file it logs messages repeatedly | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5, 11.6.5.1 |
766873 | 3-Major | BT766873 | Omission of lower-layer types from sFlow packet samples | 15.0.0, 14.1.2.1 |
761993-2 | 3-Major | BT761993 | The nsm process may crash if it detects a nexthop mismatch | 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2 |
761933-1 | 3-Major | BT761933 | Reboot with 'tmsh reboot' does not log message in /var/log/audit | 15.0.0, 14.1.2.1 |
760998-1 | 3-Major | BT760998 | F5.ip_forwarding iAPP fails to deploy | 15.0.0, 14.1.2.1 |
759814-1 | 3-Major | BT759814 | Unable to view iApp component view★ | 15.0.0, 14.1.2.1 |
758119-6 | 3-Major | K58243048, BT758119 | qkview may contain sensitive information | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5, 11.6.5.1 |
724109-2 | 3-Major | BT724109 | Manual config-sync fails after pool with FQDN pool members is deleted | 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2, 12.1.5.3 |
680917-5 | 3-Major | BT680917 | Invalid monitor rule instance identifier | 15.0.0, 14.1.2.1, 13.1.3.2, 12.1.5.3 |
648621-6 | 3-Major | BT648621 | SCTP: Multihome connections may not expire | 15.1.0, 15.0.1.4, 14.1.2.1, 13.1.3.4, 12.1.5.2, 11.6.5.3 |
776073-1 | 4-Minor | BT776073 | OOM killer killing tmm in system low memory condition as process OOM score is high | 15.1.0, 15.0.1.1, 14.1.2.1 |
760680-1 | 4-Minor | K36350541, BT760680 | TMSH may utilize 100% CPU (single core's worth) when set to be a process group leader and SSH session is closed. | 15.1.0, 15.0.1.1, 14.1.2.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
759968-3 | 1-Blocking | BT759968 | Distinct vCMP guests are able to cluster with each other. | 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3, 12.1.5 |
803845-2 | 2-Critical | BT803845 | When in HA, the Standby device is forwarding traffic causing a loop and subsequent network shutdown | 15.1.0, 14.1.2.1 |
787825-2 | 2-Critical | K58243048, BT787825 | Database monitors debug logs have sensitive information printed in the log file | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.1 |
774913-1 | 2-Critical | BT774913 | IP-based bypass can fail if SSL ClientHello is not accepted | 15.1.0, 15.0.1.3, 14.1.2.1 |
760078-1 | 2-Critical | BT760078 | Incorrect source MAC used when the BIG-IP in L2 transparent mode generates a TCP RST packet. | 15.0.0, 14.1.2.1 |
758714-1 | 2-Critical | BT758714 | Virtual wire on a BIG-IP does not pass traffic when configured over two terminating link aggregation/trunk ports. | 15.0.0, 14.1.2.1 |
757578-2 | 2-Critical | BT757578 | RAM cache is not compatible with verify-accept | 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.4, 12.1.5.2 |
757441-4 | 2-Critical | BT757441 | Specific sequence of packets causes Fast Open to be effectively disabled | 15.0.0, 14.1.2.1, 14.0.1.1, 13.1.3 |
755585-1 | 2-Critical | BT755585 | mcpd can restart on secondary blades if a policy is created, published, and attached to a virtual server in a single transaction | 15.0.0, 14.1.2.1, 13.1.3 |
747858-2 | 2-Critical | BT747858 | OSPF packets are duplicated in the BIG-IP in L2 transparent mode using virtual wires | 15.0.0, 14.1.2.1 |
746710-1 | 2-Critical | BT746710 | Use of HTTP::cookie after HTTP:disable causes TMM core | 15.0.0, 14.1.2.1, 13.1.3 |
737985-2 | 2-Critical | BT737985 | BIG-IP systems cannot be deployed in an L2 transparent mode with VLAN groups in Standard Proxy mode. | 15.0.0, 14.1.2.1 |
734551-3 | 2-Critical | BT734551 | L2 transparent VLAN group based deployments require configuration of a transparent next hop per virtual server | 15.0.0, 14.1.2.1 |
801497-2 | 3-Major | BT801497 | Virtual wire with LACP pinning to one link in trunk. | 16.0.0, 15.1.1, 14.1.2.1 |
798105-1 | 3-Major | BT798105 | Node Connection Limit Not Honored | 15.1.0, 15.0.1.4, 14.1.2.1 |
794581 | 3-Major | BT794581 | Transfer might stall for an object served from WAM cache | 14.1.2.1 |
788325-2 | 3-Major | K39794285, BT788325 | Header continuation rule is applied to request/response line | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5.1, 11.6.5.1 |
787433-3 | 3-Major | BT787433 | SSL forward proxy: OCSP signer certificate isn't refreshed or regenerated when forward proxy CA key/cert is changed | 15.1.0, 14.1.2.1 |
784713-3 | 3-Major | BT784713 | When SSL forward proxy is enabled, AKID extension of the OCSP signer certificate on the clientside is not correct | 15.1.0, 14.1.2.1 |
773821-1 | 3-Major | BT773821 | Certain plaintext traffic may cause SSLO to hang | 15.1.0, 15.0.1.3, 14.1.2.1 |
773421-1 | 3-Major | BT773421 | Server-side packets dropped with ICMP fragmentation needed when a OneConnect profile is applied | 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2, 12.1.5.1 |
769801-1 | 3-Major | BT769801 | Internal tmm UDP filter does not set checksum | 15.1.0, 15.0.1.3, 15.0.1.1, 14.1.2.1 |
761385-1 | 3-Major | BT761385 | Without a virtual server, responses from server to client are dropped in a BIG-IP system when the latter is deployed in L2 transparent mode using virtual wire. | 15.0.0, 14.1.2.1 |
761381-1 | 3-Major | BT761381 | Incorrect MAC Address observed in L2 asymmetric virtual wire | 15.0.0, 14.1.2.1 |
754525-1 | 3-Major | BT754525 | Disabled virtual server accepts and serves traffic after restart | 15.1.0, 15.0.1.1, 14.1.2.1 |
748891-2 | 3-Major | BT748891 | Traffic bridged between VLANs in virtual-wire setups may have the wrong destination MAC in packets that egress from the BIG-IP system. | 15.0.0, 14.1.2.1 |
742237-4 | 3-Major | BT742237 | CPU spikes appear wider than actual in graphs | 15.0.0, 14.1.2.1, 13.1.3.2, 12.1.5 |
719300-3 | 3-Major | BT719300 | ICMP unreachable packets are transmitted via BIG-IP systems with the BIG-IP system's MAC address as the source MAC address | 15.0.0, 14.1.2.1 |
689361-4 | 3-Major | BT689361 | Configsync can change the status of a monitored pool member | 15.0.0, 14.1.2.1, 13.1.3.2, 12.1.5.2 |
751586 | 4-Minor | BT751586 | Http2 virtual does not honour translate-address disabled | 16.0.0, 15.1.4, 14.1.2.1, 13.1.3.4, 12.1.4.1 |
747585-3 | 4-Minor | BT747585 | TCP Analytics supports ANY protocol number | 15.1.0, 14.1.2.1, 13.1.3.4, 12.1.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
783849-2 | 3-Major | BT783849 | DNSSEC Key Generations are not imported to secondary FIPS card | 15.1.0, 14.1.2.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
781637-2 | 3-Major | BT781637 | ASM brute force counts unnecessary failed logins for NTLM | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3 |
781605-3 | 3-Major | BT781605 | Fix RFC issue with the multipart parser | 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3, 12.1.6, 11.6.5.3 |
781069-2 | 3-Major | BT781069 | Bot Defense challenge blocks requests with long Referer headers | 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3 |
773553-2 | 3-Major | BT773553 | ASM JSON parser false positive. | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3, 12.1.5 |
769997-1 | 3-Major | BT769997 | ASM removes double quotation characters on cookies | 15.1.0, 15.0.1.1, 14.1.2.1 |
769981-2 | 3-Major | BT769981 | bd crashes in a specific scenario | 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3 |
764373-3 | 3-Major | BT764373 | 'Modified domain cookie' violation with multiple enforced domain cookies with different paths | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3 |
753711-1 | 3-Major | BT753711 | Copied policy does not retain signature staging | 15.0.0, 14.1.2.1 |
751710-4 | 3-Major | BT751710 | False positive cookie hijacking violation | 15.0.0, 14.1.2.1, 14.0.0.5, 13.1.1.5 |
746394-1 | 3-Major | BT746394 | With ASM CORS set to 'Disabled' it strips all CORS headers in response. | 15.0.0, 14.1.2.1, 14.0.1.1 |
745802-1 | 3-Major | BT745802 | Brute Force CAPTCHA response page truncates last digit in the support id | 15.0.0, 14.1.2.1, 14.0.0.5, 13.1.1.4 |
727107-4 | 3-Major | BT727107 | Request Logs are not stored locally due to shmem pipe blockage | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2, 12.1.5 |
803445-3 | 4-Minor | BT803445 | When adding several mitigation exceptions, the previously configured actions revert to the default action | 15.1.0, 15.0.1.1, 14.1.2.1 |
772473-3 | 4-Minor | BT772473 | Request reconstruct issue after challenge | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1 |
761088-1 | 4-Minor | BT761088 | Remove policy editing restriction in the GUI while auto-detect language is set | 15.1.0, 15.0.1.1, 14.1.2.1 |
695878-2 | 4-Minor | BT695878 | Signature enforcement issue on specific requests | 15.0.0, 14.1.2.1, 14.0.1.1, 13.1.3, 12.1.5, 11.5.6 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
761749-2 | 2-Critical | BT761749 | Security pages unavailable after switching RT mode on off few times | 15.0.0, 14.1.2.1 |
797785-2 | 3-Major | BT797785 | AVR reports no ASM-Anomalies data. | 15.1.0, 15.0.1.3, 14.1.2.1, 13.1.3.2 |
792265-3 | 3-Major | BT792265 | Traffic logs does not include the BIG-IQ tags | 15.1.0, 15.0.1.3, 14.1.2.1, 13.1.3.2 |
773925-2 | 3-Major | BT773925 | Sometimes MariaDB generates multiple error 24 (too many files open) for AVR DB tables files | 15.1.0, 14.1.2.1 |
765785-3 | 3-Major | BT765785 | Monpd core upon "bigstart stop monpd" while Real Time reporting is running | 15.0.0, 14.1.2.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
811145-2 | 2-Critical | BT811145 | VMware View resources with SAML SSO are not working | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2 |
797541-1 | 2-Critical | BT797541 | NTLM Auth may fail when user's information contains SIDS array | 15.1.0, 15.0.1.1, 14.1.2.1 |
784989-2 | 2-Critical | BT784989 | TMM may crash with panic message: Assertion 'cookie name exists' failed | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2 |
777173-2 | 2-Critical | BT777173 | Citrix vdi iApp fails in APM standalone deployments with "HTTP header transformation feature not licensed" error | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2 |
821369 | 3-Major | BT821369 | Incomplete Action 'Deny' does not take effect for HTTP-Connect | 14.1.2.1 |
788417-2 | 3-Major | BT788417 | Remote Desktop client on macOS may show resource auth token on credentials prompt | 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2 |
787477-2 | 3-Major | BT787477 | Export fails from partitions with '-' as second character | 15.1.0, 14.1.2.1, 13.1.3.2 |
786173-1 | 3-Major | BT786173 | UI becomes unresponsive when accessing Access active session information | 15.1.0, 15.0.1.1, 14.1.2.1 |
783817-2 | 3-Major | BT783817 | UI becomes unresponsive when accessing Access active session information | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3 |
782569-1 | 3-Major | BT782569 | SWG limited session limits on SSLO deployments | 15.1.0, 15.0.1.1, 14.1.2.1 |
775621-2 | 3-Major | BT775621 | urldb memory grows past the expected ~3.5GB | 15.1.0, 15.0.1.3, 14.1.2.1, 13.1.3 |
769853-2 | 3-Major | K24241590, BT769853 | Access Profile option to restrict connections from a single client IP is not honored for native RDP resources | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1 |
756777-1 | 3-Major | BT756777 | VDI plugin might crash on process shutdown during RDG connections handling | 15.0.0, 14.1.2.1 |
750823-1 | 3-Major | BT750823 | Potential memory leaks in TMM when Access::policy evaluate command failed to send the request to APMD | 15.0.0, 14.1.2.1, 13.1.3 |
749161-2 | 3-Major | BT749161 | Problem sync policy contains non-ASCII characters | 15.0.0, 14.1.2.1, 13.1.3 |
746768-4 | 3-Major | BT746768 | APMD leaks memory if access policy policy contains variable/resource assign policy items | 15.0.0, 14.1.2.1, 13.1.1.4, 12.1.4.1 |
697590-2 | 3-Major | BT697590 | APM iRule ACCESS::session remove fails outside of Access events | 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2 |
781445-1 | 4-Minor | BT781445 | Named or dnscached cannot bind to IPv6 address | 15.1.0, 14.1.2.1 |
759579-1 | 4-Minor | BT759579 | Full Webtop: 'URL Entry' field is available again | 15.1.0, 14.1.2.1 |
756019-1 | 4-Minor | BT756019 | OAuth JWT Issuer claim requires URI format | 15.0.0, 14.1.2.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
811745-2 | 3-Major | BT811745 | Failover between clustered DIAMETER devices can cause mirror connections to be disconnected | 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2 |
804313-2 | 3-Major | BT804313 | MRF SIP, Diameter, Generic MSG, high availability (HA) - mirrored-message-sweeper-interval not loaded. | 15.1.0, 15.0.1.2, 14.1.2.1, 13.1.3.4 |
761685-3 | 3-Major | BT761685 | Connections routed to a virtual server lose per-client connection mode if preserve-strict source port mode is set | 15.1.0, 15.0.1.4, 14.1.2.1, 14.0.1.1 |
750431-1 | 3-Major | BT750431 | Persistence record is deleted in MRF SIP after updating timeout value with the iRule 'SIP::persist timeout' | 15.0.0, 14.1.2.1 |
748253-1 | 3-Major | BT748253 | Race condition between clustered DIAMETER devices can cause the standby to disconnect its mirror connection | 15.0.0, 14.1.2.1, 13.1.3 |
786565-2 | 4-Minor | BT786565 | MRF Generic Message: unaccepted packets received by GENERIC MESSAGE filter causes subsequent messages to not be forwarded | 15.1.0, 15.0.1.1, 14.1.2.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
938149-3 | 3-Major | BT938149 | Port Block Update log message is missing the "Start time" field | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.1 |
800209-1 | 3-Major | BT800209 | The tmsh recursive list command includes DDoS GUI-specific data info | 15.1.0, 14.1.2.1 |
780837-1 | 3-Major | BT780837 | Firewall rule list configuration causes config load failure | 15.1.0, 15.0.1.4, 14.1.2.1 |
761234-2 | 3-Major | BT761234 | Changing a virtual server to use an address list should be prevented if the virtual server has a security policy with a logging profile attached | 15.1.0, 15.0.1.1, 14.1.2.1 |
760355 | 4-Minor | BT760355 | Firewall rule to block ICMP/DHCP from 'required' to 'default'★ | 16.1.4, 15.1.9, 15.0.1.1, 14.1.2.1 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
760438-3 | 3-Major | BT760438 | PEM iRule to set policy in rigorous loop may crash tmm due to rare timing conditions | 15.0.0, 14.1.2.1, 13.1.3 |
759192-3 | 3-Major | BT759192 | TMM core during display of PEM session under some specific conditions | 15.0.0, 14.1.2.1, 14.0.1.1, 13.1.3 |
756311-4 | 3-Major | BT756311 | High CPU during erroneous deletion | 15.0.0, 14.1.2.1, 14.0.1.1, 13.1.3 |
753163-4 | 3-Major | BT753163 | PEM does not initiate connection request with PCRF/OCS if failover occurs after 26 days | 15.0.0, 14.1.2.1, 13.1.3 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
804185-2 | 3-Major | BT804185 | Some WebSafe request signatures may not work as expected | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2 |
783565-2 | 3-Major | BT783565 | Upgrade support for DB variable to attach AJAX payload to vToken cookie should be consistent with config in MCP | 15.1.0, 15.0.1.1, 14.1.2.1 |
775013-2 | 3-Major | BT775013 | TIME EXCEEDED alert has insufficient data for analysis | 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
803477-2 | 3-Major | BT803477 | BaDoS State file load failure when signature protection is off | 15.1.0, 15.0.1.1, 14.1.2.1, 13.1.3.2 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
759439-1 | 2-Critical | BT759439 | Unable to attach default SSL and FTP profiles to virtual server | 15.1.0, 15.0.1.1, 14.1.2.1, 14.0.1.1 |
781313-1 | 3-Major | BT781313 | AVR dashboard displays incorrect client/server bytes-in/bytes-out stats | 15.1.0, 15.0.1.3, 14.1.2.1 |
Cumulative fixes from BIG-IP v14.1.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
773649-6 | CVE-2019-6656 | K23876153, BT773649 | APM Client Logging | 15.1.0, 15.0.1.1, 14.1.2, 14.0.0.5, 13.1.3, 12.1.5.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
771705-1 | 3-Major | BT771705 | You may not be able to log into BIG-IP Cloud Edition if FSCK fails | 15.1.0, 14.1.2 |
754875-1 | 3-Major | BT754875 | Enable FIPS 140-2 Level 1 Compliant Mode in PAYG VE images on first boot | 15.1.0, 14.1.2 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
808129-1 | 2-Critical | BT808129 | Cannot use BIG-IQ to license BIG-IP 14.1.0.3 on AWS. | 15.1.0, 15.0.1, 14.1.2 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
753485-1 | 2-Critical | K50285521, BT753485 | AVR global settings are being overridden by high availability (HA) peers | 15.1.0, 15.0.1, 15.0.0, 14.1.2, 13.1.3 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
757306-3 | 3-Major | BT757306 | SNMP MIBS for AFM NAT do not yet exist | 15.1.0, 15.0.1, 14.1.2, 13.1.3 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
794285 | 1-Blocking | K36191493, BT794285 | BIG-IQ reading AFM configuration fails with status 400 | 15.1.0, 14.1.2 |
Cumulative fixes from BIG-IP v14.1.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
807477-10 | CVE-2019-6650 | K04280042, BT807477 | ConfigSync Hardening | 15.1.0, 15.0.1, 14.1.2, 14.0.1, 13.1.3, 12.1.5, 11.6.5, 11.5.10 |
797885-2 | CVE-2019-6649 | K05123525, BT797885 | ConfigSync Hardening | 15.1.0, 15.0.1, 14.1.2, 14.0.1, 13.1.3, 12.1.5, 11.6.5, 11.5.10 |
796469-6 | CVE-2019-6649 | K05123525, BT796469 | ConfigSync Hardening | 15.1.0, 15.0.1, 14.1.2, 14.0.1, 13.1.3, 12.1.5, 11.6.5, 11.5.10 |
810557-8 | CVE-2019-6649 | K05123525, BT810557 | ASM ConfigSync Hardening | 15.1.0, 15.0.1, 14.1.2, 14.0.1, 13.1.3, 12.1.5, 11.6.5, 11.5.10 |
809377-6 | CVE-2019-6649 | K05123525 | AFM ConfigSync Hardening | 15.0.1, 14.1.2, 14.0.1, 13.1.3 |
799617-2 | CVE-2019-6649 | K05123525, BT799617 | ConfigSync Hardening | 15.1.0, 15.0.1, 14.1.2, 14.0.1, 13.1.3, 12.1.5, 11.6.5, 11.5.10 |
799589-2 | CVE-2019-6649 | K05123525, BT799589 | ConfigSync Hardening | 15.1.0, 15.0.1, 14.1.2, 14.0.1, 13.1.3, 12.1.5, 11.6.5, 11.5.10 |
794389-6 | CVE-2019-6651 | K89509323, BT794389 | iControl REST endpoint response inconsistency | 15.1.0, 15.0.1, 14.1.2, 14.0.1, 13.1.3, 12.1.5, 11.6.5 |
794413-2 | CVE-2019-6471 | K10092301, BT794413 | BIND vulnerability CVE-2019-6471 | 15.1.0, 15.0.1, 14.1.2, 14.0.1, 13.1.3, 12.1.5, 11.6.5, 11.5.10 |
793937-1 | CVE-2019-6664 | K03126093, BT793937 | Management Port Hardening | 15.1.0, 15.0.1, 14.1.2 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
744937-8 | 3-Major | K00724442, BT744937 | BIG-IP DNS and GTM DNSSEC security exposure | 15.1.0, 15.0.1, 14.1.2, 14.0.1, 13.1.3, 12.1.5, 11.6.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
798949-3 | 3-Major | BT798949 | Config-Sync fails when Config-Sync IP configured to management IP | 15.1.0, 15.0.1, 14.1.2 |
760622-3 | 3-Major | BT760622 | Allow Device Certificate renewal from BIG-IP Configuration Utility | 16.0.0, 15.1.0.5 |
760363-1 | 3-Major | BT760363 | Update Alias Address field with default placeholder text | 13.1.3.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
811333-2 | 3-Major | BT811333 | Upgrade fails when SSLv2 cipher is in the cipher list of an SSL profile★ | 15.1.0, 15.0.1, 14.1.2 |
Cumulative fixes from BIG-IP v14.1.0.6 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
769361-2 | CVE-2019-6630 | K33444350, BT769361 | TMM may crash while processing SSLO traffic | 15.0.0, 14.1.0.6, 14.0.0.5 |
767401-1 | CVE-2019-6629 | K95434410, BT767401 | TMM may crash while processing TLS traffic | 15.0.0, 14.1.0.6 |
759343-6 | CVE-2019-6668 | K49827114, BT759343 | MacOS Edge Client installer does not follow best security practices | 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 12.1.5.1, 11.6.5.1 |
758909-1 | CVE-2019-6628 | K04730051, BT758909 | TMM may crash will processing PEM traffic | 15.0.0, 14.1.0.6, 14.0.0.5 |
758065-4 | CVE-2019-6667 | K82781208, BT758065 | TMM may consume excessive resources while processing FIX traffic | 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5, 11.6.5.1 |
757084-2 | CVE-2019-6627 | K00432398, BT757084 | Bypassing SSL interception in SSL Orchestrator may crash TMM if virtual server is SNAT enabled | 15.0.0, 14.1.0.6 |
757023-2 | CVE-2018-5743 | K74009656, BT757023 | BIND vulnerability CVE-2018-5743 | 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5, 11.6.5.1 |
756538-4 | CVE-2019-6645 | K15759349, BT756538 | Failure to open data channel for active FTP connections mirrored across an high availability (HA) pair. | 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3, 12.1.5, 11.6.5.1 |
754944-1 | CVE-2019-6626 | K00432398, BT754944 | AVR reporting UI does not follow best practices | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4 |
754345-2 | CVE-2019-6625 | K79902360, BT754345 | WebUI does not follow best security practices | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.5.1 |
754103-1 | CVE-2019-6644 | K75532331, BT754103 | iRulesLX NodeJS daemon does not follow best security practices | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.4.1 |
753975-2 | CVE-2019-6666 | K92411323, BT753975 | TMM may crash while processing HTTP traffic with webacceleration profile | 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 13.1.1.5 |
753776-2 | CVE-2019-6624 | K07127032, BT753776 | TMM may consume excessive resources when processing UDP traffic | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1 |
748502-1 | CVE-2019-6623 | K72335002, BT748502 | TMM may crash when processing iSession traffic | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1 |
737731-6 | CVE-2019-6622 | K44885536, BT737731 | iControl REST input sanitization | 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.1.5, 12.1.5.1 |
737574-6 | CVE-2019-6621 | K20541896, BT737574 | iControl REST input sanitization★ | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.5, 11.6.4, 11.5.9 |
737565-6 | CVE-2019-6620 | K20445457, BT737565 | iControl REST input sanitization | 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.1.5, 12.1.5, 11.6.5.1 |
726393-2 | CVE-2019-6643 | K36228121, BT726393 | DHCPRELAY6 can lead to a tmm crash | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5, 11.6.5.1 |
726327 | CVE-2018-12120 | K37111863, BT726327 | NodeJS debugger accepts connections from any host | 15.0.0, 14.1.0.6, 13.1.1.5 |
757455-2 | CVE-2019-6647 | K87920510, BT757455 | Excessive resource consumption when processing REST requests | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5, 11.6.5.1 |
753796-1 | CVE-2019-6640 | K40443301 | SNMP does not follow best security practices | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.5.9 |
750460-1 | CVE-2019-6639 | K61002104, BT750460 | Subscriber management configuration GUI | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9 |
750298-1 | CVE-2019-6638 | K67825238, BT750298 | iControl REST may fail while processing requests | 15.0.0, 14.1.0.6, 14.0.0.5 |
750187-1 | CVE-2019-6637 | K29149494, BT750187 | ASM REST may consume excessive resources | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1 |
745533-6 | CVE-2016-5325 | K24444803, BT745533 | NodeJS Vulnerability: CVE-2016-5325 | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5 |
745371-1 | CVE-2019-6636 | K68151373, BT745371 | AFM GUI does not follow best security practices | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.5.1 |
745257-1 | CVE-2018-14634 | K20934447, BT745257 | Linux kernel vulnerability: CVE-2018-14634 | 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.1.5, 12.1.5, 11.6.4 |
742226-6 | CVE-2019-6635 | K11330536, BT742226 | TMSH platform_check utility does not follow best security practices | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9 |
710857-5 | CVE-2019-6634 | K64855220 | iControl requests may cause excessive resource usage | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1 |
702469-7 | CVE-2019-6633 | K73522927, BT702469 | Appliance mode hardening in scp | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.5, 11.6.5.1 |
673842-6 | CVE-2019-6632 | K01413496, BT673842 | VCMP does not follow best security practices | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1 |
773653-6 | CVE-2019-6656 | K23876153, BT773653 | APM Client Logging | 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5.1 |
773641-6 | CVE-2019-6656 | K23876153, BT773641 | APM Client Logging | 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5.1 |
773637-6 | CVE-2019-6656 | K23876153, BT773637 | APM Client Logging | 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5.1 |
773633-6 | CVE-2019-6656 | K23876153, BT773633 | APM Client Logging | 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5.1 |
773621-6 | CVE-2019-6656 | K23876153, BT773621 | APM Client Logging | 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
749704-2 | 4-Minor | BT749704 | GTPv2 Serving-Network field with mixed MNC digits | 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
774445-1 | 1-Blocking | K74921042, BT774445 | BIG-IP Virtual Edition does not pass traffic on ESXi 6.7 Update 2 | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.3 |
789993-1 | 2-Critical | BT789993 | Failure when upgrading to 15.0.0 with config move and static management-ip. | 15.1.0, 15.0.1.4, 14.1.0.6 |
773677-1 | 2-Critical | K72255850, BT773677 | BIG-IP 14.1.0 system-journald write to /run/log/journal cause SWAP usage increase★ | 15.0.0, 14.1.0.6 |
769809-4 | 2-Critical | BT769809 | The vCMP guests 'INOPERATIVE' after upgrade | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5 |
765801 | 2-Critical | BT765801 | WCCP service info field corrupted in upgrade to 14.1.0 final★ | 14.1.0.6 |
760573-1 | 2-Critical | K00730586, BT760573 | TPM system integrity check may return invalid status when booting into BIG-IP 14.1.0★ | 15.0.0, 14.1.0.6 |
760508-1 | 2-Critical | K91444000, BT760508 | On systems with multiple versions of BIG-IP in use, the 'invalid' System Integrity Status may persist★ | 15.0.0, 14.1.0.6 |
760408-3 | 2-Critical | BT760408 | System Integrity Status: Invalid after BIOS update★ | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.3 |
760164-1 | 2-Critical | BT760164 | BIG-IP VE Compression Offload HA action requires modification of db variable | 15.1.0, 15.0.1.1, 14.1.0.6 |
757722-2 | 2-Critical | BT757722 | Unknown notify message types unsupported in IKEv2 | 15.1.0, 14.1.0.6, 14.0.1.1, 13.1.3 |
756402-2 | 2-Critical | BT756402 | Re-transmitted IPsec packets can have garbled contents | 15.1.0, 14.1.0.6, 14.0.1.1, 13.1.3 |
756071-3 | 2-Critical | BT756071 | MCPD crash | 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3 |
755254-1 | 2-Critical | K54339562, BT755254 | Remote auth: PAM_LDAP buffer too small errors★ | 15.0.0, 14.1.0.6 |
753650-2 | 2-Critical | BT753650 | The BIG-IP system reports frequent kernel page allocation failures. | 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3 |
750586-2 | 2-Critical | BT750586 | HSL may incorrectly handle pending TCP connections with elongated handshake time. | 15.0.0, 14.1.0.6, 13.1.1.5, 12.1.5 |
743803-1 | 2-Critical | BT743803 | IKEv2 potential double free of object when async request queueing fails | 15.1.0, 14.1.0.6, 14.0.0.3, 13.1.1.4, 12.1.5 |
741503-1 | 2-Critical | BT741503 | The BIG-IP system fails to load base config file when upgrading with static IPv4★ | 15.0.0, 14.1.0.6 |
726487-4 | 2-Critical | BT726487 | MCPD on secondary VIPRION or vCMP blades may restart after making a configuration change. | 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.1.4, 12.1.5 |
648270-1 | 2-Critical | BT648270 | mcpd can crash if viewing a fast-growing log file through the GUI | 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3, 12.1.5.3, 11.6.5.2 |
766365-1 | 3-Major | BT766365 | Some trunks created on VE platform stay down even when the trunk's interfaces are up | 15.0.0, 14.1.0.6 |
766329-2 | 3-Major | BT766329 | SCTP connections do not reflect some SCTP profile settings | 15.1.0, 15.0.1.3, 14.1.0.6 |
765033 | 3-Major | BT765033 | Upgrades to versions that restrict resource-admin users from accessing bash may fail under certain conditions★ | 14.1.0.6, 11.6.5.1 |
760597-1 | 3-Major | BT760597 | System integrity messages not logged | 15.0.0, 14.1.0.6 |
760594 | 3-Major | BT760594 | On BIG-IP VE, 'snmpwalk -v 2c -c public localhost .1.3.6.1.4.1.3375.2.1.7.3' returns only /appdata details. | 15.0.0, 14.1.0.6 |
758879 | 3-Major | BT758879 | BIG-IP VE with ixlv devices does not reliably pass some traffic after hard-boot | 15.0.0, 14.1.0.6 |
748206-1 | 3-Major | BT748206 | Browser becomes unresponsive when loading the network map with a virtual server that contains a forwarding rule policy in the second position | 14.1.0.6, 13.1.1.4 |
748187-4 | 3-Major | BT748187 | 'Transaction Not Found' Error on PATCH after Transaction has been Created | 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.1.5, 12.1.4 |
746657-1 | 3-Major | BT746657 | tmsh help for FQDN node or pool member shows incorrect default for fqdn interval | 15.0.0, 14.1.0.6 |
745809-2 | 3-Major | BT745809 | The /var partition may become 100% full, requiring manual intervention to clear space | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.4 |
740543-1 | 3-Major | BT740543 | System hostname not display in console | 15.0.0, 14.1.0.6 |
725791-6 | 3-Major | K44895409, BT725791 | Potential HW/HSB issue detected | 15.0.0, 14.1.0.6, 13.1.1.5, 12.1.5.2, 11.6.5.2 |
718405-2 | 3-Major | BT718405 | RSA signature PAYLOAD_AUTH mismatch with certificates | 15.1.0, 14.1.0.6, 13.1.1.4 |
581921-5 | 3-Major | K22327083, BT581921 | Required files under /etc/ssh are not moved during a UCS restore | 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9 |
754500-2 | 4-Minor | BT754500 | GUI LTM Policy options disappearing | 15.0.0, 14.1.0.6 |
726317-6 | 4-Minor | BT726317 | Improved debugging output for mcpd | 15.0.0, 14.1.0.6, 13.1.3.4, 12.1.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
759723-1 | 2-Critical | BT759723 | Abnormally terminated connections on server side may cause client side streams to stall | 15.0.0, 14.1.0.6 |
758465-1 | 2-Critical | BT758465 | TMM may crash or iRule processing might be incorrect | 15.0.0, 14.1.0.6 |
756356-2 | 2-Critical | BT756356 | External datagroups of type string cannot use iRule command 'class match equals' for entries > 32 characters long | 15.0.0, 14.1.0.6 |
753912-4 | 2-Critical | K44385170, BT753912 | UDP flows may not be swept | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1 |
752930-3 | 2-Critical | BT752930 | Changing route-domain on partitions leads to Secondary blade reboot loop and virtual servers left in unusual state | 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.1.5, 12.1.5 |
747727-1 | 2-Critical | BT747727 | HTTP Profile Request Header Insert Tcl error | 15.0.0, 14.1.0.6 |
747239-1 | 2-Critical | BT747239 | TMM SIGABRT seen in HTTP/2 gateway scenario when shutting down connection | 15.0.0, 14.1.0.6 |
741048-1 | 2-Critical | BT741048 | iRule execution order could change after editing the scripts | 15.0.0, 14.1.0.6 |
766293-1 | 3-Major | BT766293 | Monitor logging fails on v14.1.0.x releases | 15.0.0, 14.1.0.6 |
760550-5 | 3-Major | BT760550 | Retransmitted TCP packet has FIN bit set | 15.1.0, 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3, 12.1.5, 11.6.5.1 |
758311-1 | 3-Major | BT758311 | Policy Compilation may cause MCPD to crash | 15.0.0, 14.1.0.6 |
757985-1 | 3-Major | K79562045, BT757985 | TMM memory leak | 15.0.0, 14.1.0.6 |
757698-1 | 3-Major | BT757698 | TMM crashes in certain situations of which iRule execution interleaves client side and server side flows | 15.0.0, 14.1.0.6 |
756270-4 | 3-Major | BT756270 | SSL profile: CRL signature verification does not check for multiple certificates with the same name as the issuer in the trusted CA bundle | 15.0.0, 14.1.0.6, 13.1.1.5, 12.1.5, 11.6.4, 11.5.9 |
754985-1 | 3-Major | BT754985 | Standby mirrored server SSL connections fail, and tmm may crash while processing mirrored TLS traffic | 15.0.0, 14.1.0.6 |
752078-2 | 3-Major | BT752078 | Header Field Value String Corruption | 15.0.0, 14.1.0.6, 13.1.1.4 |
749414-4 | 3-Major | BT749414 | Invalid monitor rule instance identifier error | 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3, 12.1.5, 11.6.5.2 |
747907-2 | 3-Major | BT747907 | Persistence records leak while the high availability (HA) mirror connection is down | 15.1.0, 14.1.0.6, 13.1.3.2 |
742078-6 | 3-Major | BT742078 | Incoming SYNs are dropped and the connection does not time out. | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.5.1 |
740959-4 | 3-Major | BT740959 | User with manager rights cannot delete FQDN node on non-Common partition | 15.0.0, 14.1.0.6, 12.1.5 |
740345-3 | 3-Major | BT740345 | TMM core files seen on standby device after failover, when connection mirroring, session mirroring and OCSP stapling are enabled. | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5 |
696755-3 | 3-Major | BT696755 | HTTP/2 may truncate a response body when served from cache | 16.1.0, 16.0.1.2, 15.1.3, 14.1.0.6, 13.1.0.8 |
696735-2 | 3-Major | BT696735 | TCP ToS Passthrough mode does not work correctly | 15.1.0, 14.1.0.6 |
504522-4 | 3-Major | BT504522 | Trailing space present after 'tmsh ltm pool members monitor' attribute value | 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.1.4, 12.1.5 |
747968-3 | 4-Minor | BT747968 | DNS64 stats not increasing when requests go through DNS cache resolver | 15.0.0, 14.1.0.6, 13.1.1.5, 12.1.4.1, 11.6.5.3 |
Performance Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
777937-3 | 1-Blocking | BT777937 | AWS ENA: packet drops due to bad checksum | 15.1.0, 15.0.1, 14.1.0.6 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
759721-2 | 3-Major | K03332436, BT759721 | DNS GUI does not follow best practices | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.3 |
749508-1 | 3-Major | BT749508 | LDNS and DNSSEC: Various OOM conditions need to be handled properly | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1 |
749222-1 | 3-Major | BT749222 | dname compression offset overflow causes bad compression pointer | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5 |
748902-5 | 3-Major | BT748902 | Incorrect handling of memory allocations while processing DNSSEC queries | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1 |
746877-1 | 3-Major | BT746877 | Omitted check for success of memory allocation for DNSSEC resource record | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1 |
744707-2 | 3-Major | BT744707 | Crash related to DNSSEC key rollover | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.4, 12.1.4.1 |
723288-4 | 3-Major | BT723288 | DNS cache replication between TMMs does not always work for net dns-resolver | 14.1.0.6, 14.0.0.5, 13.1.1.4, 12.1.4.1, 11.6.5.3 |
748177-1 | 4-Minor | BT748177 | Multiple wildcards not matched to most specific WideIP when two wildcard WideIPs differ on a '?' and a non-wildcard character | 15.0.0, 14.1.0.6, 13.1.1.5, 12.1.4.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
759360-2 | 2-Critical | BT759360 | Apply Policy fails due to policy corruption from previously enforced signature | 15.0.0, 14.1.0.6, 13.1.1.5 |
749912-1 | 2-Critical | BT749912 | [BIG-IQ Integration] Deadlock occurs when adding multiple hostnames with transparent enforcement | 15.0.0, 14.1.0.6 |
723790-3 | 2-Critical | BT723790 | Idle asm_config_server handlers consumes a lot of memory | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.5 |
765449-1 | 3-Major | Update availability status may be inaccurate | 15.0.0, 14.1.0.6 | |
763001-1 | 3-Major | K70312000, BT763001 | Web-socket enforcement might lead to a false negative | 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3 |
761941-1 | 3-Major | BT761941 | ASM does not remove CSRT token query parameter before forwarding a request to the backend server | 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3 |
761194-2 | 3-Major | BT761194 | param data type violation on an Integer parameter, if an integer value is sent via websocket JSON | 15.0.0, 14.1.0.6 |
760878-3 | 3-Major | BT760878 | Incorrect enforcement of explicit global parameters | 15.0.0, 14.1.0.6, 13.1.1.5, 12.1.5 |
759840-1 | 3-Major | BT759840 | False positive 'Null in request' violation or bare byte subviolations | 15.0.0, 14.1.0.6 |
759483-1 | 3-Major | BT759483 | Message about HTTP status code which are set by default disappeared from the UI | 15.0.0, 14.1.0.6, 14.0.0.5 |
758085-1 | 3-Major | BT758085 | CAPTCHA Custom Response fails when using certain characters | 15.0.0, 14.1.0.6 |
756418-1 | 3-Major | BT756418 | Live Update does not authenticate remote users | 15.0.0, 14.1.0.6 |
742558-1 | 3-Major | BT742558 | Request Log export document fails to show some UTF-8 characters | 15.0.0, 14.1.0.6 |
687759-3 | 3-Major | BT687759 | bd crash | 14.1.0.6, 14.0.0.5, 13.1.0.8, 12.1.3.6 |
774941-1 | 4-Minor | BT774941 | GUI misspelling in Bot Defense logging profile | 15.0.0, 14.1.0.6 |
768761-2 | 4-Minor | BT768761 | Improved accept action description for suggestions to disable signature/enable metacharacter in policy | 15.1.0, 14.1.0.6, 14.0.1.1, 13.1.3 |
766357-1 | 4-Minor | BT766357 | Two simultaneously manual installations can cause live-update inconsistency | 15.0.0, 14.1.0.6 |
765413-1 | 4-Minor | BT765413 | ASM cluster syncs caused by PB ignored suggestions updates | 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5 |
761921-1 | 4-Minor | BT761921 | avrd high CPU utilization due to perpetual connection attempts | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5 |
761553-2 | 4-Minor | BT761553 | Text for analyzed requests improved for suggestions that were created as result of absence of violations in traffic | 15.1.0, 14.1.0.6, 14.0.1.1, 13.1.3 |
761549-2 | 4-Minor | BT761549 | Traffic Learning: Accept and Stage action is shown only in case entity is not in staging | 15.1.0, 14.1.0.6, 14.0.1.1, 13.1.3 |
761231-2 | 4-Minor | K79240502, BT761231 | Bot Defense Search Engines getting blocked after configuring DNS correctly | 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 13.1.3, 12.1.5 |
759462-1 | 4-Minor | BT759462 | Site names and vulnerabilities cannot be retrieved from WhiteHat server | 15.0.0, 14.1.0.6 |
755005-1 | 4-Minor | BT755005 | Request Log: wrong titles in details for Illegal Request Length and Illegal Query String Length violations | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.5.1 |
750689-3 | 4-Minor | BT750689 | Request Log: Accept Request button available when not needed | 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3 |
749184-2 | 4-Minor | BT749184 | Added description of subviolation for the suggestions that enabled/disabled them | 15.1.0, 15.0.1.3, 14.1.0.6, 14.0.1.1, 13.1.3 |
747560-5 | 4-Minor | BT747560 | ASM REST: Unable to download Whitehat vulnerabilities | 15.0.0, 14.1.0.6, 13.1.3, 12.1.5.1 |
769061-2 | 5-Cosmetic | BT769061 | Improved details for learning suggestions to enable violation/sub-violation | 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.1.1, 13.1.3 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
763349-3 | 2-Critical | BT763349 | AVRD can crash with core when HTTPS connection to BIG-IQ DCD node times out | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5 |
756205-1 | 2-Critical | BT756205 | TMSTAT offbox statistics are not continuous | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5 |
756102-2 | 2-Critical | BT756102 | TMM can crash with core on ABORT signal due to non-responsive AVR code | 15.1.0, 15.0.1.1, 14.1.0.6, 13.1.3.2 |
771025-3 | 3-Major | BT771025 | AVR send domain names as an aggregate | 15.1.0, 15.0.1.3, 14.1.0.6, 14.0.0.5, 13.1.3 |
764665-2 | 3-Major | BT764665 | AVRD core when connected to BIG-IQ via HTTPS at the moment of configuration change | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5 |
763005-3 | 3-Major | BT763005 | Aggregated Domain Names in DNS statistics are shown as random domain name | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5 |
760356-2 | 3-Major | BT760356 | Users with Application Security Administrator role cannot delete Scheduled Reports | 15.1.0, 15.0.1.1, 14.1.0.6, 14.0.0.5, 13.1.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
770557-3 | 2-Critical | BT770557 | Per-Session RADIUS Acct STOP message is forged based on pool route domain, but is sent through default one | 15.0.0, 14.1.0.6, 14.0.0.5 |
769281-1 | 2-Critical | BT769281 | Per-request Acess Policy may show user interface pages incorrectly i nlanguages other than English | 15.0.0, 14.1.0.6, 14.0.0.5 |
755447-1 | 2-Critical | BT755447 | SSLO does not deliver content generated/originated from inline device | 15.0.0, 14.1.0.6 |
753370-3 | 2-Critical | BT753370 | RADIUS auth might not be working as configured when there is change in RADIUS auth config name. | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.3 |
774633-2 | 3-Major | BT774633 | Memory leak in tmm when session db variables are not cleaned up | 15.1.0, 15.0.1.1, 14.1.0.6 |
774213-1 | 3-Major | BT774213 | SWG session limits on SSLO deployments | 15.1.0, 15.0.1.1, 14.1.0.6 |
760410-1 | 3-Major | BT760410 | Connection reset is seen when Category lookup agent is used in per-req policy | 15.0.0, 14.1.0.6 |
760250 | 3-Major | BT760250 | 'Unsupported SSO Method' error when requests sharing the same TCP session | 15.0.0, 14.1.0.6 |
759868-1 | 3-Major | BT759868 | TMM crash observed while rendering internal pages (like blocked page) for per-request policy | 15.0.0, 14.1.0.6 |
758764-2 | 3-Major | BT758764 | APMD Core when CRLDP Auth fails to download revoked certificate | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5, 12.1.4.1 |
758701-1 | 3-Major | BT758701 | APM fails to handle Remote Desktop Gateway connections from standalone RDP clients after fresh install | 15.0.0, 14.1.0.6 |
757992-3 | 3-Major | BT757992 | RADIUS Acct STOP message is not being sent when configured with route domain for HA Pool setup | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5 |
757360-1 | 3-Major | BT757360 | Category lookup returns wrong category on subsequent traffic following initial HTTP CONNECT traffic through SSLO | 15.0.0, 14.1.0.6 |
755475-1 | 3-Major | BT755475 | Corrupted customization group on target after updating access policy (any agent that is tied to customization group) on source device and config sync | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5 |
755047-1 | 3-Major | BT755047 | Category lookup returns wrong category on CONNECT traffic through SSLO | 15.0.0, 14.1.0.6 |
754542-2 | 3-Major | BT754542 | TMM may crash when using RADIUS Accounting agent | 15.0.0, 14.1.0.6, 13.1.3 |
752875-2 | 3-Major | BT752875 | tmm core while using service chaining for SSLO | 15.0.0, 14.1.0.6, 14.0.1.1 |
751807-1 | 3-Major | BT751807 | SSL Orchestrator may not activate service connectors if traffic is an HTTP tunnel | 15.0.0, 14.1.0.6 |
751424-1 | 3-Major | BT751424 | HTTP Connect Category Lookup not working properly | 15.0.0, 14.1.0.6 |
749057-1 | 3-Major | BT749057 | VMware Horizon idle timeout is ignored when connecting via APM | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5 |
745574-1 | 3-Major | BT745574 | URL is not removed from custom category when deleted | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.4, 12.1.4 |
738430-3 | 3-Major | BT738430 | APM is not able to do compliance check on iOS devices running F5 Access VPN client | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5 |
734291-1 | 3-Major | BT734291 | Logon page modification fails to sync to standby | 14.1.0.6, 14.1.0, 13.1.1.5 |
695985-4 | 3-Major | BT695985 | Access HUD filter has URL length limit (4096 bytes) | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.5 |
766761-2 | 4-Minor | BT766761 | Ant-server does not log requests that are excluded from scanning | 14.1.0.6 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
766405-2 | 2-Critical | BT766405 | MRF SIP ALG with SNAT: Fix for potential crash on next-active device | 15.1.0, 14.1.0.6, 13.1.3.4 |
754615-2 | 2-Critical | BT754615 | Tmm crash (assert) during SIP message processing on MRF-SIP-ALG setup. | 15.0.0, 14.1.0.6, 14.0.1.1 |
763157-2 | 3-Major | BT763157 | MRF SIP ALG with SNAT: Processing request and response at same time on same connection may cause one to be dropped | 15.1.0, 15.0.1.4, 14.1.0.6, 14.0.1.1 |
760370-2 | 3-Major | BT760370 | MRF SIP ALG with SNAT: Next active ingress queue filling | 15.1.0, 15.0.1.4, 14.1.0.6, 14.0.1.1 |
759077-2 | 3-Major | BT759077 | MRF SIP filter queue sizes not configurable | 15.1.0, 15.0.1.4, 14.1.0.6, 14.0.1.1, 13.1.3 |
755630-1 | 3-Major | BT755630 | MRF SIP ALG: Mirrored media flows timeout on standby after 2 minutes | 15.0.0, 14.1.0.6, 14.0.1.1 |
752822-1 | 3-Major | BT752822 | SIP MRF INGRESS_ALG_TRANSLATION_FAIL state has incorrect state_type | 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.1.5 |
751179-1 | 3-Major | BT751179 | MRF: Race condition may create to many outgoing connections to a peer | 15.0.0, 14.1.0.6, 13.1.1.5, 11.6.5.2 |
746825-1 | 3-Major | BT746825 | MRF SIP ALG with SNAT: Ephemeral listeners not created for unsubscribed outgoing calls | 15.1.0, 15.0.0, 14.1.0.6, 14.0.1.1 |
745947-2 | 3-Major | BT745947 | Add log events for MRF SIP registration/deregistration and media flow creation/deletion | 15.0.0, 14.1.0.6 |
745590-1 | 3-Major | BT745590 | SIPALG::hairpin and SIPALG::hairpin_default iRule commands to enable or disable hairpin mode added | 15.0.0, 14.1.0.6, 14.0.1.1 |
760930-2 | 4-Minor | BT760930 | MRF SIP ALG with SNAT: Added additional details to log events | 15.1.0, 15.0.1.4, 14.1.0.6, 14.0.1.1 |
747909-5 | 4-Minor | BT747909 | GTPv2 MEI and Serving-Network fields decoded incorrectly | 15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3, 12.1.5.3, 11.6.5.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
757524 | 1-Blocking | BT757524 | Data operation attempt on object that has not been loaded | 14.1.0.6 |
757359-1 | 2-Critical | BT757359 | pccd crashes when deleting a nested Address List | 15.0.0, 14.1.0.6, 13.1.3 |
754805 | 2-Critical | K97981358, BT754805 | Possible tmm crash when AFM DoS badactor or attacked-dst or endpoint vector configured | 15.0.0, 14.1.0.6 |
753028-2 | 3-Major | BT753028 | AFM drops forwarding ICMP traffic matching FW NAT rule for Dest NAT that also has Proxy ARP enabled for destination addresses in the rule | 15.0.0, 14.1.0.6, 13.1.1.4 |
756477-2 | 5-Cosmetic | BT756477 | Drop Redirect tab incorrectly named as 'Redirect Drop' | 15.0.0, 14.1.0.6 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
744516-4 | 2-Critical | BT744516 | TMM panics after a large number of LSN remote picks | 15.0.0, 14.1.0.6, 13.1.1.4, 12.1.4 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
748121-3 | 2-Critical | BT748121 | admd livelock under CPU starvation | 15.0.0, 14.1.0.6, 14.0.0.5, 13.1.1.4 |
653573-6 | 2-Critical | BT653573 | ADMd not cleaning up child rsync processes | 15.0.0, 14.1.2.3, 14.1.0.6, 14.0.0.5, 13.1.1.4, 13.1.0 |
756877-1 | 3-Major | BT756877 | Virtual server created with Guided Configuration is not visible in Grafana | 15.0.0, 14.1.0.6, 14.0.0.5 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
752803-1 | 2-Critical | BT752803 | CLASSIFICATION_DETECTED running reject can lead to a tmm core | 15.0.0, 14.1.0.6, 13.1.3 |
752047-1 | 2-Critical | BT752047 | iRule running reject in CLASSIFICATION_DETECTED event can cause core | 15.0.0, 14.1.0.6, 13.1.1.5 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
758818-2 | 2-Critical | BT758818 | While using explicit or transparent http type service on SSL Orchestrator, TMM cores. | 15.0.0, 14.1.0.6, 14.0.1.1 |
756167-1 | 3-Major | BT756167 | No URL category data on SSL Orchestrator dashboard and on SSL Orchestrator statistics page after upgrade★ | 15.0.0, 14.1.0.6 |
748252-2 | 3-Major | BT748252 | Connection reset seen with SSL bypass on a L2 wire setup | 15.0.0, 14.1.0.6 |
Cumulative fixes from BIG-IP v14.1.0.5 that are included in this release
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
755817 | 3-Major | BT755817 | v14.1.0.5 includes Guided Configuration 4.1 | 14.1.0.5 |
751824-1 | 3-Major | BT751824 | Restore old 'merge' functionally with new tmsh verb 'replace' | 15.0.0, 14.1.0.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
663819-1 | 3-Major | BT663819 | APM NTLM Authentication for RDP Client Gateway and Microsoft Exchange Proxy are incompatible with Microsoft workaround for MS17-010 (Wannacry / Eternalblue) | 15.0.0, 14.1.0.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
761173-1 | 2-Critical | BT761173 | tmm crash after extended whitelist modification | 15.0.0, 14.1.0.5 |
751869-2 | 2-Critical | BT751869 | Possible tmm crash when using manual mode mitigation in DoS Profile | 15.0.0, 14.1.0.5, 13.1.1.5 |
760393 | 3-Major | BT760393 | GARP is not sent from newly active device after failover for FW NAT policy rule's dest prefixes | 15.0.0, 14.1.0.5 |
750477-1 | 3-Major | BT750477 | LTM NAT does not forward ICMP traffic | 15.0.0, 14.1.0.5 |
737035-2 | 3-Major | BT737035 | New and improved infrastructure for BDoS to share learned traffic characteristics within the device group/cluster setup. | 15.0.0, 14.1.0.5, 14.0.0.5 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
757088-1 | 2-Critical | BT757088 | TMM clock advances and cluster failover happens during webroot db nightly updates | 15.0.0, 14.1.0.5, 13.1.1.5, 12.1.5 |
758536 | 3-Major | BT758536 | Traffic Intelligence IM pkg for 14.1.0 fails to install on base build version 14.1.0.x | 15.0.0, 14.1.0.5 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
737558-1 | 2-Critical | BT737558 | Protocol Inspection user interface elements are active but do not work | 15.1.0, 14.1.0.5 |
774881 | 3-Major | BT774881 | Protocol Inspection profiles can be added to a virtual server without Protocol Inspection being licensed. | 15.1.0, 14.1.0.5 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
760278 | 2-Critical | BT760278 | F5 SSL Orchestrator may fail to install an RPM software package on BIG-IP systems running point release versions★ | 14.1.0.5 |
Cumulative fixes from BIG-IP v14.1.0.4 that are included in this release
Functional Change Fixes
None
Cumulative fixes from BIG-IP v14.1.0.3 that are included in this release
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
745783-1 | 3-Major | BT745783 | Anti-fraud: remote logging of login attempts | 15.0.0, 14.1.0.3, 13.1.1.3 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
758667-1 | 2-Critical | BT758667 | BIG-IP VE high availability (HA) actions are not invoked when offload hardware hangs | 15.0.0, 14.1.0.3 |
754541-2 | 2-Critical | BT754541 | Reconfiguring an iApp that uses a client SSL profile fails | 15.0.0, 14.1.0.3 |
760222 | 3-Major | BT760222 | SCP fails unexpected when FIPS mode is enabled | 15.0.0, 14.1.0.3, 14.0.0.5, 13.1.1.5 |
725625-1 | 3-Major | BT725625 | BIG-IP VE Cryptographic Offload updated to Intel QAT 1.7 v4.4.0 SDK | 15.0.0, 14.1.0.3 |
Cumulative fixes from BIG-IP v14.1.0.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
757025-1 | CVE-2018-5744 | K00040234, BT757025 | BIND Update | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9 |
756774-6 | CVE-2019-6612 | K24401914, BT756774 | Aborted DNS queries to a cache may cause a TMM crash | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9 |
750292-2 | CVE-2019-6592 | K54167061, BT750292 | TMM may crash when processing TLS traffic | 15.0.0, 14.1.0.2, 13.1.3.4, 12.1.5.3 |
749879-2 | CVE-2019-6611 | K47527163, BT749879 | Possible interruption while processing VPN traffic | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9 |
744035-6 | CVE-2018-15332 | K12130880, BT744035 | APM Client Vulnerability: CVE-2018-15332 | 14.1.0.2, 14.0.0.5, 13.1.1.4, 12.1.4.1, 11.6.5.1 |
757027-1 | CVE-2019-6465 | K01713115, BT757027 | BIND Update | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9 |
757026-1 | CVE-2018-5745 | K25244852, BT757026 | BIND Update | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9 |
745713-4 | CVE-2019-6619 | K94563344, BT745713 | TMM may crash when processing HTTP/2 traffic | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1 |
745387-1 | CVE-2019-6618 | K07702240, BT745387 | Resource-admin user roles can no longer get bash access | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9 |
745165-1 | CVE-2019-6617 | K38941195, BT745165 | Users without Advanced Shell Access are not allowed SFTP access | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9 |
737910-4 | CVE-2019-6609 | K18535734, BT737910 | Security hardening on the following platforms | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4, 12.1.4.1 |
724680-6 | CVE-2018-0732 | K21665601, BT724680 | OpenSSL Vulnerability: CVE-2018-0732 | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.2, 12.1.4, 11.6.3.3, 11.5.9 |
703835-5 | CVE-2019-6616 | K82814400, BT703835 | When using SCP into BIG-IP systems, you must specify the target filename | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9 |
702472-7 | CVE-2019-6615 | K87659521, BT702472 | Appliance Mode Security Hardening | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.4, 11.5.9 |
698376-5 | CVE-2019-6614 | K46524395, BT698376 | Non-admin users have limited bash commands and can only write to certain directories | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1 |
746131-4 | CVE-2018-0737 | K43429502, BT746131 | OpenSSL RSA key generation vulnerability CVE-2018-0737 | 15.0.0, 14.1.0.2 |
713806-8 | CVE-2018-0739 | K08044291, BT713806 | CVE-2018-0739: OpenSSL Vulnerability | 15.0.0, 14.1.0.2 |
699977-3 | CVE-2016-7055 | K43570545, BT699977 | CVE-2016-7055: OpenSSL Vulnerability in NodeJS ILX | 15.0.0, 14.1.0.2 |
737423-2 | CVE-2018-7569 CVE-2018-10373 CVE-2018-13033 |
K72122162, BT737423 | Binutils vulnerabilities: CVE-2018-7569 CVE-2018-10373 CVE-2018-13033 | 15.0.0, 14.1.0.2 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
755641-1 | 2-Critical | BT755641 | Unstable asm_config_server after upgrade, 'Event dispatcher aborted' | 15.0.0, 14.1.0.2 |
744685-2 | 2-Critical | BT744685 | BIG-IP does not throw error when intermediate CA is missing the "Basic Constraints" and "CA:True" in its extension | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4 |
744188-1 | 2-Critical | BT744188 | First successful auth iControl REST requests will now be logged in audit and secure log files | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4 |
739432 | 3-Major | BT739432 | F5 Adaptive Auth (MFA) Reports are no longer supported on BIG-IP systems | 14.1.0.2 |
738108-1 | 3-Major | BT738108 | SCTP multi-homing INIT address parameter doesn't include association's primary address | 15.0.0, 14.1.0.2 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
753642-1 | 2-Critical | BT753642 | iHealth may report false positive for Critical Malware | 15.0.0, 14.1.0.2 |
752835-2 | 2-Critical | K46971044, BT752835 | Mitigate mcpd out of memory error with auto-sync enabled. | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1, 11.6.5.1 |
750580-1 | 2-Critical | BT750580 | Installation using image2disk --format may fail after TMOS v14.1.0 is installed★ | 15.0.0, 14.1.0.2 |
707013-3 | 2-Critical | BT707013 | vCMP host secondary member's cluster.conf file may replaced by that of vCMP guest | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.5 |
668041-4 | 2-Critical | K27535157, BT668041 | Config load fails when an iRule comment ends with backslash in a config where there is also a policy.★ | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4 |
621260-2 | 2-Critical | BT621260 | mcpd core on iControl REST reference to non-existing pool | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.5, 12.1.5.1, 11.6.5.1 |
753564-1 | 3-Major | BT753564 | Attempt to change password using /bin/passwd fails | 15.0.0, 14.1.0.2 |
751011-3 | 3-Major | BT751011 | ihealth.sh script and qkview locking mechanism not working | 15.0.0, 14.1.0.2, 13.1.1.5 |
751009-3 | 3-Major | BT751009 | Generating Qkviews or tcpdumps via GUI or running the 'ihealth' command removes /var/tmp/mcpd.out | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4 |
750661 | 3-Major | BT750661 | URI translation rules defined in Rewrite profile with type 'uri-translation' are not applied. | 15.0.0, 14.1.0.2 |
750447-3 | 3-Major | BT750447 | GUI VLAN list page loading slowly with 50 records per screen | 15.0.0, 14.1.0.2, 13.1.1.5 |
749382-1 | 3-Major | BT749382 | Bare-metal installs via 'image2disk' may fail in v14.1.0 or greater | 15.0.0, 14.1.0.2 |
746873-1 | 3-Major | BT746873 | Non-admin users are not able to run the tmsh list command due to permissions error for LTM message-routing | 15.0.0, 14.1.0.2 |
745825-1 | 3-Major | BT745825 | The "audit_forwarder is disabled as the configuration is incomplete" message can be confusing if logged when the configuration is loading | 15.0.0, 14.1.0.2, 13.1.3.2 |
737536-2 | 3-Major | BT737536 | Enabling 'default-information originate' on one of the several OSPF processes does not inject a default route into others. | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4 |
721585-1 | 3-Major | BT721585 | mcpd core processing ltm monitors with deep level of inheritance | 15.0.0, 14.1.0.2 |
639619-7 | 3-Major | BT639619 | UCS may fail to load due to Master key decryption failure on EEPROM-less systems★ | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4, 12.1.4.1, 11.6.4 |
751636-1 | 4-Minor | BT751636 | Downgrading from v14.1.0 to a previous release leaves two directories with improper ownership★ | 15.0.0, 14.1.0.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
754143-1 | 2-Critical | K45456231, BT754143 | TCP connection may hang after FIN | 15.0.0, 14.1.0.2, 13.1.4.1 |
747617-2 | 2-Critical | BT747617 | TMM core when processing invalid timer | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.5, 12.1.5.2 |
742184-3 | 2-Critical | BT742184 | TMM memory leak | 15.0.0, 14.1.0.2, 13.1.3 |
738945-4 | 2-Critical | BT738945 | SSL persistence does not work when there are multiple handshakes present in a single record | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4, 12.1.4.1 |
716714-4 | 2-Critical | BT716714 | OCSP should be configured to avoid TMM crash. | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4 |
750200-3 | 3-Major | BT750200 | DHCP requests are not sent to all DHCP servers in the pool when the BIG-IP system is in DHCP Relay mode | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.5 |
749294-4 | 3-Major | BT749294 | TMM cores when query session index is out of boundary | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.3.2, 12.1.5 |
744686-2 | 3-Major | BT744686 | Wrong certificate can be chosen during SSL handshake | 15.0.0, 14.1.0.2 |
743900-1 | 3-Major | BT743900 | Custom DIAMETER monitor requests do not have their 'request' flag set | 15.0.0, 14.1.0.2 |
739963-4 | 3-Major | BT739963 | TLS v1.0 fallback can be triggered intermittently and fail with restrictive server setup | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4, 12.1.5 |
739349-3 | 3-Major | BT739349 | LRO segments might be erroneously VLAN-tagged. | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4 |
724327-2 | 3-Major | BT724327 | Changes to a cipher rule do not immediately have an effect | 15.0.0, 14.1.0.2, 13.1.1.4 |
720219-3 | 3-Major | K13109068, BT720219 | HSL::log command can fail to pick new pool member if last picked member is 'checking' | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.3, 12.1.5 |
717896-4 | 3-Major | BT717896 | Monitor instances deleted in peer unit after sync | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4, 12.1.4.1 |
717100-1 | 3-Major | BT717100 | FQDN pool member is not added if FQDN resolves to same IP address as another existing FQDN pool member | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4, 12.1.4.1 |
716167-2 | 3-Major | BT716167 | The value of the sys db variable vlan.backplane.mtu may be out-of-sync with the value of the MTU of the kernel interface tmm_bp | 15.0.0, 14.1.0.2, 13.1.3.4 |
704450-5 | 3-Major | BT704450 | bigd may crash when the BIG-IP system is under extremely heavy load, due to running with incomplete configuration | 15.0.0, 14.1.0.2, 13.1.3.2, 12.1.5.2 |
703593-1 | 3-Major | BT703593 | TMSH tab completion for adding profiles to virtual servers is not working as expected | 15.0.0, 14.1.0.2 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
756094-2 | 2-Critical | BT756094 | DNS express in restart loop, 'Error writing scratch database' in ltm log | 15.0.0, 14.1.0.2, 13.1.1.5, 12.1.4.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
752942-1 | 2-Critical | BT752942 | Live Update cannot be used by Administrator users other than 'admin' and 'root' | 15.0.0, 14.1.0.2 |
750922-1 | 2-Critical | BT750922 | BD crash when content profile used for login page has no parse parameters set | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4 |
749136-1 | 2-Critical | BT749136 | Disk partition /var/log is low on free disk space | 15.0.0, 14.1.0.2 |
748321-1 | 2-Critical | BT748321 | bd crash with specific scenario | 15.0.0, 14.1.0.2 |
744347-4 | 2-Critical | BT744347 | Protocol Security logging profiles cause slow ASM upgrade and apply policy | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4, 12.1.4 |
721741-4 | 2-Critical | BT721741 | BD and BD_Agent out-of-sync for IP Address Exception, false positive/negative | 14.1.0.2, 14.1.0, 13.1.1.2, 12.1.3.7 |
754420-1 | 3-Major | BT754420 | Missing policy name in exported ASM request details | 15.0.0, 14.1.0.2, 14.0.0.5 |
754066-1 | 3-Major | BT754066 | Newly added Systems are not added as part of installing a Server Technologies update file | 15.0.0, 14.1.0.2 |
753295-1 | 3-Major | BT753295 | ASM REST: All signatures being returned for policy Signatures regardless of signature sets | 15.0.0, 14.1.0.2 |
750973-1 | 3-Major | BT750973 | Import XML policy error | 15.0.0, 14.1.0.2 |
750793-2 | 3-Major | BT750793 | Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition | 15.0.0, 14.1.0.2, 14.0.0.5 |
750686-1 | 3-Major | BT750686 | ASE user cannot create or modify a bot signature. | 15.0.0, 14.1.0.2 |
750683-1 | 3-Major | BT750683 | REST Backwards Compatibility: Cannot modify enforcementMode of host-name | 15.0.0, 14.1.0.2 |
750668-1 | 3-Major | BT750668 | Impossible to remove Bot profiles, Logging profiles, and Cloud Security Service profiles from a user-defined partition | 15.0.0, 14.1.0.2 |
750666-1 | 3-Major | BT750666 | Impossible to create Bot Signature/Bot Category Signature in user partition different from 'Common' | 15.0.0, 14.1.0.2 |
750356-2 | 3-Major | BT750356 | Split View pages: if user-defined filter removed right after creation - all user-defined filters are deleted | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4 |
749500-1 | 3-Major | BT749500 | Improved visibility for Accept on Microservice action in Traffic Learning | 15.0.0, 14.1.0.2 |
749109-3 | 3-Major | BT749109 | CSRF situation on BIGIP-ASM GUI | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5 |
748999-3 | 3-Major | BT748999 | invalid inactivity timeout suggestion for cookies | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4 |
748848-2 | 3-Major | BT748848 | Anti-Bot Mobile SDK cookie name change to support identical cookies for multiple virtual servers | 15.0.0, 14.1.0.2, 14.0.0.5 |
748409-2 | 3-Major | BT748409 | Illegal parameter violation when json parsing a parameter on a case-insensitive policy | 15.0.0, 14.1.0.2, 14.0.0.5 |
747977-1 | 3-Major | BT747977 | File manually uploaded information is not synced correctly between blades | 15.0.0, 14.1.0.2 |
747777-3 | 3-Major | BT747777 | Extractions are learned in manual learning mode | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4 |
747550-3 | 3-Major | BT747550 | Error 'This Logout URL already exists!' when updating logout page via GUI | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4 |
746750-1 | 3-Major | BT746750 | Search Engine get Device ID challenge when using the predefined profiles | 15.0.0, 14.1.0.2 |
746298-1 | 3-Major | BT746298 | Server Technologies logos all appear as default icon | 15.0.0, 14.1.0.2 |
745813-1 | 3-Major | BT745813 | Requests are reported to local log even if only Bot Defense remote log is configured | 15.0.0, 14.1.0.2 |
745624-1 | 3-Major | BT745624 | Tooltips for OWASP Bot Categories and Anomalies were added | 15.0.0, 14.1.0.2 |
745607-1 | 3-Major | BT745607 | Bot Defense : Bot Traffic - 3 month/last year filter not displayed correctly | 15.0.0, 14.1.0.2 |
745531-2 | 3-Major | BT745531 | Puffin Browser gets blocked by Bot Defense | 15.0.0, 14.1.0.2, 13.1.1.4 |
742852-1 | 3-Major | BT742852 | Bot Defense protection blocks Safari browser requests while using cross site redirect protection by 'Location' header | 15.0.0, 14.1.0.2 |
739945-4 | 3-Major | BT739945 | JavaScript challenge on POST with 307 breaks application | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.5, 12.1.4 |
738676-1 | 3-Major | BT738676 | Errors when trying to delete all bot requests from Security :: Event Logs : Bot Defense : Bot Requests | 15.0.0, 14.1.0.2 |
737866-2 | 3-Major | BT737866 | Rare condition memory corruption | 15.0.0, 14.1.0.2 |
754365-5 | 4-Minor | BT754365 | Updated flags for countries that changed their flags since 2010 | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5, 12.1.4.1 |
721724-1 | 4-Minor | BT721724 | LONG_REQUEST notice print incorrect in BD log | 14.1.0.2, 14.1.0 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
746941-2 | 2-Critical | BT746941 | Memory leak in avrd when BIG-IQ fails to receive stats information | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4 |
753446-2 | 3-Major | BT753446 | avrd process crash during shutdown if connected to BIG-IQ | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5 |
749464-2 | 3-Major | BT749464 | Race condition while BIG-IQ updates common file | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4 |
749461-2 | 3-Major | BT749461 | Race condition while modifying analytics global-settings | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4 |
745027-2 | 3-Major | BT745027 | AVR is doing extra activity of DNS data collection even when it should not | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4 |
744595-3 | 3-Major | BT744595 | DoS-related reports might not contain some of the activity that took place | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4 |
744589-3 | 3-Major | BT744589 | Missing data for Firewall Events Statistics | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4 |
715110-1 | 3-Major | BT715110 | AVR should report 'resolutions' in module GtmWideip | 14.1.0.2, 13.1.0.8 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
752592-1 | 2-Critical | BT752592 | VMware Horizon PCoIP clients may fail to connect shortly after logout | 15.0.0, 14.1.0.2, 13.1.1.5 |
754346-2 | 3-Major | BT754346 | Access policy was not found while creating configuration snapshot. | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4 |
746771-3 | 3-Major | BT746771 | APMD recreates config snapshots for all access profiles every minute | 15.0.0, 14.1.0.2, 13.1.1.4 |
745654-4 | 3-Major | BT745654 | Heavy use of APM Kerberos SSO can sometimes lead to slowness of Virtual Server | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4, 12.1.4.1 |
743437-3 | 3-Major | BT743437 | Portal Access: Issue with long 'data:' URL | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
749603-1 | 3-Major | BT749603 | MRF SIP ALG: Potential to end wrong call when BYE received | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.5 |
749227-1 | 3-Major | BT749227 | MRF SIP ALG with SNAT: Temporary registration not extended by subsequent INVITE | 15.0.0, 14.1.0.2, 14.0.1.1 |
748043-2 | 3-Major | BT748043 | MRF SIP ALG with SNAT: SIP Response message not forwarded by BIG-IP | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.5 |
747187-2 | 3-Major | BT747187 | SIP falsely detects media flow collision when SDP is in both 183 and 200 response | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.5, 12.1.5.2 |
745715-2 | 3-Major | BT745715 | MRF SIP ALG now supports reading SDP from a mime multipart payload | 15.0.0, 14.1.0.2 |
745628-1 | 3-Major | BT745628 | MRF SIP ALG with SNAT does not translate media addresses in SDP after NOTIFY message | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.3 |
745514-1 | 3-Major | BT745514 | MRF SIP ALG with SNAT does not translate media addresses in SDP after SUBSCRIBE message | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.3 |
745404-4 | 3-Major | BT745404 | MRF SIP ALG does not reparse SDP payload if replaced | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.3, 12.1.5.2 |
744949-1 | 3-Major | BT744949 | MRF SIP ALG with SNAT may restore incorrect client identity if client IP does not match NAT64 prefix | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.5 |
744275-1 | 3-Major | BT744275 | BIG-IP system sends Product-Name AVP in CER with Mandatory bit set | 15.0.0, 14.1.0.2, 13.1.3.4 |
742829-1 | 3-Major | BT742829 | SIP ALG: Do not translate and create media channels if RTP port is defined in the SIP message is 0 | 15.0.0, 14.1.0.2, 14.0.1.1, 13.1.1.4 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
747104-1 | 1-Blocking | K52868493, BT747104 | LibSSH: CVE-2018-10933 | 15.0.0, 14.1.0.2, 13.1.1.4, 12.1.4.1 |
752363-2 | 2-Critical | BT752363 | Internally forwarded flows can get dropped with AFM L4 BDoS feature enabled | 15.0.0, 14.1.0.2, 13.1.3 |
749331-3 | 2-Critical | BT749331 | Global DNS DoS vector does not work in certain cases | 15.0.0, 14.1.0.2 |
747922-3 | 2-Critical | BT747922 | With AFM enabled, during bootup, there is a small possibility of a tmm crash | 15.0.0, 14.1.0.2, 13.1.3.2 |
748176-1 | 3-Major | BT748176 | BDoS Signature can wrongly match a DNS packet | 15.0.0, 14.1.0.2 |
748081-1 | 3-Major | BT748081 | Memory leak in Behavioral DoS module | 15.0.0, 14.1.0.2, 13.1.1.5 |
747926-2 | 3-Major | BT747926 | Rare TMM restart due to NULL pointer access during AFM ACL logging | 15.0.0, 14.1.0.2, 13.1.1.4 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
726647-5 | 3-Major | BT726647 | PEM content insertion in a compressed response may truncate some data | 15.0.0, 14.1.0.2, 14.0.0.3, 13.1.1.2, 12.1.4.1 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
752782-1 | 3-Major | BT752782 | 'DataSafe Profiles' menu has changed to 'BIG-IP DataSafe' | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.5 |
741449-3 | 4-Minor | BT741449 | alert_details is missing for COMPONENT_VALIDATION_JAVASCRIPT_THRESHOLD alerts | 15.0.0, 14.1.0.2, 14.0.0.5, 13.1.1.4 |
738677-1 | 4-Minor | BT738677 | Configured name of wildcard parameter is not sent in data integrity alerts | 15.0.0, 14.1.0.2 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
755378-1 | 2-Critical | BT755378 | HTTPS connection error from Chrome when BADOS TLS signatures configured | 15.0.0, 14.1.0.2 |
727136-1 | 3-Major | BT727136 | One dataset contains large number of variations of TLS hello messages on Chrome | 15.0.0, 14.1.0.2 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
745733-3 | 3-Major | BT745733 | TMSH command "tmsh show ltm urlcat-query" not performing cloud lookup | 15.0.0, 14.1.0.2, 13.1.3.5 |
Cumulative fixes from BIG-IP v14.1.0.1 that are included in this release
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
745629 | 2-Critical | BT745629 | Ordering Symantec and Comodo certificates from BIG-IP | 14.1.0.1 |
713817-1 | 3-Major | BT713817 | BIG-IP images are available in Alibaba Cloud | 15.0.0, 14.1.0.1 |
738891-1 | 4-Minor | BT738891 | TLS 1.3: Server SSL fails to increment key exchange method statistics | 15.0.0, 14.1.0.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
746424 | 2-Critical | BT746424 | Patched Cloud-Init to support AliYun Datasource | 15.0.0, 14.1.0.1 |
745851 | 3-Major | BT745851 | Changed Default Cloud-Init log level to INFO from DEBUG | 15.0.0, 14.1.0.1 |
742251-1 | 4-Minor | BT742251 | Add Alibaba Cloud support to Qkview | 15.0.0, 14.1.0.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
745774-1 | 3-Major | BT745774 | Creating EC-only client SSL profile for forward-proxy without RSA key certs defined results in invalid profile | 14.1.0.1, 14.1.0 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
749774-5 | 3-Major | BT749774 | EDNS0 client subnet behavior inconsistent when DNS Caching is enabled | 15.0.0, 14.1.0.1, 14.0.0.4, 13.1.1.4, 12.1.4, 11.6.3.4, 11.5.8 |
749675-5 | 3-Major | BT749675 | DNS cache resolver may return a malformed truncated response with multiple OPT records | 15.0.0, 14.1.0.1, 14.0.0.4, 13.1.1.4, 12.1.4, 11.6.3.4, 11.5.8 |
Cumulative fix details for BIG-IP v14.1.5.6 that are included in this release
999901-4 : Certain LTM policies may not execute correctly after a system reboot or TMM restart.
Links to More Info: K68816502, BT999901
Component: Local Traffic Manager
Symptoms:
After a system reboot or TMM restart, LTM policies referencing an external data-group may not execute correctly, regardless of a successful matching condition.
This can cause a wide range of issues, including misrouted traffic, unshaped traffic, the bypassing of ASM, or complete traffic failure (based on the policy actions).
Note that if a virtual server references multiple LTM policies, and only some of those policies reference an external data-group, all LTM policies attached to the virtual server will be affected.
Conditions:
-- LTM policy with an external data-group configured on a virtual server.
-- System reboot or TMM restart.
Impact:
LTM policies may be unable to execute the appropriate action on a successful matching condition, leading to a wide range of traffic-impacting consequences.
Workaround:
Remove and re-add the affected policy to the desired virtual-server. Alternatively, to fix a wider number of affected virtual servers in one go, reload the system configuration by executing 'tmsh load sys config'.
Fix:
TMM now loads LTM policies with external data-groups as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
999125-3 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.
Links to More Info: BT999125
Component: TMOS
Symptoms:
After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states.
Conditions:
-- One or more devices belonging to a sync-failover device-group undergo a management IP change.
Impact:
-- The affected units are unable to pass traffic, as they are either both Standby or Active (resulting in either no service availability or IP address conflicts in the network).
Workaround:
If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, in order to account for the eventuality this issue might occur.
Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command:
tmsh restart sys service sod
Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future.
Fix:
Redundant devices remain in the correct failover state following a management IP address change.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
999097-4 : SSL::profile may select profile with outdated configuration
Links to More Info: BT999097
Component: Local Traffic Manager
Symptoms:
Under some circumstances, an iRule-selected SSL profile may a send previously configured certificate to the peer.
Conditions:
iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made in the profile's cert-key-chain field.
Impact:
The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.
Workaround:
Avoid making changes to a profile that is actively being used by the iRule command.
Fix:
The system now makes sure that SSL profiles are properly reloaded after changes are made.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
998781 : When large no of feed list URLs are configured, BIG-IP takes long time to sync IP list
Links to More Info: BT998781
Component: Advanced Firewall Manager
Symptoms:
If large numbers of feed URLs are configured in the IPI Policy, it takes a lot of time to fetch the IP lists from the feed server. BIG-IP system performance is significantly degraded.
Conditions:
-- security ip-intelligence policy
-- security ip-intelligence feed-list : add large number of URLs to the list
Impact:
It can take several minutes to multiple hours for the BIG-IP system to fetch updates from the feed server.
Workaround:
None
Fix:
After fix, Performance had improved significantly.
Fixed Versions:
14.1.5
998729 : Query for virtual address statistics is slow when there are hundreds of virtual address and address lists entries
Links to More Info: BT998729
Component: TMOS
Symptoms:
If there are hundreds of virtual addresses and hundreds of address entries spanning one or more address lists, mcpd might take seconds to reply to a query for virtual address statistics.
One of the more commonly visible signs of this is high CPU usage by mcpd if it's processing a large number of queries for virtual address statistics. It is also likely that snmpd responses will be severely delayed to SNMP agent requests.
Conditions:
-- Hundreds of virtual servers.
-- Hundreds of address entries spanning one or many address lists.
-- Running SNMP queries for virtual address statistics.
Impact:
-- High CPU usage by mcpd.
-- SNMP requests/polling timeouts occur because mcpd takes hundreds of milliseconds to respond.
Note: If the address lists that contain the entries are not used in traffic-matching-criteria (and therefore do not increase the size of the tmstat virtual_address_stat table), mcpd response time is in the tens of milliseconds.
Workaround:
None
Fix:
Improved performance for query for virtual address statistics when there are hundreds of virtual address and address lists entries.
Fixed Versions:
14.1.4.4
998221-4 : Accessing pool members from configuration utility is slow with large config
Links to More Info: BT998221
Component: TMOS
Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.
Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.
Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second,
Managing pool members from configuration utility is very slow causing performance impact.
Workaround:
None
Fix:
Optimized the GUI query used for retrieving pool members data.
Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.3
997929-4 : Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic
Links to More Info: BT997929
Component: Local Traffic Manager
Symptoms:
If a virtual server is using a traffic-matching-criteria (TMC) with a destination-inline-port of zero ('any'), and this is later changed (either to a non-zero port value, or to a port-list with non-zero port values) the virtual server stops processing traffic.
If tmm is restarted (which causes an outage) the virtual server resumes accepting traffic using the new ports. In addition, changing the virtual server's port back to 'any' also causes traffic processing to resume.
Conditions:
-- A virtual server using an address list for its destination, and 'any' (zero) for its destination port.
-- Changing the virtual server's destination port to a non-zero value, or to a port-list with non-zero port values.
Impact:
The virtual server stops processing traffic.
Workaround:
To recover, you can do either of the following:
-- Restart tmm:
bigstart restart tmm
-- Change the virtual server's port back to 'any' (0).
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4
997137-4 : CSRF token modification may allow WAF bypass on GET requests
Links to More Info: K80945213, BT997137
Component: Application Security Manager
Symptoms:
Under certain conditions a parameter is not processed as expected.
Conditions:
1. CSRF feature is configured
2. Request contains a crafted parameter
Impact:
Malicious request will bypass signatures and will not raise any attack signature violation
Workaround:
N/A
Fix:
The parameter is now processed as expected.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5
996593-3 : Password change through REST or GUI not allowed if the password is expired
Links to More Info: BT996593
Component: TMOS
Symptoms:
When trying to update the expired password through REST or the GUI, the system reports and error:
Authentication failed: Password expired. Update password via /mgmt/shared/authz/users.
Conditions:
-- Password is expired.
-- Password change is done through either REST or the GUI.
Impact:
Expired password cannot be updated through REST or the GUI.
Workaround:
Update password using tmsh:
tmsh modify auth password <username>
Fix:
You can now change an expired password through REST or the GUI.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3
996381-4 : ASM attack signature may not match as expected
Links to More Info: K41503304, BT996381
Component: Application Security Manager
Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.
Conditions:
- Attack signature 200000128 enabled.
Impact:
Processed traffic may not match all expected attack signatures
Workaround:
N/A
Fix:
Attack signature 200000128 now matches as expected.
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1
996113-4 : SIP messages with unbalanced escaped quotes in headers are dropped
Links to More Info: BT996113
Component: Service Provider
Symptoms:
Dropped SIP messages.
Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote
Impact:
Certain SIP messages are not being passed via MRF.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
996001-2 : AVR Inspection Dashboard 'Last Month' does not show all data points
Links to More Info: BT996001
Component: TMOS
Symptoms:
A daily-based report (report with resolution of one day in each data-point) can be provided to only request with up-to 30 days. A request with 31 days shows only 2 entries.
Conditions:
This occurs when generating a 'Last Month' report for a month that contains 31 days of data.
Impact:
AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points.
Workaround:
None
Fix:
Viewing a 'Last Month' graph now reports ~30 days worth of data, rather than a variable amount of data based on actual calendar periods.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
995853-3 : Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error.
Links to More Info: BT995853
Component: Global Traffic Manager (DNS)
Symptoms:
Unable to create GLSB Server object with both IPv4 and IPv6 self IPs as device IPs.
Conditions:
-- DNS and LTM services enabled.
-- Configure two self IPs on the box for IPv4 and IPv6.
-- GLSB Server object creation with IPv4 and IPv6 addresses in device tab along with Virtual Server Discovery enable.
Impact:
GSLB Server object creation fails.
Workaround:
TMSH is not impacted. Use TMSH to create GSLB Server objects.
Fix:
GSLB Server object creation no longer fails.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4, 13.1.5
995629-2 : Loading UCS files may hang if ASM is provisioned★
Links to More Info: BT995629
Component: TMOS
Symptoms:
If a UCS file from a BIG-IP system running a different software version that also has an ASM configuration is loaded onto a device that already has ASM provisioned, the load may hang indefinitely.
Conditions:
-- A system that has ASM provisioned.
-- Loading a UCS file with an ASM configuration that comes from a different system.
Impact:
-- UCS load might fail.
-- Config save and load operations fail while the UCS load hangs. The failure of those operations may not be obvious, leaving the BIG-IP saved configuration different from the running configuration.
Workaround:
If you encounter this, run 'load sys config default' to de-provision ASM. The UCS file should then load successfully.
Note: If loading a UCS archive with the 'platform-migrate' argument, then there is no workaround. See: https://cdn.f5.com/product/bugtracker/ID990849.html
Fix:
Loading UCS files no longer hangs if ASM is provisioned.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4.1
995433-4 : IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT
Links to More Info: BT995433
Component: Advanced Firewall Manager
Symptoms:
The PPTP log entries for NAT64 traffic have a truncated IPv6 address.
Conditions:
This is encountered when viewing PPTP log entries.
Impact:
IPV6 addresses in PPTP logs are truncated.
Workaround:
None
Fix:
The full IPv6 address is now logged in PPTP logs.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.5
995029 : Configuration is not updated during auto-discovery
Links to More Info: BT995029
Component: Access Policy Manager
Symptoms:
Auto-discovery fails, resulting in OAuth failure. In /var/log/apm:
-- OAuth Client: failed for server '<server>' using 'authorization_code' grant type (<grant type>), error: None of the configured JWK keys match the received JWT token
Conditions:
JSON Web Token (JWT) auto-discovery is enabled via JSON Web Keys (JWK).
Impact:
JWT auto-discovery fails and the configuration is not updated.
Workaround:
Use the GUI to manually retrieve the JWKs by clicking the 'Discovery' button for OpenID URI in 'Access :: Federation : OAuth Client / Resource Server : Provider :: <name of provider>.
Fix:
Fixed an issue with auto-discovery and JWKs.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.2
994985-1 : CGNAT GUI shows blank page when applying SIP profile
Links to More Info: BT994985
Component: Carrier-Grade NAT
Symptoms:
The virtual server properties GUI page shows blank when a SIP profile is applied to the virtual server.
Conditions:
-- Create virtual server and attach a SIP profile.
-- Navigate to virtual server properties page.
Impact:
The virtual server properties page does not display the configuration.
Workaround:
None.
Fix:
The GUI shows virtual server config page with all config values
Fixed Versions:
17.0.0, 15.1.4, 14.1.4.2
994801-4 : SCP file transfer system
Component: TMOS
Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.
Conditions:
tmsh does not follow best practices for SCP operations
Impact:
tmsh does not follow best practices for SCP operations
Workaround:
None
Fix:
The SCP file transfer system now follows current best practices.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1
994125-1 : NetHSM Sanity results are not reflecting in GUI test output box
Links to More Info: BT994125
Component: Local Traffic Manager
Symptoms:
Cannot see the netHSM sanity test results in GUI when selected hsm test.
Conditions:
NA
Impact:
Cannot see netHSM test results from GUI.
Workaround:
Use TMSH to see netHSM test results.
Fix:
Can test the selected HSM and partition and view the test results.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3
993921-1 : TMM SIGSEGV
Links to More Info: BT993921
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes on SIGSEGV.
Conditions:
This is a rarely occurring issue associated with the iRule command 'pool XXXX member XXXX'.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use 'pool XXXX member XXXX' iRule command.
Fix:
This rarely occurring issue is now fixed.
Fixed Versions:
16.1.0, 15.1.6.1, 14.1.5.1
993913-1 : TMM SIGSEGV core in Message Routing Framework
Links to More Info: BT993913
Component: Service Provider
Symptoms:
TMM crashes on SIGSEGV.
Conditions:
This can occur while passing traffic through the message routing framework.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4
993613-4 : Device fails to request full sync
Links to More Info: BT993613
Component: Application Security Manager
Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs
Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.
Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- Large number of asm_config_server processes increases host memory usage
Workaround:
Halting asm_config_server on the stuck device restores the working state and request a new sync.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
993517-4 : Loading an upgraded config can result in a file object error in some cases
Links to More Info: BT993517
Component: Local Traffic Manager
Symptoms:
After an upgrade from a version prior to 13.1.0, when loading a configuration that has had an HTTPS monitor in it, if that configuration has not yet been saved, you may see errors like this in the LTM log:
-- 0107134a:3: File object by name (DEFAULT) is missing.
If you run 'tmsh load sys config verify' on this configuration, the system also posts the error on the screen.
Conditions:
-- Upgrading from a version prior to 13.1.0.
-- At least one HTTPS monitor that has the kEDH cipher in its cipherlist.
-- Upgrading to version 13.1.1.4 or later.
-- Loading the configuration (either automatically on startup, or manually).
Impact:
Other than the error message, there is no impact.
Workaround:
After the initial reboot, save the configuration.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
993489-4 : GTM daemon leaks memory when reading GTM link objects
Links to More Info: BT993489
Component: Global Traffic Manager (DNS)
Symptoms:
The gtmd process memory consumption is higher than expected.
Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.
Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
993457-3 : TMM core with ACCESS::policy evaluate iRule
Links to More Info: BT993457
Component: Access Policy Manager
Symptoms:
TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release.
Conditions:
-- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered.
-- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes.
Impact:
This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM no longer crashes and generates a core file during the ACCESS::policy evaluate iRule under these conditions.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
992213-1 : Protocol Any displayed as HOPTOPT in AFM policy view
Links to More Info: BT992213
Component: Advanced Firewall Manager
Symptoms:
The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI.
Conditions:
-- Create a rule and set protocol as 'any'.
-- Navigate to active rules.
Impact:
GUI shows an incorrect value.
Workaround:
None
Fix:
GUI Shows correct value for rule protocol option.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.2
992121-2 : REST "/mgmt/tm/services" endpoint is not accessible
Links to More Info: BT992121
Component: TMOS
Symptoms:
Accessing "/mgmt/tm/services" failed with a null exception and returned 400 response.
Conditions:
When accessing /mgmt/tm/services through REST API
Impact:
Unable to get services through REST API, BIG-IQ needs that call for monitoring.
Fix:
/mgmt/tm/services through REST API is accessible and return the services successfully.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
992097-1 : Incorrect hostname is seen in logging files
Links to More Info: BT992097
Component: TMOS
Symptoms:
-- On the local blade, slot information is missing from LTM logs. Only the hostname is logged.
-- For messages received from another blade, the hostname is replaced by the word "slotX".
Conditions:
Multi-bladed VIPRION or VIPRION-based vCMP guest.
Impact:
Remote log collectors cannot identify the log message based on hostname and/or blade number.
Workaround:
None
Fixed Versions:
16.1.0, 15.1.6.1, 14.1.5
991037-1 : MR::message can cause tmm crash
Links to More Info: BT991037
Component: Service Provider
Symptoms:
The iRule command MR::message drop can occasionally trigger a memory corruption and tmm crash.
Conditions:
The iRule command MR::message drop is used.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
14.1.4.3
990849-3 : Loading UCS with platform-migrate option hangs and requires exiting from the command★
Links to More Info: BT990849
Component: TMOS
Symptoms:
The UCS loading process with platform-migrate stops responding and hangs after printing:
Platform migrate loaded successfully. Saving configuration.
Conditions:
Load UCS with platform-migrate option:
tmsh load sys ucs <ucs_name> platform-migrate
Note: If you are loading a UCS archive created on a system running a different software version that also has an ASM configuration, there are other other aspects to consider. See: https://cdn.f5.com/product/bugtracker/ID995629.html
Impact:
The UCS loading process stops responding, causing the device to be in an INOPERATIVE state.
Workaround:
None.
Fix:
Loading UCS with the platform-migrate option executes smoothly without getting stuck.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4.1
990461-2 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★
Links to More Info: BT990461
Component: Advanced Firewall Manager
Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.
Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.
Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.
Workaround:
Manually update the SYN cookie threshold values after an upgrade.
Fixed Versions:
17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4
989753-3 : In HA setup, standby fails to establish connection to server
Links to More Info: BT989753
Component: Service Provider
Symptoms:
In a high availability (HA) setup, standby fails to establish a connection to the server with the log message:
err tmm[819]: 01850008:3: MR: Received HA message targeting missing transport-config
Conditions:
In MRF (diameter/SIP) HA setup with connection mirroring enabled.
Impact:
Standby BIG-IP system fails to establish a connection to the server.
Workaround:
None.
Fix:
Standby is now able to establish a connection to the server.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
989701-4 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response
988533-3 : GRE-encapsulated MPLS packet support
Links to More Info: BT988533
Component: TMOS
Symptoms:
There no facility to accept packets using GRE-encapsulated MPLS. The GUI gives only encapsulation options for IP address (0x0800) and transparent ethernet bridging (0x6558).
Conditions:
This is encountered when attempting to configure BIG-IP systems to handle GRE-encapsulated MPLS.
Impact:
Packets get dropped when they are GRE-encapsulated with MPLS.
Workaround:
None
Fix:
Encapsulated MPLS packets over GRE is now supported in a way similar to IP address and transparent ethernet bridging.
Fixed Versions:
17.0.0, 15.1.4.1, 14.1.4.5
988005-3 : Zero active rules counters in GUI
Links to More Info: BT988005
Component: Advanced Firewall Manager
Symptoms:
When accessing Security :: Network Firewall :: Active Rules in UI, the active rules count is stuck at 0 (zero).
Conditions:
Access the following menu path:
Security :: Network Firewall :: Active Rules
Impact:
Incorrect information on active rules count is seen in the UI.
Workaround:
Disable firewall inline editor.
Fix:
The active rules count column now displays the correct number of times a rule has been hit.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
987885-3 : Half-open unclean SSL termination might not close the connection properly
Links to More Info: BT987885
Component: Local Traffic Manager
Symptoms:
Upon receiving TCP FIN from the client in the middle of the SSL Application Data, the BIG-IP system does not close the connection on either client- or server-side (i.e., it does not 'forward' the FIN on the server-side as it normally does) causing the connection to go stale until the timeout is reached.
Conditions:
-- TCP and SSL profiles configured on a virtual server.
-- Client terminates the connection in the middle of an SSL record.
Impact:
Connection termination does not happen. Connection remains in the connection table until idle timeout is reached.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
987341-3 : BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers.
Links to More Info: BT987341
Component: Access Policy Manager
Symptoms:
BIG-IP discovers and updates JSON Web Keys (JWK) in OpenID Connect (OIDC) deployments using a Java Runtime Environment (JRE). The JRE in BIG-IP does not support strong TLS ciphers, so the discovery/update process can fail against OIDC providers that enforce strong encryption requirements.
Conditions:
Using an OpenID Connect provider that allows only strong TLS ciphers. and using an APM configuration that validates incoming JWTs against a dynamic JWK list in Internal Validation Mode.
Impact:
This might cause discovery to fail against certain OpenID Connect auth providers that enforce strong cipher requirements. It could lead to JWT validation failure as the JWK expire and cannot be updated by BIG-IP.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
987113-2 : CMP state degraded while under heavy traffic
Links to More Info: BT987113
Component: TMOS
Symptoms:
When a VELOS 8 blade system is under heavy traffic, the clustered multiprocessing (CMP) state could become degraded. The symptom could exhibit a dramatic traffic performance drop.
Conditions:
Exact conditions are unknown; the issue was observed while under heavy traffic with all 8 blades configured for a tenant.
Impact:
System performance drops dramatically.
Workaround:
Lower traffic load.
Fix:
Fixed an inconsistent CMP state.
Fixed Versions:
17.1.0, 15.1.4, 14.1.5
987077-4 : TLS1.3 with client authentication handshake failure
Links to More Info: BT987077
Component: Local Traffic Manager
Symptoms:
SSL handshakes fail, and TLS clients send 'Bad Record MAC' errors.
Conditions:
-- LTM authentication profile using OCSP and TLS1.3.
-- Client application data arrives during LTM client authentication iRule.
Impact:
-- A handshake failure occurs.
-- Client certificate authentication may pass without checking its validity via OCSP.
Workaround:
Use TLS1.2 or use TLS1.3 without the LTM authentication profile.
Fix:
Handshake completes if using TLS1.3 with client authentication and LTM auth profile.
Fixed Versions:
17.0.0, 16.1.3, 15.1.5.1, 14.1.4.6
985953-2 : GRE Transparent Ethernet Bridging inner MAC overwrite
Links to More Info: BT985953
Component: TMOS
Symptoms:
Traffic not being collected by virtual server and therefore not being forwarded to the nodes.
Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.
Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.
Workaround:
None
Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
984765-4 : APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)★
Links to More Info: BT984765
Component: Access Policy Manager
Symptoms:
NTLM User logon authentication fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) from the Active Directory (AD) server.
Conditions:
-- Upgrading from legacy versions to BIG-IP v14.1.2 or later.
-- AD servers are updated with latest security patches from Microsoft.
Impact:
NTLM Authentication fails after a week. APM end user client logon (such as Outlook users, Remote Desktop Users, and Browser-based NTLM Auth logons that use BIG-IP APM as forward/reverse proxy) fails, and the service is down.
Workaround:
To resolve the issue temporarily, use either of the following:
-- Reset the NTLM Machine Account with the 'Renew Machine Password' option.
-- Run the command:
bigstart restart nlad
The problem can reappear after a week, so you must repeat these steps each time the issue occurs.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4
984593-3 : BD crash
Links to More Info: BT984593
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
982869-3 : With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0
Links to More Info: BT982869
Component: Service Provider
Symptoms:
Tmm may crash.
Conditions:
This occurs when auto initialization is enabled for one or more Message Routing peers and during CMP transition when tmm_total_active_npus value is 0.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Tmm no longer crashes under these conditions.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
982785-4 : Guided Configuration hardening
Links to More Info: K52322100
982757-6 : APM Access Guided Configuration hardening
Links to More Info: K53197140
981785-2 : Incorrect incident severity in Event Correlation statistics
Links to More Info: BT981785
Component: Application Security Manager
Symptoms:
When reported to AVR, incident severity reads "correlation" instead of "high" or "medium".
Conditions:
Usually happens for the first incident after ASM startup.
Impact:
Incorrect statistics in Event Correlation summary (Incident Severity graph), and also in tmsh analytics report.
Workaround:
Use severity info from the Incidents list.
Fix:
Event Correlation engine was fixed and now incident severity is reported properly to AVR.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3
981689-1 : TMM memory leak with IPsec ALG
Links to More Info: BT981689
Component: Carrier-Grade NAT
Symptoms:
TMM crash due to out of memory.
Conditions:
-- IPsec ALG virtual server in BIG-IP passes traffic normally.
-- IPsec ALG connections are aborted. A common cause of IPsec ALG failure is CGNAT translation failures.
Impact:
TMM reaches memory limits. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm memory leak related to IPsec ALG connections.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.2
981385-4 : AVRD does not send HTTP events to BIG-IQ DCD
Links to More Info: BT981385
Component: Application Visibility and Reporting
Symptoms:
AVRD does not send HTTP events to BIG-IQ data collection device (DCD).
Conditions:
This happens under normal operation.
Impact:
AVRD does not write Traffic Capture logs for analysis. Cannot analyze issues when Traffic Capture does not provide event information.
Workaround:
None.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4
980821-1 : Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured.
Links to More Info: BT980821
Component: Local Traffic Manager
Symptoms:
Traffic is directed to a virtual server that is configured with port any even though there is a virtual server with a specific port that the traffic should match.
Conditions:
There are two virtual servers configured:
- One with a specific port and ip-protocol 'any'
- One with port any and a specific ip-protocol
Impact:
Traffic destined to the port matches the any-port virtual server rather than the specific port virtual server.
Workaround:
Create individual listeners for specific protocols.
For example, given the configuration:
ltm virtual vs-port80-protoAny {
destination 10.1.1.1:80
ip-protocol any
...
}
ltm virtual vs-portAny-protoTCP {
destination 10.1.1.1:0
ip-protocol TCP
...
}
Replace the vs-port80-protoAny with virtual servers configured for the specific protocols desired:
ltm virtual vs-port80-protoTCP {
destination 10.1.1.1:80
ip-protocol TCP
...
}
ltm virtual vs-port80-protoUDP {
destination 10.1.1.1:80
ip-protcol UDP
...
}
Fix:
More specific virtual server now gets more priority than wildcard virtual server to process traffic.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2
980325-4 : Chmand core due to memory leak from dossier requests.
Links to More Info: BT980325
Component: TMOS
Symptoms:
Chmand generates a core file when get_dossier is run continuously.
Due to excessive dossier requests, there is a high consumption of memory. The program is terminated with signal SIGSEGV, Segmentation fault.
Conditions:
Repeated/continuous dossier requests during licensing operations.
Impact:
Chmand crashes; potential traffic impact while chmand restarts.
Workaround:
None.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4, 13.1.5
979877-6 : CVE-2020-1971 OpenSSL: EDIPARTYNAME NULL pointer de-reference vulnerability description and available information
978833-3 : Use of CRL-based Certificate Monitoring Causes Memory Leak
Links to More Info: BT978833
Component: Local Traffic Manager
Symptoms:
TMM memory use increases and the aggressive mode sweeper activates.
Conditions:
CRL certificate validator is configured.
Impact:
TMM ssl and ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart.
Workaround:
None.
Fix:
Use of CRL-based certificate monitoring no longer causes memory leak.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.4
978393 : GUI screen shows blank screen while importing a certificate★
Links to More Info: BT978393
Component: TMOS
Symptoms:
When you click the import button of an existing certificate, the screen goes blank.
Go to:
1. System :: Certificate Management : Traffic Certificate Management : SSL Certificate List :: existing_certificate.crt ::
2. Click the 'Import' button at the bottom of the page.
Conditions:
-- Device is upgraded from 13.1.x to 14.1.x.
-- Attempting to import a certificate that was created prior to the upgrade.
Impact:
You are unable to import from a certificate using the GUI.
Workaround:
There are three workarounds:
-- Use the GUI to download and reimport:
1. Download the cert and key.
2. Delete the cert and key from system.
3. Import it back.
-- Use the GUI to rename and save:
1. Rename the cert and key, removing extensions from the file.
2. Update the config file accordingly. The Import button works successfully.
-- Use tmsh to update the certs.
Fix:
Certificates can now be imported via the GUI after upgrade.
Fixed Versions:
14.1.4.1
977657-1 : SELinux errors when deploying a vCMP guest.
Links to More Info: BT977657
Component: TMOS
Symptoms:
An error occurs:
SELinux avc: denied { write } for pid=9292 comm="rpm" name="rpm".
Conditions:
The error occurs when the system is started back up after provisioning VCMP.
Impact:
SELinux avc is denied write permission for rpm_var_lib_t.
Fixed Versions:
16.1.0, 15.1.6.1, 14.1.5
977053-3 : TMM crash on standby due to invalid MR router instance
Links to More Info: BT977053
Component: Service Provider
Symptoms:
In high availability (HA) setup, TMM on the standby device may crash due to an invalid Message Routing (MR) router instance.
Conditions:
-- HA environment.
-- Connection mirroring is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM on the standby device no longer crashes under these conditions.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1
977005-2 : Network Firewall Policy rules-list showing incorrect 'Any' for source column
Links to More Info: BT977005
Component: Advanced Firewall Manager
Symptoms:
Network Firewall Policy rules-list shows incorrect 'Any' for source column.
Conditions:
- Create a policy under Security :: Network Firewall : Policies.
- Create a rules list with some rules in it.
- Add the rules list to the Policy.
- Verify the GUI shows 'any' under the source column of the root tree of the policy.
Impact:
GUI shows 'Any' extra text under the source column
Workaround:
None
Fix:
The GUI no longer shows extra text
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.2
976669-3 : FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade
Links to More Info: BT976669
Component: TMOS
Symptoms:
After rebooting or replacing a secondary blade, the FIPS integrity check fails for other secondary blades and they fail to fully boot.
Conditions:
This can occur after rebooting or replacing a secondary blade.
Impact:
When the FIPS integrity checks fail the blades won't fully boot.
Workaround:
On the secondary blade reboot, the following critical files are deleted from other secondary blades which leads to FIPS integrity check failure:
/root/.ssh/authorized_keys
/root/.ssh/known_hosts
To mitigate, copy the missing files from the primary blade to the secondary blade.
From the primary blade, issue the following command towards the secondary blade(s).
rsync -avz -e ssh /root/.ssh/* root@<Secondary Blade>:/root/.ssh/
Fix:
Critical files are not deleted during secondary blade reboot.
Fixed Versions:
17.0.0, 16.1.2.2, 16.1.0, 15.1.5.1, 14.1.4.6
976525-2 : Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled
Links to More Info: BT976525
Component: Local Traffic Manager
Symptoms:
In BIG-IP v13.1.3.2 and later, there is new functionality to SNAT the traffic coming from the host system. When there are multiple routes to a destination address and transparent monitors are in use, tmm occasionally picks the wrong source IP for these connections.
Conditions:
-- The db variable snat.hosttraffic is enabled.
-- Gateway pool with multiple members.
-- Transparent monitors.
Impact:
The system chooses the wrong source IP address for the egress interface. That incorrect source IP address might cause traffic to return on the wrong VLAN.
Workaround:
Use either of the following workarounds:
-- Disable VLAN keyed connections: modify sys db connection.vlankeyed value disable
-- Upgrade to a version with a fix for ID 826905 (https://cdn.f5.com/product/bugtracker/ID826905.html) and disable snat.hosttraffic.
Fix:
Transparent monitors now have the correct source IP addresses when gateway pools are in use and snat.hosttraffic is enabled.
Fixed Versions:
17.0.0, 16.1.4, 15.1.6.1, 14.1.5
976505-1 : Rotated restnoded logs will fail logintegrity verification.
Links to More Info: BT976505
Component: TMOS
Symptoms:
On enabling the logintegrity feature, the rotated restnoded logs fail logintegrity verification.
Conditions:
Logintegrity support feature is enabled:
list sys db logintegrity.support
sys db logintegrity.support {
value "enable"
}
Impact:
Rotated restnoded logs fail logintegrity verification.
Workaround:
None
Fix:
Restnoded logs are now verified successfully by the logintegrity utility.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
976501-3 : Failed to establish VPN connection
Links to More Info: BT976501
Component: Access Policy Manager
Symptoms:
VPN client exits with message "Failed to establish VPN connection"
Conditions:
-- Connect to Network Access using web browser.
-- Disconnect and then click on the Network Access resource again in the Webtop
-- Internet Explorer browser
Impact:
Client will be unable to launch the VPN tunnel from the browser.
Workaround:
Clear cache in the browser and retry.
Disable caching in the browser.
Fixed Versions:
16.1.0, 15.1.3, 14.1.4, 13.1.3.6
976365-1 : Traffic Classification hardening★
Links to More Info: BT976365
Component: Traffic Classification Engine
Symptoms:
Traffic Classification IM packages do not follow current best practices.
Conditions:
- Traffic Classification enabled
- IM packages updated by an authenticated administrative user
Impact:
Traffic Classification IM packages do not follow current best practices.
Workaround:
No Workaround
Fix:
Traffic Classification IM packages now follow current best practices.
Fixed Versions:
16.1.0, 15.1.3.1, 14.1.4.3
975809-2 : Rotated restjavad logs fail logintegrity verification.
Links to More Info: BT975809
Component: TMOS
Symptoms:
After enabling the logintegrity feature, the rotated restjavad logs fail logintegrity verification.
Conditions:
Logintegrity support feature is enabled:
list sys db logintegrity.support
sys db logintegrity.support {
value "enable"
}
Impact:
Rotated restjavad logs fail logintegrity verification.
Workaround:
None
Fix:
Restjavad logs are now verified successfully by the logintegrity utility.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
974881-1 : Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic
Links to More Info: BT974881
Component: Service Provider
Symptoms:
Currently, for diameter, a SNAT iRule can be configured with MR_INGRESS and MR_FAILED events. Certain events can cause tmm to crash.
Conditions:
A SNAT iRule is configured with the events CLIENT_ACCEPTED, DIAMETER_INGRESS and DIAMETER_EGRESS for diameter
Impact:
Traffic disrupted while tmm restarts.
Fix:
Fixed a tmm crash related to handling certain events in an iRule.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
974205-2 : Unconstrained wr_urldbd size causing box to OOM
Links to More Info: BT974205
Component: Traffic Classification Engine
Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.
Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.
Impact:
The device eventually runs out of memory (OOM condition).
Workaround:
Restart the wr_urldbd process:
restart sys service wr_urldbd
Fix:
Constrained the cache with Least Recently Used-based caching to prevent this issue from occurring.
Added two sys DB variables:
-- wr_urldbd.cloud_cache.log.level
Value Range:
sys db wr_urldbd.cloud_cache.log.level {
value "debug"
default-value "none"
value-range "debug none"
}
-- wr_urldbd.cloud_cache.limit
Value Range:
sys db wr_urldbd.cloud_cache.limit {
value "5500000"
default-value "5500000"
value-range "integer min:5000000 max:10000000"
}
Note: Both these variables are introduced for debugging purpose.
Fixed Versions:
17.1.0, 16.1.4, 15.1.4, 14.1.4.4, 12.1.6
973661 : Two different 'Attack Signature' updates shown as 'Currently Installed'★
Links to More Info: BT973661
Component: Application Security Manager
Symptoms:
After upgrade system to version 14.1.x the system shows 2 different 'Attack Signature' update packages as 'Currently Installed'
Conditions:
Upgrade from version 12.1.x to version 14.1.x.
Impact:
Additional BIG-IP system restart is required.
Workaround:
None
Fixed Versions:
14.1.4.6