Applies To:
BIG-IP AAM
- 15.1.10
BIG-IP APM
- 15.1.10
BIG-IP Link Controller
- 15.1.10
BIG-IP Analytics
- 15.1.10
BIG-IP LTM
- 15.1.10
BIG-IP PEM
- 15.1.10
BIG-IP AFM
- 15.1.10
BIG-IP FPS
- 15.1.10
BIG-IP DNS
- 15.1.10
BIG-IP ASM
- 15.1.10
BIG-IP Release Information
Version: 15.1.10.2
Build: 02.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
Cumulative fixes from BIG-IP v15.1.10.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.10 that are included in this release
Cumulative fixes from BIG-IP v15.1.9.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.9 that are included in this release
Cumulative fixes from BIG-IP v15.1.8.2 that are included in this release
Cumulative fixes from BIG-IP v15.1.8.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.8 that are included in this release
Cumulative fixes from BIG-IP v15.1.7 that are included in this release
Cumulative fixes from BIG-IP v15.1.6.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.6 that are included in this release
Cumulative fixes from BIG-IP v15.1.5.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.5 that are included in this release
Cumulative fixes from BIG-IP v15.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.4 that are included in this release
Cumulative fixes from BIG-IP v15.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.3 that are included in this release
Cumulative fixes from BIG-IP v15.1.2.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.2 that are included in this release
Cumulative fixes from BIG-IP v15.1.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.1 that are included in this release
Known Issues in BIG-IP v15.1.x
Functional Change Fixes
None
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1324745-3 | 3-Major | | An undisclosed TMUI endpoint may allow unexpected behavior | 17.1.0.3, 15.1.10.2, 14.1.5.6 |
Cumulative fixes from BIG-IP v15.1.10.1 that are included in this release
Functional Change Fixes
None
Performance Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1194077-1 | 1-Blocking | BT1194077 | The iRule execution FastHTTP performance degradation on r-series R10000 and higher platforms up to R12000 |
Cumulative fixes from BIG-IP v15.1.10 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
981917-2 | CVE-2020-8286 | K15402727 | CVE-2020-8286 - cURL Vulnerability | 16.1.4, 15.1.10 |
1075657-2 | CVE-2020-12825 | K01074825, BT1075657 | CVE-2020-12825 - libcroco vulnerability | 16.1.4, 15.1.10 |
1061977-2 | CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111 | K31781390, BT1061977 | Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111 | 16.1.4, 15.1.10 |
1238321-3 | CVE-2022-4304 | K000132943 | OpenSSL Vulnerability CVE-2022-4304 | 17.1.0.1, 16.1.4, 15.1.10 |
1235813-10 | CVE-2023-0215 | K000132946, BT1235813 | OpenSSL vulnerability CVE-2023-0215 | 16.1.4, 15.1.10 |
1235801-3 | CVE-2023-0286 | K000132941, BT1235801 | OpenSSL vulnerability CVE-2023-0286 | 16.1.4, 15.1.10 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
883597-1 | 3-Major | BT883597 | Add a way to look up URLs in one specified custom category | 16.0.0, 15.1.10 |
1211513-1 | 3-Major | BT1211513 | HSB loopback validation feature | 16.1.4, 15.1.10 |
792813-1 | 4-Minor | BT792813 | The iRule command 'DNS::edns0 subnet address' returns an empty string when subnet information is not received | 16.0.0, 15.1.10 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
993481-3 | 2-Critical | BT993481 | Jumbo frame issue with DPDK eNIC | 16.1.4, 15.1.10 |
808277-6 | 2-Critical | BT808277 | Root's crontab file may become empty | 16.0.0, 15.1.10 |
776117-2 | 2-Critical | BT776117 | BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type | 15.1.10 |
723109-1 | 2-Critical | BT723109 | FIPS HSM: SO login failing when trying to update firmware | 16.1.4, 15.1.10 |
1256841-2 | 2-Critical | BT1256841 | AWS Metadata crawling fails due to incorrect cloud provider name set by cloud-init script | 16.1.4, 15.1.10 |
1232997 | 2-Critical | BT1232997 | IPSEC: The tmm process may exit with 'Invalid policy remote index' | 16.1.4, 15.1.10 |
1155297-2 | 2-Critical | | XAL debug register additions | 15.1.10 |
1105901-3 | 2-Critical | BT1105901 | Tmm crash while doing high-speed logging | 16.1.4, 15.1.10 |
1075677-3 | 2-Critical | | Multiple GnuTLS Mend findings | 16.1.4, 15.1.10 |
997561-3 | 3-Major | BT997561 | TMM CPU imbalance with GRE/TB and GRE/MPLS traffic | 15.1.10 |
995097-3 | 3-Major | BT995097 | Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file. | 17.0.0, 16.1.4, 15.1.10 |
992813-2 | 3-Major | BT992813 | The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations. | 17.0.0, 16.1.4, 15.1.10 |
989501-1 | 3-Major | BT989501 | A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus | 16.1.4, 15.1.10 |
969737-1 | 3-Major | BT969737 | SNMP requests not answered if V2 traps are configured | 16.1.0, 15.1.10 |
964125-2 | 3-Major | BT964125 | Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members. | 16.1.4, 15.1.10 |
958833-1 | 3-Major | BT958833 | After mgmt ip change via GUI, browser is not redirected to new address | 16.1.0, 15.1.10, 14.1.5.1 |
955953-2 | 3-Major | BT955953 | iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg' | 17.0.0, 15.1.10 |
950153-2 | 3-Major | BT950153 | LDAP remote authentication fails when empty attribute is returned | 15.1.10 |
933329-2 | 3-Major | BT933329 | The process plane statistics do not accurately label some processes | 16.1.0, 15.1.10 |
930393-3 | 3-Major | BT930393 | IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration | 17.1.0, 16.1.4, 15.1.10 |
906273-2 | 3-Major | BT906273 | MCPD crashes receiving a message from bcm56xxd | 16.1.4, 15.1.10 |
878433-1 | 3-Major | BT878433 | Updated daemon may crash at shutdown | 16.1.0, 15.1.10 |
873013-5 | 3-Major | BT873013 | Alertd could leak memory if nokia alarm is enabled and nokiasnmpd is not running | 16.0.0, 15.1.10 |
807957-5 | 3-Major | BT807957 | Link Up status should clear Link Down in Nokia Alarm database | 16.1.0, 15.1.10 |
804529 | 3-Major | BT804529 | REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools | 16.1.4, 15.1.10 |
760739-2 | 3-Major | BT760739 | The Nokia alert configuration is not correct for all clearing events | 16.1.0, 15.1.10 |
715748-6 | 3-Major | BT715748 | BWC: Flow fairness not in acceptable limits | 15.1.10 |
1304497 | 3-Major | BT1304497 | SIGSEGV core during HUDEVT_EXPIRED | 15.1.10 |
1293193-1 | 3-Major | BT1293193 | Missing MAC filters for IPv6 multicast | 15.1.10 |
1288729-1 | 3-Major | BT1288729 | Memory corruption due to use-after-free in the TCAM rule management module | 15.1.10 |
1287981-1 | 3-Major | BT1287981 | Hardware SYN cookie mode may not exit | 15.1.10 |
1287821-1 | 3-Major | BT1287821 | Missing Neuron/TCAM rules | 15.1.10 |
1253649 | 3-Major | BT1253649 | RPM error log in liveinstall.log and TMM error with failed to load/open library during upgrade★ | 15.1.10 |
1215613-1 | 3-Major | BT1215613 | ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address | 15.1.10 |
1183901-4 | 3-Major | BT1183901 | VLAN name greater than 31 characters results in invalid F5OS tenant configuration | 15.1.10 |
1154381-3 | 3-Major | BT1154381 | The tmrouted might crash when management route subnet is received over a dynamic routing protocol | 15.1.10 |
1136921-3 | 3-Major | BT1136921 | BGP might delay route updates after failover | 16.1.4, 15.1.10 |
1134509-3 | 3-Major | BT1134509 | TMM crash in BFD code when peers from ipv4 and ipv6 families are in use. | 15.1.10 |
1121517-3 | 3-Major | BT1121517 | Interrupts on Hyper-V are pinned on CPU 0 | 16.1.4, 15.1.10 |
1112537-3 | 3-Major | BT1112537 | LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete. | 16.1.4, 15.1.10 |
1111993-1 | 3-Major | BT1111993 | HSB tool utility does not display PHY settings for HiGig interfaces | 17.1.0, 15.1.10 |
1106489-3 | 3-Major | BT1106489 | GRO/LRO is disabled in environments using the TMM raw socket "sock" driver. | 16.1.4, 15.1.10 |
1102425-2 | 3-Major | BT1102425 | F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary | 15.1.10 |
1100321-1 | 3-Major | BT1100321 | MCPD memory leak | 17.1.0, 16.1.4, 15.1.10 |
1100125-1 | 3-Major | BT1100125 | Per virtual SYN cookie may not be activated on all HSB modules | 17.1.0, 16.1.4, 15.1.10 |
1081641 | 3-Major | BT1081641 | Remove Hyperlink to Legal Statement from Login Page | 17.1.0, 16.1.4, 15.1.10 |
1077533 | 3-Major | BT1077533 | BIG-IP fails to restart services after mprov runs during boot. | 16.1.4, 15.1.10 |
1044089-1 | 3-Major | BT1044089 | ICMP echo requests to virtual address get a response even when the virtual server is offline when updated from GUI. | 16.1.4, 15.1.10 |
1042589-2 | 3-Major | BT1042589 | Wrong trunk_id is associated in bcm56xxd. | 17.0.0, 15.1.10 |
1040573-2 | 3-Major | BT1040573 | REST operation takes a long time when two different users perform tasks in parallel | 15.1.10 |
1020129-1 | 3-Major | BT1020129 | Turboflex page in GUI reports 'profile.Features is undefined' error★ | 15.1.10 |
964533-3 | 4-Minor | BT964533 | Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs. | 16.1.4, 15.1.10 |
939757-4 | 4-Minor | BT939757 | Deleting a virtual server might not trigger route injection update. | 16.1.4, 15.1.10 |
889813-2 | 4-Minor | BT889813 | Show net bwc policy prints bytes-per-second instead of bits-per-second | 17.0.0, 16.1.4, 15.1.10, 14.1.4.5 |
838405-3 | 4-Minor | BT838405 | Listener traffic-group may not be updated when spanning is in use | 16.1.4, 15.1.10 |
819429-5 | 4-Minor | BT819429 | Unable to scp to device after upgrade: path not allowed | 16.0.0, 15.1.10 |
818297-3 | 4-Minor | BT818297 | OVSDB-server daemon lost permission to certs due to SELinux issue, causing SSL connection failure | 16.0.0, 15.1.10 |
817989-1 | 4-Minor | BT817989 | Cannot change management IP from GUI | 16.1.0, 15.1.10 |
1280281-2 | 4-Minor | BT1280281 | SCP allow list may have issues with file paths that have spaces in them | 15.1.10 |
1185257-3 | 4-Minor | BT1185257 | BGP confederations do not support 4-byte ASNs | 16.1.4, 15.1.10 |
1136837-3 | 4-Minor | BT1136837 | TMM crash in BFD code due to incorrect timer initialization | 15.1.10 |
1064753-3 | 4-Minor | BT1064753 | OSPF LSAs are dropped/rate limited incorrectly. | 15.1.10 |
1058229-2 | 4-Minor | | CVE-2019-17546 - heap-based buffer overflow via a crafted RGBA image | 15.1.10 |
1050413-3 | 4-Minor | BT1050413 | Drive model HGST HUS722T1TALA604 must be added to pendsect drives.xml | 17.0.0, 15.1.10 |
1044893-3 | 4-Minor | BT1044893 | Kernel warnings from NIC driver Realtek 8139 | 15.1.10 |
1041765-1 | 4-Minor | BT1041765 | Racoon may crash in rare cases | 17.0.0, 16.1.2.1, 15.1.10 |
1003081-2 | 4-Minor | BT1003081 | GRE/TB-encapsulated fragments are not forwarded. | 15.1.10 |
965457-4 | 5-Cosmetic | BT965457 | OSPF duplicate router detection might report false positives | 16.1.0, 15.1.10 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1305865 | 1-Blocking | BT1305865 | Drop in performance with high throughput on BIG-IP 15.1.9 Virtual Edition or tenants on r2000 or r4000 hosts. | 15.1.10 |
935193-1 | 2-Critical | BT935193 | With APM and AFM provisioned, single logout (SLO) fails | 17.0.0, 16.1.4, 15.1.10 |
858453-2 | 2-Critical | BT858453 | TMM may crash with forward proxy enabled when SessionDB looks for a null profile | 16.0.0, 15.1.10 |
474797-8 | 2-Critical | BT474797 | Nitrox crypto hardware may attempt soft reset while currently resetting | 16.0.0, 15.1.10, 12.1.5, 11.6.2, 11.5.7 |
1295017-1 | 2-Critical | | TMM crash when using MPTCP | 15.1.10 |
1291993-1 | 2-Critical | BT1291993 | When using http2-to-http-gateway, tmm can crash in very rare circumstances | 15.1.10 |
1289189-2 | 2-Critical | | TMM crash under certain traffic patterns | 16.1.4, 15.1.10 |
1282357 | 2-Critical | BT1282357 | Double HTTP::disable can lead to tmm core | 16.1.4, 15.1.10 |
1214069-1 | 2-Critical | BT1214069 | Potential data leak inside Ethernet padding field on VELOS architecture products | 17.1.0, 15.1.10 |
1100721-3 | 2-Critical | BT1100721 | IPv6 link-local floating self-IP breaks IPv6 query to BIND | 15.1.10 |
1072377-1 | 2-Critical | BT1072377 | TMM crash in rare circumstances during route changes | 17.1.0, 15.1.10 |
996649-4 | 3-Major | BT996649 | Improper handling of DHCP flows leading to orphaned server-side connections | 15.1.10 |
994269-2 | 3-Major | BT994269 | Message 'double flow removal' is logged in LTM log file | 16.1.0, 15.1.10 |
985925-1 | 3-Major | BT985925 | IPv6 Routing Header processing not compatible as per Segments Left value. | 16.1.4, 15.1.10 |
980617-3 | 3-Major | BT980617 | SNAT iRule is not working with HTTP/2 and HTTP Router profiles | 17.0.0, 16.1.1, 15.1.10 |
976433-2 | 3-Major | BT976433 | Use of OCSP responder may leak X509 store instances | 16.1.0, 15.1.10 |
921541-3 | 3-Major | BT921541 | When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker. | 16.1.4, 15.1.10 |
876569-3 | 3-Major | BT876569 | QAT compression codec produces gzip stream with CRC error | 16.1.4, 15.1.10 |
851121-2 | 3-Major | BT851121 | Database monitor DBDaemon debug logging not enabled consistently | 16.1.4, 15.1.10 |
842425-1 | 3-Major | BT842425 | Mirrored connections on standby are never removed in certain configurations | 16.1.4, 15.1.10 |
774817-1 | 3-Major | BT774817 | ICMP packets are intermittently forwarded out of both VLAN group members | 16.0.0, 15.1.10 |
709952-4 | 3-Major | BT709952 | Disallow DHCP relay traffic to traverse between route domains | 16.0.0, 15.1.10, 13.1.1.5 |
582666-1 | 3-Major | BT582666 | TMM spams ltm log with "01010235:2: Inet port find called for pg 1 with invalid cmp state 0" | 16.0.0, 15.1.10 |
1292793-1 | 3-Major | BT1292793 | FIX protocol late binding flows that are not PVA accelerated may fail | 16.1.4, 15.1.10 |
1291565-1 | 3-Major | BT1291565 | BIG-IP generates more multicast packets in multicast failover high availability (HA) setup | 16.1.4, 15.1.10 |
1284261-2 | 3-Major | BT1284261 | Constant traffic on DHCPv6 virtual servers may cause a TMM crash. | 15.1.10 |
1269733-4 | 3-Major | BT1269733 | HTTP GET request with headers has incorrect flags causing timeout | 16.1.4, 15.1.10 |
1238413-2 | 3-Major | BT1238413 | The BIG-IP might fail to update ARL entry for a host in a VLAN-group | 16.1.4, 15.1.10 |
1229369-1 | 3-Major | BT1229369 | The fastl4 TOS mimic setting towards client may not function | 16.1.4, 15.1.10 |
1126841-2 | 3-Major | BT1126841 | HTTP::enable can rarely cause cores | 16.1.4, 15.1.10 |
1117609-3 | 3-Major | BT1117609 | VLAN guest tagging is not implemented for CX4 and CX5 on ESXi | 16.1.4, 15.1.10 |
1112385-2 | 3-Major | BT1112385 | Traffic classes match when they shouldn't | 15.1.10 |
1088597-3 | 3-Major | BT1088597 | TCP keepalive timer can be immediately re-scheduled in rare circumstances | 15.1.10 |
1059573-3 | 3-Major | BT1059573 | Variation in a case insensitive value of an operand in LTM policy may fail in some rules. | 17.0.0, 15.1.10 |
1037257 | 3-Major | BT1037257 | SSL::verify_result showing wrong output for revoked cert during Dynamic CRL check | 15.1.10 |
1017841 | 3-Major | BT1017841 | High tmm memory use when transferring large documents to slow clients | 15.1.10 |
929429-2 | 4-Minor | BT929429 | Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed | 15.1.10 |
1289549-2 | 4-Minor | BT1289549 | TCP RST internal error in tcpproxy bad transition during SSL connection closure. | 15.1.10 |
1281709-2 | 4-Minor | BT1281709 | Traffic-group ID may not be updated properly on a TMM listener | 16.1.4, 15.1.10 |
1269773-4 | 4-Minor | BT1269773 | Convert network-order to host-order for extensions in TLS1.3 certificate request | 15.1.10 |
1253481-2 | 4-Minor | BT1253481 | Traffic loss observed after reconfiguring Virtual Networks | 15.1.10 |
1252405 | 4-Minor | BT1252405 | HTTP Invalid action:0x10a090 serverside | 15.1.10 |
1251033-2 | 4-Minor | BT1251033 | HA is not established between Active and Standby devices when the vwire configuration is added | 15.1.10 |
1240937-2 | 4-Minor | BT1240937 | The FastL4 TOS specify setting towards server may not function for IPv6 traffic | 16.1.4, 15.1.10 |
1137717-3 | 4-Minor | BT1137717 | There are no dynconfd logs during early initialization | 16.1.4, 15.1.10 |
1133557-3 | 4-Minor | BT1133557 | Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name | 16.1.4, 15.1.10 |
979213-2 | 5-Cosmetic | BT979213 | Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM. | 15.1.10 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1211341-3 | 1-Blocking | BT1211341 | Failed to delete custom monitor after dissociating from virtual server | 17.1.0, 16.1.4, 15.1.10 |
958325-1 | 3-Major | BT958325 | Updating DNS pool monitor via transaction leaves dangling monitor_rule in MCP DB | 16.1.0, 15.1.10 |
935945-1 | 3-Major | BT935945 | GTM HTTP/HTTPS monitors cannot be modified via GUI | 17.1.0, 16.1.4, 15.1.10 |
894081-2 | 3-Major | BT894081 | The Wide IP members view in the WebUI may report the incorrect status for a virtual server. | 16.0.0, 15.1.10 |
1250077-3 | 3-Major | BT1250077 | TMM memory leak | 15.1.10 |
1230709 | 3-Major | BT1230709 | Remove unnecessary logging with nsec3_add_nonexist_proof | 16.1.4, 15.1.10 |
1200929-1 | 3-Major | BT1200929 | GTM configuration objects larger than 16384 bytes can cause the GTM sync process to hang | 17.1.0, 16.1.4, 15.1.10 |
1162221-4 | 3-Major | BT1162221 | Probing decision will skip local GTM upon reboot if net interface is not brought up soon enough | 15.1.10 |
1137569-2 | 3-Major | BT1137569 | Set nShield HSM environment variable. | 15.1.10 |
1103477-1 | 3-Major | BT1103477 | Refreshing pool member statistics results in error while processing requests | 15.1.10 |
1073677-4 | 3-Major | BT1073677 | Add a db variable to enable answering DNS requests before reqInitState Ready | 17.1.0, 16.1.4, 15.1.10 |
1225941-1 | 5-Cosmetic | BT1225941 | OLH Default Values on Notification and Early Retransmit Settings | 15.1.10 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
880917-1 | 2-Critical | BT880917 | A BD memory leak | 16.0.0, 15.1.10 |
1282281-2 | 2-Critical | BT1282281 | Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns | 15.1.10 |
895013-2 | 3-Major | BT895013 | Learning of login pages does not work | 16.1.0, 16.0.0, 15.1.10 |
890169-2 | 3-Major | BT890169 | URLs starting with double slashes might not be loaded when using a Bot Defense Profile. | 16.1.4, 15.1.10 |
875909-1 | 3-Major | BT875909 | Added internal parameter to address Chrome samesite default change | 16.0.0, 15.1.10 |
835029-1 | 3-Major | BT835029 | The liveupdate.log file is not gzipped | 16.0.0, 15.1.10 |
1302925 | 3-Major | BT1302925 | Failed to load detected bots list, when you clicked on Bot Category | 15.1.10 |
1302689-1 | 3-Major | BT1302689 | ASM requests to rechunk payload | 15.1.10 |
1301197-4 | 3-Major | BT1301197 | Bot Profile screen does not load and display large number of pools/members | 15.1.10 |
1296489-4 | 3-Major | | ASM UI hardening | 16.1.4, 15.1.10 |
1295009-4 | 3-Major | BT1295009 | "JSON data does not comply with JSON schema" violation is raised when concurrent requests occur with same JSON data | 15.1.10 |
1292685-1 | 3-Major | BT1292685 | The date-time RegExp pattern through swagger would not cover all valid options | 15.1.10 |
1286101-4 | 3-Major | BT1286101 | JSON Schema validation failure with E notation number | 16.1.4, 15.1.10 |
1229813-3 | 3-Major | BT1229813 | The ref schema handling fails with oneOf/anyOf | 15.1.10 |
1207793-4 | 3-Major | BT1207793 | Bracket expression in JSON schema pattern does not work with non basic latin characters | 15.1.10 |
1190365-4 | 3-Major | BT1190365 | OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly | 16.1.4, 15.1.10 |
1184841-3 | 3-Major | BT1184841 | Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API | 16.1.4, 15.1.10 |
1173493-1 | 3-Major | BT1173493 | Bot signature staging timestamp corrupted after modifying the profile | 16.1.4, 15.1.10 |
1117245-3 | 3-Major | BT1117245 | Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file | 16.1.4, 15.1.10 |
1095041-3 | 3-Major | BT1095041 | ASM truncates cookies that contain a space in the name and TS cookie as part of cookie list. | 17.1.0, 16.1.4, 15.1.10 |
1085661-3 | 3-Major | BT1085661 | Standby system saves config and changes status after sync from peer | 16.1.4, 15.1.10 |
1069441-1 | 3-Major | BT1069441 | Cookie without '=' sign does not generate rfc violation | 15.1.10 |
1059513-4 | 3-Major | BT1059513 | Virtual servers may appear as detached from security policy when they are not. | 16.1.4, 15.1.10 |
1029989-2 | 3-Major | BT1029989 | CORS : default port of origin header is set 80, even when the protocol in the header is https | 16.1.4, 15.1.10 |
1023889-2 | 3-Major | BT1023889 | HTTP/HTTPS protocol option in storage filter does not suppress WS/WSS server->client message | 16.1.4, 15.1.10 |
942617-3 | 4-Minor | BT942617 | Leading or trailing white spaces of variable are not trimmed in configuration utility System Variable | 16.1.4, 15.1.10 |
1113753-3 | 4-Minor | BT1113753 | Signatures might not be detected when using truncated multipart requests | 16.1.4, 15.1.10 |
1099765-4 | 4-Minor | BT1099765 | Inconsistent behavior in Violation detection with max parameter enforcement | 16.1.4, 15.1.10 |
1084857-3 | 4-Minor | BT1084857 | ASM::support_id iRule command does not display the 20th digit | 16.1.4, 15.1.10 |
1083513-2 | 4-Minor | BT1083513 | BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd | 16.1.4, 15.1.10 |
1011045-1 | 5-Cosmetic | BT1011045 | GUI does not reflect 'Fully Automatic' state, which is a substate of Automatic learning mode. | 16.1.0, 15.1.10 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1314301-3 | 3-Major | | TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled | 16.1.4, 15.1.10 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1146341-3 | 1-Blocking | BT1146341 | TMM crashes while processing traffic on virtual server | 17.1.0, 15.1.10 |
756540-1 | 2-Critical | BT756540 | End-user may not be able to connect to VPN. | 16.0.0, 15.1.10 |
1272537 | 2-Critical | BT1272537 | TMM high memory due to ping_access_agent | 15.1.10 |
1104517 | 2-Critical | BT1104517 | In SWG explicit proxy, some TCP connections are reset because of inconsistency between sessionDB and local IP2SessionId map | 15.1.10 |
1078829-2 | 2-Critical | BT1078829 | Login as current user fails in VMware | 17.0.0, 16.1.4, 15.1.10 |
1063261-1 | 2-Critical | BT1063261 | TMM crash is seen due to sso_config objects. | 17.0.0, 15.1.10 |
949105-2 | 3-Major | BT949105 | Error log seen on Category Lookup SNI requests for same connection | 16.1.0, 15.1.10 |
848673-1 | 3-Major | BT848673 | Messages that originate from split tunneled frame have incorrect Portal Access message event origin. | 16.0.0, 15.1.10 |
1268521-2 | 3-Major | BT1268521 | SAML authentication with the VCS fails when launching the applications/remote desktops from the APM Webtop when multiple RD resources are assigned to the APM Webtop | 16.1.4, 15.1.10 |
1251157 | 3-Major | BT1251157 | Ping Access filter can accumulate connections increasing the memory use | 15.1.10 |
1208949-3 | 3-Major | BT1208949 | TMM cored with SIGSEGV at 'vpn_idle_timer_callback' | 16.1.4, 15.1.10 |
1207821-4 | 3-Major | BT1207821 | APM internal virtual server leaks memory under certain conditions | 15.1.10 |
1180365-1 | 3-Major | BT1180365 | APM Integration with Citrix Cloud Connector | 16.1.4, 15.1.10 |
1124109-1 | 3-Major | | Add "typ":"JWT" to JOSE Header while generating JWT token from OAuth AS | 17.1.0, 16.1.4, 15.1.10 |
1071485-1 | 3-Major | BT1071485 | For IP based bypass, Response Analytics sends RST. | 17.0.0, 16.1.3.1, 15.1.10 |
1070029 | 3-Major | BT1070029 | GSS-SPNEGO SASL mechanism issue with AD Query to Synology Directory Service | 16.1.4, 15.1.10 |
1046401-1 | 3-Major | BT1046401 | APM logs show truncated OCSP URL path while performing OCSP Authentication. | 16.1.4, 15.1.10 |
1044457-2 | 3-Major | BT1044457 | APM webtop VPN is no longer working for some users when CodeIntegrity is enabled. | 15.1.10 |
1039941-2 | 3-Major | BT1039941 | The webtop offers to download F5 VPN when it is already installed | 16.1.4, 15.1.10 |
1022493-2 | 3-Major | BT1022493 | Slow file descriptor leak in urldbmgrd (sockets open over time) | 17.0.0, 16.1.3.1, 15.1.10 |
1013729-3 | 3-Major | BT1013729 | Changing User login password using VMware View Horizon client results in “HTTP error 500” | 17.0.0, 16.1.4, 15.1.10 |
1252005-2 | 4-Minor | BT1252005 | VMware USB redirection does not work with DaaS | 16.1.4, 15.1.10 |
1224409-2 | 4-Minor | BT1224409 | Unable to set session variables of length >4080 using the -secure flag | 16.1.4, 15.1.10 |
1142389-1 | 4-Minor | BT1142389 | APM UI report displays error "Error Processing log message ..." when the log contains some special character received in client request | 15.1.10 |
1040829-3 | 4-Minor | BT1040829 | Errno=(Invalid cross-device link) after SCF merge | 16.1.4, 15.1.10 |
427094-2 | 5-Cosmetic | BT427094 | Accept-language is not respected if there is no session context for page requested. | 15.1.10 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
839389-3 | 2-Critical | BT839389 | TMM can crash when connecting to IVS under extreme overload | 16.0.0, 15.1.10 |
1269889-2 | 2-Critical | BT1269889 | LTM crashes are observed while running SIP traffic and pool members are offline | 16.1.4, 15.1.10 |
1291149-2 | 3-Major | BT1291149 | Cores with fail over and message routing | 16.1.4, 15.1.10 |
1287313-1 | 3-Major | BT1287313 | SIP response message with missing Reason-Phrase or with spaces are not accepted | 16.1.4, 15.1.10 |
1251013-3 | 4-Minor | BT1251013 | Allow non-RFC compliant URI characters | 15.1.10 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
965897-2 | 2-Critical | BT965897 | Disruption of mcpd with a segmentation fault during config sync | 15.1.10 |
1080957 | 2-Critical | BT1080957 | TMM Seg fault while Offloading virtual server DOS attack to HW | 15.1.10 |
1060833-1 | 2-Critical | BT1060833 | After handling a large number of connections with firewall rules that log or report translation fields or server side statistics, TMM may crash. | 17.0.0, 15.1.10 |
1040685-3 | 2-Critical | BT1040685 | Core file on blade slot2 after reboot (TMM SIGSEGV in pktclass_classifier) | 17.0.0, 16.1.4, 15.1.10 |
998701-2 | 3-Major | BT998701 | Active_zombie_port_blocks counter from fw_lsn_pool_pba_stat stats may reach unrealistically large value. | 15.1.10 |
955773-1 | 3-Major | BT955773 | Fw_lsn_pool_pba_stat: excessively high active_port_blocks stat for IPv4 | 15.1.10 |
918905-2 | 3-Major | BT918905 | PCCD restart loop when using more than 256 FQDN entries in Firewall Rules | 16.1.0, 15.1.10 |
863285-1 | 3-Major | BT863285 | Incorrect value (icmpv6) is used when Rule List/Rule/Protocol is set to ICMPv6 via GUI.★ | 16.0.0, 15.1.10 |
844597-4 | 3-Major | BT844597 | AVR analytics is reporting null domain name for a dns query | 15.1.10 |
594600-1 | 3-Major | BT594600 | No validation when delete iRule that is assigned to ACL policy | 16.0.0, 15.1.10 |
1307697 | 3-Major | BT1307697 | IPI not working on a new device - 401 invalid device error from BrightCloud | 15.1.10 |
1238629-3 | 3-Major | | TMM core when processing certain DNS traffic with bad actor (BA) enabled | 16.1.4, 15.1.10 |
1199025-1 | 3-Major | BT1199025 | DNS vectors auto-threshold events are not seen in webUI | 15.1.10 |
1196053-2 | 3-Major | BT1196053 | The autodosd log file is not truncating when it rotates | 15.1.10 |
1101653-1 | 3-Major | BT1101653 | Query Type Filter in DNS Security Profile blocks allowed query types | 15.1.10 |
1057061-1 | 3-Major | BT1057061 | BIG-IP Virtual Edition + security-log-profile (HSL) performance issue with Log Translation Fields. | 17.0.0, 15.1.10 |
1042153-1 | 3-Major | BT1042153 | AFM TCP connection issues when tscookie-vlans enabled on server/client side VLAN. | 17.0.0, 15.1.10 |
1251105-3 | 4-Minor | BT1251105 | DoS Overview (non-HTTP) - A null pointer was passed into a function | 15.1.10 |
1211021-3 | 4-Minor | BT1211021 | Enforcement does not happen for entries in new and modified IPI feed lists due to lock issues | 17.1.0, 16.1.4, 15.1.10 |
1094145 | 4-Minor | BT1094145 | AFM does not detect NXDOMAIN attack when DNS cache is activated. | 15.1.10 |
1069265-1 | 4-Minor | BT1069265 | New connections or packets from the same source IP and source port can cause unnecessary port block allocations. | 16.1.4, 15.1.10 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1302677-1 | 3-Major | BT1302677 | Memory leak in PEM when Policy is queried via TCL | 15.1.10 |
1259489-1 | 3-Major | BT1259489 | PEM subsystem memory leak is observed when using PEM::subscriber information | 16.1.4, 15.1.10 |
1238249-4 | 3-Major | BT1238249 | PEM Report Usage Flow log is inaccurate | 16.1.4, 15.1.10 |
1190353-2 | 3-Major | BT1190353 | The wr_urldbd BrightCloud database downloading from a proxy server is not working | 16.1.4, 15.1.10 |
1093357-1 | 3-Major | BT1093357 | PEM intra-session mirroring can lead to a crash | 16.1.4, 15.1.10 |
1020041-2 | 3-Major | BT1020041 | "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs | 16.1.4, 15.1.10 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
751719-2 | 2-Critical | BT751719 | UDP::hold/UDP::release does not work correctly | 17.1.0, 15.1.10 |
1096317-3 | 3-Major | BT1096317 | SIP msg alg zombie flows | 15.1.10 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1223369-4 | 2-Critical | | Classification of certain UDP traffic may cause crash | 16.1.3.4, 15.1.10 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
954001-5 | 3-Major | | REST File Upload hardening | 16.1.4, 15.1.10 |
1049237 | 4-Minor | BT1049237 | Restjavad may fail to cleanup ucs file handles even with ID767613 fix | 16.1.4, 15.1.10 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1004697-2 | 3-Major | BT1004697 | Saving UCS files can fail if /var runs out of space | 16.1.4, 15.1.10 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1122205 | 3-Major | BT1122205 | The 'action' value changes when loading protocol-inspection profile config | 16.1.4, 15.1.10 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1211985-3 | 3-Major | BT1211985 | BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring | 15.1.10 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
922737-4 | 2-Critical | BT922737 | TMM crashes with a sigsegv while passing traffic | 17.1.0, 16.1.4, 15.1.10 |
1104037-3 | 2-Critical | BT1104037 | Tmm crash after changing "connection.vlankeyed" to disabled on system with L2 wire | 17.1.0, 16.1.4, 15.1.10 |
873545-2 | 3-Major | BT873545 | SSL Orchestrator Configuration GUI freezes after management IP change. | 15.1.10, 14.1.4.5 |
1303185-2 | 3-Major | BT1303185 | Large numbers of URLs in url-db can cause TMM to restart | 15.1.10 |
1289365-3 | 3-Major | BT1289365 | The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode★ | 16.1.4, 15.1.10 |
F5OS Messaging Agent Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1295113 | 3-Major | BT1295113 | LACP Mode is always ACTIVE even though it is configured PASSIVE on the Host on R2x00/R4x00/R5x00/R10x00 | 15.1.10 |
1289997-1 | 3-Major | BT1289997 | Tenant clustering fails when adding a lower number slot to Tenant | 15.1.10 |
Cumulative fixes from BIG-IP v15.1.9.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1285173-4 | CVE-2023-38138 | K000133474 | Improper query string handling on undisclosed pages | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
1265425-3 | CVE-2023-38423 | K000134535 | Improper query string handling on undisclosed pages | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
1185421-3 | CVE-2023-38419 | K000133472, BT1185421 | iControl SOAP uncaught exception when handling certain payloads | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
Functional Change Fixes
None
Cumulative fixes from BIG-IP v15.1.9 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1167897-5 | CVE-2022-40674 | K44454157, BT1167897 | [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c | 16.1.4, 15.1.9 |
1122441-3 | CVE-2015-1283, CVE-2021-45960, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-23515, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2021-46143 | K19473898, BT1122441 | Upgrading the libexpat library | 17.1.0, 16.1.4, 15.1.9 |
1271349-2 | CVE-2023-25690 | K000133098, BT1271349 | CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy | 16.1.4, 15.1.9 |
1189465-4 | CVE-2023-24461 | K000132539, BT1189465 | Edge Client allows connections to untrusted APM Virtual Servers | 16.1.4, 15.1.9 |
1183453-2 | CVE-2022-31676 | K87046687 | Local privilege escalation vulnerability (CVE-2022-31676) | 17.1.0, 16.1.4, 15.1.9 |
1167929-3 | CVE-2022-40674 | K44454157, BT1167929 | CVE-2022-40674 - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c | 16.1.4, 15.1.9 |
1111097-4 | CVE-2022-1271 | K000130546, BT1111097 | gzip arbitrary-file-write vulnerability CVE-2022-1271 | 17.1.0, 16.1.4, 15.1.9 |
1102881-3 | CVE-2021-25217 | K08832573, BT1102881 | dhclient/dhcpd vulnerability CVE-2021-25217 | 17.1.0, 16.1.4, 15.1.9 |
1098829-5 | CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-23515, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824 | K19473898, BT1098829 | Security vulnerabilities found in expat lib (used by iControlSoap) prior to version 2.4.8 | 17.1.0, 16.1.4, 15.1.9 |
1093253-5 | CVE-2021-3999 | K24207649 | CVE-2021-3999 Glibc Vulnerability | 17.1.0, 16.1.4, 15.1.9 |
1091601-6 | CVE-2022-23218, CVE-2022-23219 | K52308021, BT1091601 | Glibc vulnerabilities CVE-2022-23218, CVE-2022-23219 | 17.1.0, 16.1.4, 15.1.9 |
1075733-2 | CVE-2018-14348 | K26890535, BT1075733 | Updated libcgroup library to fix CVE-2018-14348 | 17.1.0, 16.1.4, 15.1.9 |
1070753-3 | CVE-2020-27216, CVE-2021-28169, CVE-2021-34428, CVE-2018-12536 | K33548065, BT1070753 | CVE-2020-27216: Eclipse Jetty vulnerability | 16.1.4, 15.1.9 |
989373-3 | CVE-2020-14314 | K67830124 | CVE-2020-14314 kernel: buffer uses out of index in ext3/4 filesystem | 15.1.9 |
950605-4 | CVE-2020-14145 | K48050136, BT950605 | Openssh insecure client negotiation CVE-2020-14145 | 17.1.0, 16.1.4, 15.1.9 |
785197-3 | CVE-2019-9075 | K42059040, BT785197 | binutils vulnerability CVE-2019-9075 | 17.1.0, 16.1.4, 15.1.9 |
601271-10 | CVE-2016-0723 | K43650115 | CVE-2016-0723: TTY use-after-free race | 15.1.9 |
1189457-4 | CVE-2023-22372 | K000132522, BT1189457 | Hardening of client connection handling from Edge client. | 16.1.4, 15.1.9 |
1123537-5 | CVE-2022-28615 | K40582331, BT1123537 | CVE-2022-28615 (httpd): out-of-bounds read in ap_strcmp_match() | 16.1.4, 15.1.9 |
1121965-4 | CVE-2022-28614 | K58003591, BT1121965 | CVE-2022-28614 (httpd): out-of-bounds read via ap_rwrite() | 17.1.0, 16.1.4, 15.1.9 |
1099341-3 | CVE-2018-25032 | K21548854 | CVE-2018-25032: A flaw found in zlib, when compressing (not decompressing!) certain inputs | 16.1.4, 15.1.9 |
1089921-5 | CVE-2022-0359 | K08827426, BT1089921 | Vim vulnerability CVE-2022-0359 | 17.1.0, 16.1.4, 15.1.9 |
1089233-3 | CVE-2022-0492 | K54724312 | CVE-2022-0492 Linux kernel vulnerability | 17.1.0, 16.1.4, 15.1.9 |
1088445-5 | CVE-2022-22720 | K67090077 | CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body | 16.1.4, 15.1.9 |
1070905-3 | CVE-2017-7656 | K21054458, BT1070905 | CVE-2017-7656 jetty: HTTP request smuggling using the range header | 16.1.4, 15.1.9 |
1026873-5 | CVE-2020-27618 | K08641512 | CVE-2020-27618: iconv hangs when converting some invalid inputs from several IBM character sets | 15.1.9 |
1021245-2 | CVE-2019-20907 | K78284681, BT1021245 | CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive | 17.1.0, 16.1.4, 15.1.9 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1144373-3 | 3-Major | BT1144373 | BIG-IP SFTP hardening | 17.1.0, 16.1.4, 15.1.9 |
1040609-3 | 3-Major | | RFC enforcement is bypassed when HTTP redirect irule is applied to the virtual server. | 17.1.0, 16.1.4, 15.1.9 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1209561-2 | 1-Blocking | BT1209561 | License is not operational after reboot and an error is logged in /var/log/ltm | 17.1.0, 15.1.9 |
1173441-2 | 1-Blocking | BT1173441 | The 'tmsh save sys config' call is being triggered when REST Authentication tokens (X-F5-Auth-Token) are deleted or expired | 17.1.0, 16.1.4, 15.1.9 |
1116845-1 | 1-Blocking | BT1116845 | Interfaces using the xnet driver are not assigned a MAC address | 17.1.0, 16.1.4, 15.1.9 |
995849-2 | 2-Critical | BT995849 | Tmm crash SIGSEGV - rcs_getsalen() in lib/rc_net.c | 17.0.0, 16.1.4, 15.1.9 |
994033-2 | 2-Critical | BT994033 | The daemon httpd_sam does not recover automatically when terminated | 16.1.4, 15.1.9 |
950201-4 | 2-Critical | BT950201 | Tmm core on GCP | 16.1.4, 15.1.9 |
856713-3 | 2-Critical | BT856713 | IPsec crash during rekey | 16.1.0, 16.0.1.2, 15.1.9, 14.1.2.8 |
756830-5 | 2-Critical | BT756830 | BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict' | 15.1.9 |
1290889-3 | 2-Critical | K000134792, BT1290889 | TMM disconnects from processes such as mcpd causing TMM to restart | 16.1.4, 15.1.9 |
1286433-1 | 2-Critical | BT1286433 | Improve ASM performance for BIG-IP instances running on r2k / r4k appliances | 15.1.9 |
1282513 | 2-Critical | BT1282513 | Redirections on the lowest numbered blade in mirroring configuration. | 15.1.9 |
1225789-3 | 2-Critical | BT1225789 | The iHealth API is transitioning from SSODB to OKTA | 16.1.4, 15.1.9 |
1209709 | 2-Critical | BT1209709 | Memory leak in icrd_child when license is applied through BIG-IQ | 16.1.4, 15.1.9 |
1208529-3 | 2-Critical | | TMM crash when handling IPSEC traffic | 17.1.0, 16.1.4, 15.1.9 |
1195489-3 | 2-Critical | | iControl REST input sanitization | 16.1.4, 15.1.9 |
1191137-2 | 2-Critical | BT1191137 | WebUI crashes when the localized form data fails to match the expectations | 15.1.9 |
1189881 | 2-Critical | BT1189881 | Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading does not work on hardware | 15.1.9 |
1178221-2 | 2-Critical | BT1178221 | In IPsec IKEv2, packet memory corruption after retransmitted ISAKMP with NAT | 17.1.0, 16.1.4, 15.1.9 |
1136429-3 | 2-Critical | BT1136429 | Closing of unrelated MCPD connection causes an errant reply to an in-progress transaction or request group | 17.1.0, 16.1.4, 15.1.9 |
1134301-2 | 2-Critical | BT1134301 | IPsec interface mode may stop sending packets over tunnel after configuration update | 17.1.0, 16.1.4, 15.1.9 |
1128629-2 | 2-Critical | BT1128629 | Neurond crash observed during live install through test script | 17.1.0, 16.1.4, 15.1.9 |
1122313 | 2-Critical | BT1122313 | VXLAN tunnels fail to pass traffic after TMM restarts | 17.1.0, 15.1.9 |
1110893-3 | 2-Critical | BT1110893 | Some portions of the BIG-IP GUI do not work when accessed behind an HTTP proxy | 17.1.0, 16.1.4, 15.1.9 |
1097193-1 | 2-Critical | K000134769, BT1097193 | Unable to SCP files using WinSCP or relative path name | 17.1.0, 16.1.3.1, 15.1.9 |
1095217-3 | 2-Critical | BT1095217 | Peer unit incorrectly shows the pool status as unknown after merging the configuration | 17.1.0, 16.1.4, 15.1.9 |
1082941-3 | 2-Critical | | System account hardening | 17.1.0, 16.1.4, 15.1.9 |
1076909-3 | 2-Critical | BT1076909 | Syslog-ng truncates the hostname at the first period. | 17.1.0, 16.1.4, 15.1.9 |
1035121-3 | 2-Critical | BT1035121 | Configsync syncs the node's monitor status | 17.0.0, 16.1.4, 15.1.9 |
1023829 | 2-Critical | BT1023829 | Security->Policies in Virtual Server web page spins mcpd 100%, which later cores | 17.0.0, 16.1.4, 15.1.9 |
1018997-3 | 2-Critical | | Improper logging of sensitive DB variables | 17.1.0, 16.1.4, 15.1.9 |
998225-4 | 3-Major | BT998225 | TMM crash when disabling/re-enabling a blade that triggers a primary blade transition. | 17.0.0, 16.1.4, 15.1.9 |
987301-1 | 3-Major | BT987301 | Software install on vCMP guest via block-device may fail with error 'reason unknown' | 17.0.0, 16.1.4, 15.1.9 |
966949-2 | 3-Major | BT966949 | Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node | 17.1.0, 16.1.4, 15.1.9 |
966541-3 | 3-Major | | Improper data logged in plaintext | 17.1.0, 16.1.4, 15.1.9 |
949857-5 | 3-Major | | Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync | 16.1.4, 15.1.9 |
936093-2 | 3-Major | BT936093 | Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline | 16.1.4, 15.1.9 |
925797-2 | 3-Major | BT925797 | Full config sync fails and mcpd memory usage is very high on the receiving device with thousands of FQDN pool members | 16.1.0, 15.1.9 |
925469-1 | 3-Major | BT925469 | SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo | 17.1.0, 16.1.4, 15.1.9 |
921149-1 | 3-Major | BT921149 | After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy | 17.1.0, 16.1.4, 15.1.9 |
905937-4 | 3-Major | | TSIG key value logged in plaintext in log | 17.1.0, 16.1.4, 15.1.9 |
883593-1 | 3-Major | BT883593 | Flow will abruptly get dropped if "PVA Offload Initial Priority" is set to High/Low | 16.0.0, 15.1.9 |
879001-1 | 3-Major | BT879001 | LDAP data is not updated consistently which might affect authentication. | 16.0.0, 15.1.9 |
853161-4 | 3-Major | BT853161 | Restjavad has different behavior for error responses if the body is over 2k | 16.0.0, 15.1.9 |
850997-1 | 3-Major | BT850997 | 'SNMPD' no longer shows up in the list of daemons on the high availability (HA) Fail-safe GUI page | 16.0.0, 15.1.9 |
662301-2 | 3-Major | BT662301 | 'Unlicensed objects' error message appears despite there being no unlicensed config | 17.1.0, 16.1.4, 15.1.9 |
651029-9 | 3-Major | | Sensitive information exposed during incremental sync | 17.1.0, 16.1.4, 15.1.9 |
398683-4 | 3-Major | K12304 | Use of a # in a TACACS secret causes remote auth to fail | 16.1.0, 16.0.1.1, 15.1.9 |
1232521-1 | 3-Major | | SCTP connection sticking on BIG-IP even after connection terminated | 16.1.4, 15.1.9 |
1195177 | 3-Major | BT1195177 | TMM may crash during hardware offload on virtual-wire setup | 17.1.0, 15.1.9 |
1160805 | 3-Major | BT1160805 | The scp-checkfp fail to cat scp.whitelist for remote admin | 16.1.4, 15.1.9 |
1155861-1 | 3-Major | BT1155861 | 'Unlicensed objects' error message appears despite there being no unlicensed configuration | 15.1.9 |
1154933-3 | 3-Major | | Improper permissions handling in REST SNMP endpoint | 17.1.0, 16.1.4, 15.1.9 |
1153865-3 | 3-Major | BT1153865 | Restjavad OutOfMemoryError errors and restarts after upgrade★ | 17.1.0, 16.1.4, 15.1.9 |
1146373 | 3-Major | BT1146373 | Basic authentication for REST admin account fails | 15.1.9 |
1136013-4 | 3-Major | BT1136013 | The tmrouted generates core with double free or corruption | 15.1.9 |
1135961-4 | 3-Major | BT1135961 | The tmrouted generates core with double free or corruption | 15.1.9 |
1134057-3 | 3-Major | BT1134057 | BGP routes not advertised after graceful restart | 15.1.9 |
1126805-2 | 3-Major | BT1126805 | TMM CPU usage statistics may show a lower than expected value on Virtual Edition | 17.1.0, 16.1.4, 15.1.9 |
1125773-2 | 3-Major | BT1125773 | TCP options are disabled while hardware SYN cookie is active | 17.1.0, 15.1.9 |
1125733-1 | 3-Major | BT1125733 | Wrong server-side window scale used in hardware SYN cookie mode | 17.1.0, 15.1.9 |
1124209-2 | 3-Major | BT1124209 | Duplicate key objects when renewing certificate using pkcs12 bundle | 16.1.4, 15.1.9 |
1123885-3 | 3-Major | BT1123885 | A specific type of software installation may fail to carry forward the management port's default gateway. | 17.1.0, 16.1.4, 15.1.9 |
1121085-2 | 3-Major | BT1121085 | Some valid connections may get rejected in hardware SYN cookie mode | 17.1.0, 15.1.9 |
1117673-1 | 3-Major | BT1117673 | Configuration load error for a non default value of 'net dag-global {dag-ipv6-prefix-len}'★ | 17.1.0, 15.1.9 |
1116813 | 3-Major | BT1116813 | Some of the valid connections may get rejected in HW SYN cookie mode | 17.1.0, 15.1.9 |
1113961-4 | 3-Major | K43391532, BT1113961 | BIG-IP 16.1.3 VE with FIPS 140-3 May Fail to start in AWS-China | 17.1.0, 16.1.4, 15.1.9 |
1112109-3 | 3-Major | K000134769, BT1112109 | Unable to retrieve SCP files using WinSCP or relative path name | 17.1.0, 16.1.4, 15.1.9 |
1111629-3 | 3-Major | BT1111629 | Messages with "Failed Read: User, referer" are logged in /var/log/httpd/httpd_errors | 17.1.0, 16.1.4, 15.1.9 |
1102849-2 | 3-Major | BT1102849 | Less-privileged users (guest, operator, etc) are unable to run top level commands | 17.1.0, 16.1.4, 15.1.9, 14.1.5.1 |
1101453-3 | 3-Major | BT1101453 | MCPD SIGABRT and core happened while deleting GTM pool member | 17.1.0, 16.1.4, 15.1.9 |
1100409-3 | 3-Major | BT1100409 | Valid connections may fail while a virtual server is in SYN cookie mode. | 17.1.0, 16.1.4, 15.1.9 |
1091725-3 | 3-Major | BT1091725 | Memory leak in IPsec | 17.1.0, 16.1.4, 15.1.9 |
1088429-3 | 3-Major | BT1088429 | Kernel slab memory leak | 17.1.0, 16.1.4, 15.1.9 |
1086389-3 | 3-Major | BT1086389 | BIG-IP r4k and r2k series based systems shows has_pva flag true though they cannot support | 17.1.0, 15.1.9 |
1084781-5 | 3-Major | | Resource Admin permission modification | 17.1.0, 16.1.4, 15.1.9 |
1081649-1 | 3-Major | BT1081649 | Remove the "F5 iApps and Resources" link from the iApps->Package Management | 17.1.0, 16.1.4, 15.1.9 |
1080297-2 | 3-Major | BT1080297 | ZebOS does not show 'log syslog' in the running configuration, or store it in the startup configuration | 17.1.0, 16.1.4, 15.1.9 |
1077405-3 | 3-Major | BT1077405 | Ephemeral pool members may not be created with autopopulate enabled. | 17.1.0, 16.1.4, 15.1.9 |
1076377-2 | 3-Major | BT1076377 | OSPF path calculation for IA and E routes is incorrect. | 17.0.0, 16.1.2.2, 15.1.9 |
1069337-3 | 3-Major | | CVE-2016-1841 - Use after free in xsltDocumentFunctionLoadDocument | 17.1.0, 16.1.4, 15.1.9 |
1063237-3 | 3-Major | BT1063237 | Stats are incorrect when the management interface is not eth0 | 16.1.4, 15.1.9 |
1053557-3 | 3-Major | BT1053557 | Support for Mellanox CX-6 | 17.1.0, 16.1.4, 15.1.9 |
1048137-3 | 3-Major | BT1048137 | IPsec IKEv1 intermittent but consistent tunnel setup failures | 17.0.0, 16.1.3.1, 15.1.9 |
1041577-3 | 3-Major | | SCP file transfer system, completing fix for 994801 | 16.1.4, 15.1.9 |
1032821-5 | 3-Major | BT1032821 | Syslog: invalid level/facility from /usr/libexec/smart_parse.pl | 17.0.0, 16.1.4, 15.1.9 |
1022757-3 | 3-Major | BT1022757 | Tmm core due to corrupt list of ike-sa instances for a connection | 17.0.0, 16.1.2, 15.1.9 |
1001069-3 | 3-Major | BT1001069 | VE CPU usage higher after upgrade, given same throughput | 17.1.0, 16.1.4, 15.1.9 |
955057-2 | 4-Minor | BT955057 | UCS archives containing a large number of DNS zone files may fail to restore.★ | 16.1.0, 15.1.9 |
936501-6 | 4-Minor | BT936501 | Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled | 17.1.0, 16.1.3.1, 15.1.9 |
921001-4 | 4-Minor | BT921001 | After provisioning change, pfmand might keep interfaces down on particular platforms | 16.1.0, 15.1.9 |
760496-1 | 4-Minor | BT760496 | Traffic processing interrupted by PF reset | 17.1.0, 16.1.4, 15.1.9 |
674026-4 | 4-Minor | BT674026 | iSeries AOM web UI update fails to complete.★ | 17.0.0, 16.1.4, 15.1.9 |
1155733-2 | 4-Minor | BT1155733 | NULL bytes are clipped from the end of buffer | 17.1.0, 16.1.4, 15.1.9 |
1154673 | 4-Minor | BT1154673 | Enabling DHCP for management should not be allowed on F5OS BIG-IP tenants | 17.1.0, 15.1.9 |
1144817-1 | 4-Minor | BT1144817 | Traffic processing interrupted by PF reset | 17.1.0, 15.1.9 |
1117305-1 | 4-Minor | BT1117305 | The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials | 16.1.4, 15.1.9 |
1113889 | 4-Minor | BT1113889 | Classic BIG-IP tenant running on F5OS will not correctly pin in-tenant control plane threads correctly on first deployment | 17.1.0, 15.1.9 |
1106353-3 | 4-Minor | BT1106353 | [Zebos] Expand zebos/bgp commands in a qkview | 17.1.0, 16.1.4, 15.1.9 |
1076897-3 | 4-Minor | BT1076897 | OSPF default-information originate command options not working properly | 17.1.0, 16.1.4, 15.1.9 |
1076253-3 | 4-Minor | BT1076253 | IKE library memory leak | 17.0.0, 16.1.4, 15.1.9 |
1062385-3 | 4-Minor | BT1062385 | BIG-IP has an incorrect limit on the number of monitored HA-group entries. | 17.1.0, 16.1.4, 15.1.9 |
1043821-2 | 4-Minor | | Inconsistent user role handling across configuration UIs | 17.1.0, 16.1.4, 15.1.9 |
1022417-2 | 4-Minor | BT1022417 | Ike stops with error ikev2_send_request: [WINDOW] full window | 17.0.0, 16.1.2, 15.1.9 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1112349-3 | 1-Blocking | BT1112349 | FIPS Card Cannot Initialize | 17.1.0, 16.1.4, 15.1.9 |
966421-3 | 2-Critical | BT966421 | Connection stall happened when the shutdown received before all egress data | 16.1.0, 15.1.9 |
937649-3 | 2-Critical | BT937649 | Flow fwd broken with statemirror.verify enabled and source-port preserve strict | 17.1.0, 16.1.4, 15.1.9 |
1286357-1 | 2-Critical | | Reducing packet loss for BIG-IP instance running on r2k / r4k appliances | 15.1.9 |
1220629-4 | 2-Critical | | TMM may crash on response from certain backend traffic | 16.1.4, 15.1.9 |
1214073-1 | 2-Critical | BT1214073 | LACP Trunks are not created in TMM on R2800/R4800 platforms. | 17.1.0, 15.1.9 |
1210433-1 | 2-Critical | BT1210433 | Conversion between virtual-wire VLAN and normal VLAN | 17.1.0, 15.1.9 |
1209945 | 2-Critical | BT1209945 | Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs | 15.1.9 |
1205501 | 2-Critical | BT1205501 | The iRule command SSL::profile can select server SSL profile with outdated configuration | 16.1.4, 15.1.9 |
1156697-2 | 2-Critical | BT1156697 | Translucent VLAN groups may pass some packets without changing the locally administered bit | 17.1.0, 16.1.4, 15.1.9 |
1154681 | 2-Critical | BT1154681 | Reconfiguration of virtual-wire VLAN in tenant | 17.1.0, 15.1.9 |
1146377-3 | 2-Critical | BT1146377 | FastHTTP profiles do not insert HTTP headers triggered by iRules | 16.1.4, 15.1.9 |
1132405-1 | 2-Critical | BT1132405 | TMM does not process BFD echo pkts with src.addr == dst.addr | 17.1.0, 16.1.4, 15.1.9 |
1124865-1 | 2-Critical | BT1124865 | Removal of LAG member from an active LACP trunk on r2k and r4k systems requires tmm restart | 15.1.9 |
1110813-2 | 2-Critical | BT1110813 | Improve MPTCP retransmission handling while aborting | 17.1.0, 16.1.4, 15.1.9 |
1110205-1 | 2-Critical | BT1110205 | SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown | 17.1.0, 16.1.3.1, 15.1.9 |
1099545-3 | 2-Critical | BT1099545 | Tmm may core when PEM virtual with a simple policy and iRule is being used | 17.1.0, 16.1.4, 15.1.9 |
1075073-1 | 2-Critical | BT1075073 | TMM Crash observed with Websocket and MQTT profile enabled | 17.0.0, 16.1.4, 15.1.9 |
1067669-2 | 2-Critical | BT1067669 | TCP/UDP virtual servers drop all incoming traffic. | 17.0.0, 16.1.4, 15.1.9 |
1030185-3 | 2-Critical | BT1030185 | TMM may crash when looking up a persistence record using "persist lookup" iRule commands | 17.0.0, 16.1.4, 15.1.9 |
1024241-2 | 2-Critical | BT1024241 | Empty TLS records from client to BIG-IP results in SSL session termination | 16.1.4, 15.1.9 |
948065-3 | 3-Major | BT948065 | DNS Responses egress with an incorrect source IP address. | 17.0.0, 16.1.4, 15.1.9 |
947125-2 | 3-Major | BT947125 | Unable to delete monitors after certain operations | 17.1.0, 15.1.9 |
945601-4 | 3-Major | BT945601 | An incorrect LTM policy rule may be matched when a policy consists of multiple rules with TCP address matching conditions. | 16.1.0, 16.0.1.2, 15.1.9 |
920205-4 | 3-Major | BT920205 | Rate shaping might suppress TCP RST | 16.1.0, 15.1.9 |
918277-2 | 3-Major | BT918277 | Slow Ramp does not take into account pool members' ratio weights | 16.1.0, 15.1.9 |
909997-3 | 3-Major | BT909997 | Virtual server status displays as unavailable when it is accepting connections | 16.1.0, 15.1.9 |
884541-7 | 3-Major | | Improper handling of cookies on VIPRION platforms | 17.1.0, 16.1.4, 15.1.9 |
883133-2 | 3-Major | BT883133 | TLS_FALLBACK_SCSV with TLS1.3 | 16.1.0, 15.1.9 |
878641-2 | 3-Major | BT878641 | TLS1.3 certificate request message does not contain CAs | 16.1.4, 15.1.9 |
863165-3 | 3-Major | BT863165 | Unbalanced trunk distribution on i4x00 and 4000 platforms with odd number of members. | 16.0.0, 15.1.9 |
785361-3 | 3-Major | BT785361 | In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped | 16.1.0, 15.1.9 |
756313-6 | 3-Major | BT756313 | SSL monitor continues to mark pool member down after restoring services | 16.1.0, 15.1.9 |
693473-6 | 3-Major | BT693473 | The iRulesLX RPC completion can cause invalid or premature TCL rule resumption | 16.1.4, 15.1.9 |
574762-2 | 3-Major | BT574762 | Forwarding flows leak when a routing update changes the egress vlan | 17.0.0, 16.1.4, 15.1.9 |
1281637 | 3-Major | BT1281637 | When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE | 16.1.4, 15.1.9 |
1229417-3 | 3-Major | | BIG-IP iRulesLX: CVE-2020-7774 nodejs-y18n prototype pollution vulnerability | 16.1.4, 15.1.9 |
1210469-5 | 3-Major | BT1210469 | TMM can crash when processing AXFR query for DNSX zone | 16.1.4, 15.1.9 |
1185133-3 | 3-Major | BT1185133 | ILX streaming plugins limited to MCP OIDs less than 10 million | 17.1.0, 16.1.4, 15.1.9 |
1184153-3 | 3-Major | BT1184153 | TMM crashes when you use the rateshaper with packetfilter enabled | 17.1.0, 16.1.4, 15.1.9 |
1161733-3 | 3-Major | | Enabling client-side TCP Verified Accept can cause excessive memory consumption | 17.1.0, 16.1.4, 15.1.9 |
1159569-1 | 3-Major | BT1159569 | Persistence cache records may accumulate over time | 17.1.0, 16.1.4, 15.1.9 |
1155393-1 | 3-Major | BT1155393 | Failure to remove chunk headers from chunked response with Rewrite/HTML profile and compression | 17.1.0, 16.1.4, 15.1.9 |
1153969-3 | 3-Major | | Excessive resource consumption when processing LDAP and CRLDP auth traffic | 16.1.4, 15.1.9 |
1146241-3 | 3-Major | BT1146241 | FastL4 virtual server may egress packets with unexpected and erratic TTL values | 17.1.0, 16.1.4, 15.1.9 |
1144117-2 | 3-Major | BT1144117 | "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands | 16.1.4, 15.1.9 |
1141845-3 | 3-Major | BT1141845 | RULE_INIT with a call that contains an extra colon character (:) will crash BIG-IP. | 17.1.0, 16.1.4, 15.1.9 |
1135313-3 | 3-Major | BT1135313 | Pool member current connection counts are incremented and not decremented | 17.1.0, 16.1.4, 15.1.9 |
1133881-3 | 3-Major | BT1133881 | Errors in attaching port lists to virtual server when TMC is used with same sources | 17.1.0, 16.1.4, 15.1.9 |
1133625-3 | 3-Major | BT1133625 | The HTTP2 protocol is not working when SSL persistence and session ticket are enabled | 17.1.0, 16.1.4, 15.1.9 |
1133013-2 | 3-Major | | Appliance mode hardening | 17.1.0, 16.1.4, 15.1.9 |
1126329-3 | 3-Major | BT1126329 | SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT★ | 17.1.0, 16.1.4, 15.1.9 |
1123169-3 | 3-Major | BT1123169 | Error saving an iRule when calling a procedure from HTML_TAG_MATCHED event | 17.1.0, 16.1.4, 15.1.9 |
1115041-3 | 3-Major | BT1115041 | BIG-IP does not forward the response received after GOAWAY, to the client. | 17.1.0, 16.1.4, 15.1.9 |
1113181-3 | 3-Major | BT1113181 | Self-IP allows no traffic following a modification from "Allow Custom (Include Default)" to "Allow Custom". | 16.1.4, 15.1.9 |
1112205-2 | 3-Major | BT1112205 | HTTP/2 may garble responses if the client-side stream aborts while response headers are on the wire | 17.1.0, 15.1.9 |
1111473-3 | 3-Major | BT1111473 | The error Invalid monitor rule instance identifier occurs, and possible blade reboot loop after sync with FQDN nodes | 17.1.0, 16.1.4, 15.1.9 |
1109953-3 | 3-Major | BT1109953 | TMM may crash if a data-group is used when an SSL Forward Proxy Bypass/Intercept list contains extremely long entry | 17.1.0, 16.1.4, 15.1.9 |
1102429-3 | 3-Major | BT1102429 | iRule 'reject' command under 'FLOW_INIT' event does not send the reject packet out in some cases. | 17.1.0, 16.1.4, 15.1.9 |
1101181-1 | 3-Major | BT1101181 | HTTP request payload not forwarded by BIG-IP when serverside is HTTP/2 and HTTP MRF router is enabled on virtual server | 17.1.0, 16.1.4, 15.1.9 |
1099229-3 | 3-Major | BT1099229 | SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present | 17.1.0, 16.1.4, 15.1.9, 14.1.5.1 |
1096893-2 | 3-Major | BT1096893 | TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection | 16.1.4, 15.1.9 |
1091969-2 | 3-Major | BT1091969 | iRule 'virtual' command does not work for connections over virtual-wire. | 16.1.4, 15.1.9 |
1083621-4 | 3-Major | BT1083621 | The virtio driver uses an incorrect packet length | 15.1.9 |
1081085 | 3-Major | BT1081085 | MQTT with slow reading server cores on larger payload | 15.1.9 |
1080569-1 | 3-Major | BT1080569 | BIG-IP prematurely closes clientside HTTP1.1 connection when serverside is HTTP2 and HTTP MRF router is enabled on virtual server | 17.1.0, 16.1.4, 15.1.9 |
1079769-4 | 3-Major | BT1079769 | Tmm utilizing the virtio driver might crash after modifying several IPv6 virtual servers | 17.0.0, 16.1.4, 15.1.9 |
1077553-2 | 3-Major | BT1077553 | Traffic matches the wrong virtual server after modifying the port matching configuration | 17.1.0, 16.1.4, 15.1.9 |
1076573-1 | 3-Major | BT1076573 | MQTT profile addition is different in GUI and TMSH | 17.0.0, 16.1.4, 15.1.9 |
1070389-3 | 3-Major | | Tightening HTTP RFC enforcement | 17.1.0, 16.1.4, 15.1.9 |
1068673-2 | 3-Major | BT1068673 | SSL forward Proxy triggers CLIENTSSL_DATA event on bypass. | 17.1.0, 16.1.4, 15.1.9 |
1062605 | 3-Major | BT1062605 | Support for MQTT functionality over websockets | 15.1.9 |
1060021-2 | 3-Major | BT1060021 | Using OneConnect profile with RESOLVER::name_lookup iRule might result in core. | 17.1.0, 16.1.4, 15.1.9 |
1059337 | 3-Major | BT1059337 | Potential data leak inside Ethernet padding field on VELOS architecture products | 17.1.0, 15.1.9 |
1046717 | 3-Major | BT1046717 | Tmm crash when utilizing one-connect with inband monitors and ECMP or pool routes. | 15.1.9 |
1043009-3 | 3-Major | BT1043009 | TMM dump capture for compression engine hang | 17.1.0, 16.1.4, 15.1.9 |
1037645-1 | 3-Major | BT1037645 | TMM may crash under memory pressure when using iRule 'AES::key' command | 17.0.0, 15.1.9 |
1000561-3 | 3-Major | BT1000561 | HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side | 16.1.4, 15.1.9 |
1000069-1 | 3-Major | BT1000069 | Virtual server does not create the listener | 17.1.0, 16.1.4, 15.1.9 |
982993-4 | 4-Minor | BT982993 | Gateway ICMP monitors with IPv6 destination and IPV6 transparent nexthop might fail | 16.1.0, 15.1.9 |
960677-2 | 4-Minor | | Improvement in handling accelerated TLS traffic | 16.1.4, 15.1.9 |
932045-3 | 4-Minor | BT932045 | Memory leak when creating/deleting LTM node object | 16.1.0, 15.1.9 |
834217-7 | 4-Minor | BT834217 | Some init-rwnd and client-mss combinations may result in sub-optimal advertised TCP window. | 16.0.0, 15.1.9 |
1230753 | 4-Minor | BT1230753 | HTTP/2 sends RST_STREAM for completed streams | 15.1.9 |
1181345-1 | 4-Minor | BT1181345 | Fix for VLAN Group reconfiguration issue when an additional virtual-wire configuration is added on top of deployed tenant | 17.1.0, 15.1.9 |
1168309-1 | 4-Minor | BT1168309 | Virtual Wire traffic over trunk interface sometimes fail in Tenant based platforms | 17.1.0, 15.1.9 |
1156105-3 | 4-Minor | BT1156105 | Proxy Exclusion List is not configurable if VLAN group and route-domain are in non default partition | 17.1.0, 16.1.4, 15.1.9 |
1132765-3 | 4-Minor | BT1132765 | Virtual server matching might fail in rare cases when using virtual server chaining. | 17.1.0, 16.1.4, 15.1.9 |
1122377-3 | 4-Minor | BT1122377 | If-Modified-Since always returns 304 response if there is no last-modified header in the server response | 17.1.0, 16.1.4, 15.1.9 |
1111981-2 | 4-Minor | BT1111981 | Decrement in MQTT current connections even if the connection was never active | 17.1.0, 16.1.4, 15.1.9 |
1103617-3 | 4-Minor | BT1103617 | 'Reset on Timeout' setting might be ignored when fastl4 is used with another profile. | 17.1.0, 16.1.4, 15.1.9 |
1101369-2 | 4-Minor | BT1101369 | MQTT connection stats are not updated properly | 17.1.0, 16.1.4, 15.1.9 |
1037265-1 | 4-Minor | | Improper handling of multiple cookies with the same name. | 17.1.0, 16.1.4, 15.1.9 |
1034217-1 | 4-Minor | BT1034217 | Quic_update_rtt can leave ack_delay uninitialized. | 17.0.0, 16.1.4, 15.1.9 |
1030533-2 | 4-Minor | BT1030533 | The BIG-IP system may reject valid HTTP responses from OCSP servers. | 17.0.0, 16.1.4, 15.1.9 |
1027805-3 | 4-Minor | BT1027805 | DHCP flows crossing route-domain boundaries might fail. | 17.0.0, 16.1.4, 15.1.9 |
Performance Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1127445-2 | 2-Critical | BT1127445 | Performance degradation after Bug ID 1019853 | 17.1.0, 16.1.4, 15.1.9 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1137485-3 | 2-Critical | BT1137485 | Gtmd produces excessive logging and may also crash (SIGSEGV) repeatedly | 17.1.0, 16.1.4, 15.1.9 |
966461-6 | 3-Major | BT966461 | Tmm memory leak | 17.1.0, 16.1.4, 15.1.9 |
1182353-4 | 3-Major | BT1182353 | DNS cache consumes more memory because of the accumulated mesh_states | 16.1.4, 15.1.9 |
1162081-4 | 3-Major | | Upgrade the bind package to fix security vulnerabilities | 17.1.0, 16.1.4, 15.1.9 |
1137677 | 3-Major | BT1137677 | GTMs in a GTM sync group have inconsistent status for 'require M from N' monitored resources | 15.1.9 |
1122497-1 | 3-Major | BT1122497 | Rapid response not functioning after configuration changes | 17.1.0, 16.1.4, 15.1.9 |
1060145-2 | 3-Major | BT1060145 | Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2. | 17.1.0, 16.1.4, 15.1.9 |
808913-2 | 4-Minor | BT808913 | Big3d cannot log the full XML buffer data | 17.0.0, 16.1.4, 15.1.9 |
1025497-2 | 4-Minor | BT1025497 | BIG-IP may accept and forward invalid DNS responses | 17.1.0, 16.1.4, 15.1.9 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1105341-3 | 0-Unspecified | BT1105341 | Decode_application_payload can break exponent notation in JSON | 17.1.0, 16.1.4, 15.1.9 |
923821-3 | 2-Critical | BT923821 | Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack | 16.1.4, 15.1.9 |
884945-2 | 2-Critical | BT884945 | Latency reduce in case of empty parameters. | 17.0.0, 16.1.4, 15.1.9 |
850141-1 | 2-Critical | BT850141 | Possible tmm core when using Dosl7/Bot Defense profile | 16.1.4, 15.1.9 |
845953-1 | 2-Critical | BT845953 | BD crash on specific scenario | 16.0.0, 15.1.9 |
1132697-1 | 2-Critical | BT1132697 | Use of proactive bot defense profile can trigger TMM crash | 16.1.4, 15.1.9 |
1113161-4 | 2-Critical | BT1113161 | After upgrade, Learning and Blocking Settings page is not loading because some policies are still pointing to deleted factory Negsig sets★ | 17.1.0, 16.1.4, 15.1.9 |
1095185-3 | 2-Critical | BT1095185 | Failed Configuration Load on Secondary Slot After Device Group Sync | 17.1.0, 16.1.4, 15.1.9 |
974985-2 | 3-Major | BT974985 | Dosl7/bot does not ignore non-http traffic even when disabled via iRule DOSL7::disable | 17.0.0, 16.1.4, 15.1.9 |
928997-2 | 3-Major | BT928997 | Less XML memory allocated during ASM startup | 16.1.4, 15.1.9 |
841285-1 | 3-Major | BT841285 | Sometimes apply policy is stuck in Applying state | 16.0.0, 15.1.9 |
1196537-2 | 3-Major | BT1196537 | BD process crashes when you use SMTP security profile | 16.1.4, 15.1.9 |
1194173-3 | 3-Major | BT1194173 | BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value | 16.1.4, 15.1.9 |
1186401-3 | 3-Major | BT1186401 | Using REST API to change policy signature settings changes all the signatures. | 16.1.4, 15.1.9 |
1156889-2 | 3-Major | BT1156889 | TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions | 16.1.4, 15.1.9 |
1148009-4 | 3-Major | BT1148009 | Cannot sync an ASM logging profile on a local-only VIP | 16.1.4, 15.1.9 |
1144497-3 | 3-Major | BT1144497 | Base64 encoded metachars are not detected on HTTP headers | 16.1.4, 15.1.9 |
1141665-3 | 3-Major | BT1141665 | Significant slowness in policy creation following Threat Campaign LU installation | 17.1.0, 16.1.4, 15.1.9 |
1137993-3 | 3-Major | BT1137993 | Violation is not triggered on specific configuration | 16.1.4, 15.1.9 |
1132981-1 | 3-Major | BT1132981 | Standby not persisting manually added session tracking records | 16.1.4, 15.1.9 |
1132741-4 | 3-Major | BT1132741 | Tmm core when html parser scans endless html tag of size more than 50MB | 16.1.4, 15.1.9 |
1128689-3 | 3-Major | BT1128689 | Performance improvement in signature engine | 16.1.4, 15.1.9 |
1127809-4 | 3-Major | BT1127809 | Due to incorrect URI parsing, the system does not extract the expected domain name | 17.1.0, 16.1.4, 15.1.9 |
1126409-4 | 3-Major | BT1126409 | BD process crash | 17.1.0, 16.1.4, 15.1.9 |
1113881-3 | 3-Major | BT1113881 | Headers without a space after the colon, trigger an HTTP RFC violation | 17.1.0, 16.1.4, 15.1.9 |
1112805-1 | 3-Major | BT1112805 | ip_address_intelligence field is not populated with value in ArcSight remote log when source IP is IPv4 | 17.1.0, 16.1.4, 15.1.9 |
1110281-4 | 3-Major | BT1110281 | Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable | 16.1.4, 15.1.9 |
1106937-1 | 3-Major | BT1106937 | ASM may skip signature matching | 17.1.0, 16.1.4, 15.1.9 |
1100669-1 | 3-Major | BT1100669 | Brute force captcha loop | 17.1.0, 16.1.4, 15.1.9 |
1099193-3 | 3-Major | BT1099193 | Incorrect configuration for "Auto detect" parameter is shown after switching from other data types | 17.1.0, 16.1.4, 15.1.9 |
1098609-5 | 3-Major | BT1098609 | BD crash on specific scenario | 16.1.4, 15.1.9 |
1091185-3 | 3-Major | | Issue with input normalization | 17.1.0, 15.1.9 |
1088849-3 | 3-Major | BT1088849 | Inconsistent behavior while sending malformed request to /TSbd URLs | 15.1.9 |
1080613-2 | 3-Major | BT1080613 | LU configurations revert to default and installations roll back to genesis files★ | 17.1.0, 16.1.4, 15.1.9 |
1078065-3 | 3-Major | BT1078065 | The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA. | 16.1.4, 15.1.9 |
1072165-1 | 3-Major | BT1072165 | Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format | 17.1.0, 16.1.4, 15.1.9 |
1069729-2 | 3-Major | BT1069729 | TMM might crash after a configuration change. | 16.1.4, 15.1.9 |
1067589-2 | 3-Major | BT1067589 | Memory leak in nsyncd | 17.1.0, 16.1.4, 15.1.9 |
1067557-3 | 3-Major | BT1067557 | Value masking under XML and JSON content profiles does not follow policy case sensitivity | 16.1.4, 15.1.9 |
1058597-3 | 3-Major | BT1058597 | Bd crash on first request after system recovery. | 17.0.0, 16.1.4, 15.1.9 |
1048949-3 | 3-Major | BT1048949 | TMM xdata leak on websocket connection with asm policy without websocket profile | 16.1.4, 15.1.9 |
1017557-3 | 3-Major | BT1017557 | ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN | 17.1.0, 16.1.4, 15.1.9 |
937541-2 | 4-Minor | BT937541 | Wrong display of signature references in violation details | 17.0.0, 15.1.9 |
932893-2 | 4-Minor | BT932893 | Content profile cannot be updated after redirect from violation details in Request Log | 16.1.0, 15.1.9 |
1189865-3 | 4-Minor | BT1189865 | "Cookie not RFC-compliant" violation missing the "Description" in the event logs | 16.1.4, 15.1.9 |
1132925-4 | 4-Minor | BT1132925 | Bot defense does not work with DNS Resolvers configured under non-zero route domains | 17.1.0, 16.1.4, 15.1.9 |
1123153-1 | 4-Minor | BT1123153 | "Such URL does not exist in policy" error in the GUI | 16.1.4, 15.1.9 |
1092965-3 | 4-Minor | BT1092965 | Disabled "Illegal Base64 value" violation is detected for staged base64 parameter with attack signature in value | 17.1.0, 16.1.4, 15.1.9 |
1113333-2 | 5-Cosmetic | BT1113333 | Change ArcSight Threat Campaign key names to be camelCase | 17.1.0, 16.1.4, 15.1.9 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
990073 | 2-Critical | BT990073 | BIG-IP software v13.1.3.6, v14.1.4, v15.1.2.1, v16.0.1.1 or later require APM Clients 7.1.8.5, 7.1.9.8, or 7.2.1.1★ | 15.1.9 |
965837-2 | 2-Critical | BT965837 | When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection | 17.0.0, 16.1.4, 15.1.9 |
956913-2 | 2-Critical | BT956913 | HTTPS traffic may fail for Inbound topology gateway mode | 16.1.0, 15.1.9 |
856909-3 | 2-Critical | BT856909 | Apmd core occurs when it fails to retrieve agentInfo | 16.0.0, 15.1.9 |
1283645-2 | 2-Critical | BT1283645 | Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued | 17.1.0.3, 16.1.4, 15.1.9, 14.1.5.6 |
1122473-3 | 2-Critical | BT1122473 | TMM panic while initializing URL DB | 17.1.0, 16.1.3.3, 15.1.9 |
1111149-1 | 2-Critical | BT1111149 | Nlad core observed due to ERR_func_error_string can return NULL | 16.1.4, 15.1.9 |
1110489-1 | 2-Critical | BT1110489 | TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event | 16.1.4, 15.1.9 |
1106757-2 | 2-Critical | BT1106757 | Horizon VDI clients are intermittently disconnected | 17.1.0, 16.1.4, 15.1.9 |
1082581-1 | 2-Critical | BT1082581 | Apmd sees large memory growth due to CRLDP Cache handling | 17.1.0, 16.1.4, 15.1.9, 14.1.5.3 |
1065501-3 | 2-Critical | BT1065501 | [API Protection]Per request policy is getting timed out | 17.0.0, 16.1.4, 15.1.9 |
1046633-2 | 2-Critical | BT1046633 | Rare tmm crash when sending packets to apmd fails | 17.0.0, 16.1.4, 15.1.9 |
963869-2 | 3-Major | BT963869 | Remote Desktop app fails to launch from webtop when Per-request Policy is added to virtual server. | 16.1.0, 15.1.9 |
957453-2 | 3-Major | BT957453 | Javascript parser incompatible with ECMAScript 6/7+ javascript versions | 17.1.0, 16.1.4, 15.1.9 |
956645-2 | 3-Major | BT956645 | Per-request policy execution may timeout. | 17.0.0, 16.1.4, 15.1.9, 14.1.4.5 |
904725-1 | 3-Major | BT904725 | Add new macro dialogue not working for AD auth and resources and password change | 16.0.0, 15.1.9 |
892861-3 | 3-Major | BT892861 | Cannot configure aaa OAuth provider - invalid x509 file | 16.1.0, 15.1.9 |
819645-2 | 3-Major | BT819645 | Reset Horizon View application does not work when accessing through F5 APM | 17.1.0, 16.1.4, 15.1.9 |
752077-1 | 3-Major | BT752077 | Kerberos replay cache leaks file descriptors | 17.0.0, 16.1.4, 15.1.9 |
592353-3 | 3-Major | BT592353 | Javascript parser incompatible with ECMA6/7+ | 16.1.0, 15.1.9 |
490138-2 | 3-Major | BT490138 | Kerberos Auth might fail in case BIG-IP is configured with multiple AAA Kerberos Servers | 17.1.0, 16.1.4, 15.1.9 |
1196401-3 | 3-Major | BT1196401 | Restarting TMM does not restart APM Daemon | 17.1.0, 16.1.4, 15.1.9 |
1173669-3 | 3-Major | BT1173669 | Unable to reach backend server with Per Request policy and Per Session together | 17.1.0, 16.1.4, 15.1.9 |
1166449-3 | 3-Major | BT1166449 | APM - NTLM authentication will stop working if any of DC FQDN is not resolvable in the configured DC list | 17.1.0, 16.1.4, 15.1.9 |
1147621 | 3-Major | BT1147621 | AD query do not change password does not come into effect when RSA Auth agent used | 15.1.9 |
1146017-2 | 3-Major | BT1146017 | WebUI does not display error when parent rewrite profile is not assigned to user defined rewrite profile | 17.1.0, 16.1.4, 15.1.9 |
1111397 | 3-Major | BT1111397 | [APM][UI] Wizard should also allow same patterns as the direct GUI | 16.1.4, 15.1.9 |
1108109-1 | 3-Major | BT1108109 | APM policy sync fails when access policy contains customization images★ | 17.1.0, 16.1.4, 15.1.9 |
1104409-2 | 3-Major | BT1104409 | Added Rewrite Control Lists builder to Admin UI | 17.1.0, 16.1.4, 15.1.9 |
1103481-3 | 3-Major | | Unnecessary data present in APM URL | 17.1.0, 16.1.4, 15.1.9 |
1101321 | 3-Major | BT1101321 | APM log files are flooded after a client connection fails. | 17.1.0, 16.1.4, 15.1.9 |
1100549-1 | 3-Major | BT1100549 | "Resource Administrator" role cannot change ACL order | 17.1.0, 16.1.4, 15.1.9 |
1099305-1 | 3-Major | BT1099305 | Nlad core observed due to ERR_func_error_string can return NULL | 17.1.0, 16.1.4, 15.1.9 |
1089101-1 | 3-Major | BT1089101 | Apply Access Policy notification in UI after auto discovery | 17.1.0, 16.1.4, 15.1.9 |
1067609-3 | 3-Major | | Static keys were used while generating UUIDs under OAuth module | 17.1.0, 16.1.4, 15.1.9 |
1064001-2 | 3-Major | BT1064001 | POST request to a virtual server with stream profile and a access policy is aborted. | 17.0.0, 16.1.4, 15.1.9 |
1063345-3 | 3-Major | BT1063345 | Urldbmgrd may crash while downloading the database. | 17.0.0, 16.1.3.1, 15.1.9 |
1060477 | 3-Major | BT1060477 | iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]". | 16.1.4, 15.1.9 |
1050165-1 | 3-Major | BT1050165 | APM - users end up with SSO disabled for their session, admin intervention required to clear session | 17.1.0, 16.1.4, 15.1.9 |
1042505-2 | 3-Major | BT1042505 | Session variable "session.user.agent" does not get populated for edge clients | 17.0.0, 16.1.4, 15.1.9 |
1039725-2 | 3-Major | BT1039725 | Reverse proxy traffic fails when a per-request policy is attached to a virtual server. | 17.0.0, 16.1.3.1, 15.1.9 |
1038753-3 | 3-Major | | OAuth Bearer with SSO does not process headers as expected | 17.1.0, 16.1.4, 15.1.9 |
1037877-2 | 3-Major | BT1037877 | OAuth Claim display order incorrect in VPE | 17.1.0, 16.1.4, 15.1.9 |
1024437-3 | 3-Major | BT1024437 | Urldb index building fails to open index temp file | 17.0.0, 16.1.3.1, 15.1.9 |
1018877-1 | 3-Major | BT1018877 | Subsession variable values mixing between sessions | 17.0.0, 16.1.4, 15.1.9 |
1010809-2 | 3-Major | BT1010809 | Connection is reset when sending a HTTP HEAD request to APM Virtual Server | 17.1.0, 16.1.4, 15.1.9 |
1000669-2 | 3-Major | BT1000669 | Tmm memory leak 'string cache' leading to SIGFPE | 17.0.0, 16.1.4, 15.1.9 |
1218813-3 | 4-Minor | BT1218813 | "Timeout waiting for TMM to release running semaphore" after running platform_diag | 15.1.9 |
1088389 | 4-Minor | BT1088389 | Admin to define the AD Query/LDAP Query page-size globally | 17.1.0, 16.1.4, 15.1.9 |
1079441-1 | 4-Minor | BT1079441 | APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries | 17.1.0, 16.1.4, 15.1.9 |
1050009-1 | 4-Minor | BT1050009 | Access encountered error:ERR_NOT_FOUND. File: <file name> messages in 'acs_cmp_acp_req_handler' function in APM logs | 17.1.0, 16.1.4, 15.1.9 |
1041985-3 | 4-Minor | BT1041985 | TMM memory utilization increases after upgrade★ | 16.1.4, 15.1.9 |
1028081 | 4-Minor | BT1028081 | [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page | 16.1.4, 15.1.9 |
824073 | 5-Cosmetic | BT824073 | Incorrect error message when uploading OpenAPI 3.0 file | 15.1.9 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1239901-1 | 2-Critical | BT1239901 | LTM crashes while running SIP traffic | 16.1.4, 15.1.9 |
1141853-1 | 2-Critical | BT1141853 | SIP MRF ALG can lead to a TMM core | 17.1.0, 16.1.4, 15.1.9 |
755033-1 | 3-Major | BT755033 | Dynamic Routes stats row does not appear in the UI | 16.0.0, 15.1.9 |
1189513-3 | 3-Major | BT1189513 | SIP media flow pinholes are not created if SDP MIME multipart body part misses the content-length header | 16.1.4, 15.1.9 |
1167941-2 | 3-Major | BT1167941 | CGNAT SIP ALG INVITE loops between BIG-IP and Server | 17.1.0, 16.1.4, 15.1.9 |
1038057-1 | 3-Major | BT1038057 | Unable to add a serverssl profile into a virtual server containing a FIX profile | 16.1.4, 15.1.9 |
862337-2 | 4-Minor | BT862337 | Message Routing Diameter profile fails to forward messages with zero length AVPs | 16.0.0, 15.1.9 |
1184629-3 | 4-Minor | BT1184629 | Validate content length with respect to SIP header offset instead of parser offset | 17.1.0, 15.1.9 |
1116941-3 | 4-Minor | BT1116941 | Need larger Content-Length value supported for SIP | 17.1.0, 16.1.4, 15.1.9 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
897137 | 2-Critical | BT897137 | NAT traffic across BIG-IP was dropped and TMM can crash if attached FW policy with subscriber ID enabled to the virtual server | 15.1.9 |
1106273-1 | 2-Critical | BT1106273 | "duplicate priming" assert in IPSECALG | 16.1.4, 15.1.9 |
1069809-1 | 2-Critical | BT1069809 | AFM rules with ipi-category src do not match traffic after failover. | 16.1.4, 15.1.9 |
1067405-1 | 2-Critical | BT1067405 | TMM crash while offloading / programming bad actor connections to hardware. | 17.0.0, 15.1.9 |
997429 | 3-Major | BT997429 | When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled | 17.1.0, 16.1.4, 15.1.9 |
993269-1 | 3-Major | BT993269 | DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option | 17.0.0, 16.1.4, 15.1.9 |
952521-2 | 3-Major | BT952521 | Memory allocation error while creating an address list with a large range of IPv6 addresses★ | 17.0.0, 16.1.4, 15.1.9 |
950253-1 | 3-Major | BT950253 | Source address translation occurs with self IP after NAT policy removal from Virtual Server | 16.1.0, 15.1.9 |
929913-2 | 3-Major | BT929913 | External DNS logging does not differentiate between: all src_IP, Per-SrcIP and Per-DstIP events | 17.0.0, 16.1.4, 15.1.9 |
818705-1 | 3-Major | BT818705 | The daemon afm_cmi.py can cause high BIG-IP CPU utilization (>90%) | 16.1.0, 15.1.9 |
1167949 | 3-Major | BT1167949 | Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading is not working on hardware | 15.1.9 |
1141597-1 | 3-Major | BT1141597 | DOS stats are not updating for IPv4-all and IPv6-all vectors | 17.1.0, 15.1.9 |
1137133-4 | 3-Major | BT1137133 | Stats rate is showing incorrect data for broadcast, multicast and arp flood vectors | 17.1.0, 15.1.9 |
1127117 | 3-Major | BT1127117 | High Memory consumption for NAT translations of NAPT/PBA End Point Independent modes | 17.1.0, 16.1.4, 15.1.9 |
1126401 | 3-Major | BT1126401 | Variables are not displayed in Debug log messages for MGMT network firewall rules | 15.1.9 |
1124149 | 3-Major | BT1124149 | Increase the configuration for the PCCD Max Blob size from 4GB to 8GB | 17.1.0, 16.1.4, 15.1.9 |
1112781-1 | 3-Major | BT1112781 | DNS query drops on Virtual Edition platform if the packet size is above 1500 for NAPTR record. | 16.1.4, 15.1.9 |
1104741-1 | 3-Major | BT1104741 | ICMP flood or ICMP/IP/IPv6 fragment vectors are not hardware mitigated when configured on zone | 17.1.0, 15.1.9 |
1082453 | 3-Major | BT1082453 | Dwbld stops working after adding an IP address to IPI category manually | 15.1.9 |
1069321-1 | 3-Major | BT1069321 | High iowait and pgstat wait every hour on the hour, due to excessive logging in autodosd.out | 15.1.9 |
1039993-2 | 3-Major | BT1039993 | AFM NAT Excessive number of logs "Port Block Updated" and "LSN_PB_UPDATE" | 15.1.9 |
1020061-1 | 3-Major | BT1020061 | Nested address lists can increase configuration load time | 17.0.0, 16.1.4, 15.1.9 |
760355-3 | 4-Minor | BT760355 | Firewall rule to block ICMP/DHCP from 'required' to 'default'★ | 16.1.4, 15.1.9, 15.0.1.1, 14.1.2.1 |
1215401 | 4-Minor | BT1215401 | Under Shared Objects, some country names are not available to select in the Address List | 16.1.4, 15.1.9 |
1211885-1 | 4-Minor | BT1211885 | Zone Based DDoS upgrade fails from 15.1.8 to 15.1.8.1 | 17.1.0, 15.1.9 |
1086309 | 4-Minor | BT1086309 | Legitimate traffic gets blocked on detecting Bad Destination IP of virtual server subnet | 15.1.9 |
1003377-1 | 4-Minor | BT1003377 | Disabling DoS TCP SYN-ACK does not clear suspicious event count option | 16.1.4, 15.1.9 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1159397-2 | 1-Blocking | BT1159397 | The high utilization of memory when blade turns offline results in core | 17.1.0, 16.1.4, 15.1.9 |
904509-1 | 2-Critical | BT904509 | TMM crash SIGSEGV - spmdb_subscriber_info_deserialize() in spm/spmdb_deser.c | 16.0.0, 15.1.9 |
1186925-3 | 2-Critical | BT1186925 | When FUA in CCA-i, PEM does not send CCR-u for other rating-groups | 16.1.4, 15.1.9 |
1091565 | 2-Critical | BT1091565 | Gy CCR AVP:Requested-Service-Unit is misformatted/NULL | 17.1.0, 16.1.3.1, 15.1.9 |
1226121-3 | 3-Major | BT1226121 | TMM crashes when using PEM logging enabled on session | 16.1.4, 15.1.9 |
1207381-5 | 3-Major | BT1207381 | PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored | 16.1.4, 15.1.9 |
1174085 | 3-Major | BT1174085 | spmdb_session_hash_entry_delete releases the hash's reference | 16.1.4, 15.1.9 |
1174033-3 | 3-Major | BT1174033 | The UPDATE EVENT is triggered with faulty session_info and resulting in core | 17.1.0, 16.1.4, 15.1.9 |
1108681-1 | 3-Major | BT1108681 | PEM queries with filters return error message when a blade is offline | 17.1.0, 16.1.4, 15.1.9 |
1089829 | 3-Major | BT1089829 | PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers | 17.1.0, 16.1.4, 15.1.9 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1023461 | 3-Major | BT1023461 | Multiple entries for CGNAT when PBA pools allocation is defined: for each request, a new entry is created | 17.0.0, 15.1.9 |
1016045-3 | 4-Minor | BT1016045 | OOPS logging may appear while active ftp if the port command forces a cmp_redirection and a quit follows. | 16.1.4, 15.1.9 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1211297 | 2-Critical | BT1211297 | Handling DoS profiles created dynamically using iRule and L7Policy | 16.1.4, 15.1.9 |
1060057-1 | 3-Major | BT1060057 | Enable or Disable APM dynamically with Bados generates APM error | 17.1.0, 16.1.4, 15.1.9 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1161965-4 | 3-Major | BT1161965 | File descriptor(fd) and shared memory leak in wr_urldbd | 17.1.0, 16.1.4, 15.1.9 |
1013629-3 | 3-Major | BT1013629 | URLCAT: Scan finds many Group/User Read/Write (666/664/662) files | 17.0.0, 16.1.2, 15.1.9 |
776285-1 | 4-Minor | BT776285 | No stats returned for 'ltm classification stats urlcat-cloud' component at system startup | 16.1.0, 15.1.9 |
1168137-2 | 4-Minor | BT1168137 | PEM Classification Auto-Update for month is working as hourly | 17.1.0, 16.1.4, 15.1.9 |
1167889-3 | 4-Minor | BT1167889 | PEM classification signature scheduled updates do not complete | 17.1.0, 16.1.4, 15.1.9 |
1117297 | 4-Minor | BT1117297 | Wr_urldbd continuously crashes and restarts★ | 17.1.0, 16.1.4, 15.1.9 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1196477-2 | 3-Major | BT1196477 | Request timeout in restnoded | 16.1.4, 15.1.9 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
972545-2 | 3-Major | | iApps LX does not follow best practices in appliance mode | 16.1.4, 15.1.9 |
889605-3 | 3-Major | BT889605 | iApp with Bot profile is unavailable if application folder includes a subpath | 17.1.0, 16.1.4, 15.1.9 |
1093933-2 | 4-Minor | | CVE-2020-7774 nodejs-y18n prototype pollution vulnerability | 16.1.4, 15.1.9 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1098837 | 4-Minor | BT1098837 | Configuration failure due to the DB validation exception happening in the ips_inspection_sig and ips_inspection_compl tables | 17.1.0, 16.1.4, 15.1.9 |
1135073-2 | 5-Cosmetic | BT1135073 | IPS signature update webUI warning message "An active subscription is required to access certain inspections" is always enabled | 17.1.0, 16.1.4, 15.1.9 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1110241-3 | 3-Major | BT1110241 | in-tmm http(s) monitor accumulates unchecked memory | 17.1.0, 16.1.4, 15.1.9 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
890721-2 | 3-Major | BT890721 | SSL Orchestrator sends reset to the client when an initial ingress data arrives 5 seconds after tcp connection establishment | 16.1.0, 15.1.9 |
1017053-1 | 3-Major | BT1017053 | [SSL Orchestrator] Policy fails to complete when URL branching is configured | 17.0.0, 15.1.9 |
F5OS Messaging Agent Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1182613 | 2-Critical | BT1182613 | BIG-IP Version 15.1.8 installed as a tenant on CX410 or rSeries systems see continuous 'Unable to Notify Tenant stats' log in /var/log/ltm | 15.1.9 |
1133869 | 3-Major | BT1133869 | Distribution hash configuration done on platform shall not be published to a BIG-IP tenant on R2800/R4800 platforms | 17.1.0, 15.1.9 |
Cumulative fixes from BIG-IP v15.1.8.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1213305-2 | CVE-2023-27378 | K000132726, BT1213305 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1208989-5 | CVE-2023-27378 | K000132726, BT1208989 | Improper value handling in DOS Profile properties page | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1208001-6 | CVE-2023-22374 | K000130415, BT1208001 | iControl SOAP vulnerability CVE-2023-22374 | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1204961-3 | CVE-2023-27378 | K000132726 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1204793-3 | CVE-2023-27378 | K000132726 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1196033-3 | CVE-2023-27378 | K000132726, BT1196033 | Improper value handling in DataSafe UI | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1106989-2 | CVE-2023-29163 | K20145107, BT1106989 | Certain configuration settings may lead to memory accumulation | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1086293-5 | CVE-2023-22358 | K76964818, BT1086293 | Untrusted search path vulnerability in APM Windows Client installer processes | 17.1.0, 17.0.0.2, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1086289-5 | CVE-2023-22358 | K76964818, BT1086289 | BIG-IP Edge Client for Windows vulnerability CVE-2023-22358 | 17.1.0, 17.0.0.2, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1207661-2 | CVE-2023-28406 | K000132768, BT1207661 | Datasafe UI hardening | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1096373-3 | CVE-2023-28742 | K000132972, BT1096373 | Unexpected parameter handling in BIG3d | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
Functional Change Fixes
None
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1075849-6 | 3-Major | | APM client hardening | 17.1.0, 16.1.4, 15.1.8.2 |
Cumulative fixes from BIG-IP v15.1.8.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
890917-2 | CVE-2023-22323 | K56412001, BT890917 | Performance may be reduced while processing SSL traffic | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1143073-3 | CVE-2022-41622 | K94221585, BT1143073 | iControl SOAP vulnerability CVE-2022-41622 | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1107437-5 | CVE-2023-22839 | K37708118, BT1107437 | TMM may crash when enable-rapid-response is enabled on a DNS profile | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1106161-3 | CVE-2022-41800 | K13325942, BT1106161 | Securing iControlRest API for appliance mode | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1083225-1 | CVE-2023-22842 | K08182564, BT1083225 | TMM may crash while processing SIP traffic | 17.0.0, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1073005-1 | CVE-2023-22326 | K83284425, BT1073005 | iControl REST use of the dig command does not follow security best practices | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1113385-3 | 3-Major | BT1113385 | Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1103369-3 | 3-Major | BT1103369 | DELETE of REST Auth token does not result in deletion of the pamcache token file on a multi-slot VIPRION chassis, vCMP guest, or VELOS tenant | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1134085-1 | 2-Critical | BT1134085 | Intermittent TMM core when iRule is configured with SSL persistence | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1 |
1215165 | 3-Major | BT1215165 | Support added for Microsoft Azure Managed HSM | 15.1.8.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1174873-1 | 3-Major | BT1174873 | Query string separators ? or / in MultiDomain or SAML use cases are incorrectly converted to "%3F" or "%2F" | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
F5OS Messaging Agent Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1183553 | 3-Major | BT1183553 | The platform_mgr core dumps on token renewal intermittently | 17.1.0, 15.1.8.1 |
Cumulative fixes from BIG-IP v15.1.8 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
982785-3 | CVE-2022-25946 | K52322100 | Guided Configuration hardening | 17.0.0, 16.1.3.3, 15.1.8, 14.1.5.3 |
982777-10 | CVE-2022-27230 | K21317311, BT982777 | APM hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
982769-11 | CVE-2022-27806 | K68647001, BT982769 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
982753-5 | CVE-2022-27806 | K68647001, BT982753 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
982745-4 | CVE-2022-27806 | K68647001, BT982745 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
968729-4 | CVE-2017-18344 | K07020416, BT968729 | Kernel CVE-2017-18344 out-of-bounds access in the show_timer function | 16.1.0, 15.1.8 |
963625-6 | CVE-2022-27806 | K68647001, BT963625 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
959153-4 | CVE-2022-27806 | K68647001, BT959153 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
1107481 | CVE-2023-23555 | K24572686, BT1107481 | TMM restarting repeatedly after upgrade 15.1.5.1 | 15.1.8, 14.1.5.3 |
1107293-5 | CVE-2021-22555 | K06524534, BT1107293 | CVE-2021-22555: Linux kernel vulnerability | 17.1.0, 16.1.4, 15.1.8 |
1105389-5 | CVE-2023-23552 | K17542533, BT1105389 | Incorrect HTTP request handling may lead to resource leak | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3 |
1091453-5 | CVE-2022-23308 | K32760744, BT1091453 | libxml2 vulnerability CVE-2022-23308 | 17.1.0, 16.1.4, 15.1.8 |
1089225-3 | CVE-2021-4034 | K46015513, BT1089225 | Polkit pkexec vulnerability CVE-2021-4034 | 17.1.0, 16.1.4, 15.1.8 |
1085077-3 | CVE-2023-22340 | K34525368, BT1085077 | TMM may crash while processing SIP-ALG traffic | 17.0.0, 16.1.3.3, 15.1.8, 14.1.5.3 |
1077301-3 | CVE-2021-23133 | K67416037, BT1077301 | CVE-2021-23133 kernel: Race condition in sctp_destroy_sock list_del | 17.1.0, 16.1.4, 15.1.8 |
1075689-4 | CVE-2020-25692,CVE-2020-25709,CVE-2020-12243,CVE-2019-13565,CVE-2020-25710,CVE-2020-36222,CVE-2020-36226,CVE-2020-36228,CVE-2020-36227,CVE-2021-27212,CVE-2020-36223,CVE-2020-36221,CVE-2020-36225,CVE-2020-36224,CVE-2019-13057 | K56241216, BT1075689 | Multiple CVE fixes for OpenLDAP library | 17.1.0, 16.1.4, 15.1.8 |
1057393-2 | CVE-2019-18197 | K10812540, BT1057393 | CVE-2019-18197 libxslt vulnerability: use after free in xsltCopyText | 17.0.0, 16.1.4, 15.1.8 |
1032553-3 | CVE-2023-22281 | K46048342, BT1032553 | Core when virtual server with destination NATing receives multicast | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3 |
1004881-3 | CVE-2015-9251,CVE-2016-7103,CVE-2017-18214,CVE-2018-16487,CVE-2018-3721,CVE-2019-1010266,CVE-2019-10744,CVE-2019-10768,CVE-2019-10768,CVE-2019-11358,CVE-2020-11022,CVE-2020-11023,CVE-2020-28168,CVE-2020-28500,CVE-2020-7676,CVE-2020-7676,CVE-2020-8203,CVE-2021-23337 | K12492858, BT1004881 | Update angular, jquery, moment, axios, and lodash libraries in AGC | 17.0.0, 16.1.3.2, 15.1.8 |
960845-5 | CVE-2021-23046 | K70652532, BT960845 | Secure properties were logged in restnoded logs | 16.1.0, 15.1.8, 14.1.5.3 |
1057445-2 | CVE-2019-13118 | K96300145, BT1057445 | CVE-2019-13118 libxslt vulnerability: uninitialized stack data | 17.0.0, 16.1.4, 15.1.8 |
1057437-2 | CVE-2019-13117 | K96300145, BT1057437 | CVE-2019-13117 libxslt vulnerability: uninitialized read in xsltNumberFormatInsertNumbers | 17.0.0, 16.1.4, 15.1.8 |
1057149-2 | CVE-2019-11068 | K30444545, BT1057149 | CVE-2019-11068 libxslt vulnerability: xsltCheckRead and xsltCheckWrite | 17.0.0, 16.1.4, 15.1.8 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1088037 | 3-Major | BT1088037 | VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers | 17.1.0, 16.1.4, 15.1.8 |
1053589 | 3-Major | BT1053589 | DDoS functionality cannot be configured at a Zone level | 16.1.4, 15.1.8 |
1049213-1 | 3-Major | BT1049213 | A new disaggregation (DAG) mode based on TEID field in GTP-U header is introduced | 17.0.0, 15.1.8 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1098009 | 2-Critical | BT1098009 | DAG context synchronization problem in high availability (HA) mirroring on VELOS platforms | 17.1.0, 15.1.8 |
1117637-2 | 3-Major | BT1117637 | FastL4 traffic traversing the tunnels such as VXLAN, may fail on VELOS and rSeries tenants | 17.1.0, 15.1.8 |
1048709-1 | 3-Major | BT1048709 | FCS errors between the switch and HSB | 17.1.0, 16.1.4, 15.1.8 |
1057457-2 | 4-Minor | | CVE-2015-9019: libxslt vulnerability: math.random() | 17.0.0, 16.1.4, 15.1.8 |
1057449-2 | 4-Minor | | CVE-2015-7995 libxslt vulnerability: Type confusion may cause DoS | 17.0.0, 16.1.4, 15.1.8 |
1057441-2 | 4-Minor | | An out-of-bounds access flaw in the libxslt component | 17.0.0, 16.1.4, 15.1.8 |
1057433-2 | 4-Minor | | Integer overflow in libxslt component | 17.0.0, 16.1.4, 15.1.8 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1135041 | 1-Blocking | BT1135041 | Performance issue related to crypto and compression | 17.1.0, 15.1.8 |
1154465-1 | 2-Critical | BT1154465 | Error attaching QAT devices to TMM on F5OS | 17.1.0, 15.1.8 |
1076805 | 2-Critical | BT1076805 | Tmm crash SIGSEGV | 17.1.0, 15.1.8 |
1053741-3 | 3-Major | BT1053741 | Bigd may exit and restart abnormally without logging a reason | 17.1.0, 16.1.4, 15.1.8 |
1128721 | 4-Minor | BT1128721 | L2 wire support on vCMP architecture platform | 17.1.0, 16.1.4, 15.1.8 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1128977 | 3-Major | BT1128977 | When the device DoS vector rate-limit setting is configured to a low value, sampled attack log messages are not logged | 17.1.0, 15.1.8 |
1121521-1 | 3-Major | BT1121521 | Libssh upgrade from v0.7.7 to v0.9.6 | 17.1.0, 16.1.4, 15.1.8 |
Guided Configuration Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1009157-3 | 3-Major | | AGC hardening | 16.1.4, 15.1.8 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1107549-3 | 2-Critical | BT1107549 | In-TMM TCP monitor memory leak | 17.1.0, 16.1.4, 15.1.8 |
1046917-3 | 3-Major | BT1046917 | In-TMM monitors do not work after TMM crashes | 17.1.0, 16.1.4, 15.1.8 |
Cumulative fixes from BIG-IP v15.1.7 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1106289-3 | CVE-2022-41624 | K43024307, BT1106289 | TMM may leak memory when processing sideband connections. | 17.1.0, 17.0.0.1, 16.1.3.2, 15.1.7, 14.1.5.2, 13.1.5.1 |
1085729-3 | CVE-2022-41836 | K47204506, BT1085729 | bd may crash while processing specific request | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1051305-3 | CVE-2021-34798 | K72382141, BT1051305 | CVE-2021-34798: A NULL pointer dereference in httpd via malformed requests | 17.0.0, 16.1.4, 15.1.7 |
919357-1 | CVE-2022-41770 | K22505850, BT919357 | iControl REST hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
881809-2 | CVE-2022-41983 | K31523465, BT881809 | Client SSL and Server SSL profile hardening | 17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1 |
1084013-3 | CVE-2022-36795 | K52494562, BT1084013 | TMM does not follow TCP best practices | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1065917-3 | CVE-2023-22418 | K95503300, BT1065917 | BIG-IP APM Virtual Server does not follow security best practices | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.7, 14.1.5.3 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1025261-2 | 3-Major | BT1025261 | Restjavad uses more resident memory in control plane after software upgrade | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
957637-2 | 2-Critical | BT957637 | The pfmand daemon can crash when it starts. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1102837-3 | 2-Critical | BT1102837 | Use native driver for e810 instead of sock | 17.1.0, 15.1.7 |
1048853-2 | 2-Critical | BT1048853 | TMM memory leak of "IKE VBUF" | 17.0.0, 16.1.3.1, 15.1.7 |
1041865-3 | 2-Critical | K16392416, BT1041865 | Correctable machine check errors [mce] should be suppressed | 17.0.0, 16.1.3.1, 15.1.7 |
1064357-2 | 3-Major | BT1064357 | execute_post_install: EPSEC: Installation of EPSEC package failed | 17.0.0, 16.1.3, 15.1.7 |
1042737-3 | 3-Major | BT1042737 | BGP sending malformed update missing Tot-attr-len of '0'. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1021773-3 | 3-Major | BT1021773 | Mcpd core. | 17.0.0, 16.1.2, 15.1.7 |
1080317-2 | 4-Minor | BT1080317 | Hostname is getting truncated on some logs that are sourced from TMM | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1067105-1 | 4-Minor | BT1067105 | Racoon logging shows incorrect SA length. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
967249-2 | 2-Critical | BT967249 | TMM may leak memory early during its startup process, and may continue to do so indefinitely. | 16.1.0, 15.1.7 |
864897-2 | 2-Critical | BT864897 | TMM may crash when using "SSL::extensions insert" | 16.0.0, 15.1.7 |
1086677-3 | 2-Critical | BT1086677 | TMM Crashes in xvprintf() because of NULL Flow Key | 17.0.0, 16.1.3.1, 15.1.7 |
1074517-2 | 2-Critical | BT1074517 | Tmm may core while adding/modifying traffic-class attached to a virtual server | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
999881-4 | 3-Major | BT999881 | Tcl command 'string first' not working if payload contains Unicode characters. | 17.0.0, 16.1.3.1, 15.1.7 |
995201-4 | 3-Major | BT995201 | IP fragments for the same flow are dropped if they are received on different VLANs and route domains. | 16.1.0, 15.1.7 |
977153-1 | 3-Major | BT977153 | Packet with routing header IPv6 as next header in IP layer fails to be forwarded | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
922413-2 | 3-Major | BT922413 | Excessive memory consumption with ntlmconnpool configured | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1112745 | 3-Major | BT1112745 | System CPU Usage detailed graph is not accessible on Cerebrus+ | 17.1.0, 16.1.4, 15.1.7 |
1104553 | 3-Major | BT1104553 | HTTP_REJECT processing can lead to zombie SPAWN flows piling up | 15.1.7 |
1101697-1 | 3-Major | BT1101697 | TLS1.3 connection failure with 0-RTT and Hello Retry Request (HRR). | 17.1.0, 16.1.4, 15.1.7 |
1091761-2 | 3-Major | BT1091761 | Mqtt_message memory leaks when iRules are used | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1088173 | 3-Major | BT1088173 | With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile | 17.1.0, 16.1.4, 15.1.7 |
1082225-3 | 3-Major | BT1082225 | Tmm may core while Adding/modifying traffic-class attached to a virtual server. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1076577-2 | 3-Major | BT1076577 | iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg' | 17.1.0, 16.1.4, 15.1.7 |
1043805-2 | 3-Major | BT1043805 | ICMP traffic over NAT does not work properly. | 17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1 |
1040017-3 | 3-Major | BT1040017 | Final ACK validation during flow accept might fail with hardware SYN Cookie | 17.0.0, 16.1.4, 15.1.7 |
1022453-2 | 3-Major | BT1022453 | IPv6 fragments are dropped when packet filtering is enabled. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1006157-1 | 3-Major | BT1006157 | FQDN nodes not repopulated immediately after 'load sys config' | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1104073-3 | 4-Minor | BT1104073 | Use of iRules command whereis with "isp" or "org" options may cause TCL object leak. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
984749-2 | 3-Major | BT984749 | Discrepancy between DNS cache statistics "Client Summary" and "Client Cache." | 17.0.0, 16.1.3.1, 15.1.7 |
961229-1 | 3-Major | BT961229 | The responses for EDNS/Non-EDNS UDP queries against DNS Express zone were truncated | 16.1.0, 15.1.7 |
933577-1 | 3-Major | BT933577 | Changes to support DNS Flag Day | 16.1.0, 15.1.7 |
887749-2 | 3-Major | BT887749 | Observed crash when resetting stats for GTM server devices in a GTM sync group. | 16.0.0, 15.1.7 |
1078669-4 | 3-Major | BT1078669 | iRule command “RESOLVER::name_lookup” returns null for TCP resolver with TC (truncated) flag set. | 17.0.0, 16.1.3.1, 15.1.7 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1048685-2 | 2-Critical | BT1048685 | Rare TMM crash when using Bot Defense Challenge | 17.0.0, 16.1.3.1, 15.1.7 |
1015881-3 | 2-Critical | BT1015881 | TMM might crash after configuration failure | 17.1.0, 16.1.3.1, 15.1.7 |
1084257-4 | 3-Major | | New HTTP RFC Compliance check in headers | 17.1.0, 17.0.0.1, 16.1.4, 15.1.7 |
1078765-2 | 3-Major | BT1078765 | Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1062493-2 | 3-Major | BT1062493 | BD crash close to its startup | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1030133-3 | 3-Major | BT1030133 | BD core on XML out of memory | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1014973-3 | 3-Major | BT1014973 | ASM changed cookie value. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1111793-3 | 4-Minor | BT1111793 | New HTTP RFC Compliance check for incorrect newline separators between request line and first header | 17.1.0, 16.1.4, 15.1.7 |
1058297-3 | 4-Minor | BT1058297 | Policy history values for 'max Size Of Saved Versions' and for 'min Retained Files In Dir' are reset during upgrade★ | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1014573-2 | 4-Minor | BT1014573 | Several large arrays/objects in JSON payload may core the enforcer | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1029689-3 | 5-Cosmetic | BT1029689 | Inconsistent username "SYSTEM" in Audit Log | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1121657 | 1-Blocking | BT1121657 | EAM is down after APM is provisioned | 17.1.0, 15.1.7 |
1034041-1 | 3-Major | BT1034041 | Microsoft Intune Azure AD Graph cannot migrate to Microsoft Graph. | 17.0.0, 15.1.7 |
1006509 | 3-Major | BT1006509 | TMM memory leak★ | 15.1.7 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
921441-2 | 3-Major | BT921441 | MR_INGRESS iRules that change diameter messages corrupt diam_msg | 17.0.0, 16.1.3.1, 15.1.7 |
1103233-4 | 4-Minor | BT1103233 | Diameter in-tmm monitor is logging disconnect events unnecessarily | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1106341 | 3-Major | BT1106341 | /var/tmp/pccd.out file size increases rapidly and fills up the /shared partition | 15.1.7 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1090649 | 3-Major | BT1090649 | PEM errors when configuring IPv6 flow filter via GUI | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1084993-4 | 3-Major | BT1084993 | [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
911585-3 | 4-Minor | BT911585 | PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
815901-1 | 4-Minor | BT815901 | Add rule to the disabled pem policy is not allowed | 17.0.0, 16.1.3.1, 15.1.7 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
832133-1 | 3-Major | BT832133 | In-TMM monitors fail to match certain binary data in the response from the server | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Cumulative fixes from BIG-IP v15.1.6.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
996233-2 | CVE-2022-33947 | K38893457, BT996233 | Tomcat may crash while processing TMUI requests | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
937777-2 | CVE-2022-34655 | K93504311, BT937777 | HTTP::payload may cause the TMM to crash | 16.1.0, 16.0.1.1, 15.1.6.1, 14.1.5 |
1093621-1 | CVE-2022-41832 | K10347453 | Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1, 13.1.5.1 |
1079505-2 | CVE-2022-33203 | K52534925, BT1079505 | TMM may consume excessive resources while processing SSL Orchestrator traffic | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
1076397-2 | CVE-2022-35735 | K13213418, BT1076397 | TMSH hardening | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1073841-2 | CVE-2022-34862 | K66510514, BT1073841 | URI normalization does not function as expected | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1073357-1 | CVE-2022-34862 | K66510514, BT1073357 | TMM may crash while processing HTTP traffic | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1071593-1 | CVE-2022-32455 | K16852653, BT1071593 | TMM may crash while processing TLS traffic | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1067505-3 | CVE-2022-34651 | K59197053, BT1067505 | TMM may crash while processing TLS traffic with HTTP::respond | 17.0.0, 16.1.3.1, 15.1.6.1 |
1066673-2 | CVE-2022-35728 | K55580033, BT1066673 | BIG-IP Configuration Utility (TMUI) does not follow best practices for managing active sessions | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1055737-2 | CVE-2022-35236 | K79933541, BT1055737 | TMM may consume excessive resources while processing HTTP/2 traffic | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1032513-2 | CVE-2022-35240 | K28405643, BT1032513 | TMM may consume excessive resources while processing MRF traffic | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1024029-3 | CVE-2022-35245 | K58235223, BT1024029 | TMM may crash when processing traffic with per-session APM Access Policy | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
947057-2 | CVE-2022-34865 | K25046752, BT947057 | Traffic intelligence feeds do not follow best practices | 16.1.0, 15.1.6.1, 14.1.5, 12.1.6 |
740321-2 | CVE-2022-34851 | K50310001, BT740321 | iControl SOAP API does not follow current best practices | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1081201-2 | CVE-2022-41694 | K64829234, BT1081201 | MCPD certification import hardening | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
1081153 | CVE-2022-41813 | K93723284, BT1081153 | TMM may crash while processing administrative requests | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1073549-2 | CVE-2022-35735 | K13213418, BT1073549 | TMSH hardening | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1055925-2 | CVE-2022-34844 | K34511555, BT1055925 | TMM may crash while processing traffic on AWS | 17.0.0, 16.1.3.1, 15.1.6.1 |
1043281-1 | CVE-2021-3712 | K19559038, BT1043281 | OpenSSL vulnerability CVE-2021-3712 | 17.0.0, 16.1.3.1, 15.1.6.1 |
1006921-3 | CVE-2022-33962 | K80970653, BT1006921 | iRules Hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1063641-3 | CVE-2022-33968 | K23465404, BT1063641 | NTLM library hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1063637-3 | CVE-2022-33968 | K23465404, BT1063637 | NTLM library hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1078821-2 | 2-Critical | BT1078821 | Upgrade tomcat with OpenJDK 1.7 32bit to OpenJDK 1.8 32bit | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
971217-2 | 3-Major | BT971217 | AFM HTTP security profiles may treat POST requests with Content-Length: 0 as "Unparsable Request Content" violations. | 16.1.0, 15.1.6.1, 14.1.5 |
882709-4 | 3-Major | BT882709 | Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors★ | 17.0.0, 16.1.2.2, 15.1.6.1 |
874941-2 | 3-Major | BT874941 | HTTP authentication in the access policy times out after 60 seconds | 16.1.2.2, 15.1.6.1, 14.1.5 |
669046-5 | 3-Major | BT669046 | Handling large replies to MCP audit_request messages | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1036057-2 | 3-Major | BT1036057 | Add support for line folding in multipart parser. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1071621-3 | 4-Minor | BT1071621 | Increase the number of supported traffic selectors | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
992097-2 | 2-Critical | BT992097 | Incorrect hostname is seen in logging files | 16.1.0, 15.1.6.1, 14.1.5 |
989517-2 | 2-Critical | BT989517 | Acceleration section of virtual server page not available in DHD | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
943109-2 | 2-Critical | BT943109 | Mcpd crash when bulk deleting Bot Defense profiles | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
940225-2 | 2-Critical | BT940225 | Not able to add more than 6 NICs on VE running in Azure | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
1108181-1 | 2-Critical | BT1108181 | iControl REST call with token fails with 401 Unauthorized | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
1107689 | 2-Critical | BT1107689 | IPI is not dropping traffic from IPREP database malicious IPs | 15.1.6.1 |
1084213 | 2-Critical | BT1084213 | [rseries]: VLAN member not restored post loading default configuration in BIG-IP tenant | 17.1.0, 15.1.6.1 |
1079817-2 | 2-Critical | BT1079817 | Java null pointer exception when saving UCS with iAppsLX installed★ | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1 |
1076921-2 | 2-Critical | BT1076921 | Hostname in BootMarker logs and /var/log/ltm logs that are sourced from TMM are getting truncated | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1034329-2 | 2-Critical | BT1034329 | SHA-512 checksums for BIG-IP Virtual Edition (VE) images available on downloads.f5.com | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
992121-1 | 3-Major | BT992121 | REST "/mgmt/tm/services" endpoint is not accessible | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
977657-2 | 3-Major | BT977657 | SELinux errors when deploying a vCMP guest. | 16.1.0, 15.1.6.1, 14.1.5 |
959985-1 | 3-Major | BT959985 | Update VMware hardware version templates for BIG-IP Virtual Edition (VE) from v10 to v13 in order to support VMs deployed in more versions of vSphere ESXi. | 17.0.0, 16.1.2.2, 15.1.6.1 |
943653-2 | 3-Major | BT943653 | Allow 32-bit processes to use larger area of virtual address space | 16.1.0, 15.1.6.1, 14.1.5 |
935177-2 | 3-Major | BT935177 | IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm | 17.0.0, 16.1.2.2, 15.1.6.1 |
930825-4 | 3-Major | BT930825 | System should reboot (rather than restart services) when it sees a large number of HSB XLMAC errors | 16.1.0, 15.1.6.1 |
886649-2 | 3-Major | BT886649 | Connections stall when dynamic BWC policy is changed via GUI and TMSH | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
862693-6 | 3-Major | BT862693 | PAM_RHOST not set when authenticating BIG-IP using iControl REST | 16.0.0, 15.1.6.1, 14.1.5.1 |
724653-3 | 3-Major | BT724653 | In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync. | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
720610-3 | 3-Major | BT720610 | Automatic Update Check logs false 'Update Server unavailable' message on every run | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.2.7, 13.1.3 |
1091345-3 | 3-Major | BT1091345 | The /root/.bash_history file is not carried forward by default during installations. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1087621-2 | 3-Major | BT1087621 | IKEv2: IPsec CREATE_CHILD_SA (IKE) fails due to bad ECP payload | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
1086517-1 | 3-Major | BT1086517 | TMM may not properly exit hardware SYN cookie mode | 17.1.0, 16.1.4, 15.1.6.1 |
1085837-1 | 3-Major | BT1085837 | Virtual server may not exit from hardware SYN cookie mode | 17.1.0, 16.1.4, 15.1.6.1 |
1084873 | 3-Major | BT1084873 | Packets are dropped when a masquerade MAC is on a shared VLAN | 17.1.0, 15.1.6.1 |
1071609-1 | 3-Major | BT1071609 | IPsec IKEv1: Log Key Exchange payload in racoon.log. | 17.0.0, 16.1.2.2, 15.1.6.1 |
1064461-3 | 3-Major | BT1064461 | PIM-SM will not complete RP registration over tunnel interface when floating IP address is used. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1060009 | 3-Major | BT1060009 | Platform Agent may run out of file descriptors | 17.1.0, 15.1.6.1, 14.1.5 |
1024661-2 | 3-Major | BT1024661 | SCTP forwarding flows based on VTAG for bigproto | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1020789-3 | 3-Major | BT1020789 | Cannot deploy a four-core vCMP guest if the remaining cores are in use. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5 |
1019357-1 | 3-Major | BT1019357 | Active fails to resend ipsec ikev2_message_id_sync if no response received | 17.0.0, 16.1.2.2, 15.1.6.1 |
758105-6 | 4-Minor | BT758105 | Drive model WDC WD1005FBYZ-01YCBB2 must be added to pendsect drives.xml | 15.1.6.1 |
742753-5 | 4-Minor | BT742753 | Accessing the BIG-IP system's WebUI via special proxy solutions may fail | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1090569 | 4-Minor | BT1090569 | After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
1072237-2 | 4-Minor | BT1072237 | Retrieval of policy action stats causes memory leak | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1067617-3 | 4-Minor | BT1067617 | BGP default route not advertised after mid-session OPEN. | 17.0.0, 16.1.2.2, 15.1.6.1 |
1062333-2 | 4-Minor | | Linux kernel vulnerability: CVE-2019-19523 | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1011217-3 | 4-Minor | BT1011217 | TurboFlex Profile setting reverts to turboflex-base after upgrade★ | 17.0.0, 16.1.2.2, 15.1.6.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
944381-1 | 2-Critical | BT944381 | Dynamic CRL checking for client certificate is not working when TLS1.3 is used. | 17.0.0, 16.1.3.1, 15.1.6.1 |
1088049 | 2-Critical | BT1088049 | The fix for ID841469 became broken in the 15.1.x branch for some platforms. | 17.1.0, 15.1.6.1 |
1087469-1 | 2-Critical | BT1087469 | iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate. | 17.1.0, 16.1.3.1, 15.1.6.1 |
1073609-1 | 2-Critical | BT1073609 | Tmm may core while using reject iRule command in LB_SELECTED event. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1071449-3 | 2-Critical | BT1071449 | The statsd memory leak on platforms with license disabled processors. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1047581-2 | 2-Critical | BT1047581 | Ramcache can crash when serving files from the hot cache | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
993517-3 | 3-Major | BT993517 | Loading an upgraded config can result in a file object error in some cases | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
976525-3 | 3-Major | BT976525 | Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled | 17.0.0, 16.1.4, 15.1.6.1, 14.1.5 |
972517-2 | 3-Major | | Appliance mode hardening | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
953601-3 | 3-Major | BT953601 | HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
948985-2 | 3-Major | BT948985 | Workaround to address Nitrox 3 compression engine hang | 17.0.0, 16.1.3.1, 15.1.6.1 |
934697-3 | 3-Major | BT934697 | Route domain is not reachable (strict mode) | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
883049-2 | 3-Major | BT883049 | Statsd can deadlock with rrdshim if an rrd file is invalid | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
873677-7 | 3-Major | BT873677 | LTM policy matching does not work as expected | 16.0.0, 15.1.6.1 |
780857-2 | 3-Major | BT780857 | HA failover network disruption when cluster management IP is not in the list of unicast addresses | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
748886-3 | 3-Major | BT748886 | Virtual server stops passing traffic after modification | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1083989-2 | 3-Major | BT1083989 | TMM may restart if abort arrives during MBLB iRule execution | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1074505-2 | 3-Major | BT1074505 | Traffic classes are not attached to virtual server at TMM start | 17.0.0, 16.1.4, 15.1.6.1, 14.1.5.1 |
1072953-3 | 3-Major | BT1072953 | Memory leak in traffic management interface. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1071701 | 3-Major | BT1071701 | VE rate limit should not count packet that does not have a matched vlan or matched MAC address | 15.1.6.1 |
1068445-2 | 3-Major | BT1068445 | TCP duplicate acks are observed in speed tests for larger requests | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1064157-2 | 3-Major | BT1064157 | Http_proxy_opaque_get should constrain search to local/spawn flows, not looped flows | 17.0.0, 16.1.2.2, 15.1.6.1 |
1063453-2 | 3-Major | BT1063453 | FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1053149-2 | 3-Major | BT1053149 | A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1043017-3 | 3-Major | BT1043017 | Virtual-wire with standard-virtual fragmentation | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6 |
1042913 | 3-Major | BT1042913 | Pkcs11d CPU utilization jumps to 100% | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1036169-3 | 3-Major | BT1036169 | VCMPD rsync server max connection limit: guest "Exit flags for PID 17299: 0x500". | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1024225 | 3-Major | BT1024225 | BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1017721-3 | 3-Major | BT1017721 | WebSocket does not close cleanly when SSL enabled. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5.1 |
1017533-2 | 3-Major | BT1017533 | Using TMC might cause virtual server vlans-enabled configuration to be ignored | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6 |
1004897-4 | 3-Major | BT1004897 | 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.4 |
1004689-3 | 3-Major | BT1004689 | TMM might crash when pool routes with recursive nexthops and reselect option are used. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
987885-4 | 4-Minor | BT987885 | Half-open unclean SSL termination might not close the connection properly | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1080341-3 | 4-Minor | BT1080341 | Changing an L2-forward virtual to any other virtual type might not update the configuration. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
993921-4 | 2-Critical | BT993921 | TMM SIGSEGV | 16.1.0, 15.1.6.1, 14.1.5.1 |
1077701-2 | 2-Critical | BT1077701 | GTM "require M from N" monitor rules do not report when the number of "up" responses change | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1011433-3 | 2-Critical | BT1011433 | TMM may crash under memory pressure when performing DNS resolution | 17.0.0, 16.1.2.2, 15.1.6.1 |
950069-2 | 3-Major | BT950069 | Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record" | 17.0.0, 16.1.3.1, 15.1.6.1 |
876677-1 | 3-Major | BT876677 | When running the debug version of TMM, an assertion may be triggered due to an expired DNS lookup. | 17.0.0, 16.1.2.2, 15.1.6.1 |
1091249-3 | 3-Major | BT1091249 | BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1084173-2 | 3-Major | BT1084173 | Unable to specify "no caching desired" for ephemeral DNS resolvers (i.e. RESOLV::lookup). | 17.0.0, 16.1.3, 15.1.6.1 |
1076401-3 | 3-Major | BT1076401 | Memory leak in TMM (ldns) when exceeding dnssec.maxnsec3persec. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1071301-2 | 3-Major | BT1071301 | GTM server does not get updated even when the virtual server status changes. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1071233-2 | 3-Major | BT1071233 | GTM Pool Members may not be updated accurately when multiple identical database monitors are configured | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1084673-3 | 4-Minor | BT1084673 | GTM Monitor "require M from N" status change log message does not print pool name | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1079909-2 | 2-Critical | K82724554, BT1079909 | The bd generates a core file | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5 |
1069501-2 | 2-Critical | K22251611, BT1069501 | ASM may not match certain signatures | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1068237-2 | 2-Critical | BT1068237 | Some attack signatures added to policies are not used. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1000789-2 | 2-Critical | BT1000789 | ASM-related iRule keywords may not work as expected | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
923221-4 | 3-Major | BT923221 | BD does not use all the CPU cores | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
886533-3 | 3-Major | BT886533 | Icap server connection adjustments | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1083913-1 | 3-Major | BT1083913 | Missing error check in ICAP handling | 17.1.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1082461-3 | 3-Major | BT1082461 | The enforcer cores during a call to 'ASM::raise' from an active iRule | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
1077281-4 | 3-Major | BT1077281 | Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages | 17.1.0, 16.1.2.2, 15.1.6.1 |
1070833-1 | 3-Major | BT1070833 | False positives on FileUpload parameters due to default signature scanning | 17.1.0, 16.1.3, 15.1.6.1 |
1070273-2 | 3-Major | BT1070273 | OWASP Dashboard does not calculate Disallow DTDs in XML content profile protection properly. | 17.0.0, 16.1.2.2, 15.1.6.1 |
1070073 | 3-Major | BT1070073 | ASM Signature Set accuracy filter is wrong on GUI. | 15.1.6.1, 14.1.5 |
1069133-3 | 3-Major | BT1069133 | ASMConfig memory leak | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1061617-3 | 3-Major | BT1061617 | Some of the URL Attack signatures are not detected in the URL if "Handle Path Parameters" is configured "As Parameters". | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1056365-3 | 3-Major | BT1056365 | Bot Defense injection does not follow best SOP practice. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1036305-4 | 3-Major | BT1036305 | "Mandatory request body is missing" violation in staging but request is unexpectedly blocked | 17.0.0, 16.1.3.1, 15.1.6.1 |
1033017-4 | 3-Major | BT1033017 | Policy changes learning mode to automatic after upload and sync | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1028473-2 | 3-Major | BT1028473 | URL sent with trailing slash might not be matched in ASM policy | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
948241-2 | 4-Minor | BT948241 | Count Stateful anomalies based only on Device ID | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1073625-3 | 4-Minor | BT1073625 | Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1048445-3 | 4-Minor | BT1048445 | Accept Request button is clickable for unlearnable violation illegal host name | 17.1.0, 16.1.2.2, 15.1.6.1 |
1046317-1 | 4-Minor | BT1046317 | Violation details are not populated with staged URLs for some violation types | 17.0.0, 16.1.3.1, 15.1.6.1 |
1040513-1 | 4-Minor | BT1040513 | The counter for "FTP commands" is always 0. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1021637-2 | 4-Minor | BT1021637 | In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs | 17.1.0, 16.1.2.2, 15.1.6.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
987341-2 | 2-Critical | BT987341 | BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
965777-2 | 2-Critical | BT965777 | Per-request policy authentication becomes unresponsive | 16.1.0, 15.1.6.1 |
831737-1 | 2-Critical | BT831737 | Memory Leak when using Ping Access profile | 15.1.6.1 |
1020349-2 | 2-Critical | BT1020349 | APM daemon may crash if CRLDP agent cannot find a certificate to validate CRL | 16.1.0, 15.1.6.1, 14.1.4.4 |
858005-2 | 3-Major | BT858005 | When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:" | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
849029-5 | 3-Major | BT849029 | No configurable setting for maximum entries in CRLDP cache | 17.0.0, 16.1.3, 15.1.6.1, 14.1.4.4 |
470916-3 | 3-Major | BT470916 | Launching resources that are published on an apm webtop from multiple VMWare servers will fail when the Native View client is selected. | 16.0.0, 15.1.6.1, 14.1.5 |
1097821-3 | 3-Major | BT1097821 | Unable to create apm policy customization image using tmsh or VPE in the configuration utility command when source-path is specified | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5 |
1053309-2 | 3-Major | BT1053309 | Localdbmgr leaks memory while syncing data to sessiondb and mysql. | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
1043217-2 | 3-Major | BT1043217 | NTLM frontend auth fails with the latest Microsoft RDP client on MacOS 14.0.1 platform | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1010597-2 | 3-Major | BT1010597 | Traffic disruption when virtual server is assigned to a non-default route domain★ | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
990461-3 | 3-Major | BT990461 | Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★ | 17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4 |
964625-3 | 3-Major | BT964625 | Improper processing of firewall-rule metadata | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
959609 | 3-Major | BT959609 | Autodiscd daemon keeps crashing | 17.0.0, 16.1.2.2, 15.1.6.1 |
1012581-3 | 3-Major | BT1012581 | Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1064217-2 | 3-Major | BT1064217 | Port bit not set correctly in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1071181-1 | 3-Major | BT1071181 | Improving Signature Detection Accuracy | 16.1.2.2, 15.1.6.1, 14.1.5 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1094177-3 | 1-Blocking | BT1094177 | Analytics iApp installation fails | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1072733-3 | 2-Critical | | Protocol Inspection IM package hardening | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1070677 | 3-Major | BT1070677 | Learning phase does not take traffic into account - dropping all. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
854129-2 | 3-Major | BT854129 | SSL monitor continues to send previously configured server SSL configuration after removal | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1076729-4 | 2-Critical | BT1076729 | TMM restarts when SSL Orchestrator processes traffic | 15.1.6.1 |
1029869-3 | 3-Major | BT1029869 | Use of ha-sync script may cause gossip communications to fail | 17.0.0, 16.1.2.2, 15.1.6.1 |
1029585-3 | 3-Major | BT1029585 | Use of ha-sync script may cause platforms in a sync-failover device group to fall out of sync | 17.0.0, 16.1.2.2, 15.1.6.1 |
Cumulative fixes from BIG-IP v15.1.6 that are included in this release
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1021005 | 3-Major | BT1021005 | IPI IPV6 traffic Reputation. | 17.0.0, 15.1.6 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1058509 | 1-Blocking | BT1058509 | Platform_agent crash on tenant token renewal | 17.1.0, 15.1.6 |
1075229 | 3-Major | BT1075229 | Jumbo frames not supported | 17.1.0, 15.1.6 |
1073165 | 3-Major | BT1073165 | Add IPv6 prefix length | 17.1.0, 15.1.6 |
1048977 | 3-Major | BT1048977 | IPSec tunnel is not coming up after tmm/system restart when ipsec.removeredundantsa db variable is enabled | 17.1.0, 15.1.6 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1084953 | 2-Critical | BT1084953 | CPU usage increase observed in some Ramcache::HTTP tests on BIG-IP Virtual Edition | 17.1.0, 15.1.6 |
1084929 | 2-Critical | BT1084929 | Performance drop observed in some Ramcache::HTTP tests on BIG-IP Virtual Edition | 15.1.6 |
Performance Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1063173-1 | 2-Critical | BT1063173 | Blob size consistency after changes to pktclass. | 15.1.6 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1082885-2 | 3-Major | BT1082885 | MR::message route virtual asserts when configuration changes during ongoing traffic | 17.0.0, 16.1.2.2, 15.1.6, 14.1.5 |
Cumulative fixes from BIG-IP v15.1.5.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
965853-2 | CVE-2022-28695 | K08510472, BT965853 | IM package file hardening★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
964489-2 | CVE-2022-28695 | K08510472, BT964489 | Protocol Inspection IM package hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1051561-2 | CVE-2022-1388 | K23605346, BT1051561 | BIG-IP iControl REST vulnerability CVE-2022-1388 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
993981-1 | CVE-2022-28705 | K52340447, BT993981 | TMM may crash when ePVA is enabled | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
982697-5 | CVE-2022-26071 | K41440465, BT982697 | ICMP hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
972489-2 | CVE-2022-35243 | K11010341, BT972489 | BIG-IP Appliance Mode iControl hardening | 17.0.0, 16.1.3, 15.1.5.1, 14.1.5 |
951257-3 | CVE-2022-26130 | K82034427, BT951257 | FTP active data channels are not established | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
946325-2 | CVE-2022-28716 | K25451853, BT946325 | PEM subscriber GUI hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
830361-2 | CVE-2012-6711 | K05122252, BT830361 | CVE-2012-6711 Bash Vulnerability | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1087201-5 | CVE-2022-0778 | K31323265, BT1087201 | OpenSSL Vulnerability: CVE-2022-0778 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1078721-2 | CVE-2022-27189 | K16187341, BT1078721 | TMM may consume excessive resources while processing ICAP traffic | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1069629-3 | CVE-2022-32455 | K16852653, BT1069629 | TMM may crash while processing TLS traffic | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1067993-5 | CVE-2022-28714 | K54460845, BT1067993 | APM Windows Client installer hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1059185-2 | CVE-2022-26415 | K81952114, BT1059185 | iControl REST Hardening | 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1057801-5 | CVE-2022-28707 | K70300233, BT1057801 | TMUI does not follow current best practices | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1051797-2 | CVE-2018-18281 | K36462841, BT1051797 | Linux kernel vulnerability: CVE-2018-18281 | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1029629-2 | CVE-2022-28706 | K03755971, BT1029629 | TMM may crash while processing DNS lookups | 17.0.0, 16.1.2, 15.1.5.1 |
1021713-3 | CVE-2022-41806 | K00721320, BT1021713 | TMM may crash when processing AFM NAT64 policy | 17.0.0, 16.1.2, 15.1.5.1 |
1019161-4 | CVE-2022-29263 | K33552735, BT1019161 | Windows installer (VPN through browser components installer) as administrator user uses temporary folder to create files★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1002565-3 | CVE-2021-23840 | K24624116, BT1002565 | OpenSSL vulnerability CVE-2021-23840 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
992073-4 | CVE-2022-27181 | K93543114, BT992073 | APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
982757-5 | CVE-2022-26835 | K53197140 | APM Access Guided Configuration hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
982341-5 | CVE-2022-26835 | K53197140, BT982341 | iControl REST endpoint hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
975593-3 | CVE-2022-29473 | K06323049, BT975593 | TMM may crash while processing IPSec traffic | 16.1.0, 15.1.5.1, 14.1.4.5, 13.1.5 |
968725-3 | CVE-2017-10661 | K04337834, BT968725 | Linux Kernel Vulnerability CVE-2017-10661 | 16.1.0, 15.1.5.1, 14.1.5 |
931677-5 | CVE-2022-29479 | K64124988, BT931677 | IPv6 hardening | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
919249-2 | CVE-2022-28859 | K47662005, BT919249 | NETHSM installation script hardening | 16.1.0, 15.1.5.1, 14.1.4.6 |
915981-3 | CVE-2022-26340 | K38271531, BT915981 | BIG-IP SCP hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
823877-5 | CVE-2019-10098, CVE-2020-1927 | K25126370, BT823877 | CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
1071365-4 | CVE-2022-29474 | K59904248, BT1071365 | iControl SOAP WSDL hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1066729-3 | CVE-2022-28708 | K85054496, BT1066729 | TMM may crash while processing DNS traffic | 17.0.0, 16.1.2.2, 15.1.5.1 |
1057809-5 | CVE-2022-27659 | K41877405, BT1057809 | Saved dashboard hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1016657-3 | CVE-2022-26517 | K54082580, BT1016657 | TMM may crash while processing LSN traffic | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
1009049-5 | CVE-2022-27636 | K57110035, BT1009049 | browser based vpn did not follow best practices while logging.★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1001937-3 | CVE-2022-27634 | K57555833, BT1001937 | APM configuration hardening | 17.0.0, 16.1.2.2, 15.1.5.1 |
713754-2 | CVE-2017-15715 | K27757011 | Apache vulnerability: CVE-2017-15715 | 16.1.2.2, 15.1.5.1, 14.1.4.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1050537-2 | 2-Critical | BT1050537 | GTM pool member with none monitor will be part of load balancing decisions. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
930633-3 | 3-Major | BT930633 | Delay in using new route updates by existing connections on BIG-IP. | 16.1.0, 15.1.5.1, 14.1.4.5 |
1046669-2 | 3-Major | BT1046669 | The audit forwarders may prematurely time out waiting for TACACS responses | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1033837-2 | 4-Minor | K23605346, BT1033837 | REST authentication tokens persist on reboot★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1060149-1 | 1-Blocking | BT1060149 | BIG-IP vCMP guest data-plane failure with turboflex-adc selected on the host. | 17.0.0, 16.1.2.2, 15.1.5.1 |
976669-2 | 2-Critical | BT976669 | FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade | 17.0.0, 16.1.2.2, 16.1.0, 15.1.5.1, 14.1.4.6 |
957897-1 | 2-Critical | BT957897 | Unable to modify gateway-ICMP monitor fields in the GUI | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
894133-1 | 2-Critical | BT894133 | After ISO upgrade the SSL Orchestrator guided configuration user interface is not available.★ | 16.0.0, 15.1.5.1, 14.1.5 |
865329-1 | 2-Critical | BT865329 | WCCP crashes on "ServiceGroup size exceeded" exception | 16.0.0, 15.1.5.1 |
718573-3 | 2-Critical | BT718573 | Internal SessionDB invalid state | 16.1.0, 15.1.5.1, 14.1.4.4 |
1075905-1 | 2-Critical | BT1075905 | TCP connections may fail when hardware SYN Cookie is active | 17.1.0, 15.1.5.1, 14.1.5 |
1048141-2 | 2-Critical | BT1048141 | Sorting pool members by 'Member' causes 'General database error' | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
999125-2 | 3-Major | BT999125 | After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
994305-1 | 3-Major | BT994305 | The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5 | 17.0.0, 16.1.2.1, 15.1.5.1 |
988165-2 | 3-Major | BT988165 | VMware CPU reservation is now enforced. | 17.0.0, 16.1.2.2, 15.1.5.1 |
984585-1 | 3-Major | BT984585 | IP Reputation option not shown in GUI. | 17.0.0, 16.1.2.2, 15.1.5.1 |
968657-2 | 3-Major | BT968657 | Added support for IMDSv2 on AWS | 17.0.0, 16.1.2.1, 15.1.5.1 |
963541-2 | 3-Major | BT963541 | Net-snmp5.8 crash | 17.0.0, 16.1.2.2, 15.1.5.1 |
943793-2 | 3-Major | BT943793 | Neurond continuously restarting. | 16.1.0, 15.1.5.1, 14.1.4 |
943577-2 | 3-Major | BT943577 | Full sync failure for traffic-matching-criteria with port list under certain conditions | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
919317-5 | 3-Major | BT919317 | NSM consumes 100% CPU processing nexthops for recursive ECMP routes | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
918409-2 | 3-Major | BT918409 | BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
912253-1 | 3-Major | BT912253 | Non-admin users cannot run show running-config or list sys | 17.0.0, 16.1.2.2, 15.1.5.1 |
901669-4 | 3-Major | BT901669 | Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
755976-4 | 3-Major | BT755976 | ZebOS might miss kernel routes after mcpd daemon restart | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
741702-2 | 3-Major | BT741702 | TMM crash | 16.1.0, 15.1.5.1, 14.1.4.4 |
730852-1 | 3-Major | BT730852 | The tmrouted repeatedly crashes and produces core when new peer device is added | 16.1.0, 15.1.5.1, 14.1.4.4 |
1076785 | 3-Major | BT1076785 | Virtual server may not properly exit from hardware SYN Cookie mode | 17.1.0, 16.1.4, 15.1.5.1 |
1075729-1 | 3-Major | BT1075729 | Virtual server may not properly exit from hardware SYN Cookie mode | 17.1.0, 15.1.5.1, 14.1.5.1 |
1066285-3 | 3-Major | BT1066285 | Master Key decrypt failure - decrypt failure. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1063473-2 | 3-Major | BT1063473 | While establishing a high availability (HA) connection, the number of npus in DAG context may be overwritten incorrectly | 17.1.0, 15.1.5.1, 14.1.5 |
1061797-2 | 3-Major | BT1061797 | Upgraded AWS CloudFormation Helper Scripts which now support IMDSv2 | 17.0.0, 16.1.2.2, 15.1.5.1 |
1060181 | 3-Major | BT1060181 | SSL handshakes fail when using CRL certificate validator. | 17.0.0, 15.1.5.1 |
1056993-1 | 3-Major | BT1056993 | 404 error is raised on GUI when clicking "App IQ." | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1056741 | 3-Major | BT1056741 | ECDSA certificates signed by RSA CA are not selected based on SNI. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1048541-2 | 3-Major | BT1048541 | Certificate Order Manager: renew requests to the Comodo (now Sectigo) CA are unsuccessful. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1047169-2 | 3-Major | BT1047169 | GTM AAAA pool can be deleted from the configuration despite being in use by an iRule. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1036613-1 | 3-Major | BT1036613 | Client flow might not get offloaded to PVA in embryonic state | 17.1.0, 15.1.5.1 |
1032257-2 | 3-Major | BT1032257 | Forwarded PVA offload requests fail on platforms with multiple PDE/TMM | 17.1.0, 15.1.5.1 |
1019085-1 | 3-Major | BT1019085 | Network virtual-addresses fail to retain the "icmp-echo enabled" property following an upgrade or reload of the configuration from file.★ | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
1008269-3 | 3-Major | BT1008269 | Error: out of stack space | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
976337-1 | 4-Minor | BT976337 | i40evf Requested 4 queues, but PF only gave us 16. | 16.1.2.2, 15.1.5.1 |
1058677-1 | 4-Minor | BT1058677 | Not all SCTP connections are mirrored on the standby device when auto-init is enabled. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1046693-3 | 4-Minor | BT1046693 | TMM with BFD configured might crash under significant memory pressure | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1045549-3 | 4-Minor | BT1045549 | BFD sessions remain DOWN after graceful TMM restart | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1040821-3 | 4-Minor | BT1040821 | Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1034589-2 | 4-Minor | BT1034589 | No warning is given when a pool or trunk that was in use by an high availability (HA) Group is deleted from the configuration. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1031425-2 | 4-Minor | BT1031425 | Provide a configuration flag to disable BGP peer-id check. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1030645-3 | 4-Minor | BT1030645 | BGP session resets during traffic-group failover | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1024621-3 | 4-Minor | BT1024621 | Re-establishing BFD session might take longer than expected. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1023817-1 | 4-Minor | BT1023817 | Misleading "Enabling NAT64 for virtual server with security NAT policy configured is redundant/not required." warning | 17.0.0, 15.1.5.1 |
1002809-1 | 4-Minor | BT1002809 | OSPF vertex-threshold should be at least 100 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
946481-1 | 2-Critical | BT946481 | Virtual Edition FIPS not compatible with TLS 1.3 | 16.1.0, 15.1.5.1, 14.1.4.6 |
910213-2 | 2-Critical | BT910213 | LB::down iRule command is ineffective, and can lead to inconsistent pool member status | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
881401-1 | 2-Critical | BT881401 | TMM crash at Tcl_AfterCancelByUF() while deleting connections. | 16.0.0, 15.1.5.1 |
1080581-3 | 2-Critical | BT1080581 | Virtual server creation is not allowed to have TCP, UDP and HTTP together with Client or Server SSL Profiles.★ | 17.0.0, 16.1.3.1, 15.1.5.1 |
1067397 | 2-Critical | BT1067397 | TMM cored after response, due to receipt of GOAWAY frame from server post TCP FIN. | 15.1.5.1 |
1064617-2 | 2-Critical | BT1064617 | DBDaemon process may write to monitor log file indefinitely | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1059053-1 | 2-Critical | BT1059053 | Tmm crash when passing traffic over some configurations with L2 virtual wire | 17.0.0, 16.1.2.2, 15.1.5.1 |
1009161-1 | 2-Critical | BT1009161 | SSL mirroring protect for null sessions | 15.1.5.1, 14.1.4.5 |
999901-3 | 3-Major | K68816502, BT999901 | Certain LTM policies may not execute correctly after a system reboot or TMM restart. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
987077-1 | 3-Major | BT987077 | TLS1.3 with client authentication handshake failure | 17.0.0, 16.1.3, 15.1.5.1, 14.1.4.6 |
967101-2 | 3-Major | BT967101 | When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
955617-2 | 3-Major | BT955617 | Cannot modify properties of a monitor that is already in use by a pool | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
939085-2 | 3-Major | BT939085 | /config/ssl/ssl.csr directory disappears after creating certificate archive | 16.1.0, 15.1.5.1, 14.1.4.6 |
937769-2 | 3-Major | BT937769 | SSL connection mirroring failure on standby with sslv2 records | 16.1.0, 15.1.5.1 |
936441-2 | 3-Major | BT936441 | Nitrox5 SDK driver logging messages | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
927713-1 | 3-Major | BT927713 | Clsh reboot hangs when executed from the primary blade. | 16.1.0, 15.1.5.1, 14.1.5 |
912517-2 | 3-Major | BT912517 | Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
910905-1 | 3-Major | BT910905 | TMM crash when processing virtual server traffic with TLS/SSL session cache enabled | 15.1.5.1, 14.1.4.4 |
910673-4 | 3-Major | BT910673 | Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM' | 17.0.0, 16.1.2.1, 15.1.5.1 |
902377-2 | 3-Major | BT902377 | HTML profile forces re-chunk even though HTML::disable | 17.0.0, 16.1.2.2, 15.1.5.1 |
892485-2 | 3-Major | BT892485 | A wrong OCSP status cache may be looked up and re-used during SSL handshake. | 16.1.0, 15.1.5.1, 14.1.4.6 |
892073-3 | 3-Major | BT892073 | TLS1.3 LTM policy rule based on SSL SNI is not triggered | 16.0.0, 15.1.5.1, 14.1.4.6 |
872721-3 | 3-Major | BT872721 | SSL connection mirroring intermittent failure with TLS1.3 | 16.0.0, 15.1.5.1, 14.1.4.5 |
838353-1 | 3-Major | BT838353 | MQTT monitor is not working in route domain. | 16.0.0, 15.1.5.1, 14.1.4.6 |
825245-4 | 3-Major | BT825245 | SSL::enable does not work for server side ssl | 16.0.0, 15.1.5.1, 14.1.4.6 |
803109-3 | 3-Major | BT803109 | Certain configuration may result in zombie forwarding flows | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
794385-3 | 3-Major | BT794385 | BGP sessions may be reset after CMP state change | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
793669-5 | 3-Major | BT793669 | FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value. | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
760406-1 | 3-Major | BT760406 | HA connection might stall on Active device when the SSL session cache becomes out-of-sync. | 16.0.0, 15.1.5.1, 14.1.4.1 |
672963-2 | 3-Major | BT672963 | MSSQL monitor fails against databases using non-native charset | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1068561 | 3-Major | BT1068561 | Can't create key on the second netHSM partition. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1058469-2 | 3-Major | BT1058469 | Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1056401-3 | 3-Major | BT1056401 | Valid clients connecting under active syncookie mode might experience latency. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1052929-3 | 3-Major | BT1052929 | MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1043357-3 | 3-Major | BT1043357 | SSL handshake may fail when using remote crypto client | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1031609 | 3-Major | BT1031609 | Improve nethsm-thales-install.sh and nethsm-thales-rfs-install.sh to be compatible with Entrust Client v12.60.10 package.★ | 17.0.0, 16.1.2.1, 15.1.5.1 |
1029897-2 | 3-Major | K63312282, BT1029897 | Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1024841-1 | 3-Major | BT1024841 | SSL connection mirroring with ocsp connection failure on standby | 17.0.0, 16.1.2.2, 15.1.5.1 |
1023341-2 | 3-Major | | HSM hardening | 17.0.0, 16.1.1, 15.1.5.1, 14.1.4.6, 13.1.5 |
1019609 | 3-Major | BT1019609 | No Error logging when BIG-IP device's IP address is not added in client list on netHSM.★ | 17.0.0, 16.1.2.1, 15.1.5.1 |
1017513-3 | 3-Major | BT1017513 | Config sync fails with error Invalid monitor rule instance identifier or monitors are in a bad state such as checking | 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5 |
1016449-2 | 3-Major | BT1016449 | After certain configuration tasks are performed, TMM may run with stale Self IP parameters. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1016049-4 | 3-Major | BT1016049 | EDNS query with CSUBNET dropped by protocol inspection | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1015161-2 | 3-Major | BT1015161 | Ephemeral pool member may not be created when FQDN resolves to address that matches static node | 16.1.0, 15.1.5.1, 14.1.4.5, 13.1.5 |
1008501-3 | 3-Major | BT1008501 | TMM core | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1008009-2 | 3-Major | BT1008009 | SSL mirroring null hs during session sync state | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
838305-7 | 4-Minor | BT838305 | BIG-IP may create multiple connections for packets that should belong to a single flow. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
801705-6 | 4-Minor | BT801705 | When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC | 16.0.0, 15.1.5.1, 14.1.3.1, 13.1.3.6 |
717806-1 | 4-Minor | BT717806 | In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1064669-2 | 4-Minor | BT1064669 | Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1048433 | 4-Minor | BT1048433 | Improve Extract logic of thales-sync.sh to support VIPRION cluster to support 12.6.10 client installation.★ | 16.1.2.1, 15.1.5.1 |
1045913-3 | 4-Minor | BT1045913 | COMPRESS::disable/COMPRESS::enable don't work reliably for selective compression | 15.1.5.1, 14.1.4.5 |
1026605-4 | 4-Minor | BT1026605 | When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1026005-2 | 4-Minor | BT1026005 | BIG-IP Virtual Edition (VE) does NOT preserve the order of NICs 5-10 defined in the VMware ESXi hypervisor and NSXT platforms. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1016441-3 | 4-Minor | | RFC Enforcement Hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
968581-2 | 5-Cosmetic | BT968581 | TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
873249-1 | 5-Cosmetic | BT873249 | Switching from fast_merge to slow_merge can result in incorrect tmm stats | 16.1.0, 15.1.5.1, 14.1.4.6, 13.1.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1062513-3 | 2-Critical | BT1062513 | GUI returns 'no access' error message when modifying a GTM pool property. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1027657-3 | 2-Critical | BT1027657 | Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1010617-3 | 2-Critical | BT1010617 | String operation against DNS resource records cause tmm memory corruption | 17.0.0, 16.1.2.2, 15.1.5.1 |
874221-1 | 3-Major | BT874221 | DNS response recursion desired (rd) flag does not match DNS query when using iRule command DNS::header rd | 16.1.0, 15.1.5.1 |
872037-2 | 3-Major | BT872037 | DNS::header rd does not set the Recursion desired | 16.1.0, 15.1.5.1 |
1046785-3 | 3-Major | BT1046785 | Missing GTM probes when max synchronous probes are exceeded. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5, 13.1.5 |
1044425-3 | 3-Major | K85021277, BT1044425 | NSEC3 record improvements for NXDOMAIN | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1039205 | 3-Major | BT1039205 | DNSSEC key stored on netHSM fails to generate if the key name length is > 24 | 15.1.5.1, 14.1.4.6 |
1020337-1 | 3-Major | BT1020337 | DNS msg_ObjType can cause buffer overrun due to lack of NUL terminator | 17.0.0, 16.1.2.2, 15.1.5.1 |
1018613-3 | 3-Major | BT1018613 | Modify wideip pools with replace-all-with results pools with same order 0 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
885869-2 | 4-Minor | BT885869 | Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime | 16.0.0, 15.1.5.1, 14.1.4 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1069449-2 | 2-Critical | K39002226, BT1069449 | ASM attack signatures may not match cookies as expected | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
965785-2 | 3-Major | BT965785 | Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
961509-2 | 3-Major | BT961509 | ASM blocks WebSocket frames with signature matched but Transparent policy | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
926845-5 | 3-Major | BT926845 | Inactive ASM policies are deleted upon upgrade | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
921697-3 | 3-Major | BT921697 | Attack signature updates fail to install with Installation Error.★ | 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.6 |
818889-2 | 3-Major | BT818889 | False positive malformed json or xml violation. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1072197-2 | 3-Major | K94142349, BT1072197 | Issue with input normalization in WebSocket. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1067285-2 | 3-Major | BT1067285 | Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.' | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1066829-2 | 3-Major | BT1066829 | Memory leak for xml/json auto-detected parameter with signature patterns. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1060933-2 | 3-Major | K49237345 | Issue with input normalization. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1051213-2 | 3-Major | BT1051213 | Increase default value for violation 'Check maximum number of headers'. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1051209-2 | 3-Major | K53593534, BT1051209 | BD may not process certain HTTP payloads as expected | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1047389-2 | 3-Major | BT1047389 | Bot Defense challenge hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1043533-1 | 3-Major | BT1043533 | Unable to pick up the properties of the parameters from audit reports. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1043385-3 | 3-Major | BT1043385 | No Signature detected If Authorization header is missing padding. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1042605-3 | 3-Major | BT1042605 | ASM Critical Warnings during UCS load after upgrade to v15.1.0 or above★ | 17.0.0, 16.1.2.2, 15.1.5.1 |
1041149-2 | 3-Major | BT1041149 | Staging of URL does not affect apply value signatures | 17.0.0, 16.1.2.2, 15.1.5.1 |
1038733-3 | 3-Major | BT1038733 | Attack signature not detected for unsupported authorization types. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1037457-2 | 3-Major | BT1037457 | High CPU during specific dos mitigation | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1030853-2 | 3-Major | BT1030853 | Route domain IP exception is being treated as trusted (for learning) after being deleted | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1023993-3 | 3-Major | BT1023993 | Brute Force is not blocking requests, even when auth failure happens multiple times | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1012221-2 | 3-Major | BT1012221 | Message: childInheritanceStatus is not compatible with parentInheritanceStatus★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1011069-3 | 3-Major | BT1011069 | Group/User R/W permissions should be changed for .pid and .cfg files. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1008849-3 | 3-Major | BT1008849 | OWASP "A4 XML External Entities (XXE)" is not reflecting the XXE signatures configuration. | 17.0.0, 16.1.2.2, 15.1.5.1 |
844045-3 | 4-Minor | BT844045 | ASM Response event logging for "Illegal response" violations. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
842029-2 | 4-Minor | BT842029 | Unable to create policy: Inherited values may not be changed. | 16.0.0, 15.1.5.1, 14.1.5 |
1050697-5 | 4-Minor | BT1050697 | Traffic learning page counts Disabled signatures when they are ready to be enforced | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1038741-3 | 4-Minor | BT1038741 | NTLM type-1 message triggers "Unparsable request content" violation. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1036521-3 | 4-Minor | BT1036521 | TMM crash in certain cases | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1035361-2 | 4-Minor | BT1035361 | Illegal cross-origin after successful CAPTCHA | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1034941-2 | 4-Minor | BT1034941 | Exporting and then re-importing "some" XML policy does not load the XML content-profile properly | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1020717-3 | 4-Minor | BT1020717 | Policy versions cleanup process sometimes removes newer versions | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1038913-3 | 3-Major | BT1038913 | The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category | 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
883841-1 | 3-Major | BT883841 | APM now displays icons of all sizes that Horizon VCS supports. | 16.0.0, 15.1.5.1 |
827393-2 | 3-Major | BT827393 | In rare cases tmm crash is observed when using APM as RDG proxy. | 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5 |
423519-3 | 3-Major | K74302282, BT423519 | Bypass disabling the redirection controls configuration of APM RDP Resource. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1045229-2 | 3-Major | BT1045229 | APMD leaks Tcl_Objs as part of the fix made for ID 1002557 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
1044121-2 | 3-Major | BT1044121 | APM logon page is not rendered if db variable "ipv6.enabled" is set to false | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1007109-1 | 2-Critical | BT1007109 | Flowmap entry is deleted before updating its timeout to INDEFINITE | 16.1.0, 15.1.5.1, 14.1.4.6 |
957905-2 | 3-Major | BT957905 | SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1061929 | 2-Critical | BT1061929 | Unable to perform IPI update (through proxy) after upgrade to 15.1.4.★ | 17.0.0, 15.1.5.1 |
1058645-1 | 2-Critical | BT1058645 | ipsecalg blocks Sophos ISAKMP negotiation during tunnel setup. | 17.0.0, 15.1.5.1, 14.1.4.6 |
980593 | 3-Major | BT980593 | LSN logging stats are always 0 for log_attempts and log_failures in tmctl fw_lsn_log_stat table | 16.1.0, 15.1.5.1 |
929909-2 | 3-Major | BT929909 | TCP Packets are not dropped in IP Intelligence | 17.0.0, 16.1.2.2, 15.1.5.1 |
1079637 | 3-Major | BT1079637 | Incorrect Neuron rule order | 17.0.0, 16.1.3, 15.1.5.1 |
1067393-1 | 3-Major | BT1067393 | MCP validation - incorrect config load fail on AFM NAT rule with next-hop pool.★ | 17.0.0, 15.1.5.1 |
1063681-1 | 3-Major | BT1063681 | PCCD cored, SIGSEGV in pc::cfg::CMessageProcessor::modify_fqdn. | 17.0.0, 15.1.5.1 |
1008265-3 | 3-Major | K92306170, BT1008265 | DoS Flood and Sweep vector states are disabled on an upgrade to BIG-IP software versions 14.x and beyond★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1072057-2 | 4-Minor | BT1072057 | "ANY" appears despite setting an IP address or host as the source in Security->Network Firewall->Policy. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1028269-1 | 2-Critical | BT1028269 | Device using CGNAT + subscriber discovery license shows unknown for pem_subscriber-id. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1019613-3 | 2-Critical | BT1019613 | Unknown subscriber in PBA deployment may cause CPU spike | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
873617-2 | 3-Major | BT873617 | DataSafe is not available with AWAF license after BIG-IP startup or MCP restart. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1060409-3 | 4-Minor | BT1060409 | Behavioral DoS enable checkbox is wrong. | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1033829-1 | 2-Critical | BT1033829 | Unable to load Traffic Classification package | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
1052153 | 3-Major | BT1052153 | Signature downloads for traffic classification updates via proxy fail | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
940261-3 | 4-Minor | BT940261 | Support IPS package downloads via HTTP proxy. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
944121-1 | 3-Major | BT944121 | Missing SNI information when using non-default domain https monitor running in TMM mode. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1050969-2 | 1-Blocking | BT1050969 | After running clear-rest-storage you are logged out of the UI with a message - Your login credentials no longer valid | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1055361-2 | 2-Critical | BT1055361 | Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a tmm crash. | 17.0.0, 16.1.2.1, 15.1.5.1 |
Cumulative fixes from BIG-IP v15.1.5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1056933-5 | CVE-2022-26370 | K51539421, BT1056933 | TMM may crash while processing SIP traffic | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
1047053-2 | CVE-2022-28691 | K37155600, BT1047053 | TMM may consume excessive resources while processing RTSP traffic | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5 |
1045101-3 | CVE-2022-26890 | K03442392, BT1045101 | Bd may crash while processing ASM traffic | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6, 13.1.5 |
997193-1 | CVE-2022-23028 | K16101409, BT997193 | TCP connections may fail when AFM global syncookies are in operation. | 16.1.0, 15.1.5, 14.1.4.5, 13.1.5 |
940185-2 | CVE-2022-23023 | K11742742, BT940185 | icrd_child may consume excessive resources while processing REST requests | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
1065789-2 | CVE-2023-24594 | K000133132, BT1065789 | TMM may send duplicated alerts while processing SSL connections | 17.0.0, 16.1.2.1, 15.1.5 |
1047089 | CVE-2022-29491 | K14229426, BT1047089 | TMM may terminate while processing TLS/DTLS traffic | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
1000021-5 | CVE-2022-27182 | K31856317, BT1000021 | TMM may consume excessive resources while processing packet filters | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1015133-3 | 3-Major | BT1015133 | Tail loss can cause TCP TLP to retransmit slowly. | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
749332-2 | 2-Critical | BT749332 | Client-SSL Object's description can be updated using CLI and with REST PATCH operation | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.4 |
1040929 | 2-Critical | BT1040929 | Change F5OS BIG-IP tenant name from VELOS to F5OS. | 15.1.5 |
1004929-2 | 2-Critical | BT1004929 | During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid. | 17.0.0, 15.1.5, 14.1.4.5, 13.1.5 |
996001-1 | 3-Major | BT996001 | AVR Inspection Dashboard 'Last Month' does not show all data points | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
940177-1 | 3-Major | BT940177 | Certificate instances tab shows incorrect number of instances in certain conditions | 16.1.0, 15.1.5 |
888869-2 | 3-Major | BT888869 | GUI reports General Database Error when accessing Instances Tab of SSL Certificates | 16.1.0, 15.1.5 |
1055785 | 3-Major | BT1055785 | SmartNIC 2.0: stats throughput logging is broken on Virtual Edition dashboard. | 15.1.5 |
1048917 | 3-Major | BT1048917 | Image2disk does not work on F5OS BIG-IP tenant.★ | 15.1.5 |
1032949 | 3-Major | BT1032949 | Dynamic CRL configured with client authentication profile as "Request" causes connection termination without certificate. | 17.0.0, 16.1.2.1, 15.1.5 |
1022637-2 | 3-Major | BT1022637 | A partition other than /Common may fail to save the configuration to disk | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5 |
1019793 | 3-Major | BT1019793 | Image2disk does not work on F5OS BIG-IP tenant.★ | 17.1.0, 15.1.5 |
528894-6 | 4-Minor | BT528894 | Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1053809 | 1-Blocking | BT1053809 | TMM crashes while running L4 Max concurrent connections | 17.1.0, 15.1.5 |
1064649-1 | 2-Critical | BT1064649 | Tmm crash after upgrade.★ | 17.0.0, 15.1.5 |
1060093 | 2-Critical | BT1060093 | Upgrading BIG-IP tenant from 14.1.4.4-0.0.4 to 15.1.5-0.0.3 with blade in the 8th slot causes backplane CDP clustering issues.★ | 17.1.0, 15.1.5 |
1056213 | 2-Critical | BT1056213 | TMM core due to freeing of connflow, assuming it as http data. | 15.1.5 |
1040361-2 | 2-Critical | BT1040361 | TMM crashes during its startup when TMC destination port list attached/deleted to virtual server. | 17.0.0, 16.1.2, 15.1.5, 14.1.4.5 |
1013181-2 | 2-Critical | BT1013181 | TMM may produce core when dynamic CRL check is enabled on the client SSL profile | 16.1.0, 15.1.5 |
999097-3 | 3-Major | BT999097 | SSL::profile may select profile with outdated configuration | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
967093-1 | 3-Major | BT967093 | In SSL forward proxy, when the signing CA cert and end-entity cert have a different signature algorithm, the SSL connection may fail | 17.0.0, 15.1.5 |
686395-3 | 3-Major | BT686395 | With DTLS version1, when client hello uses version1.2, handshake shall proceed | 15.1.5, 12.1.3.4 |
608952-1 | 3-Major | BT608952 | MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2 | 16.0.0, 15.1.5, 14.1.2.7, 13.1.3.6, 12.1.5.3 |
1038629 | 3-Major | BT1038629 | DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
1034365-2 | 3-Major | BT1034365 | DTLS handshake fails with DTLS1.2 client version | 15.1.5, 14.1.4.5, 13.1.5 |
1015201 | 3-Major | BT1015201 | HTTP unchunking satellite leaks ERR_MORE_DATA which can cause connection to be aborted. | 15.1.5, 14.1.4.4 |
1007749-1 | 3-Major | BT1007749 | URI TCL parse functions fail when there are interior segments with periods and semi-colons | 17.0.0, 16.1.2.1, 15.1.5 |
1024761-3 | 4-Minor | BT1024761 | HTTP adds Transfer-Encoding and terminating chunk to responses that cannot have a body | 17.0.0, 16.1.2.1, 15.1.5 |
1005109-2 | 4-Minor | BT1005109 | TMM crashes when changing traffic-group on IPv6 link-local address | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
898929-4 | 5-Cosmetic | BT898929 | Tmm might crash when ASM, AVR, and pool connection queuing are in use | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1035853-3 | 2-Critical | K41415626, BT1035853 | Transparent DNS Cache can consume excessive resources. | 17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5 |
935249-2 | 3-Major | BT935249 | GTM virtual servers have the wrong status | 17.0.0, 16.1.2.1, 15.1.5 |
1039553-2 | 3-Major | BT1039553 | Non-200 HTTP status codes fail to be matched by GTM HTTP(S) monitors | 17.0.0, 16.1.2.1, 15.1.5 |
1024553-2 | 3-Major | BT1024553 | GTM Pool member set to monitor type "none" results in big3d: timed out | 15.1.5, 14.1.4.5, 13.1.5 |
1021061-3 | 3-Major | BT1021061 | Config fails to load for large config on platform with Platform FIPS license enabled | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
1011285-2 | 3-Major | BT1011285 | The iControl REST API no longer accepts an empty 'lastResortPool' property for wide IP objects. | 16.1.0, 15.1.5, 13.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
993613-5 | 2-Critical | BT993613 | Device fails to request full sync | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
984593-2 | 3-Major | BT984593 | BD crash | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
907025-3 | 3-Major | BT907025 | Live update error" 'Try to reload page' | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
885765-3 | 3-Major | BT885765 | ASMConfig Handler undergoes frequent restarts | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
580715-2 | 3-Major | BT580715 | ASM is not sending 64 KB remote logs over UDP | 17.0.0, 15.1.5 |
1004069-1 | 3-Major | BT1004069 | Brute force attack is detected too soon | 17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5 |
886865-1 | 4-Minor | BT886865 | P3P header is added for all browsers, but required only for Internet Explorer | 16.1.0, 15.1.5, 14.1.4.5 |
1016033-2 | 4-Minor | BT1016033 | Remote logging of WS/WSS shows date_time equal to Unix epoch start time | 17.0.0, 15.1.5 |
1002385-3 | 4-Minor | K67397230, BT1002385 | Fixing issue with input normalization | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1009093-1 | 2-Critical | BT1009093 | GUI widgets pages are not functioning correctly | 17.0.0, 16.1.2.1, 15.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
883889-3 | 2-Critical | BT883889 | Tmm might crash when under memory pressure | 16.0.0, 15.1.5, 14.1.4.5 |
997761-2 | 3-Major | BT997761 | Subsessionlist entries leak if there is no RADIUS accounting agent in policy | 16.1.0, 15.1.5 |
973673-1 | 3-Major | BT973673 | CPU spikes when the LDAP operational timeout is set to 180 seconds | 16.1.0, 15.1.5 |
926973-1 | 3-Major | BT926973 | APM / OAuth issue with larger JWT validation | 16.1.0, 15.1.5 |
828761-1 | 3-Major | BT828761 | APM OAuth - Auth Server attached iRule works inconsistently | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
738593-2 | 3-Major | BT738593 | VMware Horizon session collaboration (shadow session) feature does not work through APM. | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
1020561-1 | 3-Major | BT1020561 | Session memory increases over time due to db_access_set_accessinfo can leak sresult key/data in error case | 17.0.0, 15.1.5 |
942965-2 | 4-Minor | BT942965 | Local users database can sometimes take more than 5 minutes to sync to the standby device | 16.1.0, 15.1.5, 14.1.4.5 |
886841-1 | 4-Minor | BT886841 | Allow LDAP Query and HTTP Connector for API Protection policies | 16.0.0, 15.1.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1029397-1 | 2-Critical | BT1029397 | Tmm may crash with SIP-ALG deployment in a particular race condition | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
1039329-1 | 3-Major | BT1039329 | MRF per peer mode is not working in vCMP guest. | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
919465-2 | 2-Critical | BT919465 | A dwbld core on configuration changes on IP Intelligence policy | 16.0.0, 15.1.5 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
956013-1 | 3-Major | BT956013 | System reports {{validation_errors}} | 16.1.2.1, 15.1.5, 14.1.4.5 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
922665-2 | 3-Major | BT922665 | The admd process is terminated by watchdog on some heavy load configuration process | 16.1.0, 15.1.5, 14.1.4.5 |
1023437-3 | 3-Major | | Buffer overflow during attack with large HTTP Headers | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1050273-2 | 3-Major | BT1050273 | ERR_BOUNDS errors observed with HTTP explicit proxy service in SSL Orchestrator. | 17.0.0, 16.1.3.1, 15.1.5 |
1038669-2 | 3-Major | BT1038669 | Antserver keeps restarting. | 17.0.0, 16.1.2, 15.1.5 |
1032797-2 | 3-Major | BT1032797 | Tmm continuously cores when parsing custom category URLs | 17.0.0, 16.1.2, 15.1.5 |
Cumulative fixes from BIG-IP v15.1.4.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
999933-3 | CVE-2022-23017 | K28042514, BT999933 | TMM may crash while processing DNS traffic on certain platforms | 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
991421-3 | CVE-2022-23016 | K91013510, BT991421 | TMM may crash while processing TLS traffic | 17.0.0, 16.1.2, 15.1.4.1 |
989701-5 | CVE-2020-25212 | K42355373, BT989701 | CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
989637-3 | CVE-2022-23015 | K08476614, BT989637 | TMM may crash while processing SSL traffic | 16.1.0, 15.1.4.1, 14.1.4.5 |
988549-5 | CVE-2020-29573 | K27238230, BT988549 | CVE-2020-29573: glibc vulnerability | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
968893-2 | CVE-2022-23014 | K93526903, BT968893 | TMM crash when processing APM traffic | 17.0.0, 16.1.2, 15.1.4.1 |
966901-2 | CVE-2020-14364 | K09081535, BT966901 | CVE-2020-14364: Qemu Vulnerability | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
940317-4 | CVE-2020-13692 | K23157312, BT940317 | CVE-2020-13692: PostgreSQL JDBC Driver vulnerability | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
910517-1 | CVE-2022-23012 | K26310765, BT910517 | TMM may crash while processing HTTP traffic | 15.1.4.1, 14.1.4.5 |
550928-5 | CVE-2022-23010 | K34360320, BT550928 | TMM may crash when processing HTTP traffic with a FastL4 virtual server | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
1032405-3 | CVE-2021-23037 | K21435974, BT1032405 | TMUI XSS vulnerability CVE-2021-23037 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1030689-2 | CVE-2022-23019 | K82793463, BT1030689 | TMM may consume excessive resources while processing Diameter traffic | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
1028669-5 | CVE-2019-9948 | K28622040, BT1028669 | Python vulnerability: CVE-2019-9948 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1028573-5 | CVE-2020-10878 | K40508224, BT1028573 | Perl vulnerability: CVE-2020-10878 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1028497-5 | CVE-2019-15903 | K05295469, BT1028497 | libexpat vulnerability: CVE-2019-15903 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1012365-2 | CVE-2021-20305 | K33101555, BT1012365 | Nettle cryptography library vulnerability CVE-2021-20305 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1007489-5 | CVE-2022-23018 | K24358905, BT1007489 | TMM may crash while handling specific HTTP requests★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
988589-5 | CVE-2019-25013 | K68251873 | CVE-2019-25013 glibc vulnerability: buffer over-read in iconv | 15.1.4.1 |
981693-1 | CVE-2022-23024 | K54892865, BT981693 | TMM may consume excessive resources while processing IPSec ALG traffic | 16.1.0, 15.1.4.1, 14.1.4.2, 13.1.5 |
975589-4 | CVE-2020-8277 | K07944249, BT975589 | CVE-2020-8277 Node.js vulnerability | 16.1.0, 15.1.4.1, 14.1.4.4 |
974341-2 | CVE-2022-23026 | K08402414, BT974341 | REST API: File upload | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
973409-5 | CVE-2020-1971 | K42910051, BT973409 | CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
941649-2 | CVE-2021-23043 | K63163637, BT941649 | Local File Inclusion Vulnerability | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1009725-3 | CVE-2022-23030 | K53442005, BT1009725 | Excessive resource usage when ixlv drivers are enabled | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1008077-5 | CVE-2022-23029 | K50343028, BT1008077 | TMM may crash while processing TCP traffic with a FastL4 VS | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
1001369-2 | CVE-2020-12049 | K16729408 | D-Bus vulnerability CVE-2020-12049 | 15.1.4.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
754335-3 | 3-Major | BT754335 | Install ISO does not boot on BIG-IP VE★ | 16.1.0, 15.1.4.1, 14.1.4.4 |
985953-3 | 4-Minor | BT985953 | GRE Transparent Ethernet Bridging inner MAC overwrite | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1042993-2 | 1-Blocking | K19272127, BT1042993 | Provisioning high availability (HA) setup wizard fails to load, reports 'No Access' | 17.0.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
1039049 | 1-Blocking | BT1039049 | Installing EHF on particular platforms fails with error "RPM transaction failure" | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
997313-3 | 2-Critical | BT997313 | Unable to create APM policies in a sync-only folder★ | 17.0.0, 16.1.2, 15.1.4.1 |
942549-2 | 2-Critical | BT942549 | Dataplane INOPERABLE - Only 7 HSBs found. Expected 8 | 16.1.0, 15.1.4.1, 14.1.4.4 |
897509-1 | 2-Critical | BT897509 | IPsec SAs are missing on HA standby, leading to packet drops after failover | 16.1.0, 15.1.4.1 |
831821-1 | 2-Critical | BT831821 | Corrupted DAG packets cause bcm56xxd core on VCMP host | 16.0.0, 15.1.4.1, 14.1.4.5 |
1043277-3 | 2-Critical | BT1043277 | 'No access' error page displays for APM policy export and apply options. | 17.0.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
992053-1 | 3-Major | BT992053 | Pva_stats for server side connections do not update for redirected flows | 17.1.0, 15.1.4.1 |
965205-2 | 3-Major | BT965205 | BIG-IP dashboard downloads unused widgets | 16.1.0, 15.1.4.1, 14.1.4.4 |
958093-3 | 3-Major | BT958093 | IPv6 routes missing after BGP graceful restart | 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
947529-2 | 3-Major | BT947529 | Security tab in virtual server menu renders slowly | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
940885-2 | 3-Major | BT940885 | Add embedded SR-IOV support for Mellanox CX5 Ex adapter | 16.1.0, 15.1.4.1, 14.1.4.4 |
922185-1 | 3-Major | BT922185 | LDAP referrals not supported for 'cert-ldap system-auth'★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
909197-3 | 3-Major | BT909197 | The mcpd process may become unresponsive | 16.1.0, 16.0.1.1, 15.1.4.1, 14.1.4 |
900933-1 | 3-Major | BT900933 | IPsec interoperability problem with ECP PFS | 16.1.0, 16.0.1.2, 15.1.4.1, 14.1.4.5 |
887117-2 | 3-Major | BT887117 | Invalid SessionDB messages are sent to Standby | 17.0.0, 16.1.1, 15.1.4.1 |
881085-3 | 3-Major | BT881085 | Intermittent auth failures with remote LDAP auth for BIG-IP management | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
873641-1 | 3-Major | BT873641 | Re-offloading of TCP flows to hardware does not work | 16.0.0, 15.1.4.1 |
856953-4 | 3-Major | BT856953 | IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1 | 16.0.0, 15.1.4.1, 14.1.2.8, 13.1.5 |
809657-7 | 3-Major | BT809657 | HA Group score not computed correctly for an unmonitored pool when mcpd starts | 16.0.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
1045421-2 | 3-Major | K16107301, BT1045421 | No Access error when performing various actions in the TMOS GUI | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1032737-1 | 3-Major | BT1032737 | IPsec: tmm SIGSEGV in getlocaladdr in ikev2_initiate | 17.0.0, 16.1.2, 15.1.4.1 |
1032077-2 | 3-Major | BT1032077 | TACACS authentication fails with tac_author_read: short author body | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1027713 | 3-Major | BT1027713 | SELinux avc: denied { signull } for pid=6207 comm="useradd" on vCMP guest during its deployment. | 15.1.4.1 |
1026549-3 | 3-Major | BT1026549 | Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1024877-2 | 3-Major | BT1024877 | Systemd[]: systemd-ask-password-serial.service failed. | 16.1.0, 15.1.4.1, 14.1.4.4 |
1019429-3 | 3-Major | BT1019429 | CMP Forwarded flows do not get syncache counter decremented when only server-side is PVA accelerated | 17.0.0, 15.1.4.1 |
1018309-3 | 3-Major | BT1018309 | Loading config file with imish removes the last character | 17.0.0, 16.1.1, 15.1.4.1 |
1015093-3 | 3-Major | BT1015093 | The "iq" column is missing from the ndal_tx_stats table | 15.1.4.1, 14.1.4.5 |
1010245-1 | 3-Major | BT1010245 | Duplicate ipsec-sa SPI values shown by tmsh command | 16.1.0, 15.1.4.1 |
1009949-2 | 3-Major | BT1009949 | High CPU usage when upgrading from previous version★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
1003257-4 | 3-Major | BT1003257 | ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
988533-1 | 4-Minor | BT988533 | GRE-encapsulated MPLS packet support | 17.0.0, 15.1.4.1, 14.1.4.5 |
966073-1 | 4-Minor | BT966073 | GENEVE protocol support | 16.1.0, 15.1.4.1 |
884165-3 | 4-Minor | BT884165 | Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG | 16.0.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
1030845-2 | 4-Minor | BT1030845 | Time change from TMSH not logged in /var/log/audit. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
862885-2 | 2-Critical | BT862885 | Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error | 16.1.0, 15.1.4.1, 14.1.4.5 |
1020645-1 | 2-Critical | BT1020645 | When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered | 17.1.0, 16.1.3.1, 15.1.4.1 |
985433-2 | 3-Major | BT985433 | Insertion of the X-Forwarded-For HTTP header can fail, causing the client's connection to be reset. | 16.1.0, 15.1.4.1 |
978833-2 | 3-Major | BT978833 | Use of CRL-based Certificate Monitoring Causes Memory Leak | 16.1.0, 15.1.4.1, 14.1.4.4 |
965037-1 | 3-Major | BT965037 | SSL Orchestrator does not send HTTP CONNECT tunnel payload to services | 16.1.0, 15.1.4.1 |
963705-3 | 3-Major | BT963705 | Proxy ssl server response not forwarded | 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
915773-1 | 3-Major | BT915773 | Restart of TMM after stale interface reference | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
904041-2 | 3-Major | BT904041 | Ephemeral pool members may be incorrect when modified via various actions | 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
803629-7 | 3-Major | BT803629 | SQL monitor fails with 'Analyze Response failure' message even if recv string is correct | 16.1.0, 16.0.1.1, 15.1.4.1, 14.1.4.5, 13.1.5 |
758041-1 | 3-Major | BT758041 | LTM Pool Members may not be updated accurately when multiple identical database monitors are configured. | 16.0.0, 15.1.4.1, 14.1.2.7, 13.1.3.5 |
723112-8 | 3-Major | BT723112 | LTM policies do not work if a condition has more than 127 matches | 16.1.0, 15.1.4.1, 14.1.4.4 |
1023365-1 | 3-Major | BT1023365 | SSL server response could be dropped on immediate client shutdown. | 17.0.0, 16.1.2, 15.1.4.1 |
1018577-3 | 3-Major | BT1018577 | SASP monitor does not mark pool member with same IP Address but different Port from another pool member | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1012009-1 | 3-Major | BT1012009 | MQTT Message Routing virtual may result in TMM crash | 15.1.4.1 |
1008017-5 | 3-Major | BT1008017 | Validation failure on Enforce TLS Requirements and TLS Renegotiation | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1006781-1 | 3-Major | BT1006781 | Server SYN is sent on VLAN 0 when destination MAC is multicast | 17.0.0, 16.1.2.2, 15.1.4.1 |
949721-2 | 4-Minor | BT949721 | QUIC does not send control frames in PTO packets | 16.1.0, 16.0.1.2, 15.1.4.1 |
936773-2 | 4-Minor | BT936773 | Improve logging for "double flow removal" TMM Oops | 16.1.0, 15.1.4.1, 14.1.4.4 |
936557-2 | 4-Minor | BT936557 | Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled. | 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
890881-4 | 4-Minor | BT890881 | ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address | 16.1.0, 15.1.4.1, 14.1.4.5 |
1031901-1 | 4-Minor | BT1031901 | In HTTP2 deployment, RST_STREAM sent to client if server in CLOSING state is picked | 17.0.0, 16.1.2, 15.1.4.1 |
1002945-2 | 4-Minor | BT1002945 | Some connections are dropped on chained IPv6 to IPv4 virtual servers. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
933405-2 | 1-Blocking | K34257075, BT933405 | Zonerunner GUI hangs when attempting to list Resource Records | 16.1.0, 16.0.1.1, 15.1.4.1, 14.1.4 |
1009037-3 | 2-Critical | BT1009037 | Tcl resume on invalid connection flow can cause tmm crash | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
847105-2 | 3-Major | BT847105 | The bigip_gtm.conf is reverted to default after rebooting with license expired★ | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
1021417-3 | 3-Major | BT1021417 | Modifying GTM pool members with replace-all-with results in pool members with order 0 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
997137-3 | 2-Critical | K80945213, BT997137 | CSRF token modification may allow WAF bypass on GET requests | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
912149-5 | 2-Critical | BT912149 | ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
879841-4 | 2-Critical | BT879841 | Domain cookie same-site option is missing the "None" as value in GUI and rest | 16.0.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
1019853-2 | 2-Critical | K30911244, BT1019853 | Some signatures are not matched under specific conditions | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1011065-2 | 2-Critical | K39002226, BT1011065 | Certain attack signatures may not match in multipart content | 17.0.0, 16.1.2, 15.1.4.1 |
1011061-2 | 2-Critical | K39002226, BT1011061 | Certain attack signatures may not match in multipart content | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
948805-1 | 3-Major | BT948805 | False positive "Null in Request" | 16.1.0, 15.1.4.1, 14.1.4.5 |
945789-1 | 3-Major | BT945789 | Live update cannot resolve hostname if IPv6 is configured. | 16.1.0, 15.1.4.1 |
932133-2 | 3-Major | BT932133 | Payloads with large number of elements in XML take a lot of time to process | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
920149-1 | 3-Major | BT920149 | Live Update default factory file for Server Technologies cannot be reinstalled | 17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4 |
914277-2 | 3-Major | BT914277 | [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU | 16.1.0, 16.0.1.2, 15.1.4.1, 14.1.4.4 |
904133-1 | 3-Major | BT904133 | Creating a user-defined signature via iControl REST occasionally fails with a 400 response code | 16.0.0, 15.1.4.1, 14.1.4.4 |
882377-3 | 3-Major | BT882377 | ASM Application Security Editor Role User can update/install ASU | 16.0.0, 15.1.4.1, 14.1.2.5 |
857633-7 | 3-Major | BT857633 | Attack Type (SSRF) appears incorrectly in REST result | 16.0.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
842013-3 | 3-Major | BT842013 | ASM Configuration is Lost on License Reactivation★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
753715-2 | 3-Major | BT753715 | False positive JSON max array length violation | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
1042069-2 | 3-Major | | Some signatures are not matched under specific conditions. | 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5, 13.1.5 |
1017153-2 | 3-Major | BT1017153 | Asmlogd suddenly deletes all request log protobuf files and records from the database. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1039805 | 4-Minor | BT1039805 | Save button in Response and Blocking Pages section is enabled when there are no changes to save. | 15.1.4.1 |
1003765-1 | 4-Minor | BT1003765 | Authorization header signature triggered even when explicitly disabled | 17.1.0, 16.1.4, 15.1.4.1 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
932137-5 | 3-Major | BT932137 | AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
922105-3 | 3-Major | BT922105 | Avrd core when connection to BIG-IQ data collection device is not available | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
832805-2 | 3-Major | BT832805 | AVR should make sure file permissions are correct (tmstat_tables.xml) | 16.0.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
787677-5 | 3-Major | BT787677 | AVRD stays at 100% CPU constantly on some systems | 16.1.0, 15.1.4.1, 14.1.4.5, 13.1.5 |
1035133-3 | 3-Major | BT1035133 | Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
948113-3 | 4-Minor | BT948113 | User-defined report scheduling fails | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1027217 | 1-Blocking | BT1027217 | Script errors in Network Access window using browser. | 17.0.0, 16.1.2, 15.1.4.1 |
860617-3 | 2-Critical | BT860617 | RADIUS server pool without an attached load balancing algorithm will result in a core | 16.0.0, 15.1.4.1, 14.1.4.5 |
817137-1 | 2-Critical | BT817137 | SSO setting for Portal Access resources in webtop sections cannot be updated. | 16.0.0, 15.1.4.1 |
1006893-2 | 2-Critical | BT1006893 | Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
998473-2 | 3-Major | BT998473 | NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL) | 16.1.0, 15.1.4.1 |
993457-2 | 3-Major | BT993457 | TMM core with ACCESS::policy evaluate iRule | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
969317-3 | 3-Major | BT969317 | "Restrict to Single Client IP" option is ignored for VMware VDI | 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5 |
964037 | 3-Major | BT964037 | Error: Exception response while loading properties from server | 15.1.4.1 |
949477-1 | 3-Major | BT949477 | NTLM RPC exception: Failed to verify checksum of the packet | 16.1.0, 15.1.4.1, 14.1.4.4 |
933129-2 | 3-Major | BT933129 | Portal Access resources are visible when they should not be | 16.0.0, 15.1.4.1 |
932213-2 | 3-Major | BT932213 | Local user db not synced to standby device when it comes online after forced offline state | 16.1.0, 15.1.4.1, 14.1.4.5 |
918717-2 | 3-Major | BT918717 | Exception at rewritten Element.innerHTML='<a href></a>' | 16.1.0, 15.1.4.1 |
915509-1 | 3-Major | BT915509 | RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true | 16.1.0, 15.1.4.1, 14.1.4.5 |
891613-1 | 3-Major | BT891613 | RDP resource with user-defined address cannot be launched from webtop with modern customization | 16.1.0, 15.1.4.1 |
1021485-2 | 3-Major | BT1021485 | VDI desktops and apps freeze intermittently with VMware and Citrix | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1017233-1 | 3-Major | BT1017233 | APM uses wrong session key when iRule for ActiveSync is used resulting in passwords corruption | 17.0.0, 16.1.2, 15.1.4.1 |
1007677-1 | 3-Major | BT1007677 | Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector' | 17.0.0, 16.1.2.1, 15.1.4.1 |
1007629-1 | 3-Major | BT1007629 | APM policy configured with many ACL policies can create APM memory pressure | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
1002557-2 | 3-Major | BT1002557 | Tcl free object list growth | 16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5 |
1001337-1 | 3-Major | BT1001337 | Cannot read single sign-on configuration from GUI when logged in as guest | 15.1.4.1, 14.1.4.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1012721-1 | 2-Critical | BT1012721 | Tmm may crash with SIP-ALG deployment in a particular race condition | 17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4, 13.1.5 |
1012533-1 | 2-Critical | BT1012533 | `HTTP2::disable serverside` can cause cores | 15.1.4.1 |
1007113-1 | 2-Critical | BT1007113 | Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1025529-1 | 3-Major | BT1025529 | TMM generates core when iRule executes a nexthop command and SIP traffic is sent | 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5 |
1018285-1 | 4-Minor | BT1018285 | MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction | 17.0.0, 16.1.2, 15.1.4.1 |
1003633-3 | 4-Minor | BT1003633 | There might be wrong memory handling when message routing feature is used | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
968533 | 2-Critical | BT968533 | Rate limiting is performed for all PUSH packets in the hardware even when "Only Count Suspicious Events" is enabled for the push flood vector. | 15.1.4.1 |
1049229-2 | 2-Critical | BT1049229 | When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
997169 | 3-Major | BT997169 | AFM rule not triggered | 15.1.4.1 |
995433 | 3-Major | BT995433 | IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT | 16.1.0, 15.1.4.1, 14.1.4.5 |
1032329 | 3-Major | BT1032329 | A user with low privileges cannot open the Rule List editor. | 15.1.4.1 |
1031909-1 | 3-Major | BT1031909 | NAT policies page unusable due to the page load time | 15.1.4.1 |
987345-1 | 5-Cosmetic | BT987345 | Disabling periodic-refresh-log has no effect | 16.1.0, 15.1.4.1 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
981689-2 | 2-Critical | BT981689 | TMM memory leak with IPsec ALG | 16.1.0, 15.1.4.1, 14.1.4.2 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
984657-3 | 3-Major | BT984657 | Sysdb variable not working from tmsh | 16.0.1.2, 15.1.4.1 |
686783-2 | 4-Minor | BT686783 | UrlCat custom database feed list does not work when the URL contains a www prefix or capital letters. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1032689-3 | 4-Minor | BT1032689 | UrlCat custom database feed list does not work for some URLs | 16.1.2, 15.1.4.1, 14.1.4.5 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
929213-1 | 3-Major | BT929213 | iAppLX packages not rolled forward after BIG-IP upgrade★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
946185-1 | 3-Major | BT946185 | Unable to view iApp component due to error 'An error has occurred while trying to process your request.'★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
Cumulative fixes from BIG-IP v15.1.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
949933-1 | CVE-2021-22980 | K29282483, BT949933 | BIG-IP APM CTU vulnerability CVE-2021-22980 | 16.1.0, 16.0.1.1, 15.1.4, 14.1.4, 13.1.3.6 |
937333-2 | CVE-2022-23013 | K29500533, BT937333 | Incomplete validation of input in unspecified forms | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
889045-3 | CVE-2022-23011 | K68755210, BT889045 | Virtual server may stop responding while processing TCP traffic | 16.0.0, 15.1.4 |
1017973-2 | CVE-2021-25215 | K96223611, BT1017973 | BIND Vulnerability CVE-2021-25215 | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
1017965-2 | CVE-2021-25214 | K11426315, BT1017965 | BIND Vulnerability CVE-2021-25214 | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
981273-2 | CVE-2021-23054 | K41997459, BT981273 | APM webtop hardening | 16.1.0, 15.1.4, 14.1.5, 13.1.5 |
979877-10 | CVE-2020-1971 | K42910051, BT979877 | CVE-2020-1971 OpenSSL: EDIPARTYNAME NULL pointer de-reference vulnerability description and available information | 16.1.1, 15.1.4, 14.1.5.1 |
965485-3 | CVE-2019-5482 | K41523201 | CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
954425-2 | CVE-2022-23031 | K61112120, BT954425 | Hardening of Live-Update | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
949889-3 | CVE-2019-3900 | K04107324, BT949889 | CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx() | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
887965-1 | CVE-2022-23027 | K30573026, BT887965 | Virtual server may stop responding while processing TCP traffic | 16.0.0, 15.1.4, 14.1.4.4, 13.1.5 |
819053 | CVE-2019-13232 | K80311892, BT819053 | CVE-2019-13232 unzip: overlapping of files in ZIP container | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
803965-7 | CVE-2018-20843 | K51011533, BT803965 | Expat Vulnerability: CVE-2018-20843 | 17.0.0, 16.1.2, 15.1.4, 14.1.4.5, 13.1.5 |
797797-4 | CVE-2019-11811 | K01512680, BT797797 | CVE-2019-11811 kernel: use-after-free in drivers | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.3 |
797769-9 | CVE-2019-11599 | K51674118 | Linux vulnerability: CVE-2019-11599 | 16.1.0, 16.0.1.2, 15.1.4, 13.1.4.1 |
1013569 | CVE-2022-31473 | K34893234, BT1013569 | Hardening of iApps processing | 17.0.0, 16.1.1, 15.1.4 |
1008561-1 | CVE-2022-23025 | K44110411, BT1008561 | In very rare condition, BIG-IP may crash when SIP ALG is deployed | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
968733-6 | CVE-2018-1120 | K42202505, BT968733 | CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
939421-2 | CVE-2020-10029 | K38481791, BT939421 | CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
913729-5 | 2-Critical | BT913729 | Support for DNSSEC Lookaside Validation (DLV) has been removed. | 16.1.0, 16.0.1.2, 15.1.4 |
907765-1 | 2-Critical | BT907765 | BIG-IP system does not respond to ARP requests if it has a route to the source IP address | 16.1.0, 15.1.4 |
1014433 | 2-Critical | BT1014433 | Time stamp format is not the same for all LTM logs | 15.1.4 |
948073-2 | 3-Major | BT948073 | Dual stack download support for IP Intelligence Database | 17.0.0, 15.1.4 |
923301-2 | 3-Major | BT923301 | ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4 |
911141-3 | 3-Major | BT911141 | GTP v1 APN is not decoded/encoded properly | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
876937-3 | 3-Major | BT876937 | DNS Cache not functioning | 16.0.0, 15.1.4, 14.1.4.3 |
866073-2 | 3-Major | BT866073 | Add option to exclude stats collection in qkview to avoid very large data files | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4 |
1001865-2 | 3-Major | | No platform trunk information passed to tenant | 17.1.0, 15.1.4 |
751032-5 | 4-Minor | BT751032 | TCP receive window may open too slowly after zero-window | 16.0.0, 15.1.4, 14.1.4.4 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1032761 | 1-Blocking | BT1032761 | HA mirroring may not function correctly. | 17.1.0, 15.1.4 |
1004833-2 | 1-Blocking | BT1004833 | NIST SP800-90B compliance | 17.0.0, 16.1.3, 15.1.4, 14.1.4.2 |
1002109-3 | 1-Blocking | BT1002109 | Xen binaries do not follow security best practices | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
988645 | 2-Critical | BT988645 | Traffic may be affected after tmm is aborted and restarted | 17.1.0, 15.1.4 |
987113-1 | 2-Critical | BT987113 | CMP state degraded while under heavy traffic | 17.1.0, 15.1.4, 14.1.5 |
980325-5 | 2-Critical | BT980325 | Chmand core due to memory leak from dossier requests. | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
974241-1 | 2-Critical | BT974241 | Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades | 17.0.0, 16.1.1, 15.1.4 |
967905-2 | 2-Critical | BT967905 | Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
950673-3 | 2-Critical | BT950673 | Hardware Syncookie mode not cleared when deleting/changing virtual server config. | 16.1.0, 15.1.4 |
944513-2 | 2-Critical | BT944513 | Apache configuration file hardening | 16.1.0, 15.1.4, 14.1.4.6 |
941893-3 | 2-Critical | BT941893 | VE performance tests in Azure cause loss of connectivity to objects in configuration | 16.1.0, 15.1.4 |
928029-2 | 2-Critical | BT928029 | Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis | 17.1.0, 15.1.4, 14.1.3 |
1027637 | 2-Critical | BT1027637 | System controller failover may cause dropped requests | 17.1.0, 15.1.4 |
1016633 | 2-Critical | BT1016633 | iprep.protocol with auto-detect fails when DNS takes time to resolve | 15.1.4 |
1004517-2 | 2-Critical | BT1004517 | BIG-IP tenants on VELOS cannot install EHFs | 17.1.0, 15.1.4, 14.1.4.3 |
1000973-3 | 2-Critical | BT1000973 | Unanticipated restart of TMM due to heartbeat failure | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
998221-3 | 3-Major | BT998221 | Accessing pool members from configuration utility is slow with large config | 17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.3 |
996593-2 | 3-Major | BT996593 | Password change through REST or GUI not allowed if the password is expired | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3 |
992865 | 3-Major | BT992865 | Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances | 17.1.0, 16.1.2.2, 15.1.4 |
988793 | 3-Major | BT988793 | SecureVault on BIG-IP tenant does not store unit key securely | 17.1.0, 15.1.4 |
985537-1 | 3-Major | BT985537 | Upgrade Microsoft Hyper-V driver★ | 16.1.0, 15.1.4 |
976505-2 | 3-Major | BT976505 | Rotated restnoded logs will fail logintegrity verification. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
975809-1 | 3-Major | BT975809 | Rotated restjavad logs fail logintegrity verification. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
973201-2 | 3-Major | BT973201 | F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions★ | 16.1.0, 15.1.4, 14.1.4 |
969713-1 | 3-Major | BT969713 | IPsec interface mode tunnel may fail to pass packets after first IPsec rekey | 16.1.0, 15.1.4 |
969105-2 | 3-Major | BT969105 | HA failover connections via the management address do not work on vCMP guests running on VIPRION | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
964941-1 | 3-Major | BT964941 | IPsec interface-mode tunnel does not initiate or respond after config change | 16.1.0, 15.1.4 |
959629-2 | 3-Major | BT959629 | Logintegrity script for restjavad/restnoded fails | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
958353-2 | 3-Major | BT958353 | Restarting the mcpd messaging service renders the PAYG VE license invalid. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
956293-2 | 3-Major | BT956293 | High CPU from analytics-related REST calls - Dashboard TMUI | 16.1.0, 15.1.4, 14.1.4.4 |
946089-2 | 3-Major | BT946089 | BIG-IP might send excessive multicast/broadcast traffic. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
932497-3 | 3-Major | BT932497 | Autoscale groups require multiple syncs of datasync-global-dg | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
928697-2 | 3-Major | BT928697 | Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT | 16.1.0, 16.0.1.2, 15.1.4 |
919305-2 | 3-Major | BT919305 | Appliance mode is not working on BIG-IP 14.1.x tenant deployed on VELOS. | 17.1.0, 15.1.4 |
913849-1 | 3-Major | BT913849 | Syslog-ng periodically logs nothing for 20 seconds | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
908601-2 | 3-Major | BT908601 | System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3 |
895781-2 | 3-Major | BT895781 | Round Robin disaggregation does not disaggregate globally | 16.0.0, 15.1.4 |
880289 | 3-Major | BT880289 | FPGA firmware changes during configuration loads★ | 16.1.0, 15.1.4 |
850193-4 | 3-Major | BT850193 | Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues | 16.0.0, 15.1.4, 14.1.4.4 |
849157-2 | 3-Major | BT849157 | An outgoing SCTP connection that retransmits the INIT chunk the maximum number of times does not expire and becomes stuck | 16.0.0, 15.1.4 |
841277-7 | 3-Major | BT841277 | C4800 LCD fails to load after annunciator hot-swap | 16.0.0, 15.1.4, 14.1.4.3 |
827033-1 | 3-Major | BT827033 | Boot marker is being logged before shutdown logs | 16.0.0, 15.1.4, 14.1.4.4 |
746861-3 | 3-Major | BT746861 | SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated★ | 16.0.0, 15.1.4, 14.1.2.5 |
1029105 | 3-Major | BT1029105 | Hardware SYN cookie mode state change logs bogus virtual server address | 17.1.0, 16.1.4, 15.1.4 |
1024853 | 3-Major | BT1024853 | Platform Agent logs to ERROR severity on success | 15.1.4 |
1013649-4 | 3-Major | BT1013649 | Leftover files in /var/run/key_mgmt after key export | 16.1.0, 15.1.4 |
1010393-4 | 3-Major | BT1010393 | Unable to relax AS-path attribute in multi-path selection | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
1008837-2 | 3-Major | BT1008837 | Control plane is sluggish when mcpd processes a query for virtual server and address statistics | 17.0.0, 16.1.2.2, 15.1.4, 14.1.4.4 |
1002761-1 | 3-Major | BT1002761 | SCTP client's INIT chunks rejected repeatedly with ABORT during re-establishment of network link after failure | 17.0.0, 16.0.1.2, 15.1.4 |
962249-2 | 4-Minor | BT962249 | Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm | 17.1.0, 15.1.4 |
921365-1 | 4-Minor | BT921365 | IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby | 17.0.0, 16.1.2, 15.1.4 |
921065 | 4-Minor | BT921065 | BIG-IP systems not responding to DPD requests from initiator after failover | 16.1.0, 15.1.4 |
898441-1 | 4-Minor | BT898441 | Enable logging of IKE keys | 16.1.0, 15.1.4, 14.1.4.4 |
1004417-3 | 4-Minor | BT1004417 | Provisioning error message during boot up★ | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1029357 | 1-Blocking | BT1029357 | Performance drop during traffic test on VIPRION (B2250, C2400) platforms | 15.1.4 |
945997-2 | 2-Critical | BT945997 | LTM policy applied to HTTP/2 traffic may crash TMM | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
943101-2 | 2-Critical | BT943101 | Tmm crash in cipher group delete. | 17.1.0, 15.1.4, 14.1.3 |
942185-2 | 2-Critical | BT942185 | Non-mirrored persistence records may accumulate over time | 16.1.0, 16.0.1.2, 15.1.4 |
934461-2 | 2-Critical | BT934461 | Connection error with server with TLS1.3 single-dh-use. | 17.1.0, 15.1.4, 14.1.3 |
1039145-3 | 2-Critical | BT1039145 | Tenant mirroring channel disconnects with peer and never reconnects after failover. | 17.0.0, 15.1.4 |
1005489-2 | 2-Critical | BT1005489 | iRules with persist command might result in tmm crash. | 16.1.0, 16.0.1.2, 15.1.4 |
997929-3 | 3-Major | BT997929 | Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4 |
969637-2 | 3-Major | BT969637 | Config may fail to load with "FIPS 140 operations not available on this system" after upgrade★ | 16.1.0, 15.1.4, 14.1.4.4 |
963713-1 | 3-Major | BT963713 | HTTP/2 virtual server with translate-disable can core tmm | 16.1.0, 15.1.4 |
956133-3 | 3-Major | BT956133 | MAC address might be displayed as 'none' after upgrading.★ | 17.0.0, 16.1.4, 15.1.4, 14.1.4.4 |
944641-1 | 3-Major | BT944641 | HTTP2 send RST_STREAM when exceeding max streams | 16.1.0, 16.0.1.1, 15.1.4, 14.1.4 |
941481-2 | 3-Major | BT941481 | iRules LX - nodejs processes consuming excessive memory | 16.1.0, 15.1.4, 14.1.4.4 |
941257-1 | 3-Major | BT941257 | Occasional Nitrox3 ZIP engine hang | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
940665-1 | 3-Major | BT940665 | DTLS 1.0 support for PFS ciphers | 16.1.0, 16.0.1.2, 15.1.4 |
930385-3 | 3-Major | BT930385 | SSL filter does not re-initialize when an OCSP object is modified | 17.1.0, 15.1.4, 14.1.3 |
912425-3 | 3-Major | BT912425 | Modifying in-TMM monitor configuration may not take effect, or may result in a TMM crash | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
891373-2 | 3-Major | BT891373 | BIG-IP does not shut a connection for a HEAD request | 16.1.0, 16.0.1.2, 15.1.4 |
882549-2 | 3-Major | BT882549 | Sock driver does not use multiple queues in unsupported environments | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3 |
819329-4 | 3-Major | BT819329 | Specific FIPS device errors will not trigger failover | 16.1.0, 16.0.1.2, 15.1.4, 14.1.3.1, 13.1.5 |
818833-1 | 3-Major | BT818833 | TCP re-transmission during SYN Cookie activation results in high latency | 16.0.0, 15.1.4, 14.1.4.4 |
760050-8 | 3-Major | BT760050 | "cwnd too low" warning message seen in logs | 16.0.0, 15.1.4, 14.1.2.7, 13.1.4.1 |
1020941-2 | 3-Major | BT1020941 | HTTP/2 header frames decoding may fail with COMPRESSION_ERROR when frame delivered in multiple xfrags | 16.1.0, 15.1.4, 14.1.4.5 |
1016113-3 | 3-Major | BT1016113 | HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile. | 17.0.0, 16.1.2, 15.1.4 |
962433-4 | 4-Minor | BT962433 | HTTP::retry for a HEAD request fails to create new connection | 15.1.4, 14.1.4.3, 13.1.4.1 |
962177-2 | 4-Minor | BT962177 | Results of POLICY::names and POLICY::rules commands may be incorrect | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4, 13.1.4.1 |
912945-2 | 4-Minor | BT912945 | On a virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if the cert is ECDSA-signed | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
895557-2 | 4-Minor | BT895557 | NTLM profile logs error when used with profiles that do redirect | 17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.2 |
751586-3 | 4-Minor | BT751586 | Http2 virtual does not honour translate-address disabled | 16.0.0, 15.1.4, 14.1.2.1, 13.1.3.4, 12.1.4.1 |
1018493-2 | 4-Minor | BT1018493 | Response code 304 from TMM Cache always closes TCP connection. | 17.0.0, 16.1.2, 15.1.4, 14.1.4.5, 13.1.5 |
Performance Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
910633-1 | 2-Critical | BT910633 | Continuous 'neurond restart' message on console | 16.0.0, 15.1.4 |
1004633-3 | 2-Critical | BT1004633 | Performance degradation on KVM and VMware platforms. | 16.1.0, 15.1.4 |
948417-2 | 3-Major | BT948417 | Network Management Agent (Azure NMAgent) updates cause kernel panic | 16.1.0, 15.1.4 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1039069-2 | 1-Blocking | BT1039069 | Multiple issues affecting the RESOLV::lookup iRule command following the fix to ID1007049.★ | 17.0.0, 16.1.1, 15.1.4 |
995853-2 | 2-Critical | BT995853 | Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error. | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
918597-5 | 2-Critical | BT918597 | Under certain conditions, deleting a topology record can result in a crash. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
993489-3 | 3-Major | BT993489 | GTM daemon leaks memory when reading GTM link objects | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
973261-2 | 3-Major | BT973261 | GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
912001-3 | 3-Major | BT912001 | TMM cores on secondary blades of the Chassis system. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
864797-2 | 3-Major | BT864797 | Cached results for a record are sent following region modification | 16.1.0, 15.1.4, 14.1.4.4 |
857953-2 | 4-Minor | BT857953 | Non-functional disable/enable buttons present in GTM wide IP members page | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
996381-3 | 2-Critical | K41503304, BT996381 | ASM attack signature may not match as expected | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1 |
970329-3 | 2-Critical | K70134152, BT970329 | ASM hardening | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
965229-2 | 2-Critical | BT965229 | ASM Load hangs after upgrade★ | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
957965-1 | 2-Critical | BT957965 | Request is blocked by 'CSRF attack detected' violation with 'CSRF token absent' | 16.1.0, 15.1.4 |
898365-1 | 2-Critical | BT898365 | XML Policy cannot be imported | 16.0.0, 15.1.4 |
854001-2 | 2-Critical | BT854001 | TMM might crash in case of trusted bot signature and API protected url | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
791669-2 | 2-Critical | BT791669 | TMM might crash when Bot Defense is configured for multiple domains | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.2.3 |
1017645-2 | 2-Critical | BT1017645 | False positive HTTP compliance violation | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
986937-1 | 3-Major | BT986937 | Cannot create child policy when the signature staging setting is not equal in template and parent policy | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4 |
981785-3 | 3-Major | BT981785 | Incorrect incident severity in Event Correlation statistics | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3 |
981069-1 | 3-Major | BT981069 | Reset cause: "Internal error ( requested abort (payload release error))" | 17.0.0, 16.1.1, 15.1.4 |
964245-2 | 3-Major | BT964245 | ASM reports and enforces username always | 16.1.0, 15.1.4, 14.1.4.4, 13.1.5 |
963485-1 | 3-Major | BT963485 | Performance issue with data guard | 16.1.0, 15.1.4 |
963461-1 | 3-Major | BT963461 | ASM performance drop on the response side | 16.1.0, 16.0.1.2, 15.1.4 |
962589-2 | 3-Major | BT962589 | Full Sync Requests Caused By Failed Relayed Call to delete_suggestion | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
962497 | 3-Major | BT962497 | BD crash after ICAP response | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
955017-2 | 3-Major | BT955017 | Excessive CPU consumption by asm_config_event_handler | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1 |
951133-2 | 3-Major | BT951133 | Live Update does not work properly after upgrade★ | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4 |
950917-1 | 3-Major | BT950917 | Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034 | 17.0.0, 16.1.4, 15.1.4, 14.1.4.2, 13.1.4.1 |
946081-1 | 3-Major | BT946081 | Getcrc tool help displays directory structure instead of version | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
928717-3 | 3-Major | BT928717 | [ASM - AWS] - ASU fails to sync | 16.1.0, 15.1.4, 14.1.4.4 |
922261-2 | 3-Major | BT922261 | WebSocket server messages are logged even if it is not configured | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
920197-3 | 3-Major | BT920197 | Brute force mitigation can stop mitigating without a notification | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
912089-2 | 3-Major | BT912089 | Some roles are missing necessary permission to perform Live Update | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
907337-2 | 3-Major | BT907337 | BD crash on specific scenario | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
888289-1 | 3-Major | BT888289 | Add option to skip percent characters during normalization | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
883853-2 | 3-Major | BT883853 | Bot Defense Profile with staged signatures prevents signature update★ | 16.0.0, 15.1.4, 14.1.4.2 |
867825-4 | 3-Major | BT867825 | Export/Import on a parent policy leaves children in an inconsistent state | 16.0.0, 15.1.4, 14.1.4.4, 13.1.5 |
862793-1 | 3-Major | BT862793 | ASM replies with JS-Challenge instead of blocking page upon "Virus detected" violation | 16.0.0, 15.1.4 |
846181-3 | 3-Major | BT846181 | Request samples for some of the learning suggestions are not visible | 16.0.0, 15.1.4, 14.1.4.2 |
837333-1 | 3-Major | BT837333 | User cannot update blocking response pages after upgrade★ | 16.0.0, 15.1.4 |
830341-2 | 3-Major | BT830341 | False positives Mismatched message key on ASM TS cookie | 17.0.0, 16.1.2.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
802873-2 | 3-Major | BT802873 | Manual changes to policy imported as XML may introduce corruption for Login Pages | 16.0.0, 15.1.4, 14.1.2.7 |
673272-2 | 3-Major | BT673272 | Search by "Signature ID is" does not return results for some signature IDs | 17.0.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4 |
1022269-2 | 3-Major | BT1022269 | False positive RFC compliant violation | 17.0.0, 16.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
1005105-1 | 3-Major | BT1005105 | Requests are missing on traffic event logging | 17.0.0, 16.1.1, 15.1.4, 14.1.4.5 |
1000741-3 | 3-Major | K67397230, BT1000741 | Fixing issue with input normalization | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
952509-2 | 4-Minor | BT952509 | Cross origin AJAX requests are blocked in case there is no Origin header | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4 |
944441-2 | 4-Minor | BT944441 | BD_XML logs memory usage at TS_DEBUG level | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
941929-2 | 4-Minor | BT941929 | Google Analytics shows incorrect stats, when Google link is redirected. | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
941625-1 | 4-Minor | BT941625 | BD sometimes encounters errors related to TS cookie building | 17.0.0, 16.1.1, 15.1.4 |
941249-2 | 4-Minor | BT941249 | Improvement to getcrc tool to print cookie names when cookie attributes are involved | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
911729-2 | 4-Minor | BT911729 | Redundant learning suggestion to set a Maximum Length when parameter is already at that value | 17.0.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
1004537-1 | 4-Minor | BT1004537 | Traffic Learning: Accept actions for multiple suggestions not localized | 17.0.0, 16.1.2, 15.1.4 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
965581-2 | 2-Critical | BT965581 | Statistics are not reported to BIG-IQ | 17.1.0, 15.1.4, 14.1.4 |
932485-3 | 3-Major | BT932485 | Incorrect sum(hits_count) value in aggregate tables | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
926341-2 | 3-Major | BT926341 | RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade★ | 17.0.0, 16.1.3.1, 15.1.4, 14.1.4.4, 13.1.5 |
913085-1 | 3-Major | BT913085 | Avrd core when avrd process is stopped or restarted | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
909161-3 | 3-Major | BT909161 | A core file is generated upon avrd process restart or stop | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
833113-6 | 3-Major | BT833113 | Avrd core when sending large messages via https | 16.0.0, 15.1.4, 15.0.1.3, 14.1.4.3, 13.1.3.4 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
934393-2 | 1-Blocking | BT934393 | APM authentication fails due to delay in sessionDB readiness | 17.1.0, 15.1.4, 14.1.3 |
995029-3 | 2-Critical | BT995029 | Configuration is not updated during auto-discovery | 16.1.0, 15.1.4, 14.1.4.2 |
891505-3 | 2-Critical | BT891505 | TMM might leak memory when OAuth agent is used in APM per-request policy subroutine. | 16.0.0, 15.1.4, 14.1.2.8 |
874949-1 | 2-Critical | BT874949 | TMM may crash if traffic is run through APM per-request policy containing an empty variable assign agent. | 16.0.0, 15.1.4 |
997641 | 3-Major | BT997641 | APM policy ending with redirection results in policy execution failure | 15.1.4 |
984765-1 | 3-Major | BT984765 | APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)★ | 16.1.0, 15.1.4, 14.1.4.4 |
946125-2 | 3-Major | BT946125 | Tmm restart adds 'Revoked' tokens to 'Active' token count | 16.1.0, 15.1.4, 14.1.4.4 |
924521-2 | 3-Major | BT924521 | OneConnect does not work when WEBSSO is enabled/configured. | 16.1.0, 15.1.4, 14.1.4.3 |
903573 | 3-Major | BT903573 | AD group cache query performance | 16.1.0, 15.1.4 |
896125-2 | 3-Major | BT896125 | Reuse Windows Logon Credentials feature does not work with modern access policies | 16.1.0, 15.1.4 |
894885-3 | 3-Major | BT894885 | [SAML] SSO crash while processing client SSL request | 16.1.0, 15.1.4, 14.1.4.2 |
881641 | 3-Major | BT881641 | Errors on VPN client status window in non-English environment | 16.0.0, 15.1.4 |
869653-1 | 3-Major | BT869653 | VCMP guest secondary blade restarts when creating multiple APM profiles in a single transaction | 16.0.0, 15.1.4 |
866109-2 | 3-Major | BT866109 | JWK keys frequency does not support fewer than 60 minutes | 16.0.0, 15.1.4, 14.1.4.2, 13.1.4.1 |
827325-1 | 3-Major | BT827325 | JWT token verification failure | 16.0.0, 15.1.4 |
825493-1 | 3-Major | BT825493 | JWT token verification failure | 16.0.0, 15.1.4 |
738865-6 | 3-Major | BT738865 | MCPD might enter into loop during APM config validation | 16.0.0, 15.1.4, 14.1.4.2 |
470346-3 | 3-Major | BT470346 | Some IPv6 client connections get RST when connecting to APM virtual | 16.0.0, 15.1.4, 14.1.4.3, 13.1.5 |
1001041-3 | 3-Major | BT1001041 | Reset cause 'Illegal argument' | 16.1.0, 15.1.4, 14.1.4.4 |
939877-1 | 4-Minor | BT939877 | OAuth refresh token not found | 17.0.0, 16.1.2, 15.1.4, 14.1.4.4 |
747234-7 | 4-Minor | BT747234 | Macro policy does not find corresponding access-profile directly | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
993913-2 | 2-Critical | BT993913 | TMM SIGSEGV core in Message Routing Framework | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
974881-2 | 2-Critical | BT974881 | Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
1007821-1 | 2-Critical | BT1007821 | SIP message routing may cause tmm crash | 17.0.0, 16.1.1, 15.1.4 |
996113-1 | 3-Major | BT996113 | SIP messages with unbalanced escaped quotes in headers are dropped | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
989753-2 | 3-Major | BT989753 | In HA setup, standby fails to establish connection to server | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
957029-1 | 3-Major | BT957029 | MRF Diameter loop-detection is enabled by default | 16.1.0, 16.0.1.2, 15.1.4 |
805821-3 | 3-Major | BT805821 | GTP log message contains no useful information | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
788625-1 | 3-Major | BT788625 | A pool member is not marked up by the inband monitor even after successful connection to the pool member | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3 |
919301-3 | 4-Minor | BT919301 | GTP::ie count does not work with -message option | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
916781-1 | 4-Minor | BT916781 | Validation error while attaching DoS profile to GTP virtual | 16.1.0, 16.0.1, 15.1.4 |
913413-3 | 4-Minor | BT913413 | 'GTP::header extension count' iRule command returns 0 | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
913409-3 | 4-Minor | BT913409 | GTP::header extension command may abort connection due to unreasonable TCL error | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
913393-3 | 5-Cosmetic | BT913393 | Tmsh help page for GTP iRule contains incorrect and missing information | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
987637-2 | 1-Blocking | BT987637 | DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware | 17.1.0, 17.0.0, 15.1.4 |
992213-2 | 3-Major | BT992213 | Protocol Any displayed as HOPTOPT in AFM policy view | 17.0.0, 16.1.1, 15.1.4, 14.1.4.2 |
988761-1 | 3-Major | BT988761 | Cannot create Protected Object in GUI | 16.1.0, 15.1.4 |
988005-1 | 3-Major | BT988005 | Zero active rules counters in GUI | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
987605-2 | 3-Major | BT987605 | DDoS: ICMP attacks are not hardware-mitigated | 15.1.4 |
759799-3 | 3-Major | BT759799 | New rules cannot be compiled | 16.1.0, 15.1.4 |
685904-1 | 3-Major | BT685904 | Firewall Rule hit counts are not auto-updated after a Reset is done | 16.0.0, 15.1.4, 14.1.4.2 |
1016309-1 | 3-Major | BT1016309 | When two policies with the same properties are configured with geo property, the geo for the second policy is ignored. | 17.0.0, 15.1.4 |
1012521-2 | 3-Major | BT1012521 | BIG-IP UI file permissions | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4 |
1012413-3 | 3-Major | BT1012413 | Tmm performance impact for DDoS vector on virtual server when hardware mitigation is enabled | 17.0.0, 15.1.4 |
1000405-2 | 3-Major | BT1000405 | VLAN/Tunnels not listed when creating a new rule via GUI | 17.0.0, 16.1.1, 15.1.4 |
977005-1 | 4-Minor | BT977005 | Network Firewall Policy rules-list showing incorrect 'Any' for source column | 16.1.0, 15.1.4, 14.1.4.2 |
1038117 | 4-Minor | BT1038117 | TMM SIGSEGV with BDoS attack signature | 17.1.0, 15.1.4 |
1014609 | 4-Minor | BT1014609 | Tunnel_src_ip support for dslite event log for type field list | 15.1.4 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1019481 | 2-Critical | BT1019481 | Unable to provision PEM on VELOS platform | 17.1.0, 15.1.4 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
994985-2 | 3-Major | BT994985 | CGNAT GUI shows blank page when applying SIP profile | 17.0.0, 15.1.4, 14.1.4.2 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
968741-1 | 2-Critical | BT968741 | Traffic Intelligence pages not visible | 16.1.0, 15.1.4 |
913453-5 | 2-Critical | BT913453 | URL Categorization: wr_urldbd cores while processing urlcat-query | 16.1.0, 15.1.4, 14.1.4.4 |
901041-3 | 2-Critical | BT901041 | CEC update using incorrect method of determining number of blades in VIPRION chassis★ | 16.1.0, 16.0.1.2, 15.1.4 |
893721-2 | 2-Critical | BT893721 | PEM-provisioned systems may suffer random tmm crashes after upgrading★ | 16.1.0, 15.1.4, 14.1.4.2 |
958085-3 | 3-Major | BT958085 | IM installation fails with error: Spec file not found★ | 16.1.0, 15.1.4, 14.1.4.4 |
948573-4 | 3-Major | BT948573 | Wr_urldbd list of valid TLDs needs to be updated | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
846601-4 | 3-Major | BT846601 | Traffic classification does not update when an inactive slot becomes active after upgrade★ | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2 |
974205-3 | 4-Minor | BT974205 | Unconstrained wr_urldbd size causing box to OOM | 17.1.0, 16.1.4, 15.1.4, 14.1.4.4, 12.1.6 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
970829-5 | 2-Critical | K03310534, BT970829 | iSeries LCD incorrectly displays secure mode | 16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1018145-1 | 3-Major | BT1018145 | Firewall Manager user role is not allowed to configure/view protocol inspection profiles | 16.1.1, 15.1.4 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
822245-2 | 4-Minor | BT822245 | Large number of in-TMM monitors results in some monitors being marked down or delay in marking node down | 16.1.0, 15.1.4, 14.1.4.4 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
947925-1 | 3-Major | BT947925 | TMM may crash when executing L7 Protocol Lookup per-request policy agent | 16.1.0, 15.1.4, 14.1.4.3 |
918317-2 | 3-Major | BT918317 | SSL Orchestrator resets subsequent requests when HTTP services are being used. | 16.1.0, 15.1.4, 14.1.4.4 |
Cumulative fixes from BIG-IP v15.1.3.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
989317-12 | CVE-2021-23023 | K33757590, BT989317 | Windows Edge Client does not follow best practice | 16.1.0, 15.1.3.1 |
989009-3 | CVE-2021-23033 | K05314769, BT989009 | BD daemon may crash while processing WebSocket traffic | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1 |
981461-4 | CVE-2021-23032 | K45407662, BT981461 | Unspecified DNS responses cause TMM crash | 16.1.0, 15.1.3.1, 14.1.4.4, 13.1.5 |
980125-3 | CVE-2021-23030 | K42051445, BT980125 | BD Daemon may crash while processing WebSocket traffic | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1 |
962341 | CVE-2021-23028 | K00602225, BT962341 | BD crash while processing JSON content | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2, 13.1.4 |
946377-2 | CVE-2021-23027 | K24301698, BT946377 | HSM WebUI Hardening | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3 |
1007049-3 | CVE-2021-23034 | K30523121, BT1007049 | TMM may crash while processing DNS traffic | 16.1.0, 15.1.3.1 |
996753-2 | CVE-2021-23050 | K44553214, BT996753 | ASM BD process may crash while processing HTML traffic | 16.1.0, 16.0.1.2, 15.1.3.1 |
984613-11 | CVE-2021-23022 | K08503505, BT984613 | CVE-2020-5896 - Edge Client Installer Vulnerability | 16.1.0, 15.1.3.1 |
968349 | CVE-2021-23048 | K19012930, BT968349 | TMM crashes with unspecified message | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1 |
962069-3 | CVE-2021-23047 | K79428827, BT962069 | Excessive resource consumption while processing OCSP requests via APM | 16.1.0, 15.1.3.1, 14.1.4.4, 13.1.5 |
950017-2 | CVE-2021-23045 | K94941221, BT950017 | TMM may crash while processing SCTP traffic | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1 |
942701-2 | CVE-2021-23044 | K35408374, BT942701 | TMM may consume excessive resources while processing HTTP traffic | 16.1.0, 15.1.3.1, 14.1.4.2, 13.1.4.1 |
906377-2 | CVE-2021-23038 | K61643620, BT906377 | iRulesLX hardening | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2, 13.1.4.1 |
1015381-5 | CVE-2021-23022 | K08503505, BT1015381 | Windows Edge Client does not follow best practices while installing | 16.1.0, 15.1.3.1 |
1009773 | CVE-2021-23051 | K01153535, BT1009773 | AWS deployments of TMM may crash while processing traffic | 15.1.3.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
737692-4 | 2-Critical | BT737692 | Handle x520 PF DOWN/UP sequence automatically by VE | 15.1.3.1 |
1024421-1 | 3-Major | BT1024421 | At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log | 17.1.0, 15.1.3.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
994801-3 | 3-Major | | SCP file transfer system | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1 |
958465-2 | 3-Major | BT958465 | In BIG-IP Virtual Edition, TMM may prematurely shut down during initialization | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.4 |
950849-4 | 3-Major | BT950849 | B4450N blades report page allocation failure.★ | 16.1.0, 15.1.3.1, 14.1.4.4 |
948717-3 | 3-Major | BT948717 | F5-pf_daemon_cond_restart uses excessive CPU★ | 16.1.0, 15.1.3.1 |
1032001-1 | 3-Major | BT1032001 | Statemirror address can be configured on management network or clusterd restarting | 15.1.3.1 |
1006345-1 | 3-Major | BT1006345 | Static mac entry on trunk is not programmed on CPU-only blades | 15.1.3.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1019081-3 | 2-Critical | K97045220, BT1019081 | HTTP/2 hardening | 16.1.0, 15.1.3.1, 14.1.4.5, 13.1.5 |
1008525-2 | 2-Critical | BT1008525 | The partition text field becomes unusable when the user enters an invalid entry such as, "<, >, &, ", ', ', etc. | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3 |
994125-2 | 3-Major | BT994125 | NetHSM Sanity results are not reflecting in GUI test output box | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3 |
980821-2 | 3-Major | BT980821 | Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured. | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
943913-3 | 2-Critical | K30150004, BT943913 | ASM attack signature does not match | 16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.2, 13.1.4.1 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1020705-1 | 4-Minor | BT1020705 | "tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead of "attack_type_name" | 17.0.0, 16.1.2, 15.1.3.1, 14.1.4.4 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
999317-8 | 2-Critical | K03544414, BT999317 | Running Diagnostics report for Edge Client on Windows does not follow best practice | 17.0.0, 15.1.3.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1019453-3 | 3-Major | BT1019453 | Core generated for autodosd daemon when synchronization process is terminated | 17.0.0, 15.1.3.1 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
976365 | 3-Major | BT976365 | Traffic Classification hardening★ | 16.1.0, 15.1.3.1, 14.1.4.3 |
Cumulative fixes from BIG-IP v15.1.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
980809-2 | CVE-2021-23031 | K41351250, BT980809 | ASM REST Signature Rule Keywords Tool Hardening | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3 |
959121-4 | CVE-2021-23015 | K74151369, BT959121 | Not following best practices in Guided Configuration Bundle Install worker | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6 |
943081-3 | CVE-2021-23009 | K90603426, BT943081 | Unspecified HTTP/2 traffic may cause TMM to crash | 16.1.0, 16.0.1.1, 15.1.3 |
935433-2 | CVE-2021-23026 | K53854428, BT935433 | iControl SOAP | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1 |
882633-2 | CVE-2021-23008 | K51213246, BT882633 | Active Directory authentication does not follow current best practices | 16.1.0, 15.1.3, 14.1.4, 13.1.4, 12.1.6 |
990333-5 | CVE-2021-23016 | K75540265, BT990333 | APM may return unexpected content when processing HTTP requests | 17.0.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4 |
975465-2 | CVE-2021-23049 | K65397301, BT975465 | TMM may consume excessive resources while processing DNS iRules | 16.1.0, 16.0.1.2, 15.1.3 |
954429-2 | CVE-2021-23014 | K23203045, BT954429 | User authorization changes for live update | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
948769-5 | CVE-2021-23013 | K05300051, BT948769 | TMM panic with SCTP traffic | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6, 12.1.5.3 |
945109-2 | CVE-2015-9382 | K46641512, BT945109 | Freetype Parser Skip Token Vulnerability CVE-2015-9382 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3 |
938233-2 | CVE-2021-23042 | K93231374 | An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4, 12.1.6 |
937637-3 | CVE-2021-23002 | K71891773, BT937637 | BIG-IP APM VPN vulnerability CVE-2021-23002 | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6 |
937365-2 | CVE-2021-23041 | K42526507, BT937365 | LTM UI does not follow best practices | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1 |
907245-1 | CVE-2021-23040 | K94255403, BT907245 | AFM UI Hardening | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1 |
907201-2 | CVE-2021-23039 | K66782293, BT907201 | TMM may crash when processing IPSec traffic | 16.1.0, 16.0.1.2, 15.1.3, 14.1.2.8, 13.1.5 |
877109-1 | CVE-2021-23012 | K04234247 | Unspecified input can break intended functionality in iHealth proxy | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.4 |
842829-1 | CVE-2018-16300 CVE-2018-14881 CVE-2018-14882 CVE-2018-16230 CVE-2018-16229 CVE-2018-16227 CVE-2019-15166 CVE-2018-16228 CVE-2018-16451 CVE-2018-16452 CVE-2018-10103 CVE-2018-10105 CVE-2018-14468 | K04367730, BT842829 | Multiple tcpdump vulnerabilities | 16.0.0, 15.1.3, 14.1.3.1, 13.1.4.1 |
832757 | CVE-2017-18551 | K48073202, BT832757 | Linux kernel vulnerability CVE-2017-18551 | 15.1.3, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
803933-7 | CVE-2018-20843 | K51011533, BT803933 | Expat XML parser vulnerability CVE-2018-20843 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1 |
718189-9 | CVE-2021-23011 | K10751325, BT718189 | Unspecified IP traffic can cause low-memory conditions | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.4, 12.1.6, 11.6.5.3 |
1003557-3 | CVE-2021-23015 | K74151369, BT1003557 | Not following best practices in Guided Configuration Bundle Install worker | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4 |
1003105-3 | CVE-2021-23015 | K74151369, BT1003105 | iControl Hardening | 16.1.0, 16.0.1.2, 15.1.3 |
1002561-5 | CVE-2021-23007 | K37451543, BT1002561 | TMM vulnerability CVE-2021-23007 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6 |
825413-4 | CVE-2021-23053 | K36942191, BT825413 | ASM may consume excessive resources when matching signatures | 16.0.0, 15.1.3, 14.1.3.1, 13.1.3.6 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
776393-3 | 2-Critical | BT776393 | Restjavad restarts frequently due to insufficient memory with relatively large configurations | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
945265-4 | 3-Major | BT945265 | BGP may advertise default route with incorrect parameters | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
933777-1 | 3-Major | BT933777 | Context use and syntax changes clarification | 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4 |
930005-2 | 3-Major | BT930005 | Recover previous QUIC cwnd value on spurious loss | 16.1.0, 16.0.1.1, 15.1.3 |
913829-4 | 3-Major | BT913829 | i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
794417-4 | 3-Major | BT794417 | Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not★ | 16.1.3, 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
918097-3 | 4-Minor | BT918097 | Cookies set in the URI on Safari | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
995629-3 | 2-Critical | BT995629 | Loading UCS files may hang if ASM is provisioned★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4.1 |
990849-2 | 2-Critical | BT990849 | Loading UCS with platform-migrate option hangs and requires exiting from the command★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4.1 |
908517-3 | 2-Critical | BT908517 | LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)' | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
888341-7 | 2-Critical | BT888341 | HA Group failover may fail to complete Active/Standby state transition | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
886693-3 | 2-Critical | BT886693 | System might become unresponsive after upgrading.★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
860349-3 | 2-Critical | BT860349 | Upgrading from previous versions to 14.1 or creating a new configuration with user-template, which involves the usage of white-space character, will result in failed authentication | 16.0.0, 15.1.3, 14.1.2.8 |
785017-3 | 2-Critical | BT785017 | Secondary blades go offline after new primary is elected | 16.1.0, 15.1.3, 14.1.4, 13.1.4 |
969213-1 | 3-Major | BT969213 | VMware: management IP cannot be customized via net.mgmt.addr property | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
963049-1 | 3-Major | BT963049 | Unexpected config loss when modifying protected object | 16.1.0, 15.1.3 |
963017-2 | 3-Major | BT963017 | The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed | 16.1.0, 15.1.3, 14.1.4 |
946745-2 | 3-Major | BT946745 | 'System Integrity: Invalid' after Engineering Hotfix installation | 16.1.0, 15.1.3, 14.1.4 |
939541-2 | 3-Major | BT939541 | TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
936125-2 | 3-Major | BT936125 | SNMP request times out after configuring IPv6 trap destination | 16.1.0, 16.0.1.1, 15.1.3 |
934941-2 | 3-Major | BT934941 | Platform FIPS power-up self test failures not logged to console | 16.1.0, 15.1.3, 14.1.3.1 |
934065-1 | 3-Major | BT934065 | The turboflex-low-latency and turboflex-dns are missing in early 15.1.x and 16.0.x releases | 16.1.0, 16.0.1.2, 15.1.3 |
927941-5 | 3-Major | BT927941 | IPv6 static route BFD does not come up after OAMD restart | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6 |
922297-2 | 3-Major | BT922297 | TMM does not start when using more than 11 interfaces with more than 11 vCPUs | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4 |
914245-2 | 3-Major | BT914245 | Reboot after tmsh load sys config changes sys FPGA firmware-config value | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
914081-1 | 3-Major | BT914081 | Engineering Hotfixes missing bug titles | 16.0.0, 15.1.3, 14.1.4 |
913433-3 | 3-Major | BT913433 | On blade failure, some trunked egress traffic is dropped. | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6 |
908021-1 | 3-Major | BT908021 | Management and VLAN MAC addresses are identical | 16.1.0, 15.1.3, 14.1.3.1, 13.1.3.5 |
896553-3 | 3-Major | BT896553 | On blade failure, some trunked egress traffic is dropped. | 16.0.0, 15.1.3, 14.1.4, 13.1.3.6 |
896473-2 | 3-Major | BT896473 | Duplicate internal connections can tear down the wrong connection | 16.0.0, 15.1.3 |
893885-3 | 3-Major | BT893885 | The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation | 16.1.0, 15.1.3, 14.1.4 |
891337-1 | 3-Major | BT891337 | 'save_master_key(master): Not ready to save yet' errors in the logs | 16.0.0, 15.1.3, 14.1.4 |
889029-2 | 3-Major | BT889029 | Unable to login if LDAP user does not have search permissions | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
879829-2 | 3-Major | BT879829 | HA daemon sod cannot bind to ports numbered lower than 1024 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
876805-3 | 3-Major | BT876805 | Modifying address-list resets the route advertisement on virtual servers. | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
862937-3 | 3-Major | BT862937 | Running cpcfg after first boot can result in daemons stuck in restart loop★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
839121-3 | 3-Major | K74221031, BT839121 | A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
829821-1 | 3-Major | BT829821 | Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4 |
820845-3 | 3-Major | BT820845 | Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use. | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6 |
809205-6 | 3-Major | | CVE-2019-3855: libssh2 Vulnerability | 16.0.1.2, 15.1.3, 15.0.1.1, 14.1.2.3, 13.1.3.2, 12.1.5.1 |
803237-2 | 3-Major | BT803237 | PVA does not validate interface MTU when setting MSS | 16.0.0, 15.1.3, 14.1.4 |
799001-1 | 3-Major | BT799001 | Sflow agent does not handle disconnect from SNMPD manager correctly | 16.1.0, 15.1.3, 14.1.4 |
787885-2 | 3-Major | BT787885 | The device status is falsely showing as forced offline on the network map while actual device status is not. | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
749007-1 | 3-Major | BT749007 | South Sudan is missing in the GTM region list | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
692218-1 | 3-Major | BT692218 | Audit log messages sent from the primary blade to the secondaries should not be logged. | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
675911-12 | 3-Major | K13272442, BT675911 | Different sections of the GUI can report incorrect CPU utilization | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
615934-6 | 3-Major | BT615934 | Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. | 16.1.0, 15.1.3, 14.1.4, 13.1.3.5 |
569859-7 | 3-Major | BT569859 | Password policy enforcement for root user when mcpd is not available | 16.0.0, 15.1.3, 14.1.4.1 |
966277-1 | 4-Minor | BT966277 | BFD down on multi-blade system | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
959889-2 | 4-Minor | BT959889 | Cannot update firewall rule with ip-protocol property as 'any' | 16.1.0, 15.1.3, 14.1.4 |
947865-2 | 4-Minor | BT947865 | Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read | 16.1.0, 15.1.3, 14.1.4 |
887505-1 | 4-Minor | BT887505 | Coreexpiration script improvement | 16.1.0, 15.1.3 |
879189-1 | 4-Minor | BT879189 | Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
910653-5 | 2-Critical | BT910653 | iRule parking in clientside/serverside command may cause tmm restart | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
882157-1 | 2-Critical | BT882157 | One thread of pkcs11d consumes 100% without any traffic. | 16.0.0, 15.1.3, 14.1.4 |
738964-4 | 2-Critical | | Instruction logger debugging enhancement | 16.1.0, 15.1.3, 14.1.4.1 |
1001509 | 2-Critical | K11162395, BT1001509 | Client going through to BIG-IP SSL forward proxy might not be able to trust forged certificates | 15.1.3, 14.1.4.3 |
968641-2 | 3-Major | BT968641 | Fix for zero LACP priority | 16.0.1.2, 15.1.3, 14.1.4 |
953845-1 | 3-Major | BT953845 | After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.4, 12.1.6 |
946953-1 | 3-Major | BT946953 | HTTP::close used in iRule might not close connection. | 16.1.0, 16.0.1.1, 15.1.3 |
928857-2 | 3-Major | BT928857 | Use of OCSP responder may leak X509 store instances | 16.1.0, 15.1.3, 14.1.4 |
928805-2 | 3-Major | BT928805 | Use of OCSP responder may cause memory leakage | 16.1.0, 15.1.3, 14.1.4 |
928789-2 | 3-Major | BT928789 | Use of OCSP responder may leak SSL handshake instances | 16.1.0, 15.1.3, 14.1.4 |
921881-2 | 3-Major | BT921881 | Use of IPFIX log destination can result in increased CPU utilization | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
921721-1 | 3-Major | BT921721 | FIPS 140-2 SP800-56Arev3 compliance | 16.1.0, 15.1.3, 14.1.3 |
889601-3 | 3-Major | K14903688, BT889601 | OCSP revocation not properly checked | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
889165-3 | 3-Major | BT889165 | "http_process_state_cx_wait" errors in log and connection reset | 16.1.0, 15.1.3, 14.1.4 |
888517-2 | 3-Major | BT888517 | Busy polling leads to high CPU★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4 |
858701-1 | 3-Major | BT858701 | Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
845333-6 | 3-Major | BT845333 | An iRule with a proc referencing a datagroup cannot be assigned to Transport Config | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
842517-2 | 3-Major | BT842517 | CKR_OBJECT_HANDLE_INVALID error seen in logs and SSL handshake fails | 16.1.0, 15.1.3 |
785877-5 | 3-Major | BT785877 | VLAN groups do not bridge non-link-local multicast traffic. | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
767341-1 | 3-Major | BT767341 | If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file. | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
756812-3 | 3-Major | BT756812 | Nitrox 3 instruction/request logger may fail due to SELinux permission error | 16.1.0, 15.1.3, 14.1.4.1 |
696755-5 | 3-Major | BT696755 | HTTP/2 may truncate a response body when served from cache | 16.1.0, 16.0.1.2, 15.1.3, 14.1.0.6, 13.1.0.8 |
804157-3 | 4-Minor | BT804157 | ICMP replies are forwarded with incorrect checksums causing them to be dropped | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
748333-5 | 4-Minor | BT748333 | DHCP Relay does not retain client source IP address for chained relay mode | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
743253-2 | 4-Minor | BT743253 | TSO in software re-segments L3 fragments. | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
960749-2 | 1-Blocking | BT960749 | TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.5, 12.1.6, 11.6.5.3 |
960437-2 | 2-Critical | BT960437 | The BIG-IP system may initially fail to resolve some DNS queries | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.5, 12.1.6, 11.6.5.3 |
971297-2 | 3-Major | BT971297 | DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade★ | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
921625-2 | 3-Major | BT921625 | The certs extend function does not work for GTM/DNS sync group | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.6 |
863917-2 | 3-Major | BT863917 | The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval. | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.5, 13.1.4.1 |
858973-1 | 3-Major | BT858973 | DNS request matches less specific WideIP when adding new wildcard wideips | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
835209-3 | 3-Major | BT835209 | External monitors mark objects down | 16.0.0, 15.1.3, 14.1.4.2 |
896861-2 | 4-Minor | BT896861 | PTR query enhancement for RESOLVER::name_lookup | 16.1.0, 16.0.1.1, 15.1.3 |
885201-2 | 4-Minor | BT885201 | BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session' messages appearing in gtm log | 16.1.0, 15.1.3, 14.1.4.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
846057-3 | 2-Critical | BT846057 | UCS backup archive may include unnecessary files | 16.0.0, 15.1.3, 14.1.4, 13.1.4 |
960369-2 | 3-Major | BT960369 | Negative value suggested in Traffic Learning as max value | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
956373-2 | 3-Major | BT956373 | ASM sync files not cleaned up immediately after processing | 17.0.0, 16.1.4, 16.0.1.2, 15.1.3, 14.1.4.1 |
947341-1 | 3-Major | BT947341 | MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files. | 17.0.0, 16.1.2, 16.0.1.2, 15.1.3, 14.1.4.1 |
941621-2 | 3-Major | K91414704, BT941621 | Brute Force breaks server's Post-Redirect-Get flow | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.4 |
929077-2 | 3-Major | BT929077 | Bot Defense allow list does not apply when using default Route Domain and XFF header | 17.0.0, 16.1.4, 16.0.1.1, 15.1.3, 14.1.4 |
929001-3 | 3-Major | K48321015, BT929001 | ASM form handling improvements | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3 |
928685-2 | 3-Major | K49549213, BT928685 | ASM Brute Force mitigation not triggered as expected | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4.1 |
921677-2 | 3-Major | BT921677 | Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI. | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
910253-2 | 3-Major | BT910253 | BD error on HTTP response after upgrade★ | 16.1.0, 16.0.1.1, 15.1.3 |
884425-2 | 3-Major | BT884425 | Creation of new allowed HTTP URL is not possible | 16.0.0, 15.1.3, 14.1.3.1 |
868053-3 | 3-Major | BT868053 | Live Update service indicates update available when the latest update was already installed | 16.0.0, 15.1.3, 14.1.3.1 |
867373-4 | 3-Major | BT867373 | Methods Missing From ASM Policy | 16.0.0, 15.1.3, 14.1.4 |
864677-1 | 3-Major | BT864677 | ASM causes high mcpd CPU usage | 16.0.0, 15.1.3, 14.1.4 |
856725-1 | 3-Major | BT856725 | Missing learning suggestion for "Illegal repeated parameter name" violation | 16.0.0, 15.1.3 |
964897-2 | 4-Minor | BT964897 | Live Update - Indication of "Update Available" when there is no available update | 17.0.0, 16.0.1.2, 15.1.3, 14.1.4 |
962817-2 | 4-Minor | BT962817 | Description field of a JSON policy overwrites policy templates description | 17.0.0, 16.0.1.1, 15.1.3 |
956105-2 | 4-Minor | BT956105 | Websocket URLs content profiles are not created as expected during JSON Policy import | 16.1.0, 16.0.1.2, 15.1.3 |
935293-2 | 4-Minor | BT935293 | 'Detected Violation' Field for event logs not showing | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4, 13.1.3.5 |
922785-2 | 4-Minor | BT922785 | Live Update scheduled installation is not installing on set schedule | 17.0.0, 16.0.1.2, 15.1.3, 14.1.4 |
824093-5 | 4-Minor | BT824093 | Parameters payload parser issue | 16.0.0, 15.1.3, 14.1.4.1, 13.1.4, 12.1.6, 11.6.5.3 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
981385-3 | 3-Major | BT981385 | AVRD does not send HTTP events to BIG-IQ DCD | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.4 |
949593-3 | 3-Major | BT949593 | Unable to load config if AVR widgets were created under '[All]' partition★ | 17.0.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4 |
924945-3 | 3-Major | BT924945 | Fail to detach HTTP profile from virtual server | 17.0.0, 16.1.1, 16.0.1.2, 15.1.3 |
869049-4 | 3-Major | BT869049 | Charts discrepancy in AVR reports | 17.0.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
894565-1 | 2-Critical | BT894565 | Autodosd.default crash with SIGFPE | 16.0.0, 15.1.3, 14.1.4 |
879401-1 | 2-Critical | K90423190, BT879401 | Memory corruption during APM SAML SSO | 16.0.0, 15.1.3, 14.1.2.5 |
976501-2 | 3-Major | BT976501 | Failed to establish VPN connection | 16.1.0, 15.1.3, 14.1.4, 13.1.3.6 |
952557-2 | 3-Major | BT952557 | Azure B2C Provider OAuth URLs are updated for B2Clogin.com | 16.1.0, 15.1.3, 14.1.4 |
925573-6 | 3-Major | BT925573 | SIGSEGV: receiving a sessiondb callback response after the flow is aborted | 15.1.3, 14.1.4 |
916969-3 | 3-Major | BT916969 | Support of Microsoft Identity 2.0 platform | 16.1.0, 15.1.3, 14.1.4 |
888145-2 | 3-Major | BT888145 | When BIG-IP is deployed as SAML SP, allow APM session variables to be used in entityID property | 16.1.0, 15.1.3 |
883577-4 | 3-Major | BT883577 | ACCESS::session iRule command does not work in HTTP_RESPONSE event | 16.1.0, 15.1.3, 14.1.4.1 |
831517-2 | 3-Major | BT831517 | TMM may crash when Network Access tunnel is used | 16.0.0, 15.1.3, 14.1.2.7 |
WebAccelerator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
833213-1 | 3-Major | BT833213 | Conditional requests are served incorrectly with AAM policy in webacceleration profile | 15.1.3, 15.0.1.3, 14.1.2.3, 13.1.3.4 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
982869-1 | 3-Major | BT982869 | With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0 | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
977053-2 | 3-Major | BT977053 | TMM crash on standby due to invalid MR router instance | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
966701-2 | 3-Major | BT966701 | Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
952545-2 | 3-Major | BT952545 | 'Current Sessions' statistics of HTTP2 pool may be incorrect | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
913373-2 | 3-Major | BT913373 | No connection error after failover with MRF, and no connection mirroring | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
945853-2 | 2-Critical | BT945853 | Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession | 16.1.3, 15.1.3 |
969509-4 | 3-Major | BT969509 | Possible memory corruption due to DOS vector reset | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
965617-3 | 3-Major | BT965617 | HSB mitigation is not applied on BDoS signature with stress-based mitigation mode | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
963237-3 | 3-Major | BT963237 | Non-EDNS response with RCODE FORMERR are blocked by AFM MARFORM vector. | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
937749-3 | 3-Major | BT937749 | The 'total port blocks' value for NAT stats is limited to 64 bits of range | 16.1.0, 15.1.3 |
903561-3 | 3-Major | BT903561 | Autodosd returns small bad destination detection value when the actual traffic is high | 16.0.0, 15.1.3, 14.1.4 |
887017-3 | 3-Major | BT887017 | The dwbld daemon consumes a large amount of memory | 16.0.0, 15.1.3, 14.1.4 |
837233-3 | 3-Major | BT837233 | Application Security Administrator user role cannot use GUI to manage DoS profile | 16.0.0, 15.1.3, 14.1.4 |
716746-3 | 3-Major | BT716746 | Possible tmm restart when disabling single endpoint vector while attack is ongoing | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.2, 13.1.0.7 |
967889-1 | 4-Minor | BT967889 | Incorrect information for custom signature in DoS Protection:DoS Overview (non-http) | 16.1.0, 15.1.3, 14.1.4 |
748561-2 | 4-Minor | BT748561 | Network Firewall : Active Rules page does not list active rule entries for firewall policies associated with any context | 16.0.0, 15.1.3, 14.1.4 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
928553-3 | 2-Critical | BT928553 | LSN64 with hairpinning can lead to a tmm core in rare circumstances | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
966681-1 | 3-Major | BT966681 | NAT translation failures while using SP-DAG in a multi-blade chassis | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
998085-1 | 3-Major | BT998085 | BIG-IP DataSafe GUI does not save changes | 16.1.0, 15.1.3 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
932737-2 | 2-Critical | BT932737 | DNS & BADOS high-speed logger messages are mixed | 16.0.1.2, 15.1.3, 14.1.4 |
922597-2 | 3-Major | BT922597 | BADOS default sensitivity of 50 creates false positive attack on some sites | 16.1.0, 15.1.3, 14.1.4 |
914293-3 | 3-Major | BT914293 | TMM SIGSEGV and crash | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
874677-1 | 2-Critical | BT874677 | Traffic Classification auto signature update fails from GUI★ | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4.3 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
768085-4 | 4-Minor | BT768085 | Error in python script /usr/libexec/iAppsLX_save_pre line 79 | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
964585-3 | 3-Major | BT964585 | "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4 |
825501-3 | 3-Major | BT825501 | IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.★ | 16.1.0, 16.0.1.1, 15.1.3, 14.1.4 |
964577-3 | 4-Minor | BT964577 | IPS automatic IM download not working as expected | 16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1 |
BIG-IP Risk Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
969385-2 | 3-Major | BT969385 | Automatic attach/detach BeWAF policy to virtual server stops working for all virtual servers. | 16.0.1.2, 15.1.3 |
Cumulative fixes from BIG-IP v15.1.2.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
975233-2 | CVE-2021-22992 | K52510511, BT975233 | Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
973333-5 | CVE-2021-22991 | K56715231, BT973333 | TMM buffer-overflow vulnerability CVE-2021-22991 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3 |
955145-2 | CVE-2021-22986 | K03009991, BT955145 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3 |
954381-2 | CVE-2021-22986 | K03009991, BT954381 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3 |
953677-2 | CVE-2021-22987, CVE-2021-22988 | K18132488, K70031188, BT953677 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3 |
951705-2 | CVE-2021-22986 | K03009991, BT951705 | iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
950077-2 | CVE-2021-22987, CVE-2021-22988 | K18132488, K70031188, BT950077 | TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
981169-2 | CVE-2021-22994 | K66851119, BT981169 | F5 TMUI XSS vulnerability CVE-2021-22994 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
953729-2 | CVE-2021-22989, CVE-2021-22990 | K56142644, K45056101, BT953729 | Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
931837-1 | CVE-2020-13817 | K55376430, BT931837 | NTP has predictable timestamps | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
976925-2 | CVE-2021-23002 | K71891773, BT976925 | BIG-IP APM VPN vulnerability CVE-2021-23002 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6 |
935401-2 | CVE-2021-23001 | K06440657, BT935401 | BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
743105-2 | CVE-2021-22998 | K31934524, BT743105 | BIG-IP SNAT vulnerability CVE-2021-22998 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
867793-1 | 3-Major | BT867793 | BIG-IP sending the wrong trap code for BGP peer state | 16.0.0, 15.1.2.1, 14.1.4 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
942497-1 | 2-Critical | BT942497 | Declarative onboarding unable to download and install RPM | 16.1.0, 16.0.1.1, 15.1.2.1 |
940021-3 | 2-Critical | BT940021 | Syslog-ng hang may lead to unexpected reboot | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6 |
932437-2 | 2-Critical | BT932437 | Loading SCF file does not restore files from tar file★ | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
915305-5 | 2-Critical | BT915305 | Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.4 |
838713 | 2-Critical | BT838713 | LCD buttons are not responsive during End User Diagnostics 'Front Port LED Test' | 15.1.2.1 |
829277-2 | 2-Critical | BT829277 | A Large /config folder can cause memory exhaustion during live-install★ | 16.0.0, 15.1.2.1, 14.1.3.1 |
739505-3 | 2-Critical | BT739505 | Automatic ISO digital signature checking not required when FIPS license active★ | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.1.2 |
967745 | 3-Major | BT967745 | Last resort pool error for the modify command for Wide IP | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.4 |
956589-1 | 3-Major | BT956589 | The tmrouted daemon restarts and produces a core file | 16.1.0, 15.1.2.1, 14.1.4.6, 13.1.5 |
930905-4 | 3-Major | BT930905 | Management route lost after reboot. | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
904785-1 | 3-Major | BT904785 | Remotely authenticated users might not be able to log in over the serial console | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
896817-2 | 3-Major | BT896817 | iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
895837-3 | 3-Major | BT895837 | Mcpd crash when a traffic-matching-criteria destination-port-list is modified | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
865177-4 | 3-Major | BT865177 | Cert-LDAP returning only first entry in the sequence that matches san-other oid | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1 |
842189-4 | 3-Major | BT842189 | Tunnels removed when going offline are not restored when going back online | 16.0.0, 15.1.2.1, 14.1.2.7, 13.1.3.6, 12.1.5.3 |
830413-3 | 3-Major | BT830413 | Intermittent Virtual Edition deployment failure due to inability to access the ssh host key in Azure★ | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
806073-1 | 3-Major | BT806073 | MySQL monitor fails to connect to MySQL Server v8.0 | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1 |
767737-4 | 3-Major | BT767737 | Timing issues during startup may make an HA peer stay in the inoperative state | 16.0.0, 15.1.2.1, 14.1.3.1, 13.1.3.5 |
853101-2 | 4-Minor | BT853101 | ERROR: syntax error at or near 'FROM' at character 17 | 16.0.0, 15.1.2.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
926929-3 | 1-Blocking | BT926929 | RFC Compliance Enforcement lacks configuration availability | 16.1.0, 16.0.1.2, 15.1.2.1, 14.1.4, 13.1.4 |
911041-3 | 2-Critical | BT911041 | Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash | 16.1.0, 16.0.1.2, 15.1.2.1, 14.1.3.1 |
846217-3 | 2-Critical | BT846217 | Translucent vlan-groups set local bit in destination MAC address | 16.0.0, 15.1.2.1, 14.1.4.4 |
841469-6 | 2-Critical | BT841469 | Application traffic may fail after an internal interface failure on a VIPRION system. | 16.0.0, 15.1.2.1, 14.1.5, 13.1.3.4 |
812525-1 | 2-Critical | K27551003, BT812525 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4 |
974501-1 | 3-Major | BT974501 | Excessive memory usage by mirroring subsystem when remirroring | 16.1.0, 15.1.2.1 |
903581-1 | 3-Major | BT903581 | The pkcs11d process cannot recover under certain error condition | 16.1.0, 15.1.2.1 |
868209-3 | 3-Major | BT868209 | Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection | 16.1.0, 15.1.2.1, 14.1.4 |
863401-1 | 3-Major | BT863401 | QUIC congestion window sometimes increases inappropriately | 16.0.0, 15.1.2.1 |
858301-1 | 3-Major | K27551003, BT858301 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4, 12.1.5.2 |
858297-1 | 3-Major | K27551003, BT858297 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4, 12.1.5.2 |
858289-1 | 3-Major | K27551003, BT858289 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4 |
858285-1 | 3-Major | K27551003, BT858285 | The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it | 16.0.0, 15.1.2.1, 15.0.1.4, 14.1.4, 13.1.3.4 |
818109-1 | 3-Major | BT818109 | Certain plaintext traffic may cause SSL Orchestrator to hang | 16.0.0, 15.1.2.1, 14.1.4 |
773253-5 | 4-Minor | BT773253 | The BIG-IP may send VLAN failsafe probes from a disabled blade | 16.0.0, 15.1.2.1, 14.1.4.2, 13.1.4 |
738032-3 | 4-Minor | BT738032 | BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed. | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
953393-2 | 1-Blocking | BT953393 | TMM crashes when performing iterative DNS resolutions. | 16.1.0, 16.0.1.1, 15.1.2.1 |
891093-1 | 3-Major | BT891093 | iqsyncer does not handle stale pidfile | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
853585-1 | 4-Minor | BT853585 | REST Wide IP object presents an inconsistent lastResortPool value | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.6 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
968421-2 | 2-Critical | K30291321, BT968421 | ASM attack signature doesn't match | 16.1.0, 16.0.1.2, 15.1.2.1, 14.1.4.2, 13.1.4.1, 12.1.6, 11.6.5.3 |
865289-1 | 2-Critical | BT865289 | TMM crash following DNS resolve with Bot Defense profile | 16.0.0, 15.1.2.1 |
913757-1 | 3-Major | BT913757 | Error viewing security policy settings for virtual server with FTP Protocol Security | 16.1.0, 16.0.1.1, 15.1.2.1 |
758336-5 | 4-Minor | BT758336 | Incorrect recommendation in Online Help of Proactive Bot Defense | 16.1.0, 15.1.2.1, 14.1.4, 13.1.1.5, 12.1.5 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
934721-2 | 2-Critical | BT934721 | TMM core due to wrong assert | 16.1.0, 16.0.1.1, 15.1.2.1 |
743826-2 | 3-Major | BT743826 | Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0) | 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6 |
648242-6 | 3-Major | K73521040, BT648242 | Administrator users unable to access all partition via TMSH for AVR reports | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 14.0.0.5, 13.1.0.8, 12.1.3.2 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
896709-3 | 2-Critical | BT896709 | Add support for Restart Desktop for webtop in VMware VDI | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1, 13.1.3.6 |
924929-2 | 3-Major | BT924929 | Logging improvements for VDI plugin | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1, 13.1.3.6 |
899009 | 3-Major | BT899009 | Azure Active Directory deployment fails on BIG-IP 15.1 | 15.1.2.1 |
760629-5 | 3-Major | BT760629 | Remove Obsolete APM keys in BigDB | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
939529-2 | 3-Major | BT939529 | Branch parameter not parsed properly when topmost via header received with comma separated values | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
870381-1 | 2-Critical | BT870381 | Network Firewall Active Rule page does not load | 16.0.0, 15.1.2.1 |
919381-1 | 3-Major | | Extend AFM subscriber aware policy rule feature to support multiple subscriber groups | 16.1.0, 15.1.2.1 |
870385-5 | 3-Major | BT870385 | TMM may restart under very heavy traffic load | 16.0.0, 15.1.2.1, 14.1.2.8 |
906885-1 | 5-Cosmetic | BT906885 | Spelling mistake on AFM GUI Flow Inspector screen | 16.1.0, 15.1.2.1, 14.1.2.8 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
845313-3 | 2-Critical | BT845313 | Tmm crash under heavy load | 16.0.0, 15.1.2.1, 14.1.4 |
941169-4 | 3-Major | BT941169 | Subscriber Management is not working properly with IPv6 prefix flows. | 16.1.0, 15.1.2.1, 14.1.4 |
875401-2 | 3-Major | BT875401 | PEM subscriber lookup can fail for internet side new connections | 16.0.0, 15.1.2.1, 14.1.4 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
915489-2 | 4-Minor | BT915489 | LTM Virtual Server Health is not affected by iRule Requests dropped | 16.1.0, 16.0.1.1, 15.1.2.1, 14.1.4 |
BIG-IP Risk Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
921181 | 3-Major | BT921181 | Wrong error message upon bad credential stuffing configuration | 15.1.2.1 |
Cumulative fixes from BIG-IP v15.1.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
943125-2 | CVE-2021-23010 | K18570111, BT943125 | ASM bd may crash while processing WebSocket traffic | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
941449-2 | CVE-2021-22993 | K55237223, BT941449 | BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
921337-2 | CVE-2021-22976 | K88230177, BT921337 | BIG-IP ASM WebSocket vulnerability CVE-2021-22976 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
916821-2 | CVE-2021-22974 | K68652018, BT916821 | iControl REST vulnerability CVE-2021-22974 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6 |
882189-6 | CVE-2020-5897 | K20346072, BT882189 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5897 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5 |
882185-6 | CVE-2020-5897 | K20346072, BT882185 | BIG-IP Edge Client Windows ActiveX | 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.2 |
881317-6 | CVE-2020-5896 | K15478554, BT881317 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5 |
881293-6 | CVE-2020-5896 | K15478554, BT881293 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5 |
939845-2 | CVE-2021-23004 | K31025212, BT939845 | BIG-IP MPTCP vulnerability CVE-2021-23004 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
939841-2 | CVE-2021-23003 | K43470422, BT939841 | BIG-IP MPTCP vulnerability CVE-2021-23003 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
924961-2 | CVE-2019-20892 | K45212738, BT924961 | CVE-2019-20892: SNMP Vulnerability | 16.1.0, 16.0.1.1, 15.1.2 |
919989-2 | CVE-2020-5947 | K64571774, BT919989 | TMM does not follow TCP best practices | 16.1.0, 16.0.1, 15.1.2 |
881445-7 | CVE-2020-5898 | K69154630, BT881445 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5898 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.2 |
880361-1 | CVE-2021-22973 | K13323323, BT880361 | iRules LX vulnerability CVE-2021-22973 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
842717-6 | CVE-2020-5855 | K55102004, BT842717 | BIG-IP Edge Client for Windows vulnerability CVE-2020-5855 | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
693360-2 | CVE-2020-27721 | K52035247, BT693360 | A virtual server status changes to yellow while still available | 16.1.0, 16.0.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
773693-7 | CVE-2020-5892 | K15838353, BT773693 | CVE-2020-5892: APM Client Vulnerability | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 11.6.5.2 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
920961-2 | 3-Major | BT920961 | Devices incorrectly report 'In Sync' after an incremental sync | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
756139-3 | 3-Major | BT756139 | Inconsistent logging of hostname files when hostname contains periods | 16.0.1.1, 15.1.2, 14.1.3.1 |
754924-1 | 3-Major | BT754924 | New VLAN statistics added. | 16.0.0, 15.1.2 |
921421-3 | 4-Minor | BT921421 | iRule support to get/set UDP's Maximum Buffer Packets | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
957337-1 | 2-Critical | BT957337 | Tab complete in 'mgmt' tree is broken | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
933409-2 | 2-Critical | BT933409 | Tomcat upgrade via Engineering Hotfix causes live-update files removal★ | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
927033-2 | 2-Critical | BT927033 | Installer fails to calculate disk size of destination volume★ | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
910201-3 | 2-Critical | BT910201 | OSPF - SPF/IA calculation scheduling might get stuck infinitely | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5 |
829677-2 | 2-Critical | BT829677 | .tmp files in /var/config/rest/ may cause /var directory exhaustion | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.7, 13.1.3.5 |
796601-2 | 2-Critical | BT796601 | Invalid parameter in errdefsd while processing hostname db_variable | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5 |
943669-1 | 3-Major | BT943669 | B4450 blade reboot | 16.1.2.2, 15.1.2 |
935801-4 | 3-Major | BT935801 | HSB diagnostics are not provided under certain types of failures | 16.1.0, 15.1.2, 14.1.4.5 |
932233-2 | 3-Major | BT932233 | '@' no longer valid in SNMP community strings | 16.1.0, 16.0.1.1, 15.1.2 |
930741-2 | 3-Major | BT930741 | Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot | 16.1.0, 15.1.2, 14.1.3.1, 13.1.3.6 |
920301-1 | 3-Major | BT920301 | Unnecessarily high number of JavaScript Obfuscator instances when device is busy | 15.1.2, 14.1.3.1 |
911809-2 | 3-Major | BT911809 | TMM might crash when sending out oversize packets. | 16.0.0, 15.1.2, 14.1.3.1 |
902401-5 | 3-Major | BT902401 | OSPFd SIGSEGV core when 'ospf clear' is done on remote device | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
898705-5 | 3-Major | BT898705 | IPv6 static BFD configuration is truncated or missing | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5 |
889041-3 | 3-Major | BT889041 | Failover scripts fail to access resolv.conf due to permission issues | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
879405-1 | 3-Major | BT879405 | Incorrect value in Transparent Nexthop property | 16.1.0, 16.0.1.1, 15.1.2 |
867181-1 | 3-Major | BT867181 | ixlv: double tagging is not working | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6 |
865241-1 | 3-Major | BT865241 | Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0" | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6 |
860317-3 | 3-Major | BT860317 | JavaScript Obfuscator can hang indefinitely | 16.0.0, 15.1.2, 14.1.3.1 |
858197-2 | 3-Major | BT858197 | Merged crash when memory exhausted | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.8, 13.1.3.5 |
846441-2 | 3-Major | BT846441 | Flow-control is reset to default for secondary blade's interface | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5 |
846137-4 | 3-Major | BT846137 | The icrd returns incorrect route names in some cases | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5 |
843597-1 | 3-Major | BT843597 | Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6 |
841649-4 | 3-Major | BT841649 | Hardware accelerated connection mismatch resulting in tmm core | 16.0.0, 15.1.2, 14.1.4.1 |
838901-4 | 3-Major | BT838901 | TMM receives invalid rx descriptor from HSB hardware | 16.0.0, 15.1.2, 14.1.4, 13.1.4 |
826905-3 | 3-Major | BT826905 | Host traffic via IPv6 route pool uses incorrect source address | 16.0.0, 15.1.2, 14.1.3.1 |
816229-3 | 3-Major | BT816229 | Kernel Log Messages Logged Twice | 16.0.0, 15.1.2, 14.1.2.4 |
811053-6 | 3-Major | BT811053 | REBOOT REQUIRED prompt appears after failover and clsh reboot | 16.0.0, 15.1.2, 14.1.2.7 |
811041-7 | 3-Major | BT811041 | Out of shmem, increment amount in /etc/ha_table/ha_table.conf | 16.1.0, 15.1.2 |
810821-3 | 3-Major | BT810821 | Management interface flaps after rebooting the device. | 16.0.0, 15.1.2, 14.1.2.7, 13.1.3.5 |
789181-5 | 3-Major | BT789181 | Link Status traps are not issued on BIG-IP VE systems | 16.0.0, 15.1.2 |
755197-5 | 3-Major | BT755197 | UCS creation might fail during frequent config save transactions | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5 |
754932-1 | 3-Major | BT754932 | New SNMP MIB, sysVlanIfcStat, for VLAN statistics. | 16.0.0, 15.1.2 |
737098-1 | 3-Major | BT737098 | ASM Sync does not work when the configsync IP address is an IPv6 address | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5 |
933461-4 | 4-Minor | BT933461 | BGP multi-path candidate selection does not work properly in all cases. | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
924429-2 | 4-Minor | BT924429 | Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
892677-1 | 4-Minor | BT892677 | Loading config file with imish adds the newline character | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6 |
882713-3 | 4-Minor | BT882713 | BGP SNMP trap has the wrong sysUpTime value | 16.0.0, 15.1.2, 14.1.3.1 |
583084-6 | 4-Minor | K15101680, BT583084 | iControl produces 404 error while creating records successfully | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
941089-3 | 2-Critical | BT941089 | TMM core when using Multipath TCP | 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
915957-1 | 2-Critical | BT915957 | The wocplugin may get into a restart loop when AAM is provisioned | 15.1.2, 14.1.3 |
908873-1 | 2-Critical | BT908873 | Incorrect MRHTTP proxy handling of passthrough mode in certain scenarios may lead to tmm core | 16.0.0, 15.1.2 |
908621-2 | 2-Critical | BT908621 | Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core | 16.0.0, 15.1.2, 14.1.4.1 |
876801-5 | 2-Critical | BT876801 | Tmm crash: invalid route type | 16.0.0, 15.1.2, 14.1.4, 13.1.4 |
866481-2 | 2-Critical | BT866481 | TMM may sometimes core when HTTP-MR proxy attempts to go into passthrough mode | 16.0.0, 15.1.2 |
851345-1 | 2-Critical | BT851345 | The TMM may crash in certain rare scenarios involving HTTP/2 | 16.0.0, 15.1.2, 14.1.3.1 |
850873-3 | 2-Critical | BT850873 | LTM global SNAT sets TTL to 255 on egress. | 16.0.0, 15.1.2, 14.1.3.1 |
726518-1 | 2-Critical | BT726518 | Tmsh show command terminated with CTRL-C can cause TMM to crash. | 16.0.0, 15.1.2, 14.1.2.8, 13.1.3.6 |
705768-2 | 2-Critical | BT705768 | The dynconfd process may core and restart with multiple DNS name servers configured | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.2 |
949145-5 | 3-Major | BT949145 | Improve TCP's response to partial ACKs during loss recovery | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
948757-2 | 3-Major | BT948757 | A snat-translation address responds to ARP requests but not to ICMP ECHO requests. | 16.1.0, 16.0.1, 15.1.2, 14.1.3.1 |
940209 | 3-Major | BT940209 | Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout. | 15.1.2, 14.1.4 |
939961-2 | 3-Major | BT939961 | TCP connection is closed when necessary after HTTP::respond iRule. | 16.1.0, 16.0.1.2, 15.1.2 |
934993-2 | 3-Major | BT934993 | BIG-IP resets HTTP/2 connections when a peer exceeds a number of concurrent streams | 16.1.0, 16.0.1.1, 15.1.2 |
932033 | 3-Major | BT932033 | Chunked response may have DATA frame with END_STREAM prematurely | 15.1.2, 14.1.4 |
915605-6 | 3-Major | K56251674, BT915605 | Image install fails if iRulesLX is provisioned and /usr mounted read-write★ | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5 |
913249-2 | 3-Major | BT913249 | Restore missing UDP statistics | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
901929-2 | 3-Major | BT901929 | GARPs not sent on virtual server creation | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
892941-2 | 3-Major | K20105555, BT892941 | F5 SSL Orchestrator may fail to stop a malicious actor from exfiltrating data on a compromised client system (SNIcat) | 16.1.0, 16.0.1.1, 15.1.2, 14.1.4 |
888113-3 | 3-Major | BT888113 | TMM may core when the HTTP peer aborts the connection | 16.0.0, 15.1.2 |
879413-1 | 3-Major | BT879413 | Statsd fails to start if one or more of its *.info files becomes corrupted | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
878925-2 | 3-Major | BT878925 | SSL connection mirroring failover at end of TLS handshake | 16.0.0, 15.1.2, 14.1.4.1 |
860005-1 | 3-Major | BT860005 | Ephemeral nodes/pool members may be created for wrong FQDN name | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.2 |
857845-1 | 3-Major | BT857845 | TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6 |
850145-1 | 3-Major | BT850145 | Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed | 16.0.0, 15.1.2, 14.1.3.1 |
820333-1 | 3-Major | BT820333 | LACP working member state may be inconsistent when blade is forced offline | 16.0.0, 15.1.2, 14.1.3.1 |
809701-7 | 3-Major | BT809701 | Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist | 16.0.0, 15.1.2, 15.0.1.3, 14.1.3.1 |
803233-1 | 3-Major | BT803233 | Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable | 16.1.0, 16.0.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.2 |
790845-4 | 3-Major | BT790845 | An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default | 16.0.0, 15.1.2, 14.1.4, 13.1.3.5 |
724824-1 | 3-Major | BT724824 | Ephemeral nodes on peer devices report as unknown and unchecked after full config sync | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
714642-2 | 3-Major | BT714642 | Ephemeral pool-member state on the standby is down | 16.1.0, 16.0.1.1, 15.1.2, 14.1.4, 13.1.3.6 |
935593-4 | 4-Minor | BT935593 | Incorrect SYN re-transmission handling with FastL4 timestamp rewrite | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.5 |
895153 | 4-Minor | BT895153 | HTTP::has_responded returns incorrect values when using HTTP/2 | 15.1.2, 14.1.3.1 |
883105-1 | 4-Minor | BT883105 | HTTP/2-to-HTTP/2 virtual server with translate-address disabled does not connect | 16.1.0, 15.1.2 |
808409-4 | 4-Minor | BT808409 | Unable to specify if giaddr will be modified in DHCP relay chain | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
859717-2 | 5-Cosmetic | BT859717 | ICMP-limit-related warning messages in /var/log/ltm | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
918169-1 | 2-Critical | BT918169 | The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown. | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.7, 13.1.3.6 |
916753-2 | 2-Critical | BT916753 | RESOLV::lookup returns empty string when querying against a local virtual server, and results in possible tmm core | 16.1.0, 16.0.1.1, 15.1.2 |
905557-1 | 2-Critical | BT905557 | Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure | 16.0.0, 15.1.2, 14.1.4, 13.1.5 |
850509-1 | 2-Critical | BT850509 | Zone Trusted Signature inadequately maintained, following change of master key | 16.0.0, 15.1.2, 14.1.4.4, 13.1.5 |
837637-1 | 2-Critical | K02038650, BT837637 | Orphaned bigip_gtm.conf can cause config load failure after upgrading★ | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
926593-2 | 3-Major | BT926593 | GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout' | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
852101-1 | 3-Major | BT852101 | Monitor fails. | 16.0.0, 15.1.2, 14.1.3.1, 13.1.3.6 |
844689-1 | 3-Major | BT844689 | Possible temporary CPU usage increase with unusually large named.conf file | 16.0.0, 15.1.2, 14.1.3.1 |
746348-4 | 3-Major | BT746348 | On rare occasions, gtmd fails to process probe responses originating from the same system. | 16.0.0, 15.1.2, 14.1.2.7, 13.1.3.4, 12.1.5.2 |
644192-2 | 3-Major | K23022557, BT644192 | Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.5, 11.6.5.3 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
940249-2 | 2-Critical | BT940249 | Sensitive data is not masked after "Maximum Array/Object Elements" is reached | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.6, 11.6.5.3 |
927617-2 | 2-Critical | BT927617 | 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
941853-1 | 3-Major | BT941853 | Logging Profiles do not disassociate from virtual server when multiple changes are made | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
940897-3 | 3-Major | BT940897 | Violations are detected for incorrect parameter when "Maximum Array/Object Elements" is reached | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.6 |
918933-2 | 3-Major | K88162221, BT918933 | The BIG-IP ASM system may not properly perform signature checks on cookies | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.8, 13.1.3.6, 12.1.5.3, 11.6.5.3 |
913137-1 | 3-Major | BT913137 | No learning suggestion on ASM policies enabled via LTM policy | 16.1.0, 16.0.1.1, 15.1.2 |
904053-2 | 3-Major | BT904053 | Unable to set ASM Main Cookie/Domain Cookie hashing to Never | 16.1.0, 16.0.1.1, 15.1.2, 14.1.4, 13.1.3.6 |
893061-2 | 3-Major | BT893061 | Out of memory for restjavad | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
882769-1 | 3-Major | BT882769 | Request Log: wrong filter applied when searching by Response contains or Response does not contain | 16.0.0, 15.1.2, 14.1.2.7, 13.1.3.5 |
919001-2 | 4-Minor | BT919001 | Live Update: Update Available notification is shown twice in rare conditions | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.8 |
896285-2 | 4-Minor | BT896285 | No parent entity in suggestion to add predefined-filetype as allowed filetype | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.7 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
924301-1 | 3-Major | BT924301 | Incorrect values in REST response for DNS/SIP | 16.1.0, 16.0.1.1, 15.1.2 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
910097-2 | 2-Critical | BT910097 | Changing per-request policy while tmm is under traffic load may drop heartbeats | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
924857-1 | 3-Major | BT924857 | Logout URL with parameters resets TCP connection | 16.1.0, 16.0.1.2, 15.1.2, 14.1.4.5 |
914649-3 | 3-Major | BT914649 | Support USB redirection through VVC (VMware virtual channel) with BlastX | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6 |
739570-4 | 3-Major | BT739570 | Unable to install EPSEC package★ | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
833049-4 | 4-Minor | BT833049 | Category lookup tool in GUI may not match actual traffic categorization | 16.0.0, 15.1.2, 14.1.4, 13.1.3.5 |
766017-6 | 4-Minor | BT766017 | [APM][LocalDB] Local user database instance name length check inconsistencies★ | 16.1.0, 16.0.1.1, 15.1.2, 14.1.4.2, 13.1.3.5, 12.1.5.3 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
942581-1 | 1-Blocking | BT942581 | Timestamp cookies do not work with hardware accelerated flows | 16.1.0, 15.1.2 |
938165-1 | 2-Critical | BT938165 | TMM Core after attempted update of IP geolocation database file | 16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1 |
938149-1 | 3-Major | BT938149 | Port Block Update log message is missing the "Start time" field | 16.1.0, 16.0.1.1, 15.1.2, 14.1.2.1 |
910417-2 | 3-Major | BT910417 | TMM core may be seen when reattaching a vector to a DoS profile | 16.1.0, 16.0.1.2, 15.1.2, 14.1.4 |
872049-1 | 3-Major | BT872049 | Incorrect DoS static vectors mitigation threshold in multiplier based mode after run relearn thresholds command | 16.0.0, 15.1.2 |
871985-1 | 3-Major | BT871985 | No hardware mitigation for DoS attacks in auto-threshold mode with enabled attacked destinations detection | 16.0.0, 15.1.2 |
851745-3 | 3-Major | BT851745 | High CPU consumption when enabling a large number of virtual servers | 16.0.0, 15.1.2, 14.1.4.1 |
840809-2 | 3-Major | BT840809 | If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged | 16.0.0, 15.1.2, 14.1.4 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
842989-6 | 3-Major | BT842989 | PEM: tmm could core when running iRules on overloaded systems | 16.1.0, 15.1.2, 14.1.4 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
944785-2 | 3-Major | BT944785 | Admd restarting constantly. Out of memory due to loading malformed state file | 16.1.0, 16.0.1.2, 15.1.2, 14.1.3.1 |
923125-2 | 3-Major | BT923125 | Huge amount of admd processes caused oom | 16.1.0, 15.1.2, 14.1.3.1 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
927993-1 | 1-Blocking | K97501254, BT927993 | Built-in SSL Orchestrator RPM installation failure | 16.1.0, 16.0.1.1, 15.1.2, 14.1.4, 14.1.3, 13.1.3.6, 12.1.5.3 |
Cumulative fixes from BIG-IP v15.1.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
935721-5 | CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 | K82252291, BT935721 | ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 | 16.1.0, 16.0.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
935029-3 | CVE-2020-27720 | K04048104, BT935029 | TMM may crash while processing IPv6 NAT traffic | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
933741-2 | CVE-2021-22979 | K63497634, BT933741 | BIG-IP FPS XSS vulnerability CVE-2021-22979 | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
932065-2 | CVE-2021-22978 | K87502622, BT932065 | iControl REST vulnerability CVE-2021-22978 | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
931513-3 | CVE-2021-22977 | K14693346, BT931513 | TMM vulnerability CVE-2021-22977 | 16.1.0, 16.0.1.1, 15.1.1, 14.1.3.1, 13.1.3.6 |
928321-1 | CVE-2020-27719 | K19166530, BT928321 | K19166530: XSS vulnerability CVE-2020-27719 | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
917509-3 | CVE-2020-27718 | K58102101, BT917509 | BIG-IP ASM vulnerability CVE-2020-27718 | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
911761-2 | CVE-2020-5948 | K42696541, BT911761 | F5 TMUI XSS vulnerability CVE-2020-5948 | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
908673-5 | CVE-2020-27717 | K43850230, BT908673 | TMM may crash while processing DNS traffic | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
904165-1 | CVE-2020-27716 | K51574311, BT904165 | BIG-IP APM vulnerability CVE-2020-27716 | 16.0.0, 15.1.1, 14.1.3.1, 13.1.5 |
879745-4 | CVE-2020-5942 | K82530456 | TMM may crash while processing Diameter traffic | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
876353-1 | CVE-2020-5941 | K03125360, BT876353 | iRule command RESOLV::lookup may cause TMM to crash | 16.1.0, 16.0.1, 15.1.1 |
839453-6 | CVE-2019-10744 | K47105354, BT839453 | lodash library vulnerability CVE-2019-10744 | 16.0.0, 15.1.1, 14.1.2.7, 13.1.3.5, 12.1.5.2 |
834257-1 | CVE-2020-5931 | K25400442, BT834257 | TMM may crash when processing HTTP traffic | 16.0.0, 15.1.1, 14.1.2.5, 13.1.3.6 |
814953 | CVE-2020-5940 | K43310520, BT814953 | TMUI dashboard hardening | 16.1.0, 16.0.1, 15.1.1, 14.1.2.5 |
754855-7 | CVE-2020-27714 | K60344652, BT754855 | TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile | 16.0.0, 15.1.1, 14.1.3.1, 13.1.4 |
928037-2 | CVE-2020-27729 | K15310332, BT928037 | APM Hardening | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
919841-3 | CVE-2020-27728 | K45143221, BT919841 | AVRD may crash while processing Bot Defense traffic | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
917469-2 | CVE-2020-5946 | K53821711, BT917469 | TMM may crash while processing FPS traffic | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
912969-2 | CVE-2020-27727 | K50343630, BT912969 | iAppsLX REST vulnerability CVE-2020-27727 | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
910017-2 | CVE-2020-5945 | K21540525, BT910017 | Security hardening for the TMUI Interface page | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
905125-2 | CVE-2020-27726 | K30343902, BT905125 | Security hardening for APM Webtop | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
904937-2 | CVE-2020-27725 | K25595031, BT904937 | Excessive resource consumption in zxfrd | 16.0.0, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
889557-1 | CVE-2019-11358 | K20455158, BT889557 | jQuery Vulnerability CVE-2019-11358 | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.6, 11.6.5.3 |
880001-1 | CVE-2020-5937 | K58290051, BT880001 | TMM may crash while processing L4 behavioral DoS traffic | 16.0.0, 15.1.1 |
870273-5 | CVE-2020-5936 | K44020030, BT870273 | TMM may consume excessive resources when processing SSL traffic | 16.0.0, 15.1.1, 14.1.2.8, 13.1.5, 12.1.5.2 |
868349-1 | CVE-2020-5935 | K62830532, BT868349 | TMM may crash while processing iRules with MQTT commands | 16.0.0, 15.1.1, 14.1.2.5, 13.1.3.4 |
858349-3 | CVE-2020-5934 | K44808538, BT858349 | TMM may crash while processing SAML SLO traffic | 16.0.0, 15.1.1, 14.1.2.5 |
848405-2 | CVE-2020-5933 | K26244025, BT848405 | TMM may consume excessive resources while processing compressed HTTP traffic | 16.0.0, 15.1.1, 14.1.2.5, 13.1.3.5, 12.1.5.2, 11.6.5.2 |
839761-1 | CVE-2020-5932 | K12002065, BT839761 | Response Body preview hardening | 16.0.0, 15.1.1 |
825689-1 | CVE-2023-3470 | K000135449, BT825689 | Enhance FIPS crypto-user storage | 16.0.0, 15.1.1, 14.1.4, 13.1.4, 12.1.6 |
778049-2 | CVE-2018-13405 | K00854051, BT778049 | Linux Kernel Vulnerability: CVE-2018-13405 | 16.1.0, 16.0.1, 15.1.1, 15.0.1.4, 14.1.3.1, 13.1.3.5 |
639773-6 | CVE-2021-22983 | K76518456 | BIG-IP AFM vulnerability CVE-2021-22983 | 16.0.1, 15.1.1, 14.1.3.1 |
887637-2 | CVE-2019-3815 | K22040951, BT887637 | Systemd-journald Vulnerability: CVE-2019-3815 | 16.0.0, 15.1.1, 15.0.1.4, 14.1.2.5 |
852929-6 | CVE-2020-5920 | K25160703, BT852929 | AFM WebUI Hardening | 16.0.0, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.2, 11.6.5.2 |
818213-4 | CVE-2019-10639 | K32804955, BT818213 | CVE-2019-10639: KASLR bypass using connectionless protocols | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
818177-6 | CVE-2019-12295 | K06725231, BT818177 | CVE-2019-12295 Wireshark Vulnerability | 16.0.0, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
858537-2 | CVE-2019-1010204 | K05032915, BT858537 | CVE-2019-1010204: Binutils Vulnerability | 16.0.0, 15.1.1, 14.1.2.8 |
834533-7 | CVE-2019-15916 | K57418558, BT834533 | Linux kernel vulnerability CVE-2019-15916 | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
822377-6 | CVE-2019-10092 | K30442259, BT822377 | CVE-2019-10092: httpd mod_proxy cross-site scripting vulnerability | 16.1.0, 15.1.1, 14.1.2.8 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
912289-1 | 2-Critical | BT912289 | Cannot roll back after upgrading on certain platforms★ | 16.0.0, 15.1.1, 14.1.4, 13.1.4, 12.1.6 |
890229-1 | 3-Major | BT890229 | Source port preserve setting is not honored | 16.0.0, 15.1.1, 14.1.2.8, 13.1.3.5 |
858189-3 | 3-Major | BT858189 | Make restnoded/restjavad/icrd timeout configurable with sys db variables. | 16.0.0, 15.1.1, 14.1.2.7, 12.1.5.2 |
719338-1 | 4-Minor | BT719338 | Concurrent management SSH connections are unlimited | 16.1.0, 15.1.1, 14.1.4, 13.1.4 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
864513-1 | 1-Blocking | K48234609, BT864513 | ASM policies may not load after upgrading to 14.x or later from a previous major version★ | 16.0.0, 15.1.1, 14.1.2.7 |
896217-2 | 2-Critical | BT896217 | BIG-IP GUI unresponsive | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
876957-1 | 2-Critical | BT876957 | Reboot after tmsh load sys config changes sys FPGA firmware-config value | 16.0.0, 15.1.1, 14.1.4.1 |
871561-5 | 2-Critical | BT871561 | Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)'★ | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
860517-1 | 2-Critical | BT860517 | MCPD may crash on startup with many thousands of monitors on a system with many CPUs. | 16.0.0, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
818253-3 | 2-Critical | BT818253 | Generate signature files for logs | 16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8 |
805417-3 | 2-Critical | BT805417 | Unable to enable LDAP system auth profile debug logging | 16.0.0, 15.1.1, 14.1.2.7 |
706521-2 | 2-Critical | K21404407, BT706521 | The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
593536-9 | 2-Critical | K64445052, BT593536 | Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations | 16.0.0, 15.1.1, 14.1.2.8 |
924493-2 | 3-Major | BT924493 | VMware EULA has been updated | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
921361-2 | 3-Major | BT921361 | SSL client and SSL server profile names truncated in GUI | 16.1.0, 16.0.1.1, 15.1.1 |
915825-2 | 3-Major | BT915825 | Configuration error caused by Drafts folder in a deleted custom partition while upgrading. | 16.1.0, 15.1.1, 14.1.3.1, 13.1.3.5 |
904845-2 | 3-Major | BT904845 | VMware guest OS customization works only partially in a dual stack environment. | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
904705-2 | 3-Major | BT904705 | Cannot clone Azure marketplace instances. | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
898461-2 | 3-Major | BT898461 | Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context' | 16.1.0, 16.0.1.1, 15.1.1, 14.1.3.1 |
886689-6 | 3-Major | BT886689 | Generic Message profile cannot be used in SCTP virtual | 16.1.0, 16.0.1, 15.1.1, 15.0.1.4, 14.1.3.1 |
880625-3 | 3-Major | BT880625 | Check-host-attr enabled in LDAP system-auth creates unusable config | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
880165-2 | 3-Major | BT880165 | Auto classification signature update fails | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
867013-2 | 3-Major | BT867013 | Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout | 16.0.0, 15.1.1, 14.1.2.7, 13.1.3.5 |
850777-3 | 3-Major | BT850777 | BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config | 16.0.0, 15.1.1, 14.1.3.1 |
838297-2 | 3-Major | BT838297 | Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication | 16.0.0, 15.1.1, 14.1.2.8 |
828789-1 | 3-Major | BT828789 | Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters | 16.1.0, 15.1.1, 14.1.2.8 |
807337-5 | 3-Major | BT807337 | Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed. | 16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8 |
788577-7 | 3-Major | BT788577 | BFD sessions may be reset after CMP state change | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.2, 11.6.5.2 |
759564-2 | 3-Major | BT759564 | GUI not available after upgrade | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
740589-4 | 3-Major | BT740589 | MCPD crashes with core after 'tmsh edit /sys syslog all-properties' | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
719555-3 | 3-Major | BT719555 | Interface listed as 'disable' after SFP insertion and enable | 16.0.0, 15.1.1, 14.1.4, 13.1.5 |
489572-5 | 3-Major | K60934489, BT489572 | Sync fails if file object is created and deleted before sync to peer BIG-IP | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
431503-8 | 3-Major | K14838, BT431503 | TMSH crashes in rare initial tunnel configurations | 15.1.1, 14.1.2.8, 13.1.3.5, 11.5.0 |
921369 | 4-Minor | BT921369 | Signature verification for logs fails if the log files are modified during log rotation | 16.1.0, 15.1.1 |
914761-3 | 4-Minor | BT914761 | Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed. | 16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8 |
906889-4 | 4-Minor | BT906889 | Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows. | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
902417-2 | 4-Minor | BT902417 | Configuration error caused by Drafts folder in a deleted custom partition★ | 16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
890277-3 | 4-Minor | BT890277 | Full config sync to a device group operation takes a long time when there are a large number of partitions. | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
864757-3 | 4-Minor | BT864757 | Traps that were disabled are enabled after configuration save | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
779857-2 | 4-Minor | BT779857 | Misleading GUI error when installing a new version in another partition★ | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
751103-2 | 4-Minor | BT751103 | TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
849085-1 | 5-Cosmetic | BT849085 | Lines with only asterisks filling message and user.log file | 16.0.0, 15.1.1, 14.1.3.1 |
714176-1 | 5-Cosmetic | BT714176 | UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
889209-2 | 2-Critical | BT889209 | Sflow receiver configuration may lead to egress traffic dropped after TMM starts. | 16.0.0, 15.1.1, 14.1.4 |
879409-3 | 2-Critical | BT879409 | TMM core with mirroring traffic due to unexpected interface name length | 16.0.0, 15.1.1, 14.1.3.1 |
858429-3 | 2-Critical | BT858429 | BIG-IP system sends ICMP packets on both virtual wire interfaces. | 16.0.0, 15.1.1, 15.0.1.4, 14.1.2.8 |
851857-1 | 2-Critical | BT851857 | HTTP 100 Continue handling does not work when it arrives in multiple packets | 16.0.0, 15.1.1, 14.1.3.1, 13.1.3.5 |
851581-3 | 2-Critical | BT851581 | Server-side detach may crash TMM | 16.0.0, 15.1.1, 14.1.2.8 |
842937-6 | 2-Critical | BT842937 | TMM crash due to failed assertion 'valid node' | 16.0.0, 15.1.1, 14.1.2.7, 12.1.5.3 |
932825-2 | 3-Major | BT932825 | Delayed Gratuitous ARPs may cause traffic to go to the previous active BIG-IP device | 16.1.0, 15.1.1 |
915713-2 | 3-Major | BT915713 | Support QUIC and HTTP3 draft-29 | 16.1.0, 16.0.1.1, 15.1.1 |
915689-1 | 3-Major | BT915689 | HTTP/2 dynamic header table may fail to identify indexed headers on the response side. | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
915281-2 | 3-Major | BT915281 | Do not rearm TCP Keep Alive timer under certain conditions | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
892385 | 3-Major | BT892385 | HTTP does not process WebSocket payload when received with server HTTP response | 16.1.0, 16.0.1, 15.1.1, 15.0.1.4, 14.1.3.1, 13.1.3.5 |
883529-1 | 3-Major | BT883529 | HTTP/2 Method OPTIONS allows '*' (asterisk) as an only value for :path | 16.0.0, 15.1.1 |
851789-2 | 3-Major | BT851789 | SSL monitors flap with client certs with private key stored in FIPS | 16.0.0, 15.1.1, 14.1.2.5, 12.1.5.3 |
851477-1 | 3-Major | BT851477 | Memory allocation failures during proxy initialization are ignored leading to TMM cores | 16.0.0, 15.1.1, 14.1.3.1 |
851045-1 | 3-Major | BT851045 | LTM database monitor may hang when monitored DB server goes down | 16.0.0, 15.1.1, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
830797-3 | 3-Major | BT830797 | Standby high availability (HA) device passes traffic through virtual wire | 16.0.0, 15.1.1, 15.0.1.1, 14.1.2.3 |
816881-2 | 3-Major | BT816881 | Serverside connection may use wrong VLAN when virtual wire is configured | 16.0.0, 15.1.1, 14.1.2.8 |
801497-3 | 3-Major | BT801497 | Virtual wire with LACP pinning to one link in trunk. | 16.0.0, 15.1.1, 14.1.2.1 |
932937-2 | 4-Minor | BT932937 | HTTP Explicit Proxy configurations can result in connections hanging until idle timeout. | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
926997-1 | 4-Minor | BT926997 | QUIC HANDSHAKE_DONE profile statistics are not reset | 16.1.0, 16.0.1, 15.1.1 |
852373-3 | 4-Minor | BT852373 | HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error | 16.0.0, 15.1.1, 15.0.1.4, 14.1.2.5 |
814037-6 | 4-Minor | BT814037 | No virtual server name in Hardware Syncookie activation logs. | 16.0.0, 15.1.1, 14.1.2.8, 13.1.3.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
919553-2 | 2-Critical | BT919553 | GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets. | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5 |
788465-5 | 2-Critical | BT788465 | DNS cache idx synced across HA group could cause tmm crash | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
783125-1 | 2-Critical | BT783125 | iRule drop command on DNS traffic without Datagram-LB may cause TMM crash | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
898093-2 | 3-Major | BT898093 | Removing one member from a WideIP removes it from all WideIPs. | 16.0.0, 15.1.1 |
869361-1 | 3-Major | BT869361 | Link Controller inbound wide IP load balancing method incorrectly presented in GUI when updated | 16.0.0, 15.1.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
868641-3 | 2-Critical | BT868641 | Possible TMM crash when disabling bot profile for the entire connection | 16.0.0, 15.1.1, 14.1.2.7 |
843801-2 | 2-Critical | BT843801 | Like-named previous Signature Update installations block Live Update usage after upgrade★ | 16.0.0, 15.1.1, 14.1.2.7 |
918081-1 | 3-Major | BT918081 | Application Security Administrator role cannot create parent policy in the GUI | 16.1.0, 16.0.1.1, 15.1.1 |
913761-2 | 3-Major | BT913761 | Security - Options section in navigation menu is visible for only Administrator users | 16.1.0, 16.0.1.2, 15.1.1 |
903357-2 | 3-Major | BT903357 | Bot Defense profile list loads too slowly when there are 750 or more virtual servers | 16.1.0, 16.0.1.1, 15.1.1, 14.1.2.7 |
901061-2 | 3-Major | BT901061 | Safari browser might be blocked when using Bot Defense profile and related domains. | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
898741-2 | 3-Major | BT898741 | Missing critical files causes FIPS-140 system to halt upon boot | 16.1.0, 15.1.1, 14.1.2.7 |
892637-1 | 3-Major | BT892637 | Microservices cannot be added or modified | 16.0.0, 15.1.1 |
888285-1 | 3-Major | K18304067, BT888285 | Sensitive positional parameter not masked in 'Referer' header value | 16.0.0, 15.1.1, 14.1.2.8 |
888261-1 | 3-Major | BT888261 | Policy created with declarative WAF does not use updated template. | 16.0.0, 15.1.1 |
881757-1 | 3-Major | BT881757 | Unnecessary HTML response parsing and response payload is not compressed | 16.1.0, 16.0.1.2, 15.1.1, 14.1.4.2 |
880753-3 | 3-Major | K38157961, BT880753 | Possible issues when using DoSL7 and Bot Defense profile on the same virtual server | 16.0.0, 15.1.1, 15.0.1.4, 14.1.2.7 |
879777-3 | 4-Minor | BT879777 | Retrieve browser cookie from related domain instead of performing another Bot Defense browser verification challenge | 16.0.0, 15.1.1, 14.1.2.8 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
908065-2 | 3-Major | BT908065 | Logrotation for /var/log/avr blocked by files with .1 suffix | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
819301-2 | 3-Major | BT819301 | Incorrect values in REST response for dos-l3 table | 16.1.0, 16.0.1, 15.1.1 |
866613-4 | 4-Minor | BT866613 | Missing MaxMemory Attribute | 16.0.0, 15.1.1, 14.1.2.8, 13.1.3.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
886729-2 | 2-Critical | BT886729 | Intermittent TMM crash in per-request-policy allow-ending agent | 16.0.0, 15.1.1 |
838861-3 | 2-Critical | BT838861 | TMM might crash once after upgrading SSL Orchestrator★ | 16.0.0, 15.1.1, 14.1.2.7 |
579219-5 | 2-Critical | BT579219 | Access keys missing from SessionDB after multi-blade reboot. | 16.0.0, 15.1.1, 14.1.2.8, 13.1.5 |
892937-2 | 3-Major | K20105555, BT892937 | F5 SSL Orchestrator may fail to stop a malicious actor from exfiltrating data on a compromised client system (SNIcat) | 16.1.0, 16.0.1, 15.1.1, 14.1.4 |
857589-1 | 3-Major | BT857589 | On Citrix Workspace app clicking 'Refresh Apps' after signing out fails with message 'Refresh Failed' | 16.0.0, 15.1.1 |
771961-3 | 3-Major | BT771961 | While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core | 16.0.0, 15.1.1, 14.1.3.1 |
747020-2 | 3-Major | BT747020 | Requests that evaluate to same subsession can be processed concurrently | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
679751-2 | 4-Minor | BT679751 | Authorization header can cause a connection reset | 16.1.0, 15.1.1, 14.1.2.8, 13.1.3.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
868781-1 | 2-Critical | BT868781 | TMM crashes while processing MRF traffic | 16.0.0, 15.1.1, 14.1.4.2, 13.1.4.1 |
898997-2 | 3-Major | BT898997 | GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes | 16.1.0, 16.0.1, 15.1.1, 14.1.2.7 |
891385-2 | 3-Major | BT891385 | Add support for URI protocol type "urn" in MRF SIP load balancing | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
697331-2 | 3-Major | BT697331 | Some TMOS tools for querying various DBs fail when only a single TMM is running | 16.0.0, 15.1.1, 14.1.3.1, 14.1.3 |
924349-2 | 4-Minor | | DIAMETER MRF is not compliant with RFC 6733 for Host-ip-Address AVP over SCTP | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
872645-2 | 3-Major | BT872645 | Protected Object Aggregate stats are causing elevated CPU usage | 16.0.0, 15.1.1, 14.1.3.1 |
852289-4 | 3-Major | K23278332, BT852289 | DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector | 16.0.0, 15.1.1, 14.1.2.5, 13.1.3.4 |
789857 | 3-Major | BT789857 | 'TCP half open' reports drops made by LTM syn-cookies mitigation. | 15.1.1, 14.1.4 |
920361-2 | 4-Minor | BT920361 | Standby device name sent in Traffic Statistics syslog/Splunk messages | 16.1.0, 15.1.1, 14.1.3.1 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
876581-2 | 3-Major | BT876581 | JavaScript engine file is empty if the original HTML page cached for too long | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8, 13.1.3.5 |
891729-2 | 4-Minor | BT891729 | Errors in datasyncd.log★ | 16.1.0, 16.0.1, 15.1.1, 14.1.2.8 |
759988-2 | 4-Minor | BT759988 | Geolocation information inconsistently formatted | 16.1.0, 16.0.1, 15.1.1 |
940401-2 | 5-Cosmetic | BT940401 | Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection' | 16.1.0, 16.0.1, 15.1.1, 14.1.3.1, 13.1.3.5, 12.1.5.3 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
937281-3 | 3-Major | BT937281 | SSL Orchestrator pool members are limited to 20 with Standalone license | 16.1.0, 16.0.0.1, 15.1.1 |
Cumulative fixes from BIG-IP v15.1.0.5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
912221-1 | CVE-2020-12662, CVE-2020-12663 | K37661551, BT912221 | CVE-2020-12662 & CVE-2020-12663 | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5, 12.1.6, 11.6.5.3 |
900905-3 | CVE-2020-5926 | K42830212, BT900905 | TMM may crash while processing SIP data | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7 |
888417-5 | CVE-2020-8840 | K15320518, BT888417 | Apache Vulnerability: CVE-2020-8840 | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7 |
883717-1 | CVE-2020-5914 | K37466356, BT883717 | BD crash on specific server cookie scenario | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
841577-2 | CVE-2020-5922 | K20606443, BT841577 | iControl REST hardening | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4, 12.1.5.2 |
838677-1 | CVE-2019-10744 | K47105354, BT838677 | lodash library vulnerability CVE-2019-10744 | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4 |
837773-7 | CVE-2020-5912 | K12936322, BT837773 | Restjavad Storage and Configuration Hardening | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3, 11.6.5.2 |
788057-3 | CVE-2020-5921 | K00103216, BT788057 | MCPD may crash while processing syncookies | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5, 12.1.5.2, 11.6.5.3 |
917005-5 | CVE-2020-8619 | K19807532 | ISC BIND Vulnerability: CVE-2020-8619 | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.7, 13.1.3.5, 12.1.6, 11.6.5.3 |
909837-1 | CVE-2020-5950 | K05204103, BT909837 | TMM may consume excessive resources when AFM is provisioned | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5 |
902141-1 | CVE-2020-5919 | K94563369, BT902141 | TMM may crash while processing APM data | 16.0.0, 15.1.0.5 |
898949-1 | CVE-2020-27724 | K04518313, BT898949 | APM may consume excessive resources while processing VPN traffic | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.3.1, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
888489-2 | CVE-2020-5927 | K55873574, BT888489 | ASM UI hardening | 16.1.0, 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7 |
886085-5 | CVE-2020-5925 | K45421311, BT886085 | BIG-IP TMM vulnerability CVE-2020-5925 | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
872673-1 | CVE-2020-5918 | K26464312, BT872673 | TMM can crash when processing SCTP traffic | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
856961-7 | CVE-2018-12207 | K17269881, BT856961 | INTEL-SA-00201 MCE vulnerability CVE-2018-12207 | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.8, 13.1.3.5 |
837837-2 | CVE-2020-5917 | K43404629, BT837837 | F5 SSH server key size vulnerability CVE-2020-5917 | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 12.1.5.2 |
832885-1 | CVE-2020-5923 | K05975972, BT832885 | Self-IP hardening | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
830481-1 | CVE-2020-5916 | K29923912, BT830481 | SSL TMUI hardening | 16.0.0, 15.1.0.5, 15.0.1.4 |
816413-5 | CVE-2019-1125 | K31085564, BT816413 | CVE-2019-1125: Spectre SWAPGS Gadget | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
811789-7 | CVE-2020-5915 | K57214921, BT811789 | Device trust UI hardening | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3, 11.6.5.2 |
888493-2 | CVE-2020-5928 | K40843345, BT888493 | ASM GUI Hardening | 16.1.0, 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5, 12.1.5.2 |
748122-8 | CVE-2018-15333 | K53620021, BT748122 | BIG-IP Vulnerability CVE-2018-15333 | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5 |
746091-8 | CVE-2019-19151 | K21711352, BT746091 | TMSH Vulnerability: CVE-2019-19151 | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3 |
717276-9 | CVE-2020-5930 | K20622530, BT717276 | TMM Route Metrics Hardening | 16.0.0, 15.1.0.5, 14.1.2.8, 13.1.3.4, 12.1.5.3, 11.6.5.3 |
839145-3 | CVE-2019-10744 | K47105354, BT839145 | CVE-2019-10744: lodash vulnerability | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.7 |
767269-5 | CVE-2018-16884 | K21430012 | Linux kernel vulnerability: CVE-2018-16884 | 16.0.0, 15.1.0.5, 14.1.2.8 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
816233-1 | 2-Critical | BT816233 | Session and authentication cookies should use larger character set | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7 |
890421-2 | 3-Major | BT890421 | New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers★ | 16.0.0, 15.1.0.5, 15.0.1.3 |
691499-5 | 3-Major | BT691499 | GTP::ie primitives in iRule to be certified | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4 |
745465-4 | 4-Minor | BT745465 | The tcpdump file does not provide the correct extension | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
934241-2 | 1-Blocking | BT934241 | TMM may core when using FastL4's hardware offloading feature | 16.1.0, 15.1.0.5 |
891477-3 | 2-Critical | BT891477 | No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7 |
890513-2 | 2-Critical | BT890513 | MCPD fails to load configuration from binary database | 16.0.0, 15.1.0.5, 14.1.4 |
849405-2 | 2-Critical | BT849405 | LTM v14.1.2.1 does not log after upgrade★ | 16.0.0, 15.1.0.5, 14.1.2.5 |
842865-2 | 2-Critical | BT842865 | Add support for Auto MAC configuration (ixlv) | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.8 |
739507-3 | 2-Critical | BT739507 | Improved recovery method for BIG-IP system that has halted from a failed FIPS integrity check | 16.1.0, 15.1.0.5, 14.1.4, 13.1.1.2 |
927901-4 | 3-Major | BT927901 | After BIG-IP reboot, vxnet interfaces come up as uninitialized | 15.1.0.5 |
915497-2 | 3-Major | BT915497 | New Traffic Class Page shows multiple question marks. | 16.1.0, 16.0.1.1, 15.1.0.5, 14.1.3.1 |
907549-1 | 3-Major | BT907549 | Memory leak in BWC::Measure | 17.0.0, 16.1.2.2, 15.1.0.5, 14.1.5 |
891721-3 | 3-Major | BT891721 | Anti-Fraud Profile URLs with query strings do not load successfully | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7 |
888497-2 | 3-Major | BT888497 | Cacheable HTTP Response | 16.1.0, 16.0.1.1, 15.1.0.5, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
887089-1 | 3-Major | BT887089 | Upgrade can fail when filenames contain spaces | 16.1.0, 15.1.0.5, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
877145-4 | 3-Major | BT877145 | Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException | 16.0.0, 15.1.0.5, 15.0.1.3 |
871657-1 | 3-Major | BT871657 | Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5, 12.1.5.3 |
844085-1 | 3-Major | BT844085 | GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.8 |
842125-6 | 3-Major | BT842125 | Unable to reconnect outgoing SCTP connections that have previously aborted | 16.0.0, 15.1.0.5, 14.1.2.5, 13.1.3.4 |
821309-1 | 3-Major | BT821309 | After an initial boot, mcpd has a defunct child "systemctl" process | 16.0.0, 15.1.0.5, 14.1.2.7 |
814585-1 | 3-Major | BT814585 | PPTP profile option not available when creating or modifying virtual servers in GUI | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.8, 13.1.3.5, 12.1.5.3 |
807005-5 | 3-Major | BT807005 | Save-on-auto-sync is not working as expected with large configuration objects | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.4, 12.1.5.3, 11.6.5.2 |
802685-2 | 3-Major | BT802685 | Unable to configure performance HTTP virtual server via GUI | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
797829-6 | 3-Major | BT797829 | The BIG-IP system may fail to deploy new or reconfigure existing iApps | 16.1.0, 16.0.1.1, 15.1.0.5, 14.1.2.8, 13.1.3.5 |
785741-3 | 3-Major | K19131357, BT785741 | Unable to login using LDAP with 'user-template' configuration | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.3 |
760622-5 | 3-Major | BT760622 | Allow Device Certificate renewal from BIG-IP Configuration Utility | 16.0.0, 15.1.0.5 |
405329-3 | 3-Major | | The imish utility cores while checking help strings for OSPF6 vertex-threshold | 16.0.0, 15.1.0.5, 14.1.4.6 |
919745-2 | 4-Minor | BT919745 | CSV files downloaded from the Dashboard have the first row with all 'NaN' | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.8 |
918209-3 | 4-Minor | BT918209 | GUI Network Map icons color scheme is not section 508 compliant | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.8 |
851393-1 | 4-Minor | BT851393 | Tmipsecd leaves a zombie rm process running after starting up | 16.0.0, 15.1.0.5, 14.1.4.4 |
804309-1 | 4-Minor | BT804309 | [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5 |
713614-7 | 4-Minor | BT713614 | Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only) | 16.0.0, 15.1.0.5, 14.1.4.6, 13.1.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
925989 | 2-Critical | BT925989 | Certain BIG-IP appliances with HSMs cannot upgrade to v15.1.0.4★ | 15.1.0.5 |
839749-3 | 2-Critical | BT839749 | Virtual server with specific address list might fail to create via GUI | 16.0.0, 15.1.0.5, 15.0.1.1, 14.1.2.8 |
715032-1 | 2-Critical | K73302459, BT715032 | iRulesLX Hardening | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3 |
916589-2 | 3-Major | BT916589 | QUIC drops 0RTT packets if CID length changes | 16.1.0, 16.0.1.1, 15.1.0.5 |
910521-2 | 3-Major | BT910521 | Support QUIC and HTTP draft-28 | 16.1.0, 16.0.1, 15.1.0.5 |
893281-3 | 3-Major | BT893281 | Possible ssl stall on closed client handshake | 16.1.0, 15.1.0.5, 14.1.2.7 |
813701-6 | 3-Major | BT813701 | Proxy ARP failure | 16.0.0, 15.1.0.5, 14.1.2.7 |
788753-2 | 3-Major | BT788753 | GATEWAY_ICMP monitor marks node down with wrong error code | 16.0.0, 15.1.0.5, 14.1.2.8, 13.1.3.4 |
786517-5 | 3-Major | BT786517 | Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address | 16.0.0, 15.1.0.5, 14.1.3.1, 13.1.3.5 |
720440-6 | 3-Major | BT720440 | Radius monitor marks pool members down after 6 seconds | 16.0.0, 15.1.0.5, 14.1.3.1, 13.1.3.6, 12.1.5.2 |
914681-2 | 4-Minor | BT914681 | Value of tmm.quic.log.level can differ between TMSH and GUI | 16.1.0, 16.0.1.1, 15.1.0.5 |
714502-3 | 4-Minor | BT714502 | bigd restarts after loading a UCS for the first time | 16.0.0, 15.1.0.5, 14.1.2.7 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
789421-4 | 3-Major | BT789421 | Resource-administrator cannot create GTM server object through GUI | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.7 |
774257-4 | 5-Cosmetic | BT774257 | tmsh show gtm pool and tmsh show gtm wideip print duplicate object types | 16.0.0, 15.1.0.5, 14.1.2.7 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
904593-1 | 2-Critical | BT904593 | Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled | 16.1.0, 15.1.0.5, 14.1.2.7 |
865461-1 | 2-Critical | BT865461 | BD crash on specific scenario | 16.0.0, 15.1.0.5, 14.1.2.7 |
850641-2 | 2-Critical | BT850641 | Incorrect parameter created for names with non-ASCII characters in non-UTF8 policies | 16.0.0, 15.1.0.5 |
900797-2 | 3-Major | BT900797 | Brute Force Protection (BFP) hash table entry cleanup | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
900793-1 | 3-Major | K32055534, BT900793 | APM Brute Force Protection resources do not scale automatically | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
900789-2 | 3-Major | BT900789 | Alert before Brute Force Protection (BFP) hash are fully utilized | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
892653-1 | 3-Major | BT892653 | Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI | 16.1.0, 16.0.1, 15.1.0.5, 14.1.2.7 |
880789-3 | 3-Major | BT880789 | ASMConfig Handler undergoes frequent restarts | 16.0.0, 15.1.0.5, 14.1.2.7 |
874753-3 | 3-Major | BT874753 | Filtering by Bot Categories on Bot Requests Log shows 0 events | 16.0.0, 15.1.0.5, 14.1.2.7 |
871905-2 | 3-Major | K02705117, BT871905 | Incorrect masking of parameters in event log | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.5 |
868721-1 | 3-Major | BT868721 | Transactions are held for a long time on specific server related conditions | 16.0.0, 15.1.0.5, 14.1.2.7 |
863609-4 | 3-Major | BT863609 | Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies | 16.0.0, 15.1.0.5, 14.1.2.7 |
854177-5 | 3-Major | BT854177 | ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality | 16.0.0, 15.1.0.5, 14.1.2.5, 13.1.3.4, 12.1.5.1 |
850677-4 | 3-Major | BT850677 | Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy | 16.0.0, 15.1.0.5, 14.1.2.7 |
848445-1 | 3-Major | K86285055, BT848445 | Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer★ | 16.0.0, 15.1.0.5, 14.1.2.8, 13.1.3.5, 12.1.5.3, 11.6.5.3 |
833685-5 | 3-Major | BT833685 | Idle async handlers can remain loaded for a long time doing nothing | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5, 12.1.5.3 |
809125-5 | 3-Major | BT809125 | CSRF false positive | 16.0.0, 15.1.0.5, 14.1.2.7, 12.1.5.1 |
799749-2 | 3-Major | BT799749 | Asm logrotate fails to rotate | 16.0.0, 15.1.0.5, 14.1.2.7 |
783165-1 | 3-Major | BT783165 | Bot Defense whitelists do not apply for url "Any" after modifying the Bot Defense profile | 16.0.0, 15.1.0.5, 14.1.2.7 |
742549-3 | 3-Major | BT742549 | Cannot create non-ASCII entities in non-UTF ASM policy using REST | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.6 |
722337-2 | 3-Major | BT722337 | Always show violations in request log when post request is large | 16.1.0, 16.0.1.1, 15.1.0.5, 14.1.2.7, 13.1.3.5 |
640842-5 | 3-Major | BT640842 | ASM end user using mobile might be blocked when CSRF is enabled | 16.0.0, 15.1.0.5, 14.1.2.7 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
828937-1 | 2-Critical | K45725467, BT828937 | Some systems can experience periodic high IO wait due to AVR data aggregation | 16.0.0, 15.1.0.5, 14.1.2.5, 13.1.3.4 |
902485-3 | 3-Major | BT902485 | Incorrect pool member concurrent connection value | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
841305-2 | 3-Major | BT841305 | HTTP/2 version chart reports are empty in GUI; error appears in GUI and reported in monpd log | 16.1.0, 16.0.1, 15.1.0.5 |
838685-4 | 3-Major | BT838685 | DoS report exists in per-widget but not under individual virtual | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
884797-4 | 3-Major | BT884797 | Portal Access: in some cases data is not delivered via WebSocket connection | 16.0.0, 15.1.0.5, 14.1.2.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
921773-2 | 3-Major | BT921773 | Diameter initial negotiation is not rejected when no common application is set | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4 |
904373-3 | 3-Major | BT904373 | MRF GenericMessage: Implement limit to message queues size | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4, 14.1.3.1 |
876953-2 | 3-Major | BT876953 | Tmm crash while passing diameter traffic | 16.1.0, 16.0.1, 15.1.0.5, 15.0.1.4 |
876077-1 | 3-Major | BT876077 | MRF DIAMETER: stale pending retransmission entries may not be cleaned up | 16.1.0, 15.1.0.5, 15.0.1.4, 14.1.2.5 |
868381-1 | 3-Major | BT868381 | MRF DIAMETER: Retransmission queue unable to delete stale entries | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5 |
866021-1 | 3-Major | BT866021 | Diameter Mirror connection lost on the standby due to "process ingress error" | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2 |
824149-5 | 3-Major | BT824149 | SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4 |
815877-2 | 3-Major | BT815877 | Information Elements with zero-length value are rejected by the GTP parser | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.5, 12.1.5.2, 11.6.5.3 |
696348-5 | 3-Major | BT696348 | "GTP::ie insert" and "GTP::ie append" do not work without "-message" option | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4 |
788513-6 | 4-Minor | BT788513 | Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.7, 13.1.3.4, 12.1.5.2 |
793005-1 | 5-Cosmetic | BT793005 | 'Current Sessions' statistic of MRF/Diameter pool may be incorrect | 16.0.0, 15.1.0.5, 14.1.2.7, 13.1.3.4 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
802421-6 | 2-Critical | BT802421 | The /var partition may become 100% full requiring manual intervention to clear space | 16.0.0, 15.1.0.5, 14.1.2.7 |
757279-3 | 3-Major | BT757279 | LDAP authenticated Firewall Manager role cannot edit firewall policies | 15.1.0.5, 14.1.2.8, 13.1.1.5 |
896917 | 4-Minor | BT896917 | The fw_zone_stat 'Hits' field may not increment in some scenarios | 15.1.0.5 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
839597-6 | 3-Major | BT839597 | Restjavad fails to start if provision.extramb has a large value | 16.0.0, 15.1.0.5, 15.0.1.4, 14.1.2.5, 13.1.3.4 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
886717-1 | 3-Major | BT886717 | TMM crashes while using SSL Orchestrator. | 16.0.0, 15.1.0.5 |
886713-1 | 4-Minor | BT886713 | Error log seen in case of SSL Orchestrator configured with http service during connection close. | 16.0.0, 15.1.0.5, 14.1.2.5 |
Cumulative fixes from BIG-IP v15.1.0.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
900757-2 | CVE-2020-5902 | K52145254, BT900757 | TMUI RCE vulnerability CVE-2020-5902 | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4 |
895525-2 | CVE-2020-5902 | K52145254, BT895525 | TMUI RCE vulnerability CVE-2020-5902 | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
909237-6 | CVE-2020-8617 | K05544642 | CVE-2020-8617: BIND Vulnerability | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
909233-6 | CVE-2020-8616 | K97810133, BT909233 | DNS Hardening | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
905905-1 | CVE-2020-5904 | K31301245, BT905905 | TMUI CSRF vulnerability CVE-2020-5904 | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2 |
895993-2 | CVE-2020-5902 | K52145254, BT895993 | TMUI RCE vulnerability CVE-2020-5902 | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
895981-2 | CVE-2020-5902 | K52145254, BT895981 | TMUI RCE vulnerability CVE-2020-5902 | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2 |
895881-1 | CVE-2020-5903 | K43638305, BT895881 | BIG-IP TMUI XSS vulnerability CVE-2020-5903 | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.2 |
891457-2 | CVE-2020-5939 | K75111593, BT891457 | NIC driver may fail while transmitting data | 16.1.0, 16.0.1, 15.1.0.4, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
859089-7 | CVE-2020-5907 | K00091341, BT859089 | TMSH allows SFTP utility access | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.3, 11.6.5.2 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
909673 | 2-Critical | BT909673 | TMM crashes when VLAN SYN cookie feature is used on iSeries i2x00 and i4x00 platforms | 17.1.0, 15.1.0.4 |
882557-2 | 3-Major | BT882557 | TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher) | 16.0.0, 15.1.0.4, 15.0.1.4, 14.1.2.5, 13.1.3.4 |
878893-3 | 3-Major | BT878893 | During system shutdown it is possible for the sflow_agent to core | 16.0.0, 15.1.0.4 |
858769-6 | 3-Major | K82498430, BT858769 | Net-snmp library must be upgraded to 5.8 in order to support SHA-2 | 16.0.0, 15.1.0.4 |
829193-4 | 3-Major | BT829193 | REST system unavailable due to disk corruption | 16.0.0, 15.1.0.4, 14.1.3.1, 13.1.3.6 |
826265-5 | 3-Major | BT826265 | The SNMPv3 engineBoots value restarts at 1 after an upgrade | 16.0.0, 15.1.0.4 |
812493-4 | 3-Major | BT812493 | When engineID is reconfigured, snmp and alert daemons must be restarted★ | 16.0.0, 15.1.0.4 |
810381-2 | 3-Major | BT810381 | The SNMP max message size check is being incorrectly applied. | 16.0.0, 15.1.0.4, 14.1.2.8, 13.1.3.5 |
743234-6 | 3-Major | BT743234 | Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons | 16.0.0, 15.1.0.4 |
774617-3 | 4-Minor | BT774617 | SNMP daemon reports integer truncation error for values greater than 32 bits | 16.0.0, 15.1.0.4, 14.1.4 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
910177 | 2-Critical | BT910177 | Poor HTTP/3 throughput | 15.1.0.4 |
848777-3 | 3-Major | BT848777 | Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node. | 16.0.0, 15.1.0.4, 14.1.2.7 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
892621-1 | 3-Major | BT892621 | Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software | 16.0.0, 15.1.0.4, 14.1.3 |
Cumulative fixes from BIG-IP v15.1.0.3 that are included in this release
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
889505 | 3-Major | BT889505 | Added SNMP OIDs for gathering total number of PBAs and percentage of PBAs available | 16.0.0, 15.1.0.3 |
888569 | 3-Major | BT888569 | Added PBA stats for total number of free PBAs, and percent free PBAs | 16.0.0, 15.1.0.3 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
795649-5 | 3-Major | BT795649 | Loading UCS from one iSeries model to another causes FPGA to fail to load | 16.0.0, 15.1.0.3, 14.1.3.1, 13.1.3.5, 12.1.5.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
883513-1 | 3-Major | BT883513 | Support for QUIC and HTTP/3 draft-27 | 16.0.0, 15.1.0.3 |
828601-1 | 3-Major | BT828601 | IPv6 Management route is preferred over IPv6 tmm route | 16.0.0, 15.1.0.3, 14.1.2.7, 13.1.3.5 |
758599-3 | 3-Major | BT758599 | IPv6 Management route is preferred over IPv6 tmm route | 16.0.0, 15.1.0.3, 15.0.1.4, 14.1.2.7, 13.1.3.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
846713-1 | 2-Critical | BT846713 | Gtm_add does not restart named | 16.0.0, 15.1.0.3 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
903905-2 | 2-Critical | BT903905 | BIG-IQ or BIG-IP devices experience a service disruption during certain circumstances | 16.0.0, 15.1.0.3 |
889477-1 | 2-Critical | BT889477 | Modern customization does not enforce validation at password changing | 16.0.0, 15.1.0.3 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
888625 | 3-Major | BT888625 | CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks | 16.0.0, 15.1.0.3, 14.1.2.7 |
Cumulative fixes from BIG-IP v15.1.0.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
879025-2 | CVE-2020-5913 | K72752002, BT879025 | When processing TLS traffic, LTM may not enforce certificate chain restrictions | 16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3.5, 12.1.5.2 |
871633-1 | CVE-2020-5859 | K61367237, BT871633 | TMM may crash while processing HTTP/3 traffic | 16.0.0, 15.1.0.2 |
846917-1 | CVE-2019-10744 | K47105354, BT846917 | lodash Vulnerability: CVE-2019-10744 | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.7, 13.1.3.5, 12.1.5.3 |
846365-1 | CVE-2020-5878 | K35750231, BT846365 | TMM may crash while processing IP traffic | 16.0.0, 15.1.0.2, 15.0.1.2, 14.1.2.3 |
830401-1 | CVE-2020-5877 | K54200228, BT830401 | TMM may crash while processing TCP traffic with iRules | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
819197-2 | CVE-2019-13135 | K20336394, BT819197 | BIGIP: CVE-2019-13135 ImageMagick vulnerability | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
819189-1 | CVE-2019-13136 | K03512441, BT819189 | BIGIP: CVE-2019-13136 ImageMagick vulnerability | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
818169-1 | CVE-2022-26372 | K23454411, BT818169 | TMM may consume excessive resources when processing DNS profiles with DNS queuing enabled | 16.0.0, 15.1.0.2, 14.1.4.6, 13.1.5 |
636400 | CVE-2019-6665 | K26462555, BT636400 | CPB (BIG-IP->BIGIQ log node) Hardening | 15.1.0.2, 15.0.1.1, 14.1.2.1, 14.0.1.1, 13.1.3.2 |
873469-2 | CVE-2020-5889 | K24415506, BT873469 | APM Portal Access: Base URL may be set incorrectly | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
864109-1 | CVE-2020-5889 | K24415506, BT864109 | APM Portal Access: Base URL may be set incorrectly | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
858025-1 | CVE-2021-22984 | K33440533, BT858025 | BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984 | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
838881-1 | CVE-2020-5853 | K73183618, BT838881 | APM Portal Access Vulnerability: CVE-2020-5853 | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 12.1.5.2, 11.6.5.2 |
832021-3 | CVE-2020-5888 | K73274382, BT832021 | Port lockdown settings may not be enforced as configured | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
832017-3 | CVE-2020-5887 | K10251014, BT832017 | Port lockdown settings may not be enforced as configured | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
829121-1 | CVE-2020-5886 | K65720640, BT829121 | State mirroring default does not require TLS | 16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3.4, 12.1.5.2 |
829117-1 | CVE-2020-5885 | K17663061, BT829117 | State mirroring default does not require TLS | 16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3.4, 12.1.5.2 |
789921-5 | CVE-2020-5881 | K03386032, BT789921 | TMM may restart while processing VLAN traffic | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4 |
868097-3 | CVE-2020-5891 | K58494243, BT868097 | TMM may crash while processing HTTP/2 traffic | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
846157-1 | CVE-2020-5862 | K01054113, BT846157 | TMM may crash while processing traffic on AWS | 16.0.0, 15.1.0.2, 15.0.1.2, 14.1.2.3 |
838909-3 | CVE-2020-5893 | K97733133, BT838909 | BIG-IP APM Edge Client vulnerability CVE-2020-5893 | 15.1.0.2, 14.1.2.4, 13.1.4, 12.1.5.2, 11.6.5.2 |
823893-7 | CVE-2020-5890 | K03318649, BT823893 | Qkview may fail to completely sanitize LDAP bind credentials | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
870389-3 | 3-Major | BT870389 | Increase size of /var logical volume to 1.5 GiB for LTM-only VE images | 16.0.0, 15.1.0.2, 14.1.2.5 |
858229-5 | 3-Major | K22493037, BT858229 | XML with sensitive data gets to the ICAP server | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
854493-5 | 2-Critical | BT854493 | Kernel page allocation failures messages in kern.log | 16.0.0, 15.1.0.2, 14.1.2.8 |
841953-7 | 2-Critical | BT841953 | A tunnel can be expired when going offline, causing tmm crash | 16.0.0, 15.1.0.2, 14.1.2.8, 13.1.3.4, 12.1.5.3 |
841581 | 2-Critical | BT841581 | License activation takes a long time to complete on Google GCE platform | 15.1.0.2 |
841333-7 | 2-Critical | BT841333 | TMM may crash when tunnel used after returning from offline | 16.0.0, 15.1.0.2, 14.1.2.8, 13.1.3.4, 12.1.5.3 |
817709-3 | 2-Critical | BT817709 | IPsec: TMM cored with SIGFPE in racoon2 | 16.1.0, 15.1.0.2, 14.1.2.8, 13.1.5 |
811701-3 | 2-Critical | BT811701 | AWS instance using xnet driver not receiving packets on an interface. | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.7 |
811149-2 | 2-Critical | BT811149 | Remotely-authenticated users are unable to authenticate through the serial console | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.8 |
866925-5 | 3-Major | BT866925 | The TMM pages used and available can be viewed in the F5 system stats MIB | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4 |
865225-1 | 3-Major | BT865225 | 100G modules may not work properly in i15000 and i15800 platforms | 16.1.0, 15.1.0.2, 14.1.5.1, 13.1.3.4 |
852001-1 | 3-Major | BT852001 | High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
830717 | 3-Major | BT830717 | Appdata logical volume cannot be resized for some cloud images★ | 16.0.0, 15.1.0.2 |
829317-5 | 3-Major | BT829317 | Memory leak in icrd_child due to concurrent REST usage | 16.0.0, 15.1.0.2, 14.1.3.1, 14.1.3, 13.1.4 |
828873-3 | 3-Major | BT828873 | Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor | 16.0.0, 15.1.0.2 |
812981-6 | 3-Major | BT812981 | MCPD: memory leak on standby BIG-IP device | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.1 |
802281-3 | 3-Major | BT802281 | Gossip shows active even when devices are missing | 16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3.5 |
793121-5 | 3-Major | BT793121 | Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.7, 13.1.3.2 |
742628-1 | 3-Major | BT742628 | A tmsh session initiation adds increased control plane pressure | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.4, 14.1.2.6, 13.1.3.4, 12.1.5.3 |
605675-6 | 3-Major | BT605675 | Sync requests can be generated faster than they can be handled | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.7, 13.1.3.5, 12.1.5.3, 11.6.5.2 |
831293-5 | 4-Minor | BT831293 | SNMP address-related GET requests slow to respond. | 16.0.0, 15.1.0.2, 14.1.2.7, 13.1.3.5, 12.1.5.3 |
755317-3 | 4-Minor | BT755317 | /var/log logical volume may run out of space due to agetty error message in /var/log/secure | 16.0.0, 15.1.0.2, 14.1.2.5 |
722230-1 | 4-Minor | BT722230 | Cannot delete FQDN template node if another FQDN node resolves to same IP address | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.3.1, 13.1.3.4, 12.1.5.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
860881-3 | 2-Critical | BT860881 | TMM can crash when handling a compressed response from HTTP server | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
839401-1 | 2-Critical | BT839401 | Moving a virtual-address from one floating traffic-group to another does not send GARPs out. | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5 |
837617-1 | 2-Critical | BT837617 | Tmm may crash while processing a compression context | 16.0.0, 15.1.0.2, 14.1.4.4 |
872965-1 | 3-Major | BT872965 | HTTP/3 does not support draft-25 | 16.0.0, 15.1.0.2 |
862597-7 | 3-Major | BT862597 | Improve MPTCP's SYN/ACK retransmission handling | 16.0.0, 15.1.0.2, 14.1.3.1, 13.1.3.5 |
853613-4 | 3-Major | BT853613 | Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
852873-2 | 3-Major | BT852873 | Proprietary Multicast PVST+ packets are forwarded instead of dropped | 16.0.0, 15.1.0.2, 14.1.2.7 |
852861-1 | 3-Major | BT852861 | TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario | 16.0.0, 15.1.0.2 |
851445-1 | 3-Major | BT851445 | QUIC with HTTP/3 should allow the peer to create at least 3 concurrent uni-streams | 16.0.0, 15.1.0.2 |
850973-1 | 3-Major | BT850973 | Improve QUIC goodput for lossy links | 16.0.0, 15.1.0.2 |
850933-1 | 3-Major | BT850933 | Improve QUIC rate pacing functionality | 16.0.0, 15.1.0.2 |
847325-3 | 3-Major | BT847325 | Changing a virtual server that uses a OneConnect profile can trigger incorrect persistence behavior. | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
818853-1 | 3-Major | BT818853 | Duplicate MAC entries in FDB | 16.0.0, 15.1.0.2, 14.1.3.1, 13.1.3.5 |
809597-5 | 3-Major | BT809597 | Memory leak in icrd_child observed during REST usage | 16.0.0, 15.1.0.2, 14.1.3, 13.1.4 |
714372-5 | 3-Major | BT714372 | Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari | 16.0.0, 15.1.0.2, 15.0.1.1, 14.1.4.4 |
705112-6 | 3-Major | BT705112 | DHCP server flows are not re-established after expiration | 16.0.0, 15.1.0.2, 14.1.2.5, 13.1.3, 12.1.4.1, 11.5.9 |
859113-1 | 4-Minor | BT859113 | Using "reject" iRules command inside "after" may cause core | 16.0.0, 15.1.0.2, 14.1.2.5 |
839245-3 | 4-Minor | BT839245 | IPother profile with SNAT sets egress TTL to 255 | 16.0.0, 15.1.0.2, 14.1.2.5 |
824365-5 | 4-Minor | BT824365 | Need informative messages for HTTP iRule runtime validation errors | 16.0.0, 15.1.0.2, 15.0.1.1, 14.1.2.3, 13.1.3.6 |
822025 | 4-Minor | BT822025 | HTTP response not forwarded to client during an early response | 15.1.0.2, 15.0.1.4, 14.1.3.1, 13.1.3.6, 12.1.5.3 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
760471-1 | 3-Major | BT760471 | GTM iQuery connections may be reset during SSL key renegotiation. | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.3, 13.1.3.5, 12.1.5.2 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
852437-3 | 2-Critical | K25037027, BT852437 | Overly aggressive file cleanup causes failed ASU installation | 16.0.0, 15.1.0.2, 14.1.2.5 |
846073-1 | 2-Critical | BT846073 | Installation of browser challenges fails through Live Update | 16.0.0, 15.1.0.2 |
850673-1 | 3-Major | BT850673 | BD sends bad ACKs to the bd_agent for configuration | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.1 |
842161-1 | 3-Major | BT842161 | Installation of Browser Challenges fails in 15.1.0 | 16.0.0, 15.1.0.2 |
793017-3 | 3-Major | BT793017 | Files left behind by failed Attack Signature updates are not cleaned | 16.0.0, 15.1.0.2, 14.1.2.3 |
778261-2 | 3-Major | BT778261 | CPB connection is not refreshed when updating BIG-IQ logging node domain name or certificate | 16.0.0, 15.1.0.2, 15.0.1.1 |
739618-3 | 3-Major | BT739618 | When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy | 15.1.0.2, 14.1.2.3, 14.1.0, 13.1.3.2 |
681010-4 | 3-Major | K33572148, BT681010 | 'Referer' is not masked when 'Query String' contains sensitive parameter | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4, 12.1.5.2, 11.6.5.2 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
838709-4 | 2-Critical | BT838709 | Enabling DoS stats also enables page-load-time | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4 |
870957-4 | 3-Major | BT870957 | "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4 |
863161-1 | 3-Major | BT863161 | Scheduled reports are sent via TLS even if configured as non encrypted | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4 |
835381-3 | 3-Major | BT835381 | HTTP custom analytics profile 'not found' when default profile is modified | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
830073-2 | 3-Major | BT830073 | AVRD may core when restarting due to data collection device connection timeout | 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4 |
865053-3 | 4-Minor | BT865053 | AVRD core due to a try to load vip lookup when AVRD is down | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
863069-1 | 4-Minor | BT863069 | Avrmail timeout is too small | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
876393-1 | 2-Critical | BT876393 | General database error while creating Access Profile via the GUI | 16.0.0, 15.1.0.2 |
871761-1 | 2-Critical | BT871761 | Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5, 13.1.3.4 |
871653-1 | 2-Critical | BT871653 | Access Policy cannot be created with 'modern' customization | 16.0.0, 15.1.0.2 |
866685-1 | 3-Major | BT866685 | Empty HSTS headers when HSTS mode for HTTP profile is disabled | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
866161-1 | 3-Major | BT866161 | Client port reuse causes RST when the security service attempts server connection reuse. | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
853325-1 | 3-Major | BT853325 | TMM Crash while parsing form parameters by SSO. | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.5 |
852313-4 | 3-Major | BT852313 | VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
850277-1 | 3-Major | BT850277 | Memory leak when using OAuth | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4, 13.1.3.4 |
844781-3 | 3-Major | BT844781 | [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.4 |
844685-1 | 3-Major | BT844685 | Per-request policy is not exported if it contains HTTP Connector Agent | 16.0.0, 15.1.0.2 |
844573-1 | 3-Major | BT844573 | Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret. | 15.1.0.2 |
844281-3 | 3-Major | BT844281 | [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files. | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.4 |
835309-1 | 3-Major | | Some strings on BIG-IP APM Server pages are not localized | 16.0.0, 15.1.0.2 |
832881-1 | 3-Major | BT832881 | F5 Endpoint Inspection helper app is not updated | 16.0.0, 15.1.0.2 |
832569-3 | 3-Major | BT832569 | APM end-user connection reset | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
831781-4 | 3-Major | BT831781 | AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
803825-5 | 3-Major | BT803825 | WebSSO does not support large NTLM target info length | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.4, 13.1.3.4 |
761303-5 | 3-Major | BT761303 | Upgrade of standby BIG-IP system results in empty Local Database | 16.0.0, 15.1.0.2, 15.0.1.3 |
744407-1 | 3-Major | BT744407 | While the client has been closed, iRule function should not try to check on a closed session | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.4.4, 13.1.3.4 |
706782-5 | 3-Major | BT706782 | Inefficient APM processing in large configurations. | 17.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.8 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
853545-1 | 3-Major | BT853545 | MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event | 16.0.0, 15.1.0.2, 14.1.2.5 |
842625-5 | 3-Major | BT842625 | SIP message routing remembers a 'no connection' failure state forever | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.7, 13.1.3.4 |
840821-1 | 3-Major | BT840821 | SCTP Multihoming not working within MRF Transport-config connections | 16.0.0, 15.1.0.2 |
825013-1 | 3-Major | BT825013 | GENERICMESSAGE::message's src and dst may get cleared in certain scenarios | 16.0.0, 15.1.0.2, 15.0.1.1, 14.1.2.7 |
803809-4 | 3-Major | BT803809 | SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled. | 16.0.0, 15.1.0.2, 14.1.2.7, 13.1.3.4 |
859721-1 | 4-Minor | BT859721 | Using GENERICMESSAGE create together with reject inside periodic after may cause core | 16.0.0, 15.1.0.2, 14.1.2.5 |
836357-5 | 4-Minor | BT836357 | SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2 | 16.0.0, 15.1.0.2, 15.0.1.4, 14.1.2.5, 13.1.3.4, 12.1.5.2 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
852557-3 | 2-Critical | BT852557 | Tmm core while using service chaining for SSL Orchestrator | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
864329-3 | 3-Major | BT864329 | Client port reuse causes RST when the backend server-side connection is open | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
852481-3 | 3-Major | BT852481 | Failure to check virtual-server context when closing server-side connection | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
852477-3 | 3-Major | BT852477 | Tmm core when SSL Orchestrator is enabled | 16.0.0, 15.1.0.2, 15.0.1.3, 14.1.2.5 |
Cumulative fixes from BIG-IP v15.1.0.1 that are included in this release
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
834853 | 3-Major | BT834853 | Azure walinuxagent has been updated to v2.2.42 | 15.1.0.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
862557-1 | 3-Major | BT862557 | Client-ssl profiles derived from clientssl-quic fail validation | 16.0.0, 15.1.0.1 |
Cumulative fix details for BIG-IP v15.1.10.2 that are included in this release
999901-3 : Certain LTM policies may not execute correctly after a system reboot or TMM restart.
Links to More Info: K68816502, BT999901
Component: Local Traffic Manager
Symptoms:
After a system reboot or TMM restart, LTM policies referencing an external data-group may not execute correctly, regardless of a successful matching condition.
This can cause a wide range of issues, including misrouted traffic, unshaped traffic, the bypassing of ASM, or complete traffic failure (based on the policy actions).
Note that if a virtual server references multiple LTM policies, and only some of those policies reference an external data-group, all LTM policies attached to the virtual server will be affected.
Conditions:
-- LTM policy with an external data-group configured on a virtual server.
-- System reboot or TMM restart.
Impact:
LTM policies may be unable to execute the appropriate action on a successful matching condition, leading to a wide range of traffic-impacting consequences.
Workaround:
Remove and re-add the affected policy to the desired virtual-server. Alternatively, to fix a wider number of affected virtual servers in one go, reload the system configuration by executing 'tmsh load sys config'.
Fix:
TMM now loads LTM policies with external data-groups as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
999881-4 : Tcl command 'string first' not working if payload contains Unicode characters.
Links to More Info: BT999881
Component: Local Traffic Manager
Symptoms:
Tcl command 'string first' returns an incorrect value when Unicode characters are present in the payload.
Conditions:
-- Tcl command 'string first' is used in iRules.
-- Payload contains Unicode characters.
Impact:
Traffic processing with iRules that contains the 'string first' command might not work as expected.
Workaround:
You can use any of the following workarounds:
-- Use iRuleLX.
-- Do not use Unicode characters in the payload.
-- Use a custom Tcl proc to iterate through the string using lindex.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
999317-8 : Running Diagnostics report for Edge Client on Windows does not follow best practice
Links to More Info: K03544414, BT999317
Component: Access Policy Manager
Symptoms:
Running Diagnostics report for Edge Client on Windows does not follow best practice
Conditions:
Running Diagnostics report for Edge client on Windows system
Impact:
Edge client does not follow best practice
Workaround:
No workaround.
Fix:
Edge Client on Windows now follows best practice
Fixed Versions:
17.0.0, 15.1.3.1
999125-2 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.
Links to More Info: BT999125
Component: TMOS
Symptoms:
After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states.
Conditions:
-- One or more devices belonging to a sync-failover device-group undergo a management IP change.
Impact:
-- The affected units are unable to pass traffic, as they are either both Standby or Active (resulting in either no service availability or IP address conflicts in the network).
Workaround:
If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, to account for the possibility that this issue might occur.
Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command:
tmsh restart sys service sod
Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future.
Fix:
Redundant devices remain in the correct failover state following a management IP address change.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
999097-3 : SSL::profile may select profile with outdated configuration
Links to More Info: BT999097
Component: Local Traffic Manager
Symptoms:
Under some circumstances, an iRule-selected SSL profile may send a previously configured certificate to the peer.
Conditions:
iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made in the profile's cert-key-chain field.
Impact:
The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.
Workaround:
Avoid making changes to a profile that is actively being used by the iRule command.
Fix:
The system now makes sure that SSL profiles are properly reloaded after changes are made.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
998701-2 : Active_zombie_port_blocks counter from fw_lsn_pool_pba_stat stats may reach unrealistically large value.
Links to More Info: BT998701
Component: Advanced Firewall Manager
Symptoms:
Under certain conditions, the active_zombie_port_blocks counter from fw_lsn_pool_pba_stat statistics may reach an unrealistically large value.
Conditions:
-- VIPRION system with more than one blade
-- ASM is provisioned
-- Network address translation is in use
-- Source translation type: Dynamic PAT
-- PAT mode: Port Block Allocation
Impact:
Active_zombie_port_blocks counter indications are incorrect. Otherwise system functionality is unaffected.
Workaround:
None
Fixed Versions:
15.1.10
998473-2 : NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL)
Links to More Info: BT998473
Component: Access Policy Manager
Symptoms:
NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL)
Conditions:
1. NTLM front-end authentication is enabled.
2. Active Directory users are subscribed to more than one hundred groups.
Impact:
NTLM authentication fails for Active Directory users who are subscribed to more than one hundred groups.
Workaround:
None
Fix:
A fix has been provided to the sequence number handling which is used to calculate the RPC checksum as part of ID 949477.
Fixed Versions:
16.1.0, 15.1.4.1
998225-4 : TMM crash when disabling/re-enabling a blade that triggers a primary blade transition.
Links to More Info: BT998225
Component: TMOS
Symptoms:
TMM crashes during the primary blade transition.
Conditions:
-- Using bidirectional forwarding detection.
-- Primary blade transition occurs.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM no longer crashes on primary blade transition.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
998221-3 : Accessing pool members from configuration utility is slow with large config
Links to More Info: BT998221
Component: TMOS
Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.
Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.
Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second.
Managing pool members from the configuration utility is very slow, causing a performance impact.
Workaround:
None
Fix:
Optimized the GUI query used for retrieving pool members data.
Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.3
998085-1 : BIG-IP DataSafe GUI does not save changes
Links to More Info: BT998085
Component: Fraud Protection Services
Symptoms:
Due to a JavaScript error, the BIG-IP DataSafe GUI does not save changes.
Conditions:
-- Provision FPS.
-- License DataSafe.
-- Configure the system using the GUI.
Impact:
Configurations made for DataSafe using the BIG-IP Configuration Utility GUI cannot be saved.
Workaround:
Use tmsh to configure the BIG-IP system.
Fix:
BIG-IP DataSafe GUI is working properly and configurations are now saved.
Fixed Versions:
16.1.0, 15.1.3
997929-3 : Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic
Links to More Info: BT997929
Component: Local Traffic Manager
Symptoms:
If a virtual server is using a traffic-matching-criteria (TMC) with a destination-inline-port of zero ('any'), and this is later changed (either to a non-zero port value, or to a port-list with non-zero port values) the virtual server stops processing traffic.
If tmm is restarted (which causes an outage) the virtual server resumes accepting traffic using the new ports. In addition, changing the virtual server's port back to 'any' also causes traffic processing to resume.
Conditions:
-- A virtual server using an address list for its destination, and 'any' (zero) for its destination port.
-- Changing the virtual server's destination port to a non-zero value, or to a port-list with non-zero port values.
Impact:
The virtual server stops processing traffic.
Workaround:
To recover, you can do either of the following:
-- Restart tmm:
bigstart restart tmm
-- Change the virtual server's port back to 'any' (0).
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.4
997761-2 : Subsessionlist entries leak if there is no RADIUS accounting agent in policy
Links to More Info: BT997761
Component: Access Policy Manager
Symptoms:
Subsessionlist entries are not cleaned up when subsessions are deleted. For long-lived main sessions, in use cases such as API protection, the number of leaked subsessionlist entries increases over time, resulting in increasing memory consumption. If high availability (HA) is configured, the standby device can experience even more memory pressure when a very large number of subsessionlist entries are sent to it for mirroring.
Conditions:
This issue occurs if the main session is long-lived and there is no RADIUS accounting agent in the policy.
Impact:
TMM may run out of memory and restart. Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
16.1.0, 15.1.5
997641 : APM policy ending with redirection results in policy execution failure
Links to More Info: BT997641
Component: Access Policy Manager
Symptoms:
After successful authentication, the APM end user client connection gets reset.
/var/log/apm shows errors:
err tmm2[18140]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_VAL. File: ../modules/hudfilter/access/access.c, Function: access_rewrite_pdp_response_to_302, Line: 19766
Conditions:
Access policy has a path ending with a redirect.
Impact:
APM end user clients cannot access the backend resources protected by the policy.
Workaround:
None
Fix:
Fixed an issue with APM policies not working when they ended with redirect.
Fixed Versions:
15.1.4
997561-3 : TMM CPU imbalance with GRE/TB and GRE/MPLS traffic
Links to More Info: BT997561
Component: TMOS
Symptoms:
When handling unidirectional GRE traffic, a lack of inner payload entropy can lead to CPU pinning.
In some circumstances, handling this traffic should not require maintaining state across TMMs.
Conditions:
This occurs with GRE/TB (transparent ethernet bridging) and GRE/MPLS traffic.
Impact:
TMM utilization across CPUs is imbalanced, which can impact overall device performance.
Workaround:
None
Fix:
The BIG-IP system now has an 'iptunnel.ether_nodag' DB key, which defaults to 'disable'. When this DB key is enabled, the BIG-IP system always processes tunnel-encapsulated traffic on the TMM that handles the tunnel packet, rather than re-disaggregating it.
Fixed Versions:
15.1.10
997429 : When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled
Links to More Info: BT997429
Component: Advanced Firewall Manager
Symptoms:
Some DoS-related log messages may be missing
Conditions:
-- Static DDoS vector is configured with the same mitigation threshold and detection threshold setpoint.
-- The platform supports hardware DDoS mitigation and hardware mitigation is not disabled.
Impact:
Applications dependent on log frequency may be impacted.
Workaround:
Configure the mitigation limit about 10% over the attack limit.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
997313-3 : Unable to create APM policies in a sync-only folder★
Links to More Info: BT997313
Component: TMOS
Symptoms:
Unable to configure an APM policy in a sync-only folder, or the configuration fails to load after an upgrade, with an error message similar to:
-- err mcpd[mcpd_pid]: 01070734:3: Configuration error: Invalid Devicegroup Reference. The customization_group (/Common/sync-only/example_apm_customization) requires customization_source (/Common/standard) to be syncd to the same devices
Conditions:
-- Multiple BIG-IP devices configured in a sync-only device group, but different/non-overlapping failover device groups
-- APM policy being created in a folder or partition associated with sync-only device group.
Impact:
-- Unable to create the access policy.
-- The configuration fails to load and the device remains inoperative.
Workaround:
You can use either of the following strategies to prevent the issue:
-- Do not create APM policies in a sync-only folder.
-- Disable MCPD device-group reference validation for the sync-only folder, e.g.:
tmsh modify sys folder /Common/sync-only no-ref-check true
tmsh save sys config
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1
997169 : AFM rule not triggered
Links to More Info: BT997169
Component: Advanced Firewall Manager
Symptoms:
An AFM rule is not triggered when it should be.
Conditions:
-- Source and destination zone configured
-- A gateway pool is used in the route
Impact:
A firewall rule is not triggered and the default deny rule is used.
Workaround:
Alter the route to use an IP address and not a pool.
Fix:
Firewall rules are now triggered when gateway pools are used.
Fixed Versions:
15.1.4.1
997137-3 : CSRF token modification may allow WAF bypass on GET requests
Links to More Info: K80945213, BT997137
Component: Application Security Manager
Symptoms:
Under certain conditions a parameter is not processed as expected.
Conditions:
1. CSRF feature is configured
2. Request contains a crafted parameter
Impact:
Malicious request will bypass signatures and will not raise any attack signature violation
Workaround:
N/A
Fix:
The parameter is now processed as expected.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.4, 13.1.5
996649-4 : Improper handling of DHCP flows leading to orphaned server-side connections
Links to More Info: BT996649
Component: Local Traffic Manager
Symptoms:
When there are multiple client-side flows tied to a single server-side DHCP flow, timeout handling on the client-side flows is incorrect and might lead to a server-side flow getting orphaned. This results in traffic from the server not making its way back to the client.
Conditions:
Regular DHCP virtual server in use.
Impact:
Traffic is not passed to the client.
Workaround:
None.
Fixed Versions:
15.1.10
996593-2 : Password change through REST or GUI not allowed if the password is expired
Links to More Info: BT996593
Component: TMOS
Symptoms:
When trying to update an expired password through REST or the GUI, the system reports an error:
Authentication failed: Password expired. Update password via /mgmt/shared/authz/users.
Conditions:
-- Password is expired.
-- Password change is done through either REST or the GUI.
Impact:
Expired password cannot be updated through REST or the GUI.
Workaround:
Update password using tmsh:
tmsh modify auth password <username>
Fix:
You can now change an expired password through REST or the GUI.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.3
996381-3 : ASM attack signature may not match as expected
Links to More Info: K41503304, BT996381
Component: Application Security Manager
Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.
Conditions:
- Attack signature 200000128 enabled.
Impact:
Processed traffic may not match all expected attack signatures
Workaround:
N/A
Fix:
Attack signature 200000128 now matches as expected.
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1
996113-1 : SIP messages with unbalanced escaped quotes in headers are dropped
Links to More Info: BT996113
Component: Service Provider
Symptoms:
Dropped SIP messages.
Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote
Impact:
Certain SIP messages are not being passed via MRF.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
996001-1 : AVR Inspection Dashboard 'Last Month' does not show all data points
Links to More Info: BT996001
Component: TMOS
Symptoms:
A daily-based report (a report with a resolution of one day per data point) can only be provided for requests of up to 30 days. A request for 31 days shows only 2 entries.
Conditions:
This occurs when generating a 'Last Month' report for a month that contains 31 days of data.
Impact:
AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points.
Workaround:
None
Fix:
Viewing a 'Last Month' graph now reports ~30 days worth of data, rather than a variable amount of data based on actual calendar periods.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
995853-2 : Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error.
Links to More Info: BT995853
Component: Global Traffic Manager (DNS)
Symptoms:
Unable to create a GSLB Server object with both IPv4 and IPv6 self IPs as device IPs.
Conditions:
-- DNS and LTM services enabled.
-- Configure two self IPs on the box for IPv4 and IPv6.
-- GSLB Server object creation with IPv4 and IPv6 addresses in the device tab, with Virtual Server Discovery enabled.
Impact:
GSLB Server object creation fails.
Workaround:
TMSH is not impacted. Use TMSH to create GSLB Server objects.
Fix:
GSLB Server object creation no longer fails.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.4, 13.1.5
995849-2 : Tmm crash SIGSEGV - rcs_getsalen() in lib/rc_net.c
Links to More Info: BT995849
Component: TMOS
Symptoms:
Tmm crashes while processing a large number of tunnels.
Conditions:
-- A large number of IPsec tunnels
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Memory allocation failures are handled.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
995629-3 : Loading UCS files may hang if ASM is provisioned★
Links to More Info: BT995629
Component: TMOS
Symptoms:
If a UCS file from a BIG-IP system running a different software version that also has an ASM configuration is loaded onto a device that already has ASM provisioned, the load may hang indefinitely.
Conditions:
-- A system that has ASM provisioned.
-- Loading a UCS file with an ASM configuration that comes from a different system.
Impact:
-- UCS load might fail.
-- Config save and load operations fail while the UCS load hangs. The failure of those operations may not be obvious, leaving the BIG-IP saved configuration different from the running configuration.
Workaround:
If you encounter this, run 'load sys config default' to de-provision ASM. The UCS file should then load successfully.
Note: If loading a UCS archive with the 'platform-migrate' argument, then there is no workaround. See: https://cdn.f5.com/product/bugtracker/ID990849.html
Fix:
Loading UCS files no longer hangs if ASM is provisioned.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4.1, 13.1.4.1
995433 : IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT
Links to More Info: BT995433
Component: Advanced Firewall Manager
Symptoms:
The PPTP log entries for NAT64 traffic have a truncated IPv6 address.
Conditions:
This is encountered when viewing PPTP log entries.
Impact:
IPv6 addresses in PPTP logs are truncated.
Workaround:
None
Fix:
The full IPv6 address is now logged in PPTP logs.
Fixed Versions:
16.1.0, 15.1.4.1, 14.1.4.5
995201-4 : IP fragments for the same flow are dropped if they are received on different VLANs and route domains.
Links to More Info: BT995201
Component: Local Traffic Manager
Symptoms:
When duplicate IP fragments for the same flow (same connection tuple and flow ID) are simultaneously received on different VLANs or route domains, IP datagram reassembly fails.
Conditions:
-- Multicast traffic where identical fragments arrive on two different VLANs.
-- IP fragments for the same flow are received on different VLANs.
-- Alternatively, IP fragments for the same flow are received on different route domains.
Impact:
IP fragments that fail reassembly are dropped.
Workaround:
None
Fix:
The tm.ipfragreassemblestrict db var is disabled by default. When it is enabled, IPv6 or IPv4 fragments arriving on different interfaces are queued separately.
Note: To resolve this issue, a version with this fix is necessary and tm.ipfragreassemblestrict must be set to enable.
Fixed Versions:
16.1.0, 15.1.7
995097-3 : Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file.
Links to More Info: BT995097
Component: TMOS
Symptoms:
After reloading the configuration from a file, management-dhcp supersede options whose values contained a double quote character (") no longer contain the character.
For instance, after reloading the configuration, the following section:
# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
    supersede-options {
        domain-name {
            value { "example.com" }
        }
        domain-name-servers {
            value { 8.8.8.8 }
        }
        domain-search {
            value { "example.com" }
        }
    }
}
Becomes:
# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
    supersede-options {
        domain-name {
            value { example.com }
        }
        domain-name-servers {
            value { 8.8.8.8 }
        }
        domain-search {
            value { example.com }
        }
    }
}
This also affects the configuration file for the dhclient/dhclient6 daemons that the system automatically generates from the aforementioned config stanza.
Conditions:
This issue occurs when the following statements apply:
-- The values of management-dhcp supersede options contain double quote characters.
-- The configuration is reloaded from file.
The BIG-IP system reloads the configuration from file in the following cases:
-- When you issue the 'tmsh load sys config' command.
-- After an upgrade, as the mcpd binary database does not exist yet.
-- When troubleshooting requires removing the mcpd binary database and reloading the config from file.
-- When the system is relicensed.
-- When system provisioning changes.
-- When a UCS/SCF archive is restored.
-- When someone merges in config from file or terminal (but this is limited to the actual contents being merged in, not the entire configuration).
Impact:
The in-memory mcpd configuration relating to management-dhcp supersede options is incorrect.
The /etc/dhclient.conf file that is automatically generated contains incorrect syntax.
As a result of this, the dhclient/dhclient6 daemons fail to parse the file and run with an incomplete configuration.
Ultimately, the system does not behave as configured in regard to its management-dhcp configuration.
Workaround:
Reapply the desired management-dhcp supersede-options configuration using the tmsh utility.
For example, to restore the intended in-memory configuration shown under Symptoms, you would run within tmsh:
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options none
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name-servers { value add { 8.8.8.8 } } }
# save sys config
On versions earlier than 15.0.0, you must also restart the dhclient/dhclient6 daemons by running:
bigstart restart dhclient dhclient6
Note that the workaround is not permanent and will be invalidated the next time the config is loaded from file again.
Fix:
The BIG-IP system user is no longer responsible for knowing which dhcp-options require quoting and which do not. This determination is now done internally by mcpd, which uses the correct syntax for each supersede-option when writing the /etc/dhclient.conf file. This means that, as the BIG-IP system user, you are not required to quote anything when manipulating management-dhcp supersede-options in tmsh.
For instance, you can enter the following command:
tmsh modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { one.example.com two.example.com } } }
And the system inserts the following instruction in the /etc/dhclient.conf file:
supersede domain-search "one.example.com", "two.example.com" ;
Fixed Versions:
17.0.0, 16.1.4, 15.1.10
995029-3 : Configuration is not updated during auto-discovery
Links to More Info: BT995029
Component: Access Policy Manager
Symptoms:
Auto-discovery fails, resulting in OAuth failure. In /var/log/apm:
-- OAuth Client: failed for server '<server>' using 'authorization_code' grant type (<grant type>), error: None of the configured JWK keys match the received JWT token
Conditions:
JSON Web Token (JWT) auto-discovery is enabled via JSON Web Keys (JWK).
Impact:
JWT auto-discovery fails and the configuration is not updated.
Workaround:
Use the GUI to manually retrieve the JWKs by clicking the 'Discovery' button for OpenID URI in 'Access :: Federation : OAuth Client / Resource Server : Provider :: <name of provider>'.
Fix:
Fixed an issue with auto-discovery and JWKs.
Fixed Versions:
16.1.0, 15.1.4, 14.1.4.2
994985-2 : CGNAT GUI shows blank page when applying SIP profile
Links to More Info: BT994985
Component: Carrier-Grade NAT
Symptoms:
The virtual server properties GUI page shows blank when a SIP profile is applied to the virtual server.
Conditions:
-- Create virtual server and attach a SIP profile.
-- Navigate to virtual server properties page.
Impact:
The virtual server properties page does not display the configuration.
Workaround:
None.
Fix:
The GUI now shows the virtual server config page with all config values.
Fixed Versions:
17.0.0, 15.1.4, 14.1.4.2
994801-3 : SCP file transfer system
Component: TMOS
Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.
Conditions:
tmsh does not follow best practices for SCP operations
Impact:
tmsh does not follow best practices for SCP operations
Workaround:
None
Fix:
The SCP file transfer system now follows current best practices.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3, 13.1.4.1
994305-1 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5
Links to More Info: BT994305
Component: TMOS
Symptoms:
Features supported in newer versions of open-vm-tools are not available.
Conditions:
This issue may be seen when running in VMware environments.
Impact:
Features that require a later version of open-vm-tools are not available.
Workaround:
None.
Fix:
The version of open-vm-tools has been updated to 11.1.5.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1
994269-2 : Message 'double flow removal' is logged in LTM log file
Links to More Info: BT994269
Component: Local Traffic Manager
Symptoms:
The LTM log contains messages similar to the following:
Oops @ 0x290cfa0:1129: double flow removal.
Conditions:
FastL4 virtual server with iRule containing the FLOW_INIT command.
Impact:
The memory_usage_stat and tmm/umem_usage_stat might reflect incorrect values under increased traffic load when the underlying double flow removal messages persist continuously on the blades.
Excessive message logging by TMM may impact traffic.
Workaround:
None
Fixed Versions:
16.1.0, 15.1.10
994125-2 : NetHSM Sanity results are not reflecting in GUI test output box
Links to More Info: BT994125
Component: Local Traffic Manager
Symptoms:
The netHSM sanity test results are not shown in the GUI when an HSM test is selected.
Conditions:
NA
Impact:
Cannot see netHSM test results from GUI.
Workaround:
Use TMSH to see netHSM test results.
Fix:
You can now test the selected HSM and partition and view the test results.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3.1, 14.1.4.3
994033-2 : The daemon httpd_sam does not recover automatically when terminated
Links to More Info: BT994033
Component: TMOS
Symptoms:
The APM policy redirects users to an incorrect domain, and the httpd_sam daemon is not running.
Conditions:
Daemon httpd_sam stopped with the terminate command.
Impact:
APM policy performing incorrect redirects.
Workaround:
Restart the daemons httpd_apm and httpd_sam.
Fix:
None
Fixed Versions:
16.1.4, 15.1.9
993921-4 : TMM SIGSEGV
Links to More Info: BT993921
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes on SIGSEGV.
Conditions:
This is a rarely occurring issue associated with the iRule command 'pool XXXX member XXXX'.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use 'pool XXXX member XXXX' iRule command.
Fix:
This rarely occurring issue is now fixed.
Fixed Versions:
16.1.0, 15.1.6.1, 14.1.5.1
993913-2 : TMM SIGSEGV core in Message Routing Framework
Links to More Info: BT993913
Component: Service Provider
Symptoms:
TMM crashes on SIGSEGV.
Conditions:
This can occur while passing traffic through the message routing framework.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4
993613-5 : Device fails to request full sync
Links to More Info: BT993613
Component: Application Security Manager
Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs.
Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.
Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- A large number of asm_config_server processes increases host memory usage.
Workaround:
Halting asm_config_server on the stuck device restores the working state and requests a new sync.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
993517-3 : Loading an upgraded config can result in a file object error in some cases
Links to More Info: BT993517
Component: Local Traffic Manager
Symptoms:
After an upgrade from a version prior to 13.1.0, when loading a configuration that has had an HTTPS monitor in it, if that configuration has not yet been saved, you may see errors like this in the LTM log:
-- 0107134a:3: File object by name (DEFAULT) is missing.
If you run 'tmsh load sys config verify' on this configuration, the system also posts the error on the screen.
Conditions:
-- Upgrading from a version prior to 13.1.0.
-- At least one HTTPS monitor that has the kEDH cipher in its cipherlist.
-- Upgrading to version 13.1.1.4 or later.
-- Loading the configuration (either automatically on startup, or manually).
Impact:
Other than the error message, there is no impact.
Workaround:
After the initial reboot, save the configuration.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
993489-3 : GTM daemon leaks memory when reading GTM link objects
Links to More Info: BT993489
Component: Global Traffic Manager (DNS)
Symptoms:
The gtmd process memory consumption is higher than expected.
Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.
Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
993481-3 : Jumbo frame issue with DPDK eNIC
Links to More Info: BT993481
Component: TMOS
Symptoms:
TMM crashes
Conditions:
-- TMM is using DPDK driver with Cisco eNIC
-- TMM receives jumbo sized packet
Impact:
Traffic disrupted while TMM restarts.
Workaround:
- Use a different driver such as sock.
- Do not use or accept jumbo frames. Use the following TMSH command to set the MTU to less than or equal to 1500:
tmsh modify net vlan external mtu 1500
Fix:
Skipped initialization of structures.
Fixed Versions:
16.1.4, 15.1.10
993457-2 : TMM core with ACCESS::policy evaluate iRule
Links to More Info: BT993457
Component: Access Policy Manager
Symptoms:
TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release.
Conditions:
-- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered.
-- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes.
Impact:
This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM no longer crashes and generates a core file during the ACCESS::policy evaluate iRule under these conditions.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
993269-1 : DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option
Links to More Info: BT993269
Component: Advanced Firewall Manager
Symptoms:
Using DoS timestamp cookies together with a FastL4 profile with the timestamp rewrite option enabled might lead to traffic failures.
DoS timestamp cookies might also lead to problems with traffic generated by the Linux host.
Conditions:
-- DoS timestamp cookies are enabled, and either of the following:
-- FastL4 profile with the timestamp rewrite option enabled.
-- Traffic originating from Linux host.
Impact:
Traffic is dropped due to incorrect timestamps.
Workaround:
Disable timestamp cookies on the affected VLAN.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
992865 : Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances
Links to More Info: BT992865
Component: TMOS
Symptoms:
On particular platforms, virtual servers do not correctly enter hardware SYN cookie mode. Software SYN cookie mode still functions correctly.
Conditions:
-- Virtual server under SYN flood attack.
-- One of the following platforms:
+ BIG-IP i11000 series (C123)
+ BIG-IP i15000 series (D116)
Impact:
Software SYN cookies are enabled, which has a performance impact compared to the hardware mode.
Workaround:
None
Fix:
Virtual servers correctly enter hardware SYN cookie mode on all platforms.
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.4
992813-2 : The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations.
Links to More Info: BT992813
Component: TMOS
Symptoms:
The mcpd daemon performs validation of the request-options and supersede-options a BIG-IP administrator specifies via the tmos.sys.management-dhcp endpoint in tmsh.
As the list of dhcp-options known to mcpd is outdated, it is possible you may be returned an error when attempting to configure valid request-options or supersede-options.
For example, you may be returned the following error when attempting to supersede the domain-search option:
01071627:3: Management Dhcp resource supersede-option - Invalid dhcp option: domain-search
Conditions:
You attempt to configure a dhcp-option unknown to mcpd as part of the request-options or supersede-options properties.
Note: A common dhcp-option of which mcpd has no knowledge is domain-search. You are unlikely to experience this issue unless you are requesting or superseding this particular dhcp-option.
Impact:
You are unable to instantiate the desired management-dhcp configuration.
Workaround:
None
Fix:
The list of dhcp-options known to mcpd has been updated.
Fixed Versions:
17.0.0, 16.1.4, 15.1.10
992213-2 : Protocol Any displayed as HOPTOPT in AFM policy view
Links to More Info: BT992213
Component: Advanced Firewall Manager
Symptoms:
The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI.
Conditions:
-- Create a rule and set protocol as 'any'.
-- Navigate to active rules.
Impact:
GUI shows an incorrect value.
Workaround:
None
Fix:
GUI Shows correct value for rule protocol option.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.2
992121-1 : REST "/mgmt/tm/services" endpoint is not accessible
Links to More Info: BT992121
Component: TMOS
Symptoms:
Accessing "/mgmt/tm/services" fails with a null exception and returns a 400 response.
Conditions:
Accessing /mgmt/tm/services through the REST API.
Impact:
Unable to get services through the REST API. BIG-IQ needs that call for monitoring.
Fix:
The /mgmt/tm/services endpoint is now accessible through the REST API and returns the services successfully.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
992097-2 : Incorrect hostname is seen in logging files
Links to More Info: BT992097
Component: TMOS
Symptoms:
-- On the local blade, slot information is missing from LTM logs. Only the hostname is logged.
-- For messages received from another blade, the hostname is replaced by the word "slotX".
Conditions:
Multi-bladed VIPRION or VIPRION-based vCMP guest.
Impact:
Remote log collectors cannot identify the log message based on hostname and/or blade number.
Workaround:
None
Fixed Versions:
16.1.0, 15.1.6.1, 14.1.5
992053-1 : Pva_stats for server side connections do not update for redirected flows
Links to More Info: BT992053
Component: TMOS
Symptoms:
Pva_stats for server side connections do not update for the re-directed flows
Conditions:
-- Flows that are redirected to TMM.
-- Server flows are offloaded to PVA.
Impact:
PVA stats do not reflect the offloaded flow.
Workaround:
None
Fix:
Updated pva_stats to reflect server side flow.
Fixed Versions:
17.1.0, 15.1.4.1
990849-2 : Loading UCS with platform-migrate option hangs and requires exiting from the command★
Links to More Info: BT990849
Component: TMOS
Symptoms:
The UCS loading process with platform-migrate stops responding and hangs after printing:
Platform migrate loaded successfully. Saving configuration.
Conditions:
Load UCS with platform-migrate option:
tmsh load sys ucs <ucs_name> platform-migrate
Note: If you are loading a UCS archive created on a system running a different software version that also has an ASM configuration, there are other aspects to consider. See: https://cdn.f5.com/product/bugtracker/ID995629.html
Impact:
The UCS loading process stops responding, causing the device to be in an INOPERATIVE state.
Workaround:
None.
Fix:
Loading UCS with the platform-migrate option executes smoothly without getting stuck.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.3, 14.1.4, 13.1.4.1
990461-3 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★
Links to More Info: BT990461
Component: Advanced Firewall Manager
Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.
Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.
Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.
Workaround:
Manually update the SYN cookie threshold values after an upgrade.
Fixed Versions:
17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4
990073 : BIG-IP software v13.1.3.6, v14.1.4, v15.1.2.1, v16.0.1.1 or later require APM Clients 7.1.8.5, 7.1.9.8, or 7.2.1.1★
Links to More Info: BT990073
Component: Access Policy Manager
Symptoms:
APM end user clients fail to establish VPN access using the browser to BIG-IP APM systems running 13.1.3.6, 14.1.4, 15.1.2.1, or 16.0.1.1 with APM Client versions 7.1.8.4, 7.1.9.7, 7.2.1 or earlier in their respective software branches.
You may observe the following error message in a pop up dialog of the browser when the network access fails to launch:
=============
"F5 VPN - Your session could not be established"
"Your session could not be established.
The session reference number: nnnnnnnn
Application will be closed"
=============
Conditions:
-- This can occur after upgrading to the following BIG-IP versions:
- 13.1.3.6
- 14.1.4
- 15.1.2.1
- 16.0.1.1
-- APM end user clients are running 7.1.8.4 or earlier, 7.1.9, 7.1.9.7, or 7.2.1.
Impact:
APM end user clients, using the browser, cannot establish VPN access to the BIG-IP system.
Workaround:
Edge Clients (apmclients) versions 7.1.8.4, v7.1.9, and v7.1.9.7 (and earlier), do not work with BIG-IP versions beginning with v16.0.1.1, v15.1.2.1, v14.1.4, or v13.1.3.6. You must use later Edge Client versions.
-- If you are running 7.1.8.4 and earlier, upgrade to 7.1.8.5.
-- If you are running 7.1.9 or 7.1.9.7, upgrade to 7.1.9.8.
-- If you are running 7.2.1, upgrade to 7.2.1.1.
You can find versions 7.1.8.5, 7.1.8.9 and 7.2.1.1 on the F5 Downloads site :: https://downloads.f5.com/esd/index.jsp
For more information, see K13757: BIG-IP Edge Client version matrix :: https://support.f5.com/csp/article/K13757 and K01733249: What version of BIG-IP Edge Client should I use on my APM? :: https://support.f5.com/csp/article/K01733249
Fix:
BIG-IP APM releases now include the appropriately corresponding APM Clients.
Fixed Versions:
15.1.9
989753-2 : In HA setup, standby fails to establish connection to server
Links to More Info: BT989753
Component: Service Provider
Symptoms:
In a high availability (HA) setup, standby fails to establish a connection to the server with the log message:
err tmm[819]: 01850008:3: MR: Received HA message targeting missing transport-config
Conditions:
In MRF (diameter/SIP) HA setup with connection mirroring enabled.
Impact:
Standby BIG-IP system fails to establish a connection to the server.
Workaround:
None.
Fix:
Standby is now able to establish a connection to the server.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
989701-5 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response
989517-2 : Acceleration section of virtual server page not available in DHD
Links to More Info: BT989517
Component: TMOS
Symptoms:
Cannot use Advanced Menu to create a virtual server for HTTP/2 on systems with DHD licenses. This occurs because the Acceleration section is not available.
You can create the virtual server via TMSH and it works, but as soon as you use the GUI to modify the virtual server, it loses the HTTP/2 configuration.
Conditions:
The Acceleration section is not visible in case 'DoS' is provisioned (available with the DHD license).
Impact:
1) You are unable to use the GUI to modify any parameters of the Acceleration table in the virtual server page.
2) Loss of configuration items if making changes via the GUI.
Workaround:
A virtual server with parameters present in the Acceleration table can still be created using TMSH. However, do not edit that virtual server in the GUI, or the Acceleration parameters will be lost.
Fix:
The Acceleration table is now visible, and there is no loss of configuration items if making changes via the GUI.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
989501-1 : A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus
Links to More Info: BT989501
Component: TMOS
Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might fall or drop off of PCI bus, resulting in the BIG-IP system not being able to process traffic. If this happens, a daemon_heartbeat failsafe gets triggered instead of dataplane_inoperable_t action.
Conditions:
The conditions that lead the HSB to fall off of the PCI bus are unknown at this time.
Impact:
The BIG-IP system is unable to pass traffic and a failover is triggered.
Workaround:
Reboot the device or the blade to recover from the situation and monitor for re-occurrence. If it happens again, it could indicate a potential underlying hardware issue.
Fix:
The dataplane_inoperable_t High Availability (HA) event should be triggered by the overdog process (which monitors the HA table for failover action types of restart, restart-all, or reboot) and allow the system to be rebooted to recover.
Fixed Versions:
16.1.4, 15.1.10
989373-3 : CVE-2020-14314 kernel: buffer uses out of index in ext3/4 filesystem
Links to More Info: K67830124
988793 : SecureVault on BIG-IP tenant does not store unit key securely
Links to More Info: BT988793
Component: TMOS
Symptoms:
BIG-IP tenants running on the VELOS platform do not store the SecureVault unit key securely.
Conditions:
BIG-IP tenant running on the VELOS platform.
Impact:
The BIG-IP tenant does not utilize secure storage for unit key.
Workaround:
None
Fix:
BIG-IP tenants running on the VELOS platform now securely store the unit key.
Fixed Versions:
17.1.0, 15.1.4
988761-1 : Cannot create Protected Object in GUI
Links to More Info: BT988761
Component: Advanced Firewall Manager
Symptoms:
The GUI page is stuck in the loading phase and never completes the Protected Object creation step.
Conditions:
This occurs in normal operation.
Impact:
Cannot create Protected Objects using the GUI.
Workaround:
Use tmsh to create Protected Objects.
Fix:
GUI Page no longer gets stuck in loading phase and completes the Protected Object creation step.
Fixed Versions:
16.1.0, 15.1.4
988645 : Traffic may be affected after tmm is aborted and restarted
Links to More Info: BT988645
Component: TMOS
Symptoms:
Traffic may be affected after tmm is aborted and restarted.
/var/log/tmm contains a lot of "DAG Proxy failed" messages.
Conditions:
-- A BIG-IP device is deployed in a VELOS tenant
-- Tmm aborts and restarts for some reason.
Impact:
Traffic disrupted while tmm restarts. Traffic may be disrupted even after tmm has restarted.
Workaround:
Reboot the tenant
Fix:
Fixed system behavior when tmm is aborted and restarted.
Fixed Versions:
17.1.0, 15.1.4
988589-5 : CVE-2019-25013 glibc vulnerability: buffer over-read in iconv
Links to More Info: K68251873
988533-1 : GRE-encapsulated MPLS packet support
Links to More Info: BT988533
Component: TMOS
Symptoms:
There is no facility to accept packets using GRE-encapsulated MPLS. The GUI gives only encapsulation options for IP address (0x0800) and transparent ethernet bridging (0x6558).
Conditions:
This is encountered when attempting to configure BIG-IP systems to handle GRE-encapsulated MPLS.
Impact:
Packets get dropped when they are GRE-encapsulated with MPLS.
Workaround:
None
Fix:
Encapsulated MPLS packets over GRE are now supported in a way similar to IP address and transparent ethernet bridging.
Fixed Versions:
17.0.0, 15.1.4.1, 14.1.4.5
988165-2 : VMware CPU reservation is now enforced.
Links to More Info: BT988165
Component: TMOS
Symptoms:
CPU reservation is not enabled, which can result in insufficient CPU resources for the Virtual Edition guest.
Conditions:
BIG-IP Virtual Edition running in VMware.
Impact:
Performance may be lower than expected, particularly if ESXi is oversubscribed and traffic volume is high.
Workaround:
Manually enforce the 2GHz per core rule when provisioning VMware instances to ensure that your VMware hosts are not oversubscribed.
Fix:
The VMware CPU reservation of 2GHz per core is now automatically enabled in the OVF file. The CPU reservation can be up to 100 percent of the defined virtual machine hardware. For example, if the hypervisor has 2.0 GHz cores, and the VE is set to 4 cores, you will see 4 x 2.0 GHz reserved for 8GHz (or 8000 MHz).
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
988005-1 : Zero active rules counters in GUI
Links to More Info: BT988005
Component: Advanced Firewall Manager
Symptoms:
When accessing Security :: Network Firewall :: Active Rules in UI, the active rules count is stuck at 0 (zero).
Conditions:
Access the following menu path:
Security :: Network Firewall :: Active Rules
Impact:
Incorrect information on active rules count is seen in the UI.
Workaround:
Disable firewall inline editor.
Fix:
The active rules count column now displays the correct number of times a rule has been hit.
Fixed Versions:
16.1.0, 16.0.1.2, 15.1.4, 14.1.4.2
987885-4 : Half-open unclean SSL termination might not close the connection properly
Links to More Info: BT987885
Component: Local Traffic Manager
Symptoms:
Upon receiving TCP FIN from the client in the middle of the SSL Application Data, the BIG-IP system does not close the connection on either client- or server-side (i.e., it does not 'forward' the FIN on the server-side as it normally does) causing the connection to go stale until the timeout is reached.
Conditions:
-- TCP and SSL profiles configured on a virtual server.
-- Client terminates the connection in the middle of an SSL record.
Impact:
Connection termination does not happen. Connection remains in the connection table until idle timeout is reached.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
987637-2 : DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware
Links to More Info: BT987637
Component: Advanced Firewall Manager
Symptoms:
BIG-IP systems mitigate traffic on all of the IP addresses in an address list when certain DoS vectors are detected on a virtual server.
Conditions:
-- BIG-IP hardware platform equipped with Neuron (BIG-IP iSeries)
-- Virtual server configured with a DoS profile
-- Flood traffic reaches the virtual server
Impact:
For Neuron-supported hardware, virtual servers with subnet destinations are not properly mitigated when flood vectors are detected.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0, 15.1.4
987605-2 : DDoS: ICMP attacks are not hardware-mitigated
Links to More Info: BT987605
Component: Advanced Firewall Manager
Symptoms:
ICMP/Fragments attacks against a virtual server with a DoS profile are not mitigated by hardware.
Conditions:
ICMP/Fragments attacks mitigation/detection is configured on a virtual system with neuron-capable hardware.
Impact:
ICMP/Fragments attacks mitigation/detection is handled in software. A large volume of attack traffic can spike the tmm CPU.
Workaround:
None
Fix:
Until the hardware is fixed, the software uses the SPVA in hardware to mitigate these attacks.
Fixed Versions:
15.1.4
987345-1 : Disabling periodic-refresh-log has no effect
Links to More Info: BT987345
Component: Advanced Firewall Manager
Symptoms:
Port Block Allocation (PBA) periodic-refresh-log set to '0' - disabled is not honored. You might see messages similar to the following logged in /var/log/ltm or sent to remote logging destinations:
info tmm[6215]: 23003168 "Port Block Periodic Log","10.10.10.10","0","","10.10.10.10","0","1024","1031","16164968240","","unknown".
Conditions:
PBA periodic-refresh-log set to '0'.
Impact:
System provides unnecessary, excessive logging.
Workaround:
None
Fix:
Port Block Allocation (PBA) periodic-refresh-log set to '0' - disabled is now honored. "Port Block Periodic Log" messages are no longer logged with this configuration setting.
Fixed Versions:
16.1.0, 15.1.4.1
987341-2 : BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers.
Links to More Info: BT987341
Component: Access Policy Manager
Symptoms:
BIG-IP discovers and updates JSON Web Keys (JWK) in OpenID Connect (OIDC) deployments using a Java Runtime Environment (JRE). The JRE in BIG-IP does not support strong TLS ciphers, so the discovery/update process can fail against OIDC providers that enforce strong encryption requirements.
Conditions:
Using an OpenID Connect provider that allows only strong TLS ciphers, and using an APM configuration that validates incoming JWTs against a dynamic JWK list in Internal Validation Mode.
Impact:
This might cause discovery to fail against certain OpenID Connect auth providers that enforce strong cipher requirements. It could lead to JWT validation failure as the JWKs expire and cannot be updated by BIG-IP.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
987301-1 : Software install on vCMP guest via block-device may fail with error 'reason unknown'
Links to More Info: BT987301
Component: TMOS
Symptoms:
When installing an engineering hotfix (EHF) on a vCMP guest via block-device, sometimes it fails with 'reason unknown'.
-- /var/log/liveinstall may contain an error similar to:
I/O error : Input/output error
/tmp/lind_util.voCQOs/BIGIP1610/install/fsinfo.xml:1: parser error : Document is empty
-- /var/log/kern.log may contain an error similar to:
Aug 14 14:15:54 bigip1 info kernel: attempt to access beyond end of device
Aug 14 14:15:54 bigip1 info kernel: sr0: rw=0, want=3560560, limit=312712
Conditions:
This might occur after multiple attempts to install an EHF on a vCMP guest via block-device:
tmsh install sys software block-device-hotfix Hotfix-BIGIP-14.1.2.6.0.77.2-ENG.iso volume HD1.3
Impact:
Sometimes the EHF installation fails on the guest.
Workaround:
-- Retry the software installation.
-- If the software installation continues to fail, copy the ISO images into the vCMP guest, and use those to perform the installation.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
987113-1 : CMP state degraded while under heavy traffic
Links to More Info: BT987113
Component: TMOS
Symptoms:
When a VELOS 8 blade system is under heavy traffic, the clustered multiprocessing (CMP) state could become degraded. This could show up as a dramatic drop in traffic performance.
Conditions:
Exact conditions are unknown; the issue was observed while under heavy traffic with all 8 blades configured for a tenant.
Impact:
System performance drops dramatically.
Workaround:
Lower traffic load.
Fix:
Fixed an inconsistent CMP state.
Fixed Versions:
17.1.0, 15.1.4, 14.1.5
987077-1 : TLS1.3 with client authentication handshake failure
Links to More Info: BT987077
Component: Local Traffic Manager
Symptoms:
SSL handshakes fail, and TLS clients send 'Bad Record MAC' errors.
Conditions:
-- LTM authentication profile using OCSP and TLS1.3.
-- Client application data arrives during LTM client authentication iRule.
Impact:
-- A handshake failure occurs.
-- Client certificate authentication may pass without checking its validity via OCSP.
Workaround:
Use TLS1.2 or use TLS1.3 without the LTM authentication profile.
Fix:
Handshake completes if using TLS1.3 with client authentication and LTM auth profile.
Fixed Versions:
17.0.0, 16.1.3, 15.1.5.1, 14.1.