Supplemental Document : BIG-IP 15.1.6 Fixes and Known Issues

Applies To:

BIG-IP AAM

  • 15.1.6

BIG-IP APM

  • 15.1.6

BIG-IP Link Controller

  • 15.1.6

BIG-IP Analytics

  • 15.1.6

BIG-IP LTM

  • 15.1.6

BIG-IP AFM

  • 15.1.6

BIG-IP PEM

  • 15.1.6

BIG-IP DNS

  • 15.1.6

BIG-IP FPS

  • 15.1.6

BIG-IP ASM

  • 15.1.6

Updated Date: 06/06/2022

BIG-IP Release Information

Version: 15.1.6
Build: 8.0

Note: This content is current as of the software release date. Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.


Cumulative fixes from BIG-IP v15.1.5.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.5 that are included in this release
Cumulative fixes from BIG-IP v15.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.4 that are included in this release
Cumulative fixes from BIG-IP v15.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.3 that are included in this release
Cumulative fixes from BIG-IP v15.1.2.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.2 that are included in this release
Cumulative fixes from BIG-IP v15.1.1 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.5 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.4 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v15.1.0.1 that are included in this release
Known Issues in BIG-IP v15.1.x

Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1021005 3-Major   IPI IPV6 traffic Reputation. 15.1.6


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1058509 1-Blocking   Platform_agent crash on tenant token renewal 15.1.6
1075229 3-Major   Jumbo frames not supported 15.1.6
1048977 3-Major BT1048977 IPSec tunnel is not coming up after tmm/system restart when ipsec.removeredundantsa db variable is enabled 15.1.6


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1084953 2-Critical BT1084953 CPU usage increase observed in some Ramcache::HTTP tests on BIG-IP Virtual Edition 15.1.6
1084929 2-Critical BT1084929 Performance drop observed in some Ramcache::HTTP tests on BIG-IP Virtual Edition 15.1.6


Performance Fixes

ID Number Severity Links to More Info Description Fixed Versions
1063173-1 2-Critical BT1063173 Blob size consistency after changes to pktclass. 15.1.6


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1082885-2 3-Major BT1082885 MR::message route virtual asserts when configuration changes during ongoing traffic 15.1.6, 16.1.2.2



Cumulative fixes from BIG-IP v15.1.5.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
965853-2 CVE-2022-28695 K08510472, BT965853 IM package file hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
964489-2 CVE-2022-28695 K08510472, BT964489 Protocol Inspection IM package hardening 14.1.4.6, 15.1.5.1, 16.1.2.2
1051561-2 CVE-2022-1388 K23605346, BT1051561 BIG-IP iControl REST vulnerability CVE-2022-1388 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
993981-1 CVE-2022-28705 K52340447, BT993981 TMM may crash when ePVA is enabled 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
982697-5 CVE-2022-26071 K41440465, BT982697 ICMP hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
951257-3 CVE-2022-26130 K82034427, BT951257 FTP active data channels are not established 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
946325-2 CVE-2022-28716 K25451853, BT946325 PEM subscriber GUI hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
830361-2 CVE-2012-6711 K05122252, BT830361 CVE-2012-6711 Bash Vulnerability 14.1.4.6, 15.1.5.1, 16.1.2.2
1087201-5 CVE-2022-0778 K31323265, BT1087201 OpenSSL Vulnerability: CVE-2022-0778 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1078721-2 CVE-2022-27189 K16187341, BT1078721 TMM may consume excessive resources while processing ICAP traffic 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1067993-5 CVE-2022-28714 K54460845, BT1067993 APM Windows Client installer hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1059185-2 CVE-2022-26415 K81952114, BT1059185 iControl REST Hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1057801-5 CVE-2022-28707 K70300233, BT1057801 TMUI does not follow current best practices 14.1.4.6, 15.1.5.1, 16.1.2.2
1029629-2 CVE-2022-28706 K03755971, BT1029629 TMM may crash while processing DNS lookups 15.1.5.1, 16.1.2
1019161-4 CVE-2022-29263 K33552735, BT1019161 Windows installer (VPN through browser components installer) as administrator user uses temporary folder to create files 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1002565-3 CVE-2021-23840 K24624116, BT1002565 OpenSSL vulnerability CVE-2021-23840 14.1.4.6, 15.1.5.1, 16.1.2.2
992073-4 CVE-2022-27181 K93543114, BT992073 APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
982757-5 CVE-2022-26835 K53197140 APM Access Guided Configuration hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
982341-5 CVE-2022-26835 K53197140, BT982341 iControl REST endpoint hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
975593-3 CVE-2022-29473 K06323049, BT975593 TMM may crash while processing IPSec traffic 13.1.5, 14.1.4.5, 15.1.5.1
968725-3 CVE-2017-10661 K04337834, BT968725 Linux Kernel Vulnerability CVE-2017-10661 15.1.5.1
931677-5 CVE-2022-29479 K64124988, BT931677 IPv6 hardening 13.1.5, 14.1.4.6, 15.1.5.1
919249-2 CVE-2022-28859 K47662005, BT919249 NETHSM installation script hardening 14.1.4.6, 15.1.5.1
915981-3 CVE-2022-26340 K38271531, BT915981 BIG-IP SCP hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
823877-5 CVE-2019-10098, CVE-2020-1927 K25126370, BT823877 CVE-2019-10098 and CVE-2020-1927 Apache mod_rewrite vulnerability 14.1.4.5, 15.1.5.1, 16.1.2.2
1071365-4 CVE-2022-29474 K59904248, BT1071365 iControl SOAP WSDL hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1066729-3 CVE-2022-28708 K85054496, BT1066729 TMM may crash while processing DNS traffic 15.1.5.1, 16.1.2.2
1057809-5 CVE-2022-27659 K41877405, BT1057809 Saved dashboard hardening 14.1.4.6, 15.1.5.1, 16.1.2.2
1016657-3 CVE-2022-26517 K54082580, BT1016657 TMM may crash while processing LSN traffic 13.1.5, 14.1.4.6, 15.1.5.1
1009049-5 CVE-2022-27636 K57110035, BT1009049 Browser-based VPN did not follow best practices while logging. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1001937-3 CVE-2022-27634 K57555833, BT1001937 APM configuration hardening 15.1.5.1, 16.1.2.2
713754-2 CVE-2017-15715 K27757011 Apache vulnerability: CVE-2017-15715 14.1.4.5, 15.1.5.1, 16.1.2.2


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1050537-2 2-Critical BT1050537 GTM pool member with none monitor will be part of load balancing decisions. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
972489-2 3-Major   BIG-IP Appliance Mode iControl hardening 15.1.5.1
930633-3 3-Major BT930633 Delay in using new route updates by existing connections on BIG-IP. 14.1.4.5, 15.1.5.1
1046669-2 3-Major BT1046669 The audit forwarders may prematurely time out waiting for TACACS responses 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1033837-2 4-Minor K23605346, BT1033837 REST authentication tokens persist on reboot 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1060149-1 1-Blocking BT1060149 BIG-IP vCMP guest data-plane failure with turboflex-adc selected on the host. 15.1.5.1, 16.1.2.2
976669-2 2-Critical BT976669 FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade 14.1.4.6, 15.1.5.1, 16.1.2.2
957897-1 2-Critical BT957897 Unable to modify gateway-ICMP monitor fields in the GUI 13.1.5, 14.1.4.6, 15.1.5.1
894133-1 2-Critical BT894133 After ISO upgrade the SSL Orchestrator guided configuration user interface is not available. 15.1.5.1
865329-1 2-Critical BT865329 WCCP crashes on "ServiceGroup size exceeded" exception 15.1.5.1
718573-3 2-Critical BT718573 Internal SessionDB invalid state 14.1.4.4, 15.1.5.1
1075905-1 2-Critical BT1075905 TCP connections may fail when hardware SYN Cookie is active 15.1.5.1
1048141-2 2-Critical BT1048141 Sorting pool members by 'Member' causes 'General database error' 14.1.4.6, 15.1.5.1, 16.1.2.2
999125-2 3-Major BT999125 After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
994305-1 3-Major BT994305 The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5 15.1.5.1, 16.1.2.1
988165-2 3-Major BT988165 VMware CPU reservation is now enforced. 15.1.5.1, 16.1.2.2
984585-1 3-Major BT984585 IP Reputation option not shown in GUI. 15.1.5.1, 16.1.2.2
968657-2 3-Major BT968657 Added support for IMDSv2 on AWS 15.1.5.1, 16.1.2.1
963541-2 3-Major BT963541 Net-snmp5.8 crash 15.1.5.1, 16.1.2.2
943793-2 3-Major BT943793 Neurond continuously restarting. 14.1.4, 15.1.5.1
943577-2 3-Major BT943577 Full sync failure for traffic-matching-criteria with port list under certain conditions 14.1.4.6, 15.1.5.1, 16.1.2.2
919317-5 3-Major BT919317 NSM consumes 100% CPU processing nexthops for recursive ECMP routes 13.1.5, 14.1.4.6, 15.1.5.1
918409-2 3-Major BT918409 BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures 13.1.5, 14.1.4.6, 15.1.5.1
912253-1 3-Major BT912253 Non-admin users cannot run show running-config or list sys 15.1.5.1, 16.1.2.2
901669-4 3-Major BT901669 Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change. 14.1.4.6, 15.1.5.1, 16.1.2.2
755976-4 3-Major BT755976 ZebOS might miss kernel routes after mcpd daemon restart 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
741702-2 3-Major BT741702 TMM crash 14.1.4.4, 15.1.5.1
730852-1 3-Major BT730852 The tmrouted repeatedly crashes and produces core when new peer device is added 14.1.4.4, 15.1.5.1
1076785 3-Major BT1076785 Virtual server may not properly exit from hardware SYN Cookie mode 15.1.5.1
1075729-1 3-Major BT1075729 Virtual server may not properly exit from hardware SYN Cookie mode 15.1.5.1
1066285-3 3-Major BT1066285 Master Key decrypt failure - decrypt failure. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1063473-2 3-Major BT1063473 While establishing a high availability (HA) connection, the number of npus in DAG context may be overwritten incorrectly 15.1.5.1
1061797-2 3-Major BT1061797 Upgraded AWS CloudFormation Helper Scripts which now support IMDSv2 15.1.5.1, 16.1.2.2
1060181 3-Major BT1060181 SSL handshakes fail when using CRL certificate validator. 15.1.5.1
1056993-1 3-Major   404 error is raised on GUI when clicking "App IQ." 14.1.4.6, 15.1.5.1, 16.1.2.2
1056741 3-Major BT1056741 ECDSA certificates signed by RSA CA are not selected based by SNI. 15.1.5.1, 16.1.2.2
1048541-2 3-Major BT1048541 Certificate Order Manager: renew requests to the Comodo (now Sectigo) CA are unsuccessful. 15.1.5.1, 16.1.2.2
1047169-2 3-Major BT1047169 GTM AAAA pool can be deleted from the configuration despite being in use by an iRule. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1036613-1 3-Major BT1036613 Client flow might not get offloaded to PVA in embryonic state 15.1.5.1
1032257-2 3-Major BT1032257 Forwarded PVA offload requests fail on platforms with multiple PDE/TMM 15.1.5.1
1019085-1 3-Major BT1019085 Network virtual-addresses fail to retain the "icmp-echo enabled" property following an upgrade or reload of the configuration from file. 13.1.5, 14.1.4.6, 15.1.5.1
1008269-3 3-Major BT1008269 Error: out of stack space 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
976337-1 4-Minor BT976337 i40evf Requested 4 queues, but PF only gave us 16. 15.1.5.1, 16.1.2.2
1058677-1 4-Minor BT1058677 Not all SCTP connections are mirrored on the standby device when auto-init is enabled. 14.1.4.6, 15.1.5.1, 16.1.2.2
1051797-2 4-Minor   Linux kernel vulnerability: CVE-2018-18281 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1046693-3 4-Minor BT1046693 TMM with BFD configured might crash under significant memory pressure 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1045549-3 4-Minor BT1045549 BFD sessions remain DOWN after graceful TMM restart 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1040821-3 4-Minor BT1040821 Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1034589-2 4-Minor BT1034589 No warning is given when a pool or trunk that was in use by a high availability (HA) Group is deleted from the configuration. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1031425-2 4-Minor BT1031425 Provide a configuration flag to disable BGP peer-id check. 14.1.4.6, 15.1.5.1, 16.1.2.2
1030645-3 4-Minor BT1030645 BGP session resets during traffic-group failover 14.1.4.6, 15.1.5.1, 16.1.2.2
1024621-3 4-Minor BT1024621 Re-establishing BFD session might take longer than expected. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1023817-1 4-Minor BT1023817 Misleading "Enabling NAT64 for virtual server with security NAT policy configured is redundant/not required." warning 15.1.5.1
1002809-1 4-Minor BT1002809 OSPF vertex-threshold should be at least 100 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
946481-1 2-Critical BT946481 Virtual Edition FIPS not compatible with TLS 1.3 14.1.4.6, 15.1.5.1
910213-2 2-Critical BT910213 LB::down iRule command is ineffective, and can lead to inconsistent pool member status 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
881401-1 2-Critical BT881401 TMM crash at Tcl_AfterCancelByUF() while deleting connections. 15.1.5.1
1080581-3 2-Critical BT1080581 Virtual server creation is not allowed to have TCP, UDP and HTTP together with Client or Server SSL Profiles. 15.1.5.1
1069629-3 2-Critical   TMM may crash while processing TLS traffic 15.1.5.1, 16.1.2.2
1067397 2-Critical BT1067397 TMM cored after response, due to receipt of GOAWAY frame from server post TCP FIN. 15.1.5.1
1064617-2 2-Critical BT1064617 DBDaemon process may write to monitor log file indefinitely 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1059053-1 2-Critical BT1059053 Tmm crash when passing traffic over some configurations with L2 virtual wire 15.1.5.1, 16.1.2.2
1009161-1 2-Critical BT1009161 SSL mirroring protect for null sessions 14.1.4.5, 15.1.5.1
999901-3 3-Major K68816502, BT999901 Certain LTM policies may not execute correctly after a system reboot or TMM restart. 14.1.4.6, 15.1.5.1, 16.1.2.2
987077-1 3-Major BT987077 TLS1.3 with client authentication handshake failure 14.1.4.6, 15.1.5.1
967101-2 3-Major BT967101 When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out. 14.1.4.6, 15.1.5.1, 16.1.2.2
955617-2 3-Major BT955617 Cannot modify properties of a monitor that is already in use by a pool 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
939085-2 3-Major BT939085 /config/ssl/ssl.csr directory disappears after creating certificate archive 14.1.4.6, 15.1.5.1
937769-2 3-Major BT937769 SSL connection mirroring failure on standby with sslv2 records 15.1.5.1
936441-2 3-Major BT936441 Nitrox5 SDK driver logging messages 15.1.5.1, 16.1.2.2
927713-1 3-Major BT927713 Clsh reboot hangs when executed from the primary blade. 15.1.5.1
912517-2 3-Major BT912517 Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
910905-1 3-Major BT910905 TMM crash when processing virtual server traffic with TLS/SSL session cache enabled 14.1.4.4, 15.1.5.1
910673-4 3-Major BT910673 Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM' 15.1.5.1, 16.1.2.1
902377-2 3-Major BT902377 HTML profile forces re-chunk even though HTML::disable 15.1.5.1, 16.1.2.2
892485-2 3-Major BT892485 A wrong OCSP status cache may be looked up and re-used during SSL handshake. 14.1.4.6, 15.1.5.1
892073-3 3-Major BT892073 TLS1.3 LTM policy rule based on SSL SNI is not triggered 14.1.4.6, 15.1.5.1
872721-3 3-Major BT872721 SSL connection mirroring intermittent failure with TLS1.3 14.1.4.5, 15.1.5.1
838353-1 3-Major BT838353 MQTT monitor is not working in route domain. 14.1.4.6, 15.1.5.1
825245-4 3-Major BT825245 SSL::enable does not work for server side ssl 14.1.4.6, 15.1.5.1
803109-3 3-Major BT803109 Certain configuration may result in zombie forwarding flows 14.1.4.6, 15.1.5.1, 16.1.2.2
794385-3 3-Major BT794385 BGP sessions may be reset after CMP state change 15.1.5.1, 16.1.2.2
793669-5 3-Major BT793669 FQDN ephemeral pool members on a high availability (HA) pair do not get the new session value properly synced. 13.1.5, 14.1.4.6, 15.1.5.1
760406-1 3-Major BT760406 HA connection might stall on Active device when the SSL session cache becomes out-of-sync. 14.1.4.1, 15.1.5.1
672963-2 3-Major BT672963 MSSQL monitor fails against databases using non-native charset 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1068561 3-Major BT1068561 Can't create key on the second netHSM partition. 15.1.5.1, 16.1.2.2
1058469-2 3-Major BT1058469 Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working. 14.1.4.6, 15.1.5.1, 16.1.2.2
1056401-3 3-Major BT1056401 Valid clients connecting under active syncookie mode might experience latency. 15.1.5.1, 16.1.2.2
1052929-3 3-Major BT1052929 MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1043357-3 3-Major BT1043357 SSL handshake may fail when using remote crypto client 14.1.4.6, 15.1.5.1, 16.1.2.2
1031609 3-Major BT1031609 Improve nethsm-thales-install.sh and nethsm-thales-rfs-install.sh to be compatible with Entrust Client v12.60.10 package. 15.1.5.1, 16.1.2.1
1029897-2 3-Major K63312282, BT1029897 Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1024841-1 3-Major BT1024841 SSL connection mirroring with ocsp connection failure on standby 15.1.5.1, 16.1.2.2
1023341-2 3-Major   HSM hardening 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.1
1021713-3 3-Major   TMM may crash when processing AFM NAT64 policy 15.1.5.1, 16.1.2
1019609 3-Major BT1019609 No error logging when BIG-IP device's IP address is not added in client list on netHSM. 15.1.5.1, 16.1.2.1
1017513-3 3-Major BT1017513 Config sync fails with error Invalid monitor rule instance identifier 13.1.5, 14.1.4.5, 15.1.5.1, 16.1.2.1
1016449-2 3-Major BT1016449 After certain configuration tasks are performed, TMM may run with stale Self IP parameters. 14.1.4.6, 15.1.5.1, 16.1.2.2
1016049-4 3-Major BT1016049 EDNS query with CSUBNET dropped by protocol inspection 14.1.4.6, 15.1.5.1, 16.1.2.2
1015161-2 3-Major BT1015161 Ephemeral pool member may not be created when FQDN resolves to address that matches static node 13.1.5, 14.1.4.5, 15.1.5.1
1008501-3 3-Major BT1008501 TMM core 14.1.4.6, 15.1.5.1, 16.1.2.2
1008009-2 3-Major BT1008009 SSL mirroring null hs during session sync state 14.1.4.5, 15.1.5.1, 16.1.2.2
838305-7 4-Minor BT838305 BIG-IP may create multiple connections for packets that should belong to a single flow. 14.1.4.6, 15.1.5.1, 16.1.2.2
801705-6 4-Minor BT801705 When inserting a cookie or a cookie attribute, BIG-IP does not add a leading space, required by RFC 13.1.3.6, 14.1.3.1, 15.1.5.1
717806-1 4-Minor BT717806 In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1064669-2 4-Minor BT1064669 Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash. 15.1.5.1, 16.1.2.2
1048433 4-Minor BT1048433 Improve extract logic of thales-sync.sh to support VIPRION cluster and 12.6.10 client installation. 15.1.5.1, 16.1.2.1
1045913-3 4-Minor BT1045913 COMPRESS::disable/COMPRESS::enable don't work reliably for selective compression 14.1.4.5, 15.1.5.1
1026605-4 4-Minor BT1026605 When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1026005-2 4-Minor BT1026005 BIG-IP Virtual Edition (VE) does NOT preserve the order of NICs 5-10 defined in the VMware ESXi hypervisor and NSXT platforms. 15.1.5.1, 16.1.2.2
1016441-3 4-Minor   RFC Enforcement Hardening 14.1.4.6, 15.1.5.1, 16.1.2.2
968581-2 5-Cosmetic BT968581 TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description 15.1.5.1, 16.1.2.2
873249-1 5-Cosmetic BT873249 Switching from fast_merge to slow_merge can result in incorrect tmm stats 13.1.5, 14.1.4.6, 15.1.5.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1062513-3 2-Critical BT1062513 GUI returns 'no access' error message when modifying a GTM pool property. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1027657-3 2-Critical BT1027657 Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules. 15.1.5.1, 16.1.2.2
1010617-3 2-Critical BT1010617 String operation against DNS resource records causes tmm memory corruption 15.1.5.1, 16.1.2.2
874221-1 3-Major BT874221 DNS response recursion desired (rd) flag does not match DNS query when using iRule command DNS::header rd 15.1.5.1
872037-2 3-Major BT872037 DNS::header rd does not set the Recursion desired 15.1.5.1
1046785-3 3-Major BT1046785 Missing GTM probes when max synchronous probes are exceeded. 13.1.5, 15.1.5.1, 16.1.2.2
1044425-3 3-Major K85021277, BT1044425 NSEC3 record improvements for NXDOMAIN 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1039205 3-Major BT1039205 DNSSEC key stored on netHSM fails to generate if the key name length is > 24 14.1.4.6, 15.1.5.1
1020337-1 3-Major BT1020337 DNS msg_ObjType can cause buffer overrun due to lack of NUL terminator 15.1.5.1, 16.1.2.2
1018613-3 3-Major BT1018613 Modifying wideip pools with replace-all-with results in pools with the same order 0 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
885869-2 4-Minor BT885869 Incorrect time used with iQuery SSL certificates utilizing GenericTime instead of UTCTime 14.1.4, 15.1.5.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1069449-2 2-Critical K39002226, BT1069449 ASM attack signatures may not match cookies as expected 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
965785-2 3-Major BT965785 Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine 14.1.4.6, 15.1.5.1, 16.1.2.2
961509-2 3-Major BT961509 ASM blocks WebSocket frames with signature matched but Transparent policy 14.1.4.6, 15.1.5.1, 16.1.2.2
926845-5 3-Major BT926845 Inactive ASM policies are deleted upon upgrade 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
921697-3 3-Major BT921697 Attack signature updates fail to install with Installation Error. 14.1.4.6, 15.1.5.1, 16.1.2.1
818889-2 3-Major BT818889 False positive malformed json or xml violation. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1072197-2 3-Major K94142349, BT1072197 Issue with input normalization in WebSocket. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1067285-2 3-Major BT1067285 Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.' 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1066829-2 3-Major BT1066829 Memory leak for xml/json auto-detected parameter with signature patterns. 15.1.5.1, 16.1.2.2
1060933-2 3-Major   Issue with input normalization. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1051213-2 3-Major BT1051213 Increase default value for violation 'Check maximum number of headers'. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1051209-2 3-Major K53593534, BT1051209 BD may not process certain HTTP payloads as expected 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1047389-2 3-Major BT1047389 Bot Defense challenge hardening 14.1.4.6, 15.1.5.1, 16.1.2.2
1043533-1 3-Major   Unable to pick up the properties of the parameters from audit reports. 15.1.5.1, 16.1.2.2
1043385-3 3-Major BT1043385 No Signature detected If Authorization header is missing padding. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1042605-3 3-Major BT1042605 ASM Critical Warnings during UCS load after upgrade to v15.1.0 or above 15.1.5.1, 16.1.2.2
1041149-2 3-Major BT1041149 Staging of URL does not affect apply value signatures 15.1.5.1, 16.1.2.2
1038733-3 3-Major BT1038733 Attack signature not detected for unsupported authorization types. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1037457-2 3-Major BT1037457 High CPU during specific dos mitigation 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1030853-2 3-Major BT1030853 Route domain IP exception is being treated as trusted (for learning) after being deleted 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1023993-3 3-Major BT1023993 Brute Force is not blocking requests, even when auth failure happens multiple times 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1012221-2 3-Major BT1012221 Message: childInheritanceStatus is not compatible with parentInheritanceStatus 14.1.4.6, 15.1.5.1, 16.1.2.2
1011069-3 3-Major BT1011069 Group/User R/W permissions should be changed for .pid and .cfg files. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1008849-3 3-Major BT1008849 OWASP "A4 XML External Entities (XXE)" is not reflecting the XXE signatures configuration. 15.1.5.1, 16.1.2.2
844045-3 4-Minor BT844045 ASM Response event logging for "Illegal response" violations. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
842029-2 4-Minor BT842029 Unable to create policy: Inherited values may not be changed. 15.1.5.1
1050697-5 4-Minor   Traffic learning page counts Disabled signatures when they are ready to be enforced 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1038741-3 4-Minor BT1038741 NTLM type-1 message triggers "Unparsable request content" violation. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1036521-3 4-Minor BT1036521 TMM crash in certain cases 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1035361-2 4-Minor BT1035361 Illegal cross-origin after successful CAPTCHA 15.1.5.1, 16.1.2.2
1034941-2 4-Minor BT1034941 Exporting and then re-importing "some" XML policy does not load the XML content-profile properly 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1020717-3 4-Minor BT1020717 Policy versions cleanup process sometimes removes newer versions 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
1038913-3 3-Major   The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
883841-1 3-Major BT883841 APM now displays icons of all sizes that Horizon VCS supports. 15.1.5.1
827393-2 3-Major BT827393 In rare cases tmm crash is observed when using APM as RDG proxy. 13.1.5, 14.1.4.5, 15.1.5.1, 16.1.2.1
423519-3 3-Major K74302282, BT423519 Bypass disabling the redirection controls configuration of APM RDP Resource. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
1045229-2 3-Major BT1045229 APMD leaks Tcl_Objs as part of the fix made for ID 1002557 14.1.4.5, 15.1.5.1, 16.1.2.2
1044121-2 3-Major BT1044121 APM logon page is not rendered if db variable "ipv6.enabled" is set to false 14.1.4.5, 15.1.5.1, 16.1.2.2


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1007109-1 2-Critical BT1007109 Flowmap entry is deleted before updating its timeout to INDEFINITE 14.1.4.6, 15.1.5.1
957905-2 3-Major BT957905 SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1061929 2-Critical BT1061929 Unable to perform IPI update (through proxy) after upgrade to 15.1.4. 15.1.5.1
1058645-1 2-Critical BT1058645 ipsecalg blocks Sophos ISAKMP negotiation during tunnel setup. 14.1.4.6, 15.1.5.1
980593 3-Major BT980593 LSN logging stats are always 0 for log_attempts and log_failures in tmctl fw_lsn_log_stat table 15.1.5.1
929909-2 3-Major BT929909 TCP Packets are not dropped in IP Intelligence 15.1.5.1, 16.1.2.2
1079637 3-Major BT1079637 Incorrect Neuron rule order 15.1.5.1
1067393-1 3-Major BT1067393 MCP validation - incorrect config load fail on AFM NAT rule with next-hop pool. 15.1.5.1
1063681-1 3-Major BT1063681 PCCD cored, SIGSEGV in pc::cfg::CMessageProcessor::modify_fqdn. 15.1.5.1
1008265-3 3-Major K92306170, BT1008265 DoS Flood and Sweep vector states are disabled on an upgrade to BIG-IP software versions 14.x and beyond 14.1.4.6, 15.1.5.1, 16.1.2.2
1072057-2 4-Minor BT1072057 "ANY" appears despite setting an IP address or host as the source in Security->Network Firewall->Policy. 14.1.4.6, 15.1.5.1, 16.1.2.2


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
1028269-1 2-Critical BT1028269 Device using CGNAT + subscriber discovery license shows unknown for pem_subscriber-id. 15.1.5.1, 16.1.2.2
1019613-3 2-Critical BT1019613 Unknown subscriber in PBA deployment may cause CPU spike 14.1.4.6, 15.1.5.1, 16.1.2.2


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
873617-2 3-Major BT873617 DataSafe is not available with AWAF license after BIG-IP startup or MCP restart. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1060409-3 4-Minor BT1060409 Behavioral DoS enable checkbox is wrong. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
1033829-1 2-Critical BT1033829 Unable to load Traffic Classification package 14.1.4.5, 15.1.5.1, 16.1.2.2
1052153 3-Major BT1052153 Signature downloads for traffic classification updates via proxy fail 14.1.4.6, 15.1.5.1, 16.1.2.2


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
940261-3 4-Minor BT940261 Support IPS package downloads via HTTP proxy. 14.1.4.6, 15.1.5.1, 16.1.2.2


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
944121-1 3-Major BT944121 Missing SNI information when using non-default domain https monitor running in TMM mode. 13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
1050969-2 1-Blocking BT1050969 After running clear-rest-storage you are logged out of the UI with a message - Your login credentials no longer valid 15.1.5.1, 16.1.2.2
1055361-2 2-Critical BT1055361 Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a tmm crash. 15.1.5.1, 16.1.2.1



Cumulative fixes from BIG-IP v15.1.5 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1056933-5 CVE-2022-26370 K51539421, BT1056933 TMM may crash while processing SIP traffic 14.1.4.6, 15.1.5, 16.1.2.2
1047053-2 CVE-2022-28691 K37155600, BT1047053 TMM may consume excessive resources while processing RTSP traffic 13.1.5, 14.1.4.6, 15.1.5, 16.1.2.2
1045101-3 CVE-2022-26890 K03442392, BT1045101 Bd may crash while processing ASM traffic 13.1.5, 14.1.4.6, 15.1.5, 16.1.2.1
997193-1 CVE-2022-23028 K16101409, BT997193 TCP connections may fail when AFM global syncookies are in operation. 13.1.5, 14.1.4.5, 15.1.5
940185-2 CVE-2022-23023 K11742742, BT940185 icrd_child may consume excessive resources while processing REST requests 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
1047089 CVE-2022-29491 K14229426, BT1047089 TMM may terminate while processing TLS/DTLS traffic 14.1.4.6, 15.1.5, 16.1.2.2
1000021-5 CVE-2022-27182 K31856317, BT1000021 TMM may consume excessive resources while processing packet filters 14.1.4.6, 15.1.5, 16.1.2.2


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1015133-3 3-Major BT1015133 Tail loss can cause TCP TLP to retransmit slowly. 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
749332-2 2-Critical BT749332 Client-SSL Object's description can be updated using CLI and with REST PATCH operation 14.1.4.4, 15.1.5, 16.1.2.1
1040929 2-Critical BT1040929 Change F5OS BIG-IP tenant name from VELOS to F5OS. 15.1.5
1004929-2 2-Critical BT1004929 During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid. 13.1.5, 14.1.4.5, 15.1.5
996001-1 3-Major BT996001 AVR Inspection Dashboard 'Last Month' does not show all data points 14.1.4.5, 15.1.5, 16.1.2.1
940177-1 3-Major BT940177 Certificate instances tab shows incorrect number of instances in certain conditions 15.1.5
888869-2 3-Major BT888869 GUI reports General Database Error when accessing Instances Tab of SSL Certificates 15.1.5
1055785 3-Major BT1055785 SmartNIC 2.0: stats throughput logging is broken on Virtual Edition dashboard. 15.1.5
1048917 3-Major BT1048917 Image2disk does not work on F5OS BIG-IP tenant. 15.1.5
1032949 3-Major BT1032949 Dynamic CRL configured with client authentication profile as "Request" causes connection termination without certificate. 15.1.5, 16.1.2.1
1022637-2 3-Major BT1022637 A partition other than /Common may fail to save the configuration to disk 13.1.5, 14.1.4.6, 15.1.5, 16.1.2.2
1019793 3-Major BT1019793 Image2disk does not work on F5OS BIG-IP tenant. 15.1.5
528894-6 4-Minor BT528894 Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition 13.1.5, 14.1.4.6, 15.1.5, 16.1.2.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1064649-1 2-Critical BT1064649 Tmm crash after upgrade. 15.1.5
1060093 2-Critical BT1060093 Upgrading BIG-IP tenant from 14.1.4.4-0.0.4 to 15.1.5-0.0.3 with blade in the 8th slot causes backplane CDP clustering issues. 15.1.5
1056213 2-Critical BT1056213 TMM core due to freeing of connflow, assuming it as http data. 15.1.5
1040361-2 2-Critical BT1040361 TMM crashes during its startup when TMC destination port list attached/deleted to virtual server. 14.1.4.5, 15.1.5, 16.1.2
1013181-2 2-Critical BT1013181 TMM may produce core when dynamic CRL check is enabled on the client SSL profile 15.1.5
999097-3 3-Major BT999097 SSL::profile may select profile with outdated configuration 14.1.4.5, 15.1.5, 16.1.2.1
967093-1 3-Major BT967093 In SSL forward proxy, when the signing CA cert and the end-entity cert have different signature algorithms, the SSL connection may fail 15.1.5
686395-3 3-Major BT686395 With DTLS version 1, when the client hello uses version 1.2, the handshake shall proceed 12.1.3.4, 15.1.5
608952-1 3-Major BT608952 MSSQL health monitors fail when SQL server requires TLSv1.1 or TLSv1.2 12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.5
1065789-2 3-Major   TMM may send duplicated alerts while processing SSL connections 15.1.5, 16.1.2.1
1038629 3-Major BT1038629 DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
1034365-2 3-Major BT1034365 DTLS handshake fails with DTLS1.2 client version 13.1.5, 14.1.4.5, 15.1.5
1015201 3-Major BT1015201 HTTP unchunking satellite leaks ERR_MORE_DATA which can cause connection to be aborted. 14.1.4.4, 15.1.5
1007749-1 3-Major BT1007749 URI TCL parse functions fail when there are interior segments with periods and semi-colons 15.1.5, 16.1.2.1
1024761-3 4-Minor BT1024761 HTTP adds Transfer-Encoding and terminating chunk to responses that cannot have a body 15.1.5, 16.1.2.1
1005109-2 4-Minor BT1005109 TMM crashes when changing traffic-group on IPv6 link-local address 14.1.4.5, 15.1.5, 16.1.2.1
898929-4 5-Cosmetic BT898929 Tmm might crash when ASM, AVR, and pool connection queuing are in use 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1035853-3 2-Critical K41415626, BT1035853 Transparent DNS Cache can consume excessive resources. 13.1.5, 14.1.4.5, 15.1.5, 16.1.2
935249-2 3-Major BT935249 GTM virtual servers have the wrong status 15.1.5, 16.1.2.1
1039553-2 3-Major BT1039553 Non-200 HTTP status codes fail to be matched by GTM HTTP(S) monitors 15.1.5, 16.1.2.1
1024553-2 3-Major BT1024553 GTM Pool member set to monitor type "none" results in big3d: timed out 13.1.5, 14.1.4.5, 15.1.5
1021061-3 3-Major BT1021061 Config fails to load for large config on platform with Platform FIPS license enabled 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
1011285-2 3-Major BT1011285 The iControl REST API no longer accepts an empty 'lastResortPool' property for wide IP objects. 13.1.5, 14.1.4.6, 15.1.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
993613-5 2-Critical BT993613 Device fails to request full sync 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
984593-2 3-Major BT984593 BD crash 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1
907025-3 3-Major BT907025 Live update error: 'Try to reload page' 14.1.4.5, 15.1.5, 16.1.2.1
885765-3 3-Major BT885765 ASMConfig Handler undergoes frequent restarts 14.1.4.5, 15.1.5, 16.1.2.1
580715-2 3-Major BT580715 ASM is not sending 64 KB remote logs over UDP 15.1.5
1004069-1 3-Major BT1004069 Brute force attack is detected too soon 13.1.5, 14.1.4.5, 15.1.5, 16.1.2
886865-1 4-Minor BT886865 P3P header is added for all browsers, but required only for Internet Explorer 14.1.4.5, 15.1.5
1016033-2 4-Minor BT1016033 Remote logging of WS/WSS shows date_time equal to Unix epoch start time 15.1.5
1002385-3 4-Minor K67397230, BT1002385 Fixing issue with input normalization 14.1.4.6, 15.1.5, 16.1.2.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
1009093-1 2-Critical BT1009093 GUI widgets pages are not functioning correctly 15.1.5, 16.1.2.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
883889-3 2-Critical BT883889 Tmm might crash when under memory pressure 14.1.4.5, 15.1.5
997761-2 3-Major BT997761 Subsessionlist entries leak if there is no RADIUS accounting agent in policy 15.1.5
973673-1 3-Major BT973673 CPU spikes when the LDAP operational timeout is set to 180 seconds 15.1.5
926973-1 3-Major BT926973 APM / OAuth issue with larger JWT validation 15.1.5
828761-1 3-Major BT828761 APM OAuth - Auth Server attached iRule works inconsistently 14.1.4.5, 15.1.5, 16.1.2.1
738593-2 3-Major BT738593 VMware Horizon session collaboration (shadow session) feature does not work through APM. 14.1.4.5, 15.1.5, 16.1.2.1
1020561-1 3-Major BT1020561 Session memory increases over time because db_access_set_accessinfo can leak sresult key/data in the error case 15.1.5
942965-2 4-Minor BT942965 Local users database can sometimes take more than 5 minutes to sync to the standby device 14.1.4.5, 15.1.5
886841-1 4-Minor BT886841 Allow LDAP Query and HTTP Connector for API Protection policies 15.1.5


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1029397-1 2-Critical BT1029397 Tmm may crash with SIP-ALG deployment in a particular race condition 14.1.4.6, 15.1.5, 16.1.2.2
1039329-1 3-Major BT1039329 MRF per peer mode is not working in vCMP guest. 14.1.4.5, 15.1.5, 16.1.2.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
919465-2 2-Critical BT919465 A dwbld core on configuration changes on IP Intelligence policy 15.1.5


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
956013-1 3-Major BT956013 System reports {{validation_errors}} 14.1.4.5, 15.1.5, 16.1.2.1


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
922665-2 3-Major BT922665 The admd process is terminated by watchdog during some heavy-load configuration processing 14.1.4.5, 15.1.5
1023437-3 3-Major   Buffer overflow during attack with large HTTP Headers 13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
1050273-2 3-Major BT1050273 ERR_BOUNDS errors observed with HTTP explicit proxy service in SSL Orchestrator. 15.1.5
1038669-2 3-Major BT1038669 Antserver keeps restarting. 15.1.5, 16.1.2
1032797-2 3-Major BT1032797 Tmm continuously cores when parsing custom category URLs 15.1.5, 16.1.2



Cumulative fixes from BIG-IP v15.1.4.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
999933-3 CVE-2022-23017 K28042514, BT999933 TMM may crash while processing DNS traffic on certain platforms 13.1.5, 14.1.4.5, 15.1.4.1
991421-3 CVE-2022-23016 K91013510, BT991421 TMM may crash while processing TLS traffic 15.1.4.1, 16.1.2
989701-5 CVE-2020-25212 K42355373, BT989701 CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where, when mounting a remote attacker-controlled server, it could return a specially crafted response 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
989637-3 CVE-2022-23015 K08476614, BT989637 TMM may crash while processing SSL traffic 14.1.4.5, 15.1.4.1
988549-5 CVE-2020-29573 K27238230, BT988549 CVE-2020-29573: glibc vulnerability 14.1.4.5, 15.1.4.1, 16.1.2
968893-2 CVE-2022-23014 K93526903, BT968893 TMM crash when processing APM traffic 15.1.4.1, 16.1.2
966901-2 CVE-2020-14364 K09081535, BT966901 CVE-2020-14364: Qemu Vulnerability 13.1.5, 14.1.4.4, 15.1.4.1
940317-4 CVE-2020-13692 K23157312, BT940317 CVE-2020-13692: PostgreSQL JDBC Driver vulnerability 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
910517-1 CVE-2022-23012 K26310765, BT910517 TMM may crash while processing HTTP traffic 14.1.4.5, 15.1.4.1
550928-5 CVE-2022-23010 K34360320, BT550928 TMM may crash when processing HTTP traffic with a FastL4 virtual server 13.1.5, 14.1.4.4, 15.1.4.1
1032405-3 CVE-2021-23037 K21435974, BT1032405 TMUI XSS vulnerability CVE-2021-23037 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1030689-2 CVE-2022-23019 K82793463, BT1030689 TMM may consume excessive resources while processing Diameter traffic 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
1028669-5 CVE-2019-9948 K28622040, BT1028669 Python vulnerability: CVE-2019-9948 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1028573-5 CVE-2020-10878 K40508224, BT1028573 Perl vulnerability: CVE-2020-10878 14.1.4.5, 15.1.4.1, 16.1.2
1028497-5 CVE-2019-15903 K05295469, BT1028497 libexpat vulnerability: CVE-2019-15903 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1012365-2 CVE-2021-20305 K33101555, BT1012365 Nettle cryptography library vulnerability CVE-2021-20305 14.1.4.5, 15.1.4.1, 16.1.2
1007489-5 CVE-2022-23018 K24358905, BT1007489 TMM may crash while handling specific HTTP requests 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
988589-5 CVE-2019-25013 K68251873 CVE-2019-25013 glibc vulnerability: buffer over-read in iconv 15.1.4.1
981693-1 CVE-2022-23024 K54892865, BT981693 TMM may consume excessive resources while processing IPSec ALG traffic 13.1.5, 14.1.4.2, 15.1.4.1
975589-4 CVE-2020-8277 K07944249, BT975589 CVE-2020-8277 Node.js vulnerability 14.1.4.4, 15.1.4.1
974341-2 CVE-2022-23026 K08402414, BT974341 REST API: File upload 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
973409-5 CVE-2020-1971 K42910051, BT973409 CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference 14.1.4.4, 15.1.4.1, 16.1.2
941649-2 CVE-2021-23043 K63163637, BT941649 Local File Inclusion Vulnerability 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1009725-3 CVE-2022-23030 K53442005, BT1009725 Excessive resource usage when ixlv drivers are enabled 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1008077-5 CVE-2022-23029 K50343028, BT1008077 TMM may crash while processing TCP traffic with a FastL4 VS 13.1.5, 14.1.4.4, 15.1.4.1
1001369-2 CVE-2020-12049 K16729408 D-Bus vulnerability CVE-2020-12049 15.1.4.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
754335-3 3-Major BT754335 Install ISO does not boot on BIG-IP VE 14.1.4.4, 15.1.4.1
985953-3 4-Minor BT985953 GRE Transparent Ethernet Bridging inner MAC overwrite 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1042993-2 1-Blocking K19272127, BT1042993 Provisioning high availability (HA) setup wizard fails to load, reports 'No Access' 13.1.5, 14.1.4.5, 15.1.4.1
1039049 1-Blocking BT1039049 Installing EHF on particular platforms fails with error "RPM transaction failure" 14.1.4.5, 15.1.4.1, 16.1.2
997313-3 2-Critical BT997313 Unable to create APM policies in a sync-only folder 15.1.4.1, 16.1.2
942549-2 2-Critical BT942549 Dataplane INOPERABLE - Only 7 HSBs found. Expected 8 14.1.4.4, 15.1.4.1
897509-1 2-Critical BT897509 IPsec SAs are missing on HA standby, leading to packet drops after failover 15.1.4.1
831821-1 2-Critical BT831821 Corrupted DAG packets causes bcm56xxd core on VCMP host 14.1.4.5, 15.1.4.1
1043277-3 2-Critical K06520200, BT1043277 'No access' error page displays for APM policy export and apply options. 13.1.5, 14.1.4.5, 15.1.4.1
992053-1 3-Major BT992053 Pva_stats for server side connections do not update for redirected flows 15.1.4.1
965205-2 3-Major BT965205 BIG-IP dashboard downloads unused widgets 14.1.4.4, 15.1.4.1
958093-3 3-Major BT958093 IPv6 routes missing after BGP graceful restart 13.1.5, 14.1.4.5, 15.1.4.1
947529-2 3-Major BT947529 Security tab in virtual server menu renders slowly 13.1.5, 14.1.4.4, 15.1.4.1
940885-2 3-Major BT940885 Add embedded SR-IOV support for Mellanox CX5 Ex adapter 14.1.4.4, 15.1.4.1
922185-1 3-Major BT922185 LDAP referrals not supported for 'cert-ldap system-auth' 14.1.4.5, 15.1.4.1, 16.1.2
909197-3 3-Major BT909197 The mcpd process may become unresponsive 14.1.4, 15.1.4.1, 16.0.1.1
900933-1 3-Major BT900933 IPsec interoperability problem with ECP PFS 14.1.4.5, 15.1.4.1, 16.0.1.2
887117-2 3-Major BT887117 Invalid SessionDB messages are sent to Standby 15.1.4.1, 16.1.1
881085-3 3-Major BT881085 Intermittent auth failures with remote LDAP auth for BIG-IP management 14.1.4.5, 15.1.4.1, 16.1.2
873641-1 3-Major BT873641 Re-offloading of TCP flows to hardware does not work 15.1.4.1
856953-4 3-Major BT856953 IPsec: TMM cores after ike-peer switched version from IKEv2 to IKEv1 13.1.5, 14.1.2.8, 15.1.4.1
809657-7 3-Major BT809657 HA Group score not computed correctly for an unmonitored pool when mcpd starts 13.1.5, 14.1.4.4, 15.1.4.1
1045421-2 3-Major K16107301, BT1045421 No Access error when performing various actions in the TMOS GUI 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1032737-1 3-Major BT1032737 IPsec: tmm SIGSEGV in getlocaladdr in ikev2_initiate 15.1.4.1, 16.1.2
1032077-2 3-Major BT1032077 TACACS authentication fails with tac_author_read: short author body 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1027713 3-Major BT1027713 SELinux avc: denied { signull } for pid=6207 comm="useradd" on vCMP guest during its deployment. 15.1.4.1
1026549-3 3-Major BT1026549 Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd 14.1.4.5, 15.1.4.1, 16.1.2
1024877-2 3-Major BT1024877 Systemd[]: systemd-ask-password-serial.service failed. 14.1.4.4, 15.1.4.1
1019429-3 3-Major BT1019429 CMP Forwarded flows do not get syncache counter decremented when only server-side is PVA accelerated 15.1.4.1
1018309-3 3-Major BT1018309 Loading config file with imish removes the last character 15.1.4.1, 16.1.1
1015093-3 3-Major BT1015093 The "iq" column is missing from the ndal_tx_stats table 14.1.4.5, 15.1.4.1
1010245-1 3-Major BT1010245 Duplicate ipsec-sa SPI values shown by tmsh command 15.1.4.1
1009949-2 3-Major BT1009949 High CPU usage when upgrading from previous version 14.1.4.4, 15.1.4.1, 16.1.2
1003257-4 3-Major BT1003257 ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
988533-1 4-Minor BT988533 GRE-encapsulated MPLS packet support 14.1.4.5, 15.1.4.1
966073-1 4-Minor BT966073 GENEVE protocol support 15.1.4.1
884165-3 4-Minor BT884165 Datasync regenerating CAPTCHA table causing frequent syncs of datasync-device DG 13.1.5, 14.1.4.4, 15.1.4.1
1030845-2 4-Minor BT1030845 Time change from TMSH not logged in /var/log/audit. 14.1.4.5, 15.1.4.1, 16.1.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
862885-2 2-Critical BT862885 Virtual server-to-virtual server with 'Tail Loss Probe' enabled can result in 'no trailing data' error 14.1.4.5, 15.1.4.1
1020645-1 2-Critical BT1020645 When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered 15.1.4.1
985433-2 3-Major BT985433 Insertion of the X-Forwarded-For HTTP header can fail, causing the client's connection to be reset. 15.1.4.1
978833-2 3-Major BT978833 Use of CRL-based Certificate Monitoring Causes Memory Leak 14.1.4.4, 15.1.4.1
965037-1 3-Major BT965037 SSL Orchestrator does not send HTTP CONNECT tunnel payload to services 15.1.4.1
963705-3 3-Major BT963705 Proxy ssl server response not forwarded 13.1.5, 14.1.4.5, 15.1.4.1
915773-1 3-Major BT915773 Restart of TMM after stale interface reference 14.1.4.4, 15.1.4.1, 16.1.2
904041-2 3-Major BT904041 Ephemeral pool members may be incorrect when modified via various actions 13.1.5, 14.1.4.5, 15.1.4.1
803629-7 3-Major BT803629 SQL monitor fails with 'Analyze Response failure' message even if recv string is correct 13.1.5, 14.1.4.5, 15.1.4.1, 16.0.1.1
758041-1 3-Major BT758041 LTM Pool Members may not be updated accurately when multiple identical database monitors are configured. 13.1.3.5, 14.1.2.7, 15.1.4.1
723112-8 3-Major BT723112 LTM policies do not work if a condition has more than 127 matches 14.1.4.4, 15.1.4.1
1023365-1 3-Major BT1023365 SSL server response could be dropped on immediate client shutdown. 15.1.4.1, 16.1.2
1018577-3 3-Major BT1018577 SASP monitor does not mark pool member with same IP Address but different Port from another pool member 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1012009-1 3-Major BT1012009 MQTT Message Routing virtual may result in TMM crash 15.1.4.1
1008017-5 3-Major BT1008017 Validation failure on Enforce TLS Requirements and TLS Renegotiation 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1006781-1 3-Major BT1006781 Server SYN is sent on VLAN 0 when destination MAC is multicast 15.1.4.1, 16.1.2.2
949721-2 4-Minor BT949721 QUIC does not send control frames in PTO packets 15.1.4.1, 16.0.1.2
936773-2 4-Minor BT936773 Improve logging for "double flow removal" TMM Oops 14.1.4.4, 15.1.4.1
936557-2 4-Minor BT936557 Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled. 13.1.5, 14.1.4.5, 15.1.4.1
890881-4 4-Minor BT890881 ARP entry in the FDB table is created on VLAN group when the MAC in the ARP reply differs from Ethernet address 14.1.4.5, 15.1.4.1
1031901-1 4-Minor BT1031901 In HTTP2 deployment, RST_STREAM sent to client if server in CLOSING state is picked 15.1.4.1, 16.1.2
1002945-2 4-Minor BT1002945 Some connections are dropped on chained IPv6 to IPv4 virtual servers. 14.1.4.5, 15.1.4.1, 16.1.2


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
933405-2 1-Blocking K34257075, BT933405 Zonerunner GUI hangs when attempting to list Resource Records 14.1.4, 15.1.4.1, 16.0.1.1
1009037-3 2-Critical BT1009037 Tcl resume on invalid connection flow can cause tmm crash 14.1.4.5, 15.1.4.1, 16.1.2
847105-2 3-Major BT847105 The bigip_gtm.conf is reverted to default after rebooting with license expired 13.1.5, 14.1.4.4, 15.1.4.1
1021417-3 3-Major BT1021417 Modifying GTM pool members with replace-all-with results in pool members with order 0 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
997137-3 2-Critical K80945213, BT997137 CSRF token modification may allow WAF bypass on GET requests 13.1.5, 14.1.4.4, 15.1.4.1
912149-5 2-Critical BT912149 ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
879841-4 2-Critical BT879841 Domain cookie same-site option is missing the "None" as value in GUI and rest 13.1.5, 14.1.4.5, 15.1.4.1
1019853-2 2-Critical K30911244, BT1019853 Some signatures are not matched under specific conditions 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1011065-2 2-Critical K39002226, BT1011065 Certain attack signatures may not match in multipart content 15.1.4.1, 16.1.2
1011061-2 2-Critical K39002226, BT1011061 Certain attack signatures may not match in multipart content 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
948805-1 3-Major BT948805 False positive "Null in Request" 14.1.4.5, 15.1.4.1
945789-1 3-Major BT945789 Live update cannot resolve hostname if IPv6 is configured. 15.1.4.1
932133-2 3-Major BT932133 Payloads with large number of elements in XML take a lot of time to process 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
920149-1 3-Major BT920149 Live Update default factory file for Server Technologies cannot be reinstalled 14.1.4.4, 15.1.4.1, 16.1.1
914277-2 3-Major BT914277 [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU 14.1.4.4, 15.1.4.1, 16.0.1.2
904133-1 3-Major BT904133 Creating a user-defined signature via iControl REST occasionally fails with a 400 response code 14.1.4.4, 15.1.4.1
882377-3 3-Major BT882377 ASM Application Security Editor Role User can update/install ASU 14.1.2.5, 15.1.4.1
857633-7 3-Major BT857633 Attack Type (SSRF) appears incorrectly in REST result 13.1.5, 14.1.4.5, 15.1.4.1
842013-3 3-Major BT842013 ASM Configuration is Lost on License Reactivation 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
753715-2 3-Major BT753715 False positive JSON max array length violation 13.1.5, 14.1.4.4, 15.1.4.1
1042069-2 3-Major   Some signatures are not matched under specific conditions. 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2.1
1017153-2 3-Major BT1017153 Asmlogd suddenly deletes all request log protobuf files and records from the database. 14.1.4.5, 15.1.4.1, 16.1.2
1039805 4-Minor   Save button in Response and Blocking Pages section is enabled when there are no changes to save. 15.1.4.1
1003765-1 4-Minor BT1003765 Authorization header signature triggered even when explicitly disabled 15.1.4.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
932137-5 3-Major BT932137 AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
922105-3 3-Major BT922105 Avrd core when connection to BIG-IQ data collection device is not available 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2
832805-2 3-Major BT832805 AVR should make sure file permissions are correct (tmstat_tables.xml) 13.1.5, 14.1.4.5, 15.1.4.1
787677-5 3-Major BT787677 AVRD stays at 100% CPU constantly on some systems 13.1.5, 14.1.4.5, 15.1.4.1
1035133-3 3-Major BT1035133 Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
948113-3 4-Minor BT948113 User-defined report scheduling fails 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1027217 1-Blocking BT1027217 Script errors in Network Access window using browser. 15.1.4.1, 16.1.2
860617-3 2-Critical BT860617 RADIUS server pool without an attached load balancing algorithm results in a core 14.1.4.5, 15.1.4.1
817137-1 2-Critical BT817137 SSO setting for Portal Access resources in webtop sections cannot be updated. 15.1.4.1
1006893-2 2-Critical BT1006893 Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core 14.1.4.5, 15.1.4.1, 16.1.2
998473-2 3-Major BT998473 NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL) 15.1.4.1
993457-2 3-Major BT993457 TMM core with ACCESS::policy evaluate iRule 14.1.4.5, 15.1.4.1, 16.1.2
969317-3 3-Major BT969317 "Restrict to Single Client IP" option is ignored for VMware VDI 14.1.4.5, 15.1.4.1, 16.1.2.1
964037 3-Major BT964037 Error: Exception response while loading properties from server 15.1.4.1
949477-1 3-Major BT949477 NTLM RPC exception: Failed to verify checksum of the packet 14.1.4.4, 15.1.4.1
933129-2 3-Major BT933129 Portal Access resources are visible when they should not be 15.1.4.1
932213-2 3-Major BT932213 Local user db not synced to standby device when it comes online after forced offline state 14.1.4.5, 15.1.4.1
918717-2 3-Major BT918717 Exception at rewritten Element.innerHTML='<a href></a>' 15.1.4.1
915509-1 3-Major BT915509 RADIUS Access-Reject Reply-Message should be printed on logon page if 'show extended error' is true 14.1.4.5, 15.1.4.1
891613-1 3-Major BT891613 RDP resource with user-defined address cannot be launched from webtop with modern customization 15.1.4.1
1021485-2 3-Major BT1021485 VDI desktops and apps freeze intermittently with VMware and Citrix 14.1.4.5, 15.1.4.1, 16.1.2
1017233-1 3-Major BT1017233 APM uses wrong session key when iRule for ActiveSync is used resulting in passwords corruption 15.1.4.1, 16.1.2
1007677-1 3-Major BT1007677 Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector' 15.1.4.1, 16.1.2.1
1007629-1 3-Major BT1007629 APM policy configured with many ACL policies can create APM memory pressure 13.1.5, 14.1.4.4, 15.1.4.1
1002557-2 3-Major BT1002557 Tcl free object list growth 13.1.5, 14.1.4.4, 15.1.4.1
1001337-1 3-Major BT1001337 Cannot read single sign-on configuration from GUI when logged in as guest 14.1.4.5, 15.1.4.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1012721-1 2-Critical BT1012721 Tmm may crash with SIP-ALG deployment in a particular race condition 13.1.5, 14.1.4.4, 15.1.4.1, 16.1.1
1012533-1 2-Critical BT1012533 `HTTP2::disable serverside` can cause cores 15.1.4.1
1007113-1 2-Critical BT1007113 Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds 14.1.4.5, 15.1.4.1, 16.1.2
1025529-1 3-Major BT1025529 TMM generates core when iRule executes a nexthop command and SIP traffic is sent 14.1.4.5, 15.1.4.1, 16.1.2.1
1018285-1 4-Minor BT1018285 MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction 15.1.4.1, 16.1.2
1003633-3 4-Minor BT1003633 Memory may be handled incorrectly when the message routing feature is used 14.1.4.5, 15.1.4.1, 16.1.2


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
968533 2-Critical BT968533 Rate limiting is performed for all PUSH packets in the hardware even when "Only Count Suspicious Events" is enabled for the push flood vector. 15.1.4.1
1049229-2 2-Critical BT1049229 When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
997169 3-Major BT997169 AFM rule not triggered 15.1.4.1
995433 3-Major BT995433 IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT 14.1.4.5, 15.1.4.1
1032329 3-Major BT1032329 A user with role "Firewall Manager" cannot open the Rule List editor in UI 15.1.4.1
1031909-1 3-Major BT1031909 NAT policies page unusable due to the page load time 15.1.4.1
987345-1 5-Cosmetic BT987345 Disabling periodic-refresh-log has no effect 15.1.4.1


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
981689-2 2-Critical BT981689 TMM memory leak with IPsec ALG 14.1.4.2, 15.1.4.1


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
984657-3 3-Major BT984657 Sysdb variable not working from tmsh 15.1.4.1, 16.0.1.2
686783-2 4-Minor BT686783 UrlCat custom database feed list does not work when the URL contains a www prefix or capital letters. 13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2
1032689-3 4-Minor BT1032689 UrlCat custom db feed list does not work for some URLs 14.1.4.5, 15.1.4.1, 16.1.2


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
929213-1 3-Major BT929213 iAppLX packages not rolled forward after BIG-IP upgrade 14.1.4.4, 15.1.4.1, 16.1.2


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
946185-1 3-Major BT946185 Unable to view iApp component due to error 'An error has occurred while trying to process your request.' 14.1.4.4, 15.1.4.1, 16.1.2



Cumulative fixes from BIG-IP v15.1.4 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
949933-1 CVE-2021-22980 K29282483, BT949933 BIG-IP APM CTU vulnerability CVE-2021-22980 13.1.3.6, 14.1.4, 15.1.4, 16.0.1.1
937333-2 CVE-2022-23013 K29500533, BT937333 Incomplete validation of input in unspecified forms 13.1.5, 14.1.4.4, 15.1.4
889045-3 CVE-2022-23011 K68755210, BT889045 Virtual server may stop responding while processing TCP traffic 15.1.4
1017973-2 CVE-2021-25215 K96223611, BT1017973 BIND Vulnerability CVE-2021-25215 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
1017965-2 CVE-2021-25214 K11426315, BT1017965 BIND Vulnerability CVE-2021-25214 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
981273-2 CVE-2021-23054 K41997459, BT981273 APM webtop hardening 13.1.5, 15.1.4
965485-3 CVE-2019-5482 K41523201 CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
954425-2 CVE-2022-23031 K61112120, BT954425 Hardening of Live-Update 14.1.4.4, 15.1.4, 16.1.1
949889-3 CVE-2019-3900 K04107324, BT949889 CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx() 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
887965-1 CVE-2022-23027 K30573026, BT887965 Virtual server may stop responding while processing TCP traffic 13.1.5, 14.1.4.4, 15.1.4
803965-7 CVE-2018-20843 K51011533, BT803965 Expat Vulnerability: CVE-2018-20843 13.1.5, 14.1.4.5, 15.1.4, 16.1.2
797797-4 CVE-2019-11811 K01512680, BT797797 CVE-2019-11811 kernel: use-after-free in drivers 14.1.4.3, 15.1.4, 16.0.1.2, 16.1.1
797769-9 CVE-2019-11599 K51674118 Linux vulnerability : CVE-2019-11599 13.1.4.1, 15.1.4, 16.0.1.2
1008561-1 CVE-2022-23025 K44110411, BT1008561 In very rare condition, BIG-IP may crash when SIP ALG is deployed 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
968733-6 CVE-2018-1120 K42202505, BT968733 CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
939421-2 CVE-2020-10029 K38481791, BT939421 CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow 14.1.4.3, 15.1.4, 16.0.1.2


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
913729-5 2-Critical BT913729 Support for DNSSEC Lookaside Validation (DLV) has been removed. 15.1.4, 16.0.1.2
907765-1 2-Critical BT907765 BIG-IP system does not respond to ARP requests if it has a route to the source IP address 15.1.4
1014433 2-Critical BT1014433 Time stamp format is not the same for all LTM logs 15.1.4
948073-2 3-Major BT948073 Dual stack download support for IP Intelligence Database 15.1.4
923301-2 3-Major BT923301 ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group 14.1.4.4, 15.1.4, 16.0.1.2
911141-3 3-Major BT911141 GTP v1 APN is not decoded/encoded properly 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
876937-3 3-Major BT876937 DNS Cache not functioning 14.1.4.3, 15.1.4
866073-2 3-Major BT866073 Add option to exclude stats collection in qkview to avoid very large data files 14.1.4.4, 15.1.4, 16.0.1.2
1001865-2 3-Major   No platform trunk information passed to tenant 15.1.4
751032-5 4-Minor BT751032 TCP receive window may open too slowly after zero-window 14.1.4.4, 15.1.4


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1032761 1-Blocking BT1032761 HA mirroring may not function correctly. 15.1.4
1004833-2 1-Blocking BT1004833 NIST SP800-90B compliance 14.1.4.2, 15.1.4
1002109-3 1-Blocking BT1002109 Xen binaries do not follow security best practices 13.1.5, 14.1.4.4, 15.1.4
988645 2-Critical BT988645 Traffic may be affected after tmm is aborted and restarted 15.1.4
987113-1 2-Critical BT987113 CMP state degraded while under heavy traffic 15.1.4
980325-5 2-Critical BT980325 Chmand core due to memory leak from dossier requests. 13.1.5, 14.1.4.4, 15.1.4
974241-1 2-Critical BT974241 Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades 15.1.4, 16.1.1
967905-2 2-Critical BT967905 Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
944513-2 2-Critical BT944513 Apache configuration file hardening 14.1.4.6, 15.1.4
941893-3 2-Critical BT941893 VE performance tests in Azure causes loss of connectivity to objects in configuration 15.1.4
928029-2 2-Critical BT928029 Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis 14.1.3, 15.1.4
1027637 2-Critical BT1027637 System controller failover may cause dropped requests 15.1.4
1004517-2 2-Critical BT1004517 BIG-IP tenants on VELOS cannot install EHFs 14.1.4.3, 15.1.4
1000973-3 2-Critical BT1000973 Unanticipated restart of TMM due to heartbeat failure 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
998221-3 3-Major BT998221 Accessing pool members from configuration utility is slow with large config 14.1.4.3, 15.1.4, 16.0.1.2, 16.1.2
996593-2 3-Major BT996593 Password change through REST or GUI not allowed if the password is expired 14.1.4.3, 15.1.4, 16.0.1.2
992865 3-Major BT992865 Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances 15.1.4, 16.1.2.2
988793 3-Major BT988793 SecureVault on BIG-IP tenant does not store unit key securely 15.1.4
985537-1 3-Major BT985537 Upgrade Microsoft Hyper-V driver 15.1.4
976505-2 3-Major BT976505 Rotated restnoded logs will fail logintegrity verification. 14.1.4.2, 15.1.4, 16.0.1.2
975809-1 3-Major BT975809 Rotated restjavad logs fail logintegrity verification. 14.1.4.2, 15.1.4, 16.0.1.2
973201-2 3-Major BT973201 F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions 14.1.4, 15.1.4
969713-1 3-Major BT969713 IPsec interface mode tunnel may fail to pass packets after first IPsec rekey 15.1.4
969105-2 3-Major BT969105 HA failover connections via the management address do not work on vCMP guests running on VIPRION 13.1.5, 14.1.4.4, 15.1.4
964941-1 3-Major BT964941 IPsec interface-mode tunnel does not initiate or respond after config change 15.1.4
959629-2 3-Major BT959629 Logintegrity script for restjavad/restnoded fails 14.1.4.2, 15.1.4, 16.0.1.2
958353-2 3-Major BT958353 Restarting the mcpd messaging service renders the PAYG VE license invalid. 14.1.4.2, 15.1.4, 16.0.1.2
956293-2 3-Major BT956293 High CPU from analytics-related REST calls - Dashboard TMUI 14.1.4.4, 15.1.4
946089-2 3-Major BT946089 BIG-IP might send excessive multicast/broadcast traffic. 14.1.4.2, 15.1.4, 16.0.1.2
932497-3 3-Major BT932497 Autoscale groups require multiple syncs of datasync-global-dg 14.1.4.2, 15.1.4, 16.0.1.2
928697-2 3-Major BT928697 Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT 15.1.4, 16.0.1.2
919305-2 3-Major BT919305 Appliance mode is not working on BIG-IP 14.1.x tenant deployed on VELOS. 15.1.4
913849-1 3-Major BT913849 Syslog-ng periodically logs nothing for 20 seconds 14.1.4.2, 15.1.4, 16.0.1.2
908601-2 3-Major BT908601 System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option 14.1.4.3, 15.1.4, 16.0.1.2
895781-2 3-Major BT895781 Round Robin disaggregation does not disaggregate globally 15.1.4
880289 3-Major BT880289 FPGA firmware changes during configuration loads 15.1.4
850193-4 3-Major BT850193 Microsoft Hyper-V hv_netvsc driver unevenly utilizing vmbus_channel queues 14.1.4.4, 15.1.4
849157-2 3-Major BT849157 An outgoing SCTP connection that retransmits the INIT chunk the maximum number of times does not expire and becomes stuck 15.1.4
841277-7 3-Major BT841277 C4800 LCD fails to load after annunciator hot-swap 14.1.4.3, 15.1.4
827033-1 3-Major BT827033 Boot marker is being logged before shutdown logs 14.1.4.4, 15.1.4
746861-3 3-Major BT746861 SFP interfaces fail to come up on BIG-IP 2x00/4x00, usually when both SFP interfaces are populated 14.1.2.5, 15.1.4
1029105 3-Major BT1029105 Hardware SYN cookie mode state change logs bogus virtual server address 15.1.4
1024853 3-Major BT1024853 Platform Agent logs to ERROR severity on success 15.1.4
1013649-4 3-Major BT1013649 Leftover files in /var/run/key_mgmt after key export 15.1.4
1010393-4 3-Major BT1010393 Unable to relax AS-path attribute in multi-path selection 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
1008837-2 3-Major BT1008837 Control plane is sluggish when mcpd processes a query for virtual server and address statistics 14.1.4.4, 15.1.4, 16.1.2.2
1002761-1 3-Major BT1002761 SCTP client's INIT chunks rejected repeatedly with ABORT during re-establishment of network link after failure 15.1.4, 16.0.1.2
962249-2 4-Minor BT962249 Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm 15.1.4
921365-1 4-Minor BT921365 IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby 15.1.4, 16.1.2
921065 4-Minor BT921065 BIG-IP systems not responding to DPD requests from initiator after failover 15.1.4
898441-1 4-Minor BT898441 Enable logging of IKE keys 14.1.4.4, 15.1.4
819053 4-Minor   CVE-2019-13232 unzip: overlapping of files in ZIP container 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
1004417-3 4-Minor BT1004417 Provisioning error message during boot up 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1029357 1-Blocking BT1029357 Performance drop during traffic test on VIPRION (B2250, C2400) platforms 15.1.4
945997-2 2-Critical BT945997 LTM policy applied to HTTP/2 traffic may crash TMM 14.1.4.2, 15.1.4, 16.0.1.2
943101-2 2-Critical BT943101 Tmm crash in cipher group delete. 14.1.3, 15.1.4
942185-2 2-Critical BT942185 Non-mirrored persistence records may accumulate over time 15.1.4, 16.0.1.2
934461-2 2-Critical BT934461 Connection error with server with TLS1.3 single-dh-use. 14.1.3, 15.1.4
1039145-3 2-Critical BT1039145 Tenant mirroring channel disconnects with peer and never reconnects after failover. 15.1.4
1005489-2 2-Critical BT1005489 iRules with persist command might result in tmm crash. 15.1.4, 16.0.1.2
997929-3 3-Major BT997929 Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic 14.1.4.4, 15.1.4, 16.0.1.2
969637-2 3-Major BT969637 Config may fail to load with "FIPS 140 operations not available on this system" after upgrade 14.1.4.4, 15.1.4
963713-1 3-Major BT963713 HTTP/2 virtual server with translate-disable can core tmm 15.1.4
956133-3 3-Major BT956133 MAC address might be displayed as 'none' after upgrading. 14.1.4.4, 15.1.4
944641-1 3-Major BT944641 HTTP2 send RST_STREAM when exceeding max streams 14.1.4, 15.1.4, 16.0.1.1
941481-2 3-Major BT941481 iRules LX - nodejs processes consuming excessive memory 14.1.4.4, 15.1.4
941257-1 3-Major BT941257 Occasional Nitrox3 ZIP engine hang 13.1.5, 14.1.4.4, 15.1.4
940665-1 3-Major BT940665 DTLS 1.0 support for PFS ciphers 15.1.4, 16.0.1.2
930385-3 3-Major BT930385 SSL filter does not re-initialize when an OCSP object is modified 14.1.3, 15.1.4
912425-3 3-Major BT912425 Modifying in-TMM monitor configuration may not take effect, or may result in a TMM crash 14.1.4.2, 15.1.4, 16.0.1.2
891373-2 3-Major BT891373 BIG-IP does not shut a connection for a HEAD request 15.1.4, 16.0.1.2
882549-2 3-Major BT882549 Sock driver does not use multiple queues in unsupported environments 14.1.4.3, 15.1.4, 16.0.1.2
819329-4 3-Major BT819329 Specific FIPS device errors will not trigger failover 13.1.5, 14.1.3.1, 15.1.4, 16.0.1.2
818833-1 3-Major BT818833 TCP re-transmission during SYN Cookie activation results in high latency 14.1.4.4, 15.1.4
760050-8 3-Major BT760050 "cwnd too low" warning message seen in logs 13.1.4.1, 14.1.2.7, 15.1.4
1020941-2 3-Major BT1020941 HTTP/2 header frames decoding may fail with COMPRESSION_ERROR when frame delivered in multiple xfrags 14.1.4.5, 15.1.4
1016113-3 3-Major BT1016113 HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile. 15.1.4, 16.1.2
962433-4 4-Minor BT962433 HTTP::retry for a HEAD request fails to create new connection 13.1.4.1, 14.1.4.3, 15.1.4
962177-2 4-Minor BT962177 Results of POLICY::names and POLICY::rules commands may be incorrect 13.1.4.1, 14.1.4, 15.1.4, 16.0.1.2
912945-2 4-Minor BT912945 On a virtual server with multiple client SSL profiles, the profile whose certificate CN or SAN matches the SNI is not selected if the certificate is ECDSA-signed 14.1.4.4, 15.1.4, 16.1.1
895557-2 4-Minor BT895557 NTLM profile logs error when used with profiles that do redirect 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2
751586-3 4-Minor BT751586 Http2 virtual does not honour translate-address disabled 12.1.4.1, 13.1.3.4, 14.1.2.1, 15.1.4
1018493-2 4-Minor BT1018493 Response code 304 from TMM Cache always closes TCP connection. 13.1.5, 14.1.4.5, 15.1.4, 16.1.2


Performance Fixes

ID Number Severity Links to More Info Description Fixed Versions
910633-1 2-Critical BT910633 Continuous 'neurond restart' message on console 15.1.4
1004633-3 2-Critical BT1004633 Performance degradation on KVM and VMware platforms. 15.1.4
948417-2 3-Major BT948417 Network Management Agent (Azure NMAgent) updates causes Kernel Panic 15.1.4


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1039069-2 1-Blocking BT1039069 Multiple issues affecting the RESOLV::lookup iRule command following the fix to ID1007049. 15.1.4, 16.1.1
995853-2 2-Critical BT995853 Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error. 13.1.5, 14.1.4.4, 15.1.4
918597-5 2-Critical BT918597 Under certain conditions, deleting a topology record can result in a crash. 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
993489-3 3-Major BT993489 GTM daemon leaks memory when reading GTM link objects 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
973261-2 3-Major BT973261 GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
912001-3 3-Major BT912001 TMM cores on secondary blades of the Chassis system. 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
864797-2 3-Major BT864797 Cached results for a record are sent following region modification 14.1.4.4, 15.1.4
857953-2 4-Minor BT857953 Non-functional disable/enable buttons present in GTM wide IP members page 14.1.4.2, 15.1.4, 16.0.1.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
996381-3 2-Critical K41503304, BT996381 ASM attack signature may not match as expected 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
970329-3 2-Critical K70134152, BT970329 ASM hardening 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
965229-2 2-Critical BT965229 ASM Load hangs after upgrade 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
957965-1 2-Critical BT957965 Request is blocked by 'CSRF attack detected' violation with 'CSRF token absent' 15.1.4
898365-1 2-Critical BT898365 XML Policy cannot be imported 15.1.4
854001-2 2-Critical BT854001 TMM might crash in case of trusted bot signature and API protected url 14.1.4.2, 15.1.4, 16.0.1.2
791669-2 2-Critical BT791669 TMM might crash when Bot Defense is configured for multiple domains 14.1.2.3, 15.1.4, 16.0.1.2
1017645-2 2-Critical BT1017645 False positive HTTP compliance violation 13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2
986937-1 3-Major BT986937 Cannot create child policy when the signature staging setting is not equal in template and parent policy 15.1.4, 16.0.1.2, 16.1.1
981785-3 3-Major BT981785 Incorrect incident severity in Event Correlation statistics 14.1.4.3, 15.1.4, 16.0.1.2
981069-1 3-Major BT981069 Reset cause: "Internal error ( requested abort (payload release error))" 15.1.4, 16.1.1
964245-2 3-Major BT964245 ASM reports and enforces username always 13.1.5, 14.1.4.4, 15.1.4
963485-1 3-Major BT963485 Performance issue with data guard 15.1.4
963461-1 3-Major BT963461 ASM performance drop on the response side 15.1.4, 16.0.1.2
962589-2 3-Major BT962589 Full Sync Requests Caused By Failed Relayed Call to delete_suggestion 14.1.4.4, 15.1.4, 16.1.1
962497 3-Major BT962497 BD crash after ICAP response 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
955017-2 3-Major BT955017 Excessive CPU consumption by asm_config_event_handler 13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2
951133-2 3-Major BT951133 Live Update does not work properly after upgrade 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1
950917-1 3-Major BT950917 Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034 13.1.4.1, 14.1.4.2, 15.1.4
946081-1 3-Major BT946081 Getcrc tool help displays directory structure instead of version 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
928717-3 3-Major BT928717 [ASM - AWS] - ASU fails to sync 14.1.4.4, 15.1.4
922261-2 3-Major BT922261 WebSocket server messages are logged even if it is not configured 14.1.4.2, 15.1.4, 16.0.1.2
920197-3 3-Major BT920197 Brute force mitigation can stop mitigating without a notification 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
912089-2 3-Major BT912089 Some roles are missing necessary permission to perform Live Update 14.1.4.2, 15.1.4, 16.0.1.2
907337-2 3-Major BT907337 BD crash on specific scenario 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
888289-1 3-Major BT888289 Add option to skip percent characters during normalization 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1
883853-2 3-Major BT883853 Bot Defense Profile with staged signatures prevents signature update 14.1.4.2, 15.1.4
867825-4 3-Major BT867825 Export/Import on a parent policy leaves children in an inconsistent state 13.1.5, 14.1.4.4, 15.1.4
862793-1 3-Major BT862793 ASM replies with JS-Challenge instead of blocking page upon "Virus detected" violation 15.1.4
846181-3 3-Major BT846181 Request samples for some of the learning suggestions are not visible 14.1.4.2, 15.1.4
837333-1 3-Major BT837333 User cannot update blocking response pages after upgrade 15.1.4
830341-2 3-Major BT830341 False positives Mismatched message key on ASM TS cookie 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.2.1
802873-2 3-Major BT802873 Manual changes to policy imported as XML may introduce corruption for Login Pages 14.1.2.7, 15.1.4
673272-2 3-Major BT673272 Search by "Signature ID is" does not return results for some signature IDs 13.1.4, 14.1.4.2, 15.1.4, 16.0.1.2
1022269-2 3-Major BT1022269 False positive RFC compliant violation 13.1.5, 14.1.4.4, 15.1.4, 16.1.2
1005105-1 3-Major BT1005105 Requests are missing on traffic event logging 14.1.4.5, 15.1.4, 16.1.1
1000741-3 3-Major K67397230, BT1000741 Fixing issue with input normalization 14.1.4.4, 15.1.4, 16.1.1
952509-2 4-Minor BT952509 Cross origin AJAX requests are blocked in case there is no Origin header 14.1.4.4, 15.1.4, 16.0.1.2
944441-2 4-Minor BT944441 BD_XML logs memory usage at TS_DEBUG level 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
941929-2 4-Minor BT941929 Google Analytics shows incorrect stats, when Google link is redirected. 14.1.4.2, 15.1.4, 16.0.1.2
941625-1 4-Minor BT941625 BD sometimes encounters errors related to TS cookie building 15.1.4, 16.1.1
941249-2 4-Minor BT941249 Improvement to getcrc tool to print cookie names when cookie attributes are involved 13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2
911729-2 4-Minor BT911729 Redundant learning suggestion to set a Maximum Length when parameter is already at that value 14.1.4.2, 15.1.4, 16.0.1.2
1004537-1 4-Minor BT1004537 Traffic Learning: Accept actions for multiple suggestions not localized 15.1.4, 16.1.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
965581-2 2-Critical BT965581 Statistics are not reported to BIG-IQ 14.1.4, 15.1.4
932485-3 3-Major BT932485 Incorrect sum(hits_count) value in aggregate tables 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
926341-2 3-Major BT926341 RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade 13.1.5, 14.1.4.4, 15.1.4
913085-1 3-Major BT913085 Avrd core when avrd process is stopped or restarted 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2, 16.1.1
909161-3 3-Major BT909161 A core file is generated upon avrd process restart or stop 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
833113-6 3-Major BT833113 Avrd core when sending large messages via https 13.1.3.4, 14.1.4.3, 15.0.1.3, 15.1.4


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
934393-2 1-Blocking BT934393 APM authentication fails due to delay in sessionDB readiness 14.1.3, 15.1.4
995029-3 2-Critical BT995029 Configuration is not updated during auto-discovery 14.1.4.2, 15.1.4
891505-3 2-Critical BT891505 TMM might leak memory when OAuth agent is used in APM per-request policy subroutine. 14.1.2.8, 15.1.4
874949-1 2-Critical BT874949 TMM may crash if traffic is run through APM per-request policy containing an empty variable assign agent. 15.1.4
997641 3-Major BT997641 APM policy ending with redirection results in policy execution failure 15.1.4
984765-1 3-Major BT984765 APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) 14.1.4.4, 15.1.4
946125-2 3-Major BT946125 Tmm restart adds 'Revoked' tokens to 'Active' token count 14.1.4.4, 15.1.4
924521-2 3-Major BT924521 OneConnect does not work when WEBSSO is enabled/configured. 14.1.4.3, 15.1.4
903573 3-Major BT903573 AD group cache query performance 15.1.4
896125-2 3-Major BT896125 Reuse Windows Logon Credentials feature does not work with modern access policies 15.1.4
894885-3 3-Major BT894885 [SAML] SSO crash while processing client SSL request 14.1.4.2, 15.1.4
881641 3-Major BT881641 Errors on VPN client status window in non-English environment 15.1.4
869653-1 3-Major BT869653 VCMP guest secondary blade restarts when creating multiple APM profiles in a single transaction 15.1.4
866109-2 3-Major BT866109 JWK keys frequency does not support fewer than 60 minutes 13.1.4.1, 14.1.4.2, 15.1.4
827325-1 3-Major BT827325 JWT token verification failure 15.1.4
825493-1 3-Major BT825493 JWT token verification failure 15.1.4
738865-6 3-Major BT738865 MCPD might enter into loop during APM config validation 14.1.4.2, 15.1.4
470346-3 3-Major BT470346 Some IPv6 client connections get RST when connecting to APM virtual 13.1.5, 14.1.4.3, 15.1.4
1001041-3 3-Major BT1001041 Reset cause 'Illegal argument' 14.1.4.4, 15.1.4
939877-1 4-Minor BT939877 OAuth refresh token not found 14.1.4.4, 15.1.4, 16.1.2
747234-7 4-Minor BT747234 Macro policy does not find corresponding access-profile directly 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
993913-2 2-Critical BT993913 TMM SIGSEGV core in Message Routing Framework 14.1.4.4, 15.1.4, 16.1.1
974881-2 2-Critical BT974881 Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic 14.1.4.2, 15.1.4, 16.0.1.2
1007821-1 2-Critical BT1007821 SIP message routing may cause tmm crash 15.1.4, 16.1.1
996113-1 3-Major BT996113 SIP messages with unbalanced escaped quotes in headers are dropped 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
989753-2 3-Major BT989753 In HA setup, standby fails to establish connection to server 14.1.4.2, 15.1.4, 16.0.1.2
957029-1 3-Major BT957029 MRF Diameter loop-detection is enabled by default 15.1.4, 16.0.1.2
805821-3 3-Major BT805821 GTP log message contains no useful information 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
788625-1 3-Major BT788625 A pool member is not marked up by the inband monitor even after successful connection to the pool member 14.1.4.3, 15.1.4, 16.0.1.2
919301-3 4-Minor BT919301 GTP::ie count does not work with -message option 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
916781-1 4-Minor BT916781 Validation error while attaching DoS profile to GTP virtual 15.1.4, 16.0.1
913413-3 4-Minor BT913413 'GTP::header extension count' iRule command returns 0 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
913409-3 4-Minor BT913409 GTP::header extension command may abort connection due to unreasonable TCL error 13.1.5, 14.1.4.4, 15.1.4, 16.1.1
913393-3 5-Cosmetic BT913393 Tmsh help page for GTP iRule contains incorrect and missing information 13.1.5, 14.1.4.4, 15.1.4, 16.1.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
987637-2 1-Blocking BT987637 DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware 15.1.4
1016633 2-Critical BT1016633 iprep.protocol with auto-detect fails when DNS takes time to resolve 15.1.4
992213-2 3-Major BT992213 Protocol Any displayed as HOPTOPT in AFM policy view 14.1.4.2, 15.1.4, 16.1.1
988761-1 3-Major BT988761 Cannot create Protected Object in GUI 15.1.4
988005-1 3-Major BT988005 Zero active rules counters in GUI 14.1.4.2, 15.1.4, 16.0.1.2
987605-2 3-Major BT987605 DDoS: ICMP attacks are not hardware-mitigated 15.1.4
759799-3 3-Major BT759799 New rules cannot be compiled 15.1.4
685904-1 3-Major BT685904 Firewall Rule hit counts are not auto-updated after a Reset is done 14.1.4.2, 15.1.4
1016309-1 3-Major BT1016309 When two policies with the same properties are configured with geo property, the geo for the second policy is ignored. 15.1.4
1012521-2 3-Major BT1012521 BIG-IP UI file permissions 14.1.4.4, 15.1.4, 16.0.1.2
1012413-3 3-Major BT1012413 Tmm performance impact for DDoS vector on virtual server when hardware mitigation is enabled 15.1.4
1000405-2 3-Major BT1000405 VLAN/Tunnels not listed when creating a new rule via GUI 15.1.4, 16.1.1
977005-1 4-Minor BT977005 Network Firewall Policy rules-list showing incorrect 'Any' for source column 14.1.4.2, 15.1.4
1014609 4-Minor BT1014609 Tunnel_src_ip support for dslite event log for type field list 15.1.4


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1019481 2-Critical BT1019481 Unable to provision PEM on VELOS platform 15.1.4


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
994985-2 3-Major BT994985 CGNAT GUI shows blank page when applying SIP profile 14.1.4.2, 15.1.4


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
968741-1 2-Critical BT968741 Traffic Intelligence pages not visible 15.1.4
913453-5 2-Critical BT913453 URL Categorization: wr_urldbd cores while processing urlcat-query 14.1.4.4, 15.1.4
901041-3 2-Critical BT901041 CEC update using incorrect method of determining number of blades in VIPRION chassis 15.1.4, 16.0.1.2
893721-2 2-Critical BT893721 PEM-provisioned systems may suffer random tmm crashes after upgrading 14.1.4.2, 15.1.4
958085-3 3-Major BT958085 IM installation fails with error: Spec file not found 14.1.4.4, 15.1.4
948573-4 3-Major BT948573 Wr_urldbd list of valid TLDs needs to be updated 13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2
846601-4 3-Major BT846601 Traffic classification does not update when an inactive slot becomes active after upgrade 14.1.4.2, 15.1.4, 16.0.1.2
974205-3 4-Minor BT974205 Unconstrained wr_urldbd size causing box to OOM 12.1.6, 14.1.4.4, 15.1.4


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
970829-5 2-Critical K03310534, BT970829 iSeries LCD incorrectly displays secure mode 14.1.4.4, 15.1.4, 16.0.1.2


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
1018145-1 3-Major BT1018145 Firewall Manager user role is not allowed to configure/view protocol inspection profiles 15.1.4, 16.1.1


Guided Configuration Fixes

ID Number Severity Links to More Info Description Fixed Versions
1013569 3-Major   Hardening of iApps processing 15.1.4, 16.1.1


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
822245-2 4-Minor BT822245 Large number of in-TMM monitors results in some monitors being marked down 14.1.4.4, 15.1.4


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
947925-1 3-Major BT947925 TMM may crash when executing L7 Protocol Lookup per-request policy agent 14.1.4.3, 15.1.4
918317-2 3-Major BT918317 SSL Orchestrator resets subsequent requests when HTTP services are being used. 14.1.4.4, 15.1.4



Cumulative fixes from BIG-IP v15.1.3.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
989317-12 CVE-2021-23023 K33757590, BT989317 Windows Edge Client does not follow best practice 15.1.3.1
989009-3 CVE-2021-23033 K05314769, BT989009 BD daemon may crash while processing WebSocket traffic 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
981461-4 CVE-2021-23032 K45407662, BT981461 Unspecified DNS responses cause TMM crash 13.1.5, 14.1.4.4, 15.1.3.1
980125-3 CVE-2021-23030 K42051445, BT980125 BD Daemon may crash while processing WebSocket traffic 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
962341 CVE-2021-23028 K00602225, BT962341 BD crash while processing JSON content 13.1.4, 14.1.4.2, 15.1.3.1, 16.0.1.2
946377-2 CVE-2021-23027 K24301698, BT946377 HSM WebUI Hardening 14.1.4.3, 15.1.3.1, 16.0.1.2
1007049-3 CVE-2021-23034 K30523121, BT1007049 TMM may crash while processing DNS traffic 15.1.3.1
996753-2 CVE-2021-23050 K44553214, BT996753 ASM BD process may crash while processing HTML traffic 15.1.3.1, 16.0.1.2
984613-11 CVE-2021-23022 K08503505, BT984613 CVE-2020-5896 - Edge Client Installer Vulnerability 15.1.3.1
968349 CVE-2021-23048 K19012930, BT968349 TMM crashes with unspecified message 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
962069-3 CVE-2021-23047 K79428827, BT962069 Excessive resource consumption while processing OCSP requests via APM 13.1.5, 14.1.4.4, 15.1.3.1
950017-2 CVE-2021-23045 K94941221, BT950017 TMM may crash while processing SCTP traffic 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
942701-2 CVE-2021-23044 K35408374, BT942701 TMM may consume excessive resources while processing HTTP traffic 13.1.4.1, 14.1.4.2, 15.1.3.1
906377-2 CVE-2021-23038 K61643620, BT906377 iRulesLX hardening 13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2
1015381-5 CVE-2021-23022 K08503505, BT1015381 Windows Edge Client does not follow best practices while installing 15.1.3.1
1009773 CVE-2021-23051 K01153535, BT1009773 AWS deployments of TMM may crash while processing traffic 15.1.3.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
737692-4 2-Critical BT737692 Handle x520 PF DOWN/UP sequence automatically by VE 15.1.3.1
1024421-1 3-Major BT1024421 At failover, ePVA flush leads to clock advancing and MPI timeout messages in TMM log 15.1.3.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
994801-3 3-Major   SCP file transfer system 13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2
958465-2 3-Major BT958465 In BIG-IP Virtual Edition, TMM may prematurely shut down during initialization 14.1.4.4, 15.1.3.1, 16.0.1.2
950849-4 3-Major BT950849 B4450N blades report page allocation failure. 14.1.4.4, 15.1.3.1
948717-3 3-Major BT948717 F5-pf_daemon_cond_restart uses excessive CPU 15.1.3.1
1032001-1 3-Major BT1032001 Statemirror address can be configured on management network or clusterd restarting 15.1.3.1
1006345-1 3-Major BT1006345 Static mac entry on trunk is not programmed on CPU-only blades 15.1.3.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1019081-3 2-Critical K97045220, BT1019081 HTTP/2 hardening 13.1.5, 14.1.4.5, 15.1.3.1
980821-2 3-Major BT980821 Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured. 14.1.4.2, 15.1.3.1, 16.0.1.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
943913-3 2-Critical K30150004, BT943913 ASM attack signature does not match 13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
1020705-1 4-Minor BT1020705 "tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead of "attack_type_name" 14.1.4.4, 15.1.3.1, 16.1.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
999317-8 2-Critical K03544414, BT999317 Running Diagnostics report for Edge Client on Windows does not follow best practice 15.1.3.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1019453-3 3-Major BT1019453 Core generated for autodosd daemon when synchronization process is terminated 15.1.3.1


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
976365 3-Major BT976365 Traffic Classification hardening 14.1.4.3, 15.1.3.1



Cumulative fixes from BIG-IP v15.1.3 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
980809-2 CVE-2021-23031 K41351250, BT980809 ASM REST Signature Rule Keywords Tool Hardening 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
959121-4 CVE-2021-23015 K74151369, BT959121 Not following best practices in Guided Configuration Bundle Install worker 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
943081-3 CVE-2021-23009 K90603426, BT943081 Unspecified HTTP/2 traffic may cause TMM to crash 15.1.3, 16.0.1.1
935433-2 CVE-2021-23026 K53854428, BT935433 iControl SOAP 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
882633-2 CVE-2021-23008 K51213246, BT882633 Active Directory authentication does not follow current best practices 12.1.6, 13.1.4, 14.1.4, 15.1.3
990333-5 CVE-2021-23016 K75540265, BT990333 APM may return unexpected content when processing HTTP requests 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
975465-2 CVE-2021-23049 K65397301, BT975465 TMM may consume excessive resources while processing DNS iRules 15.1.3, 16.0.1.2
954429-2 CVE-2021-23014 K23203045, BT954429 User authorization changes for live update 14.1.4, 15.1.3, 16.0.1.1
948769-5 CVE-2021-23013 K05300051, BT948769 TMM panic with SCTP traffic 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
945109-2 CVE-2015-9382 K46641512, BT945109 Freetype Parser Skip Token Vulnerability CVE-2015-9382 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
938233-2 CVE-2021-23042 K93231374 An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
937637-3 CVE-2021-23002 K71891773, BT937637 BIG-IP APM VPN vulnerability CVE-2021-23002 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
937365-2 CVE-2021-23041 K42526507, BT937365 LTM UI does not follow best practices 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
907245-1 CVE-2021-23040 K94255403, BT907245 AFM UI Hardening 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
907201-2 CVE-2021-23039 K66782293, BT907201 TMM may crash when processing IPSec traffic 13.1.5, 14.1.2.8, 15.1.3, 16.0.1.2
877109-1 CVE-2021-23012 K04234247 Unspecified input can break intended functionality in iHealth proxy 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
842829-1 CVE-2018-16300 CVE-2018-14881 CVE-2018-14882 CVE-2018-16230 CVE-2018-16229 CVE-2018-16227 CVE-2019-15166 CVE-2018-16228 CVE-2018-16451 CVE-2018-16452 CVE-2018-10103 CVE-2018-10105 CVE-2018-14468 K04367730, BT842829 Multiple tcpdump vulnerabilities 13.1.4.1, 14.1.3.1, 15.1.3
832757 CVE-2017-18551 K48073202, BT832757 Linux kernel vulnerability CVE-2017-18551 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.3
803933-7 CVE-2018-20843 K51011533, BT803933 Expat XML parser vulnerability CVE-2018-20843 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
718189-9 CVE-2021-23011 K10751325, BT718189 Unspecified IP traffic can cause low-memory conditions 11.6.5.3, 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
1003557-3 CVE-2021-23015 K74151369, BT1003557 Not following best practices in Guided Configuration Bundle Install worker 13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2
1003105-3 CVE-2021-23015 K74151369, BT1003105 iControl Hardening 15.1.3, 16.0.1.2
1002561-5 CVE-2021-23007 K37451543, BT1002561 TMM vulnerability CVE-2021-23007 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
825413-4 CVE-2021-23053 K36942191, BT825413 ASM may consume excessive resources when matching signatures 13.1.3.6, 14.1.3.1, 15.1.3
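The Fixed Versions column above is the part of these tables a practitioner actually has to interpret: each entry is the first release of a major.minor branch that carries the fix, so "15.1.3" means every 15.1.x build from 15.1.3 upward, while a branch that is absent from the row says nothing on its own (the linked K article states whether that branch was affected at all). The following script is an added example, not F5's code and not part of the original release notes; it encodes that reading rule as an assumption, uses three rows copied from this page as constructed sample data, and reports, for a running build, whether each fix is present, absent, or not decidable from the row.

```python
"""Added example, not part of F5's release notes: read a 'Fixed Versions'
cell the way this table intends and decide whether a running BIG-IP build
already carries a fix.

Reading rule assumed here (an assumption, not stated on the page): each
version listed in Fixed Versions is the first fixed release of its
major.minor branch, so a running build is fixed when it sits in a listed
branch at or above that release. A branch that does not appear in the row
cannot be judged from the row alone; the linked K article decides that.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


def parse_version(s: str) -> tuple[int, ...]:
    """'15.1.3' -> (15, 1, 3, 0): pad to four fields so 15.1.3 sorts as 15.1.3.0."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def branch(v: tuple[int, ...]) -> tuple[int, int]:
    """Major.minor branch of a version tuple, e.g. (15, 1) for 15.1.6."""
    return v[0], v[1]


@dataclass(frozen=True)
class FixRow:
    bug_id: str
    cves: tuple[str, ...]
    fixed: tuple[tuple[int, ...], ...]


def parse_row(bug_id: str, cve_field: str, fixed_field: str) -> FixRow:
    """Build a FixRow from the ID, CVE and Fixed Versions cells as printed."""
    cves = tuple(c for c in cve_field.replace(",", " ").split() if c.startswith("CVE-"))
    fixed = tuple(parse_version(v) for v in fixed_field.split(",") if v.strip())
    return FixRow(bug_id, cves, fixed)


def fix_status(row: FixRow, running: str) -> Optional[bool]:
    """True: fixed. False: branch listed but running build is older than the fix.
    None: running branch not listed in the row, so not decidable from the table."""
    rv = parse_version(running)
    for fv in row.fixed:
        if branch(fv) == branch(rv):
            return rv >= fv
    return None


def unresolved_rows(rows: list[FixRow], running: str) -> list[FixRow]:
    """Rows whose fix is not confirmed present in the running build (False or None)."""
    return [r for r in rows if fix_status(r, running) is not True]


# Constructed sample data: three rows copied from this page (IDs, CVEs and
# version lists as printed).
ROWS = [
    parse_row("955145-2", "CVE-2021-22986",
              "12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1"),
    parse_row("943081-3", "CVE-2021-23009", "15.1.3, 16.0.1.1"),
    parse_row("882633-2", "CVE-2021-23008", "12.1.6, 13.1.4, 14.1.4, 15.1.3"),
]

if __name__ == "__main__":
    verdict = {True: "fixed", False: "NOT fixed", None: "branch not listed"}
    for build in ("15.1.2", "15.1.6", "14.1.4.6", "16.0.1.2"):
        for row in ROWS:
            print(f"{build:>9}  {row.bug_id:<10} {','.join(row.cves):<16} "
                  f"{verdict[fix_status(row, build)]}")
```

Note the comparison is four-field: 15.1.2 is padded to 15.1.2.0 and therefore correctly ranks below the 15.1.2.1 fix for CVE-2021-22986, and an Engineering Hotfix build such as 14.1.4.6 ranks above the 14.1.4 entry. A `None` result is deliberately not treated as "fixed"; it is listed with the unresolved rows so that it gets looked up rather than silently ignored.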


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
945265-4 3-Major BT945265 BGP may advertise default route with incorrect parameters 14.1.4, 15.1.3, 16.0.1.1
933777-1 3-Major BT933777 Context use and syntax changes clarification 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
930005-2 3-Major BT930005 Recover previous QUIC cwnd value on spurious loss 15.1.3, 16.0.1.1
913829-4 3-Major BT913829 i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
794417-4 3-Major BT794417 Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not ★ 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
918097-3 4-Minor BT918097 Cookies set in the URI on Safari 14.1.4.1, 15.1.3, 16.0.1.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
995629-3 2-Critical BT995629 Loading UCS files may hang if ASM is provisioned ★ 13.1.4.1, 14.1.4.1, 15.1.3, 16.0.1.2
990849-2 2-Critical BT990849 Loading UCS with platform-migrate option hangs and requires exiting from the command ★ 13.1.4.1, 14.1.4, 15.1.3, 16.0.1.2
908517-3 2-Critical BT908517 LDAP authentication failures because of 'Too many open file handles at client (nslcd)' 14.1.4, 15.1.3, 16.0.1.1
888341-7 2-Critical BT888341 HA Group failover may fail to complete Active/Standby state transition 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
886693-3 2-Critical BT886693 System might become unresponsive after upgrading. ★ 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
860349-3 2-Critical BT860349 Upgrading to 14.1 from a previous version, or creating a new configuration with a user-template that contains a white-space character, results in failed authentication 14.1.2.8, 15.1.3
785017-3 2-Critical BT785017 Secondary blades go offline after new primary is elected 13.1.4, 14.1.4, 15.1.3
776393-3 2-Critical BT776393 Restjavad restarts frequently due to insufficient memory with relatively large configurations 14.1.4, 15.1.3, 16.0.1.1
969213-1 3-Major BT969213 VMware: management IP cannot be customized via net.mgmt.addr property 14.1.4.1, 15.1.3, 16.0.1.2
963049-1 3-Major BT963049 Unexpected config loss when modifying protected object 15.1.3
963017-2 3-Major BT963017 The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed 14.1.4, 15.1.3
946745-2 3-Major BT946745 'System Integrity: Invalid' after Engineering Hotfix installation 14.1.4, 15.1.3
939541-2 3-Major BT939541 TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE 14.1.4, 15.1.3, 16.0.1.1
936125-2 3-Major BT936125 SNMP request times out after configuring IPv6 trap destination 15.1.3, 16.0.1.1
934941-2 3-Major BT934941 Platform FIPS power-up self test failures not logged to console 14.1.3.1, 15.1.3
934065-1 3-Major BT934065 The turboflex-low-latency and turboflex-dns are missing. 15.1.3, 16.0.1.2
927941-5 3-Major BT927941 IPv6 static route BFD does not come up after OAMD restart 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
922297-2 3-Major BT922297 TMM does not start when using more than 11 interfaces with more than 11 vCPUs 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
914245-2 3-Major BT914245 Reboot after tmsh load sys config changes sys FPGA firmware-config value 14.1.4.1, 15.1.3, 16.0.1.2
914081-1 3-Major BT914081 Engineering Hotfixes missing bug titles 14.1.4, 15.1.3
913433-3 3-Major BT913433 On blade failure, some trunked egress traffic is dropped. 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
908021-1 3-Major BT908021 Management and VLAN MAC addresses are identical 13.1.3.5, 14.1.3.1, 15.1.3
896553-3 3-Major BT896553 On blade failure, some trunked egress traffic is dropped. 13.1.3.6, 14.1.4, 15.1.3
896473-2 3-Major BT896473 Duplicate internal connections can tear down the wrong connection 15.1.3
893885-3 3-Major BT893885 The tpm-status command returns: 'System Integrity: Invalid' after Engineering Hotfix installation 14.1.4, 15.1.3
891337-1 3-Major BT891337 'save_master_key(master): Not ready to save yet' errors in the logs 14.1.4, 15.1.3
889029-2 3-Major BT889029 Unable to login if LDAP user does not have search permissions 14.1.4, 15.1.3, 16.0.1.2
879829-2 3-Major BT879829 HA daemon sod cannot bind to ports numbered lower than 1024 14.1.4, 15.1.3, 16.0.1.2
876805-3 3-Major BT876805 Modifying address-list resets the route advertisement on virtual servers. 14.1.4, 15.1.3, 16.0.1.1
862937-3 3-Major BT862937 Running cpcfg after first boot can result in daemons stuck in restart loop ★ 14.1.4, 15.1.3, 16.0.1.2
839121-3 3-Major K74221031, BT839121 A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade ★ 14.1.4.1, 15.1.3, 16.0.1.2
829821-1 3-Major BT829821 Mcpd may miss its high availability (HA) heartbeat if a very large amount of pool members are configured 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
820845-3 3-Major BT820845 Self-IP does not respond to ARP / Neighbour Discovery when EtherIP tunnels are in use. 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
809205-6 3-Major   CVE-2019-3855: libssh2 Vulnerability 12.1.5.1, 13.1.3.2, 14.1.2.3, 15.0.1.1, 15.1.3, 16.0.1.2
803237-2 3-Major BT803237 PVA does not validate interface MTU when setting MSS 14.1.4, 15.1.3
799001-1 3-Major BT799001 Sflow agent does not handle disconnect from SNMPD manager correctly 14.1.4, 15.1.3
787885-2 3-Major BT787885 The network map falsely shows a device as forced offline when its actual status is not forced offline. 14.1.4, 15.1.3, 16.0.1.1
749007-1 3-Major BT749007 South Sudan, Sint Maarten, and Curacao country missing in GTM region list 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
692218-1 3-Major BT692218 Audit log messages sent from the primary blade to the secondaries should not be logged. 14.1.4.1, 15.1.3, 16.0.1.2
675911-12 3-Major K13272442, BT675911 Different sections of the GUI can report incorrect CPU utilization 14.1.4.1, 15.1.3, 16.0.1.2
615934-6 3-Major BT615934 Overwrite flag in various iControl key/certificate management functions is ignored and might result in errors. 13.1.3.5, 14.1.4, 15.1.3
569859-7 3-Major BT569859 Password policy enforcement for root user when mcpd is not available 14.1.4.1, 15.1.3
966277-1 4-Minor BT966277 BFD down on multi-blade system 14.1.4, 15.1.3, 16.0.1.1
959889-2 4-Minor BT959889 Cannot update firewall rule with ip-protocol property as 'any' 14.1.4, 15.1.3
947865-2 4-Minor BT947865 Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read 14.1.4, 15.1.3
887505-1 4-Minor BT887505 Coreexpiration script improvement 15.1.3
879189-1 4-Minor BT879189 Network map shows 'One or more profiles are inactive due to unprovisioned modules' in Profiles section 14.1.4.1, 15.1.3, 16.0.1.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
910653-5 2-Critical BT910653 iRule parking in clientside/serverside command may cause tmm restart 14.1.4, 15.1.3, 16.0.1.1
882157-1 2-Critical BT882157 One thread of pkcs11d consumes 100% without any traffic. 14.1.4, 15.1.3
738964-4 2-Critical   Instruction logger debugging enhancement 14.1.4.1, 15.1.3
1001509 2-Critical K11162395, BT1001509 Client going through to BIG-IP SSL forward proxy might not be able to trust forged certificates 14.1.4.3, 15.1.3
968641-2 3-Major BT968641 Fix for zero LACP priority 14.1.4, 15.1.3, 16.0.1.2
953845-1 3-Major BT953845 After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart 12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
946953-1 3-Major BT946953 HTTP::close used in iRule might not close connection. 15.1.3, 16.0.1.1
928857-2 3-Major BT928857 Use of OCSP responder may leak X509 store instances 14.1.4, 15.1.3
928805-2 3-Major BT928805 Use of OCSP responder may cause memory leakage 14.1.4, 15.1.3
928789-2 3-Major BT928789 Use of OCSP responder may leak SSL handshake instances 14.1.4, 15.1.3
921881-2 3-Major BT921881 Use of IPFIX log destination can result in increased CPU utilization 14.1.4, 15.1.3, 16.0.1.2
921721-1 3-Major BT921721 FIPS 140-2 SP800-56Arev3 compliance 14.1.3, 15.1.3
889601-3 3-Major K14903688, BT889601 OCSP revocation not properly checked 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
889165-3 3-Major BT889165 "http_process_state_cx_wait" errors in log and connection reset 14.1.4, 15.1.3
888517-2 3-Major BT888517 Network Driver Abstraction Layer (NDAL) busy polling leads to high CPU. ★ 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
858701-1 3-Major BT858701 Running config and saved config have different route-advertisement values after upgrading from 11.x/12.x ★ 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
845333-6 3-Major BT845333 An iRule with a proc referencing a datagroup cannot be assigned to Transport Config 14.1.4, 15.1.3, 16.0.1.1
842517-2 3-Major BT842517 CKR_OBJECT_HANDLE_INVALID error seen in logs and SSL handshake fails 15.1.3
785877-5 3-Major BT785877 VLAN groups do not bridge non-link-local multicast traffic. 14.1.4, 15.1.3, 16.0.1.2
767341-1 3-Major BT767341 If the size of a filestore file is smaller than the size reported by mcp, tmm can crash while loading the file. 14.1.4, 15.1.3, 16.0.1.2
756812-3 3-Major BT756812 Nitrox 3 instruction/request logger may fail due to SELinux permission error 14.1.4.1, 15.1.3
696755-5 3-Major BT696755 HTTP/2 may truncate a response body when served from cache 13.1.0.8, 14.1.0.6, 15.1.3, 16.0.1.2
804157-3 4-Minor BT804157 ICMP replies are forwarded with incorrect checksums causing them to be dropped 14.1.4, 15.1.3, 16.0.1.2
748333-5 4-Minor BT748333 DHCP Relay does not retain client source IP address for chained relay mode 14.1.4, 15.1.3, 16.0.1.1
743253-2 4-Minor BT743253 TSO in software re-segments L3 fragments. 14.1.4, 15.1.3, 16.0.1.2


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
960749-2 1-Blocking BT960749 TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
960437-2 2-Critical BT960437 The BIG-IP system may initially fail to resolve some DNS queries 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
971297-2 3-Major BT971297 DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade ★ 14.1.4.1, 15.1.3, 16.0.1.2
921625-2 3-Major BT921625 The certs extend function does not work for GTM/DNS sync group 13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1
863917-2 3-Major BT863917 The list processing time (xx seconds) exceeded the interval value. There may be too many monitor instances configured with a xx second interval. 13.1.4.1, 14.1.4.5, 15.1.3, 16.0.1.2
858973-1 3-Major BT858973 DNS request matches less specific WideIP when adding new wildcard wideips 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
835209-3 3-Major BT835209 External monitors mark objects down 14.1.4.2, 15.1.3
896861-2 4-Minor BT896861 PTR query enhancement for RESOLVER::name_lookup 15.1.3, 16.0.1.1
885201-2 4-Minor BT885201 BIG-IP DNS (GTM) monitoring: 'CSSLSocket:: Unable to get the session' messages appearing in gtm log 14.1.4.1, 15.1.3


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
846057-3 2-Critical BT846057 UCS backup archive may include unnecessary files 13.1.4, 14.1.4, 15.1.3
960369-2 3-Major BT960369 Negative value suggested in Traffic Learning as max value 14.1.4, 15.1.3, 16.0.1.2
956373-2 3-Major BT956373 ASM sync files not cleaned up immediately after processing 14.1.4.1, 15.1.3, 16.0.1.2
947341-1 3-Major BT947341 MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files. 14.1.4.1, 15.1.3, 16.0.1.2, 16.1.2
941621-2 3-Major K91414704, BT941621 Brute Force breaks server's Post-Redirect-Get flow 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
929077-2 3-Major BT929077 Bot Defense allow list does not apply when using default Route Domain and XFF header 14.1.4, 15.1.3, 16.0.1.1
929001-3 3-Major K48321015, BT929001 ASM form handling improvements 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2
928685-2 3-Major K49549213, BT928685 ASM Brute Force mitigation not triggered as expected 13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2
921677-2 3-Major BT921677 Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI. 14.1.4, 15.1.3, 16.0.1.1
910253-2 3-Major BT910253 BD error on HTTP response after upgrade ★ 15.1.3, 16.0.1.1
884425-2 3-Major   Creation of new allowed HTTP URL is not possible 14.1.3.1, 15.1.3
868053-3 3-Major BT868053 Live Update service indicates update available when the latest update was already installed 14.1.3.1, 15.1.3
867373-4 3-Major BT867373 Methods Missing From ASM Policy 14.1.4, 15.1.3
864677-1 3-Major BT864677 ASM causes high mcpd CPU usage 14.1.4, 15.1.3
856725-1 3-Major BT856725 Missing learning suggestion for "Illegal repeated parameter name" violation 15.1.3
964897-2 4-Minor BT964897 Live Update - Indication of "Update Available" when there is no available update 14.1.4, 15.1.3, 16.0.1.2
962817-2 4-Minor BT962817 Description field of a JSON policy overwrites policy templates description 15.1.3, 16.0.1.1
956105-2 4-Minor BT956105 Websocket URLs content profiles are not created as expected during JSON Policy import 15.1.3, 16.0.1.2
935293-2 4-Minor BT935293 'Detected Violation' Field for event logs not showing 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1
922785-2 4-Minor BT922785 Live Update scheduled installation is not installing on set schedule 14.1.4, 15.1.3, 16.0.1.2
824093-5 4-Minor BT824093 Parameters payload parser issue 11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
981385-3 3-Major BT981385 AVRD does not send HTTP events to BIG-IQ DCD 13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2
949593-3 3-Major BT949593 Unable to load config if AVR widgets were created under '[All]' partition ★ 13.1.4, 14.1.4, 15.1.3, 16.0.1.2
924945-3 3-Major BT924945 Detaching an HTTP profile from a virtual server fails 15.1.3, 16.0.1.2, 16.1.1
869049-4 3-Major BT869049 Charts discrepancy in AVR reports 14.1.4.1, 15.1.3, 16.0.1.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
894565-1 2-Critical BT894565 Autodosd.default crash with SIGFPE 14.1.4, 15.1.3
879401-1 2-Critical K90423190, BT879401 Memory corruption during APM SAML SSO 14.1.2.5, 15.1.3
976501-2 3-Major BT976501 Failed to establish VPN connection 13.1.3.6, 14.1.4, 15.1.3
952557-2 3-Major BT952557 Azure B2C Provider OAuth URLs are updated for B2Clogin.com 14.1.4, 15.1.3
925573-6 3-Major BT925573 SIGSEGV: receiving a sessiondb callback response after the flow is aborted 14.1.4, 15.1.3
916969-3 3-Major BT916969 Support of Microsoft Identity 2.0 platform 14.1.4, 15.1.3
888145-2 3-Major BT888145 When BIG-IP is deployed as SAML SP, allow APM session variables to be used in entityID property 15.1.3
883577-4 3-Major BT883577 ACCESS::session irule command does not work in HTTP_RESPONSE event 14.1.4.1, 15.1.3
831517-2 3-Major BT831517 TMM may crash when Network Access tunnel is used 14.1.2.7, 15.1.3


WebAccelerator Fixes

ID Number Severity Links to More Info Description Fixed Versions
833213-1 3-Major BT833213 Conditional requests are served incorrectly with AAM policy in webacceleration profile 13.1.3.4, 14.1.2.3, 15.0.1.3, 15.1.3


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
982869-1 3-Major BT982869 With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0 14.1.4.1, 15.1.3, 16.0.1.2
977053-2 3-Major BT977053 TMM crash on standby due to invalid MR router instance 14.1.4.1, 15.1.3, 16.0.1.2
966701-2 3-Major BT966701 Client connection flow is aborted when the generic message filter receives data over SCTP transport on BIG-IP 14.1.4.1, 15.1.3, 16.0.1.2
952545-2 3-Major BT952545 'Current Sessions' statistics of HTTP2 pool may be incorrect 14.1.4, 15.1.3, 16.0.1.1
913373-2 3-Major BT913373 No connection error after failover with MRF, and no connection mirroring 14.1.4, 15.1.3, 16.0.1.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
945853-2 2-Critical BT945853 Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession 15.1.3
969509-4 3-Major BT969509 Possible memory corruption due to DOS vector reset 14.1.4, 15.1.3, 16.0.1.2
965617-3 3-Major BT965617 HSB mitigation is not applied on BDoS signature with stress-based mitigation mode 14.1.4, 15.1.3, 16.0.1.1
963237-3 3-Major BT963237 Non-EDNS responses with RCODE FORMERR are blocked by the AFM MARFORM vector. 14.1.4, 15.1.3, 16.0.1.1
937749-3 3-Major BT937749 The 'total port blocks' value for NAT stats is limited to 64 bits of range 15.1.3
903561-3 3-Major BT903561 Autodosd returns small bad destination detection value when the actual traffic is high 14.1.4, 15.1.3
887017-3 3-Major BT887017 The dwbld daemon consumes a large amount of memory 14.1.4, 15.1.3
837233-3 3-Major BT837233 Application Security Administrator user role cannot use GUI to manage DoS profile 14.1.4, 15.1.3
716746-3 3-Major BT716746 Possible tmm restart when disabling single endpoint vector while attack is ongoing 13.1.0.7, 14.1.4.2, 15.1.3, 16.0.1.2
967889-1 4-Minor BT967889 Incorrect information for custom signature in DoS Protection:DoS Overview (non-http) 14.1.4, 15.1.3
748561-2 4-Minor BT748561 Network Firewall : Active Rules page does not list active rule entries for firewall policies associated with any context 14.1.4, 15.1.3


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
928553-3 2-Critical BT928553 LSN64 with hairpinning can lead to a tmm core in rare circumstances 14.1.4, 15.1.3, 16.0.1.1
966681-1 3-Major BT966681 NAT translation failures while using SP-DAG in a multi-blade chassis 14.1.4, 15.1.3, 16.0.1.1


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
998085-1 3-Major BT998085 BIG-IP DataSafe GUI does not save changes 15.1.3


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
932737-2 2-Critical BT932737 DNS & BADOS high-speed logger messages are mixed 14.1.4, 15.1.3, 16.0.1.2
922597-2 3-Major BT922597 BADOS default sensitivity of 50 creates false positive attack on some sites 14.1.4, 15.1.3
914293-3 3-Major BT914293 TMM SIGSEGV and crash 14.1.4.1, 15.1.3, 16.0.1.2


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
874677-1 2-Critical BT874677 Traffic Classification auto signature update fails from GUI ★ 14.1.4.3, 15.1.3, 16.0.1.1


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
768085-4 4-Minor BT768085 Error in python script /usr/libexec/iAppsLX_save_pre line 79 14.1.4, 15.1.3, 16.0.1.1


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
964585-3 3-Major BT964585 "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update 14.1.4, 15.1.3, 16.0.1.2
825501-3 3-Major BT825501 IPS IM package version is inconsistent on a slot if it was installed or loaded while the slot was offline. ★ 14.1.4, 15.1.3, 16.0.1.1
964577-3 4-Minor BT964577 IPS automatic IM download not working as expected 14.1.4.1, 15.1.3, 16.0.1.2


BIG-IP Risk Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
969385-2 3-Major BT969385 Automatic attach/detach BeWAF policy to virtual server stops working for all virtual servers. 15.1.3, 16.0.1.2



Cumulative fixes from BIG-IP v15.1.2.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
975233-2 CVE-2021-22992 K52510511, BT975233 Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
973333-5 CVE-2021-22991 K56715231, BT973333 TMM buffer-overflow vulnerability CVE-2021-22991 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
955145-2 CVE-2021-22986 K03009991, BT955145 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
954381-2 CVE-2021-22986 K03009991, BT954381 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
953677-2 CVE-2021-22987, CVE-2021-22988 K18132488, K70031188, BT953677 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
951705-2 CVE-2021-22986 K03009991, BT951705 iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986 14.1.4, 15.1.2.1, 16.0.1.1
950077-2 CVE-2021-22987, CVE-2021-22988 K18132488, K70031188, BT950077 TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
981169-2 CVE-2021-22994 K66851119, BT981169 F5 TMUI XSS vulnerability CVE-2021-22994 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
953729-2 CVE-2021-22989, CVE-2021-22990 K56142644, K45056101, BT953729 Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
931837-1 CVE-2020-13817 K55376430, BT931837 NTP has predictable timestamps 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
976925-2 CVE-2021-23002 K71891773, BT976925 BIG-IP APM VPN vulnerability CVE-2021-23002 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
935401-2 CVE-2021-23001 K06440657, BT935401 BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
743105-2 CVE-2021-22998 K31934524, BT743105 BIG-IP SNAT vulnerability CVE-2021-22998 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
867793-1 3-Major BT867793 BIG-IP sending the wrong trap code for BGP peer state 14.1.4, 15.1.2.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
942497-1 2-Critical BT942497 Declarative onboarding unable to download and install RPM 15.1.2.1, 16.0.1.1
940021-3 2-Critical BT940021 Syslog-ng hang may lead to unexpected reboot 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
932437-2 2-Critical BT932437 Loading SCF file does not restore files from tar file ★ 14.1.4, 15.1.2.1, 16.0.1.1
915305-5 2-Critical BT915305 Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1
838713 2-Critical BT838713 LCD buttons are not responsive during End User Diagnostics 'Front Port LED Test' 15.1.2.1
829277-2 2-Critical BT829277 A large /config folder can cause memory exhaustion during live-install ★ 14.1.3.1, 15.1.2.1
739505-3 2-Critical BT739505 Automatic ISO digital signature checking not required when FIPS license active ★ 13.1.1.2, 14.1.4, 15.1.2.1, 16.0.1.1
967745 3-Major BT967745 Last resort pool error for the modify command for Wide IP 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1
956589-1 3-Major BT956589 The tmrouted daemon restarts and produces a core file 13.1.5, 14.1.4.6, 15.1.2.1
930905-4 3-Major BT930905 Management route lost after reboot. 14.1.4, 15.1.2.1, 16.0.1.1
904785-1 3-Major BT904785 Remotely authenticated users may experience difficulty logging in over the serial console 14.1.4, 15.1.2.1, 16.0.1.1
896817-2 3-Major BT896817 iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb 14.1.4, 15.1.2.1, 16.0.1.1
895837-3 3-Major BT895837 Mcpd crash when a traffic-matching-criteria destination-port-list is modified 14.1.4, 15.1.2.1, 16.0.1.1
865177-4 3-Major BT865177 Cert-LDAP returning only first entry in the sequence that matches san-other oid 14.1.3.1, 15.1.2.1, 16.0.1.1
842189-4 3-Major BT842189 Tunnels removed when going offline are not restored when going back online 12.1.5.3, 13.1.3.6, 14.1.2.7, 15.1.2.1
830413-3 3-Major BT830413 Intermittent Virtual Edition deployment failure due to inability to access the ssh host key in Azure ★ 14.1.4, 15.1.2.1, 16.0.1.1
806073-1 3-Major BT806073 MySQL monitor fails to connect to MySQL Server v8.0 14.1.3.1, 15.1.2.1, 16.0.1.1
767737-4 3-Major BT767737 Timing issues during startup may make an HA peer stay in the inoperative state 13.1.3.5, 14.1.3.1, 15.1.2.1
853101-2 4-Minor BT853101 ERROR: syntax error at or near 'FROM' at character 17 15.1.2.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
926929-3 1-Blocking BT926929 RFC Compliance Enforcement lacks configuration availability 13.1.4, 14.1.4, 15.1.2.1, 16.0.1.2
911041-3 2-Critical BT911041 Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash 14.1.3.1, 15.1.2.1, 16.0.1.2
846217-3 2-Critical BT846217 Translucent vlan-groups set local bit in destination MAC address 14.1.4.4, 15.1.2.1
841469-6 2-Critical BT841469 Application traffic may fail after an internal interface failure on a VIPRION system. 13.1.3.4, 15.1.2.1
812525-1 2-Critical K27551003, BT812525 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
974501-1 3-Major BT974501 Excessive memory usage by mirroring subsystem when remirroring 15.1.2.1
903581-1 3-Major BT903581 The pkcs11d process cannot recover under certain error condition 15.1.2.1
868209-3 3-Major BT868209 Transparent vlan-group with standard virtual-server does L2 forwarding instead of pool selection 14.1.4, 15.1.2.1
863401-1 3-Major BT863401 QUIC congestion window sometimes increases inappropriately 15.1.2.1
858301-1 3-Major K27551003, BT858301 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858297-1 3-Major K27551003, BT858297 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 12.1.5.2, 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858289-1 3-Major K27551003, BT858289 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
858285-1 3-Major K27551003, BT858285 The BIG-IP system may not interpret an HTTP request the same way the target web server interprets it 13.1.3.4, 14.1.4, 15.0.1.4, 15.1.2.1
818109-1 3-Major BT818109 Certain plaintext traffic may cause SSL Orchestrator to hang 14.1.4, 15.1.2.1
773253-5 4-Minor BT773253 The BIG-IP may send VLAN failsafe probes from a disabled blade 13.1.4, 14.1.4.2, 15.1.2.1
738032-3 4-Minor BT738032 BIG-IP system reuses cached session-id after SSL properties of the monitor have been changed. 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
953393-2 1-Blocking BT953393 TMM crashes when performing iterative DNS resolutions. 15.1.2.1, 16.0.1.1
891093-1 3-Major BT891093 iqsyncer does not handle stale pidfile 14.1.4, 15.1.2.1, 16.0.1.1
853585-1 4-Minor BT853585 REST Wide IP object presents an inconsistent lastResortPool value 12.1.6, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
968421-2 2-Critical K30291321, BT968421 ASM attack signature does not match 11.6.5.3, 12.1.6, 13.1.4.1, 14.1.4.2, 15.1.2.1, 16.0.1.2
865289-1 2-Critical BT865289 TMM crash following DNS resolve with Bot Defense profile 15.1.2.1
913757-1 3-Major BT913757 Error viewing security policy settings for virtual server with FTP Protocol Security 15.1.2.1, 16.0.1.1
758336-5 4-Minor BT758336 Incorrect recommendation in Online Help of Proactive Bot Defense 12.1.5, 13.1.1.5, 14.1.4, 15.1.2.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
934721-2 2-Critical BT934721 TMM core due to wrong assert 15.1.2.1, 16.0.1.1
743826-2 3-Major BT743826 Incorrect error message: "Can't find pool []: Pool was not found" even though Pool member is defined with port any(0) 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
648242-6 3-Major K73521040, BT648242 Administrator users are unable to access all partitions via TMSH for AVR reports 12.1.3.2, 13.1.0.8, 14.0.0.5, 14.1.4, 15.1.2.1, 16.0.1.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
896709-3 2-Critical BT896709 Add support for Restart Desktop for webtop in VMware VDI 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
924929-2 3-Major BT924929 Logging improvements for VDI plugin 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1
899009 3-Major BT899009 Azure Active Directory deployment fails on BIG-IP 15.1 15.1.2.1
760629-5 3-Major BT760629 Remove Obsolete APM keys in BigDB 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
939529-2 3-Major BT939529 Branch parameter is not parsed properly when the topmost Via header is received with comma-separated values 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
870381-1 2-Critical BT870381 Network Firewall Active Rule page does not load 15.1.2.1
919381-1 3-Major   Extend AFM subscriber aware policy rule feature to support multiple subscriber groups 15.1.2.1
870385-5 3-Major BT870385 TMM may restart under very heavy traffic load 14.1.2.8, 15.1.2.1
906885-1 5-Cosmetic BT906885 Spelling mistake on AFM GUI Flow Inspector screen 14.1.2.8, 15.1.2.1


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
845313-3 2-Critical BT845313 Tmm crash under heavy load 14.1.4, 15.1.2.1
941169-4 3-Major BT941169 Subscriber Management is not working properly with IPv6 prefix flows. 14.1.4, 15.1.2.1
875401-2 3-Major BT875401 PEM subscriber lookup can fail for internet-side new connections 14.1.4, 15.1.2.1


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
915489-2 4-Minor BT915489 LTM Virtual Server Health is not affected by iRule Requests dropped 14.1.4, 15.1.2.1, 16.0.1.1


BIG-IP Risk Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
921181 3-Major BT921181 Wrong error message upon bad credential stuffing configuration 15.1.2.1



Cumulative fixes from BIG-IP v15.1.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
943125-2 CVE-2021-23010 K18570111, BT943125 ASM bd may crash while processing WebSocket traffic 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
941449-2 CVE-2021-22993 K55237223, BT941449 BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
921337-2 CVE-2021-22976 K88230177, BT921337 BIG-IP ASM WebSocket vulnerability CVE-2021-22976 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
916821-2 CVE-2021-22974 K68652018, BT916821 iControl REST vulnerability CVE-2021-22974 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
882189-6 CVE-2020-5897 K20346072, BT882189 BIG-IP Edge Client for Windows vulnerability CVE-2020-5897 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
882185-6 CVE-2020-5897 K20346072, BT882185 BIG-IP Edge Client Windows ActiveX 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
881317-6 CVE-2020-5896 K15478554, BT881317 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
881293-6 CVE-2020-5896 K15478554, BT881293 BIG-IP Edge Client for Windows vulnerability CVE-2020-5896 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
939845-2 CVE-2021-23004 K31025212, BT939845 BIG-IP MPTCP vulnerability CVE-2021-23004 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
939841-2 CVE-2021-23003 K43470422, BT939841 BIG-IP MPTCP vulnerability CVE-2021-23003 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
924961-2 CVE-2019-20892 K45212738, BT924961 CVE-2019-20892: SNMP Vulnerability 15.1.2, 16.0.1.1
919989-2 CVE-2020-5947 K64571774, BT919989 TMM does not follow TCP best practices 15.1.2, 16.0.1
881445-7 CVE-2020-5898 K69154630, BT881445 BIG-IP Edge Client for Windows vulnerability CVE-2020-5898 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
880361-1 CVE-2021-22973 K13323323, BT880361 iRules LX vulnerability CVE-2021-22973 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
842717-6 CVE-2020-5855 K55102004, BT842717 BIG-IP Edge Client for Windows vulnerability CVE-2020-5855 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
693360-2 CVE-2020-27721 K52035247, BT693360 A virtual server status changes to yellow while still available 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1
773693-7 CVE-2020-5892 K15838353, BT773693 CVE-2020-5892: APM Client Vulnerability 11.6.5.2, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
920961-2 3-Major BT920961 Devices incorrectly report 'In Sync' after an incremental sync 14.1.3.1, 15.1.2, 16.0.1.1
756139-3 3-Major BT756139 Inconsistent logging of hostname files when hostname contains periods 14.1.3.1, 15.1.2, 16.0.1.1
754924-1 3-Major BT754924 New VLAN statistics added. 15.1.2
921421-3 4-Minor BT921421 iRule support to get/set UDP's Maximum Buffer Packets 14.1.3.1, 15.1.2, 16.0.1.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
957337-1 2-Critical BT957337 Tab complete in 'mgmt' tree is broken 14.1.3.1, 15.1.2, 16.0.1.1
933409-2 2-Critical BT933409 Tomcat upgrade via Engineering Hotfix causes live-update files removal ★ 14.1.3.1, 15.1.2, 16.0.1.1
927033-2 2-Critical BT927033 Installer fails to calculate disk size of destination volume ★ 14.1.3.1, 15.1.2, 16.0.1.1
910201-3 2-Critical BT910201 OSPF - SPF/IA calculation scheduling might get stuck infinitely 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
829677-2 2-Critical BT829677 .tmp files in /var/config/rest/ may cause /var directory exhaustion 13.1.3.5, 14.1.2.7, 15.1.2, 16.0.1.1
796601-2 2-Critical BT796601 Invalid parameter in errdefsd while processing hostname db_variable 13.1.3.5, 14.1.3.1, 15.1.2
943669-1 3-Major BT943669 B4450 blade reboot 15.1.2, 16.1.2.2
935801-4 3-Major BT935801 HSB diagnostics are not provided under certain types of failures 14.1.4.5, 15.1.2
932233-2 3-Major BT932233 '@' no longer valid in SNMP community strings 15.1.2, 16.0.1.1
930741-2 3-Major BT930741 Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot 13.1.3.6, 14.1.3.1, 15.1.2
920301-1 3-Major BT920301 Unnecessarily high number of JavaScript Obfuscator instances when device is busy 14.1.3.1, 15.1.2
911809-2 3-Major BT911809 TMM might crash when sending out oversize packets. 14.1.3.1, 15.1.2
902401-5 3-Major BT902401 OSPFd SIGSEGV core when 'ospf clear' is done on remote device 14.1.3.1, 15.1.2, 16.0.1.1
898705-5 3-Major BT898705 IPv6 static BFD configuration is truncated or missing 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
889041-3 3-Major BT889041 Failover scripts fail to access resolv.conf due to permission issues 14.1.3.1, 15.1.2, 16.0.1.1
879405-1 3-Major BT879405 Incorrect value in Transparent Nexthop property 15.1.2, 16.0.1.1
867181-1 3-Major BT867181 ixlv: double tagging is not working 13.1.3.6, 14.1.3.1, 15.1.2
865241-1 3-Major BT865241 Bgpd might crash when outputting the results of a tmsh show command: "sh bgp ipv6 ::/0" 13.1.3.6, 14.1.3.1, 15.1.2
860317-3 3-Major BT860317 JavaScript Obfuscator can hang indefinitely 14.1.3.1, 15.1.2
858197-2 3-Major BT858197 Merged crash when memory exhausted 13.1.3.5, 14.1.2.8, 15.1.2, 16.0.1.1
846441-2 3-Major BT846441 Flow-control is reset to default for secondary blade's interface 13.1.3.5, 14.1.3.1, 15.1.2
846137-4 3-Major BT846137 The icrd returns incorrect route names in some cases 13.1.3.5, 14.1.3.1, 15.1.2
843597-1 3-Major BT843597 Ensure the system does not set the VE's MTU higher than the vmxnet3 driver can handle 13.1.3.6, 14.1.3.1, 15.1.2
841649-4 3-Major BT841649 Hardware accelerated connection mismatch resulting in tmm core 14.1.4.1, 15.1.2
838901-4 3-Major BT838901 TMM receives invalid rx descriptor from HSB hardware 13.1.4, 14.1.4, 15.1.2
826905-3 3-Major BT826905 Host traffic via IPv6 route pool uses incorrect source address 14.1.3.1, 15.1.2
816229-3 3-Major BT816229 Kernel Log Messages Logged Twice 14.1.2.4, 15.1.2
811053-6 3-Major BT811053 REBOOT REQUIRED prompt appears after failover and clsh reboot 14.1.2.7, 15.1.2
811041-7 3-Major BT811041 Out of shmem, increment amount in /etc/ha_table/ha_table.conf 15.1.2
810821-3 3-Major BT810821 Management interface flaps after rebooting the device. 13.1.3.5, 14.1.2.7, 15.1.2
789181-5 3-Major BT789181 Link Status traps are not issued on VE based BIG-IP systems 15.1.2
755197-5 3-Major BT755197 UCS creation might fail during frequent config save transactions 13.1.3.5, 14.1.3.1, 15.1.2
754932-1 3-Major BT754932 New SNMP MIB, sysVlanIfcStat, for VLAN statistics. 15.1.2
737098-1 3-Major BT737098 ASM Sync does not work when the configsync IP address is an IPv6 address 13.1.3.5, 14.1.3.1, 15.1.2
933461-4 4-Minor BT933461 BGP multi-path candidate selection does not work properly in all cases. 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
924429-2 4-Minor BT924429 Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values 14.1.3.1, 15.1.2, 16.0.1.1
892677-1 4-Minor BT892677 Loading config file with imish adds the newline character 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
882713-3 4-Minor BT882713 BGP SNMP trap has the wrong sysUpTime value 14.1.3.1, 15.1.2
583084-6 4-Minor K15101680, BT583084 iControl produces 404 error while creating records successfully 13.1.3.5, 14.1.3.1, 15.1.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
941089-3 2-Critical BT941089 TMM core when using Multipath TCP 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2
915957-1 2-Critical BT915957 The wocplugin may get into a restart loop when AAM is provisioned 14.1.3, 15.1.2
908873-1 2-Critical BT908873 Incorrect MRHTTP proxy handling of passthrough mode in certain scenarios may lead to tmm core 15.1.2
908621-2 2-Critical BT908621 Incorrect proxy handling of passthrough mode in certain scenarios may lead to tmm core 14.1.4.1, 15.1.2
891849-1 2-Critical BT891849 Running iRule commands while suspending iRule commands that are running can lead to a crash 14.1.3.1, 15.1.2
876801-5 2-Critical BT876801 Tmm crash: invalid route type 13.1.4, 14.1.4, 15.1.2
866481-2 2-Critical BT866481 TMM may sometimes core when HTTP-MR proxy attempts to go into passthrough mode 15.1.2
851345-1 2-Critical BT851345 The TMM may crash in certain rare scenarios involving HTTP/2 14.1.3.1, 15.1.2
850873-3 2-Critical BT850873 LTM global SNAT sets TTL to 255 on egress. 14.1.3.1, 15.1.2
726518-1 2-Critical BT726518 Tmsh show command terminated with CTRL-C can cause TMM to crash. 13.1.3.6, 14.1.2.8, 15.1.2
705768-2 2-Critical BT705768 The dynconfd process may core and restart with multiple DNS name servers configured 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2
949145-5 3-Major BT949145 Improve TCP's response to partial ACKs during loss recovery 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
948757-2 3-Major BT948757 A snat-translation address responds to ARP requests but not to ICMP ECHO requests. 14.1.3.1, 15.1.2, 16.0.1
940209 3-Major BT940209 Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout. 14.1.4, 15.1.2
939961-2 3-Major BT939961 TCP connection is closed when necessary after HTTP::respond iRule. 15.1.2, 16.0.1.2
934993-2 3-Major BT934993 BIG-IP resets HTTP/2 connections when a peer exceeds a number of concurrent streams 15.1.2, 16.0.1.1
932033 3-Major BT932033 Chunked response may have DATA frame with END_STREAM prematurely 14.1.4, 15.1.2
915605-6 3-Major K56251674, BT915605 Image install fails if iRulesLX is provisioned and /usr mounted read-write ★ 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
913249-2 3-Major BT913249 Restore missing UDP statistics 14.1.3.1, 15.1.2, 16.0.1.1
901929-2 3-Major BT901929 GARPs not sent on virtual server creation 14.1.3.1, 15.1.2, 16.0.1.1
892941-2 3-Major K20105555, BT892941 F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat) 14.1.4, 15.1.2, 16.0.1.1
888113-3 3-Major BT888113 TMM may core when the HTTP peer aborts the connection 15.1.2
879413-1 3-Major BT879413 Statsd fails to start if one or more of its *.info files becomes corrupted 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
878925-2 3-Major BT878925 SSL connection mirroring failover at end of TLS handshake 14.1.4.1, 15.1.2
860005-1 3-Major BT860005 Ephemeral nodes/pool members may be created for wrong FQDN name 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2
857845-1 3-Major BT857845 TMM crashes when 'server drained' or 'client drained' errors are triggered via an iRule 13.1.3.6, 14.1.3.1, 15.1.2
850145-1 3-Major BT850145 Connection hangs since pipelined HTTP requests are incorrectly queued in the proxy and not processed 14.1.3.1, 15.1.2
820333-1 3-Major BT820333 LACP working member state may be inconsistent when blade is forced offline 14.1.3.1, 15.1.2
809701-7 3-Major BT809701 Documentation for HTTP::proxy is incorrect: 'HTTP::proxy dest' does not exist 14.1.3.1, 15.0.1.3, 15.1.2
803233-1 3-Major BT803233 Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1
790845-4 3-Major BT790845 An In-TMM monitor may be incorrectly marked down when CMP-hash setting is not default 13.1.3.5, 14.1.4, 15.1.2
724824-1 3-Major BT724824 Ephemeral nodes on peer devices report as unknown and unchecked after full config sync 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2
714642-2 3-Major BT714642 Ephemeral pool-member state on the standby is down 13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1
935593-4 4-Minor BT935593 Incorrect SYN re-transmission handling with FastL4 timestamp rewrite 13.1.5, 14.1.3.1, 15.1.2, 16.0.1.1
895153 4-Minor BT895153 HTTP::has_responded returns incorrect values when using HTTP/2 14.1.3.1, 15.1.2
883105-1 4-Minor BT883105 HTTP/2-to-HTTP/2 virtual server with translate-address disabled does not connect 15.1.2
808409-4 4-Minor BT808409 Unable to specify if giaddr will be modified in DHCP relay chain 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
859717-2 5-Cosmetic BT859717 ICMP-limit-related warning messages in /var/log/ltm 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
918169-1 2-Critical BT918169 The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown. 13.1.3.6, 14.1.2.7, 15.1.2, 16.0.1.1
916753-2 2-Critical BT916753 RESOLV::lookup returns empty string when querying against a local virtual server, and results in possible tmm core 15.1.2, 16.0.1.1
905557-1 2-Critical BT905557 Logging up/down transition of DNS/GTM pool resource via HSL can trigger TMM failure 13.1.5, 14.1.4, 15.1.2
850509-1 2-Critical BT850509 Zone Trusted Signature inadequately maintained, following change of master key 13.1.5, 14.1.4.4, 15.1.2
837637-1 2-Critical K02038650, BT837637 Orphaned bigip_gtm.conf can cause config load failure after upgrading ★ 14.1.3.1, 15.1.2, 16.0.1.1
926593-2 3-Major BT926593 GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout' 14.1.3.1, 15.1.2, 16.0.1.1
852101-1 3-Major BT852101 Monitor fails. 13.1.3.6, 14.1.3.1, 15.1.2
844689-1 3-Major BT844689 Possible temporary CPU usage increase with unusually large named.conf file 14.1.3.1, 15.1.2
746348-4 3-Major BT746348 On rare occasions, gtmd fails to process probe responses originating from the same system. 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.2
644192-2 3-Major K23022557, BT644192 Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN 11.6.5.3, 13.1.5, 14.1.3.1, 15.1.2, 16.0.1.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
940249-2 2-Critical BT940249 Sensitive data is not masked after "Maximum Array/Object Elements" is reached 11.6.5.3, 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
927617-2 2-Critical BT927617 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
941853-1 3-Major BT941853 Logging Profiles do not disassociate from virtual server when multiple changes are made 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1
940897-3 3-Major BT940897 Violations are detected for the incorrect parameter when "Maximum Array/Object Elements" is reached 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
918933-2 3-Major K88162221, BT918933 The BIG-IP ASM system may not properly perform signature checks on cookies 11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.2.8, 15.1.2, 16.0.1.1
913137-1 3-Major BT913137 No learning suggestion on ASM policies enabled via LTM policy 15.1.2, 16.0.1.1
904053-2 3-Major BT904053 Unable to set ASM Main Cookie/Domain Cookie hashing to Never 13.1.3.6, 14.1.4, 15.1.2, 16.0.1.1
893061-2 3-Major BT893061 Out of memory for restjavad 14.1.3.1, 15.1.2, 16.0.1.1
882769-1 3-Major BT882769 Request Log: wrong filter applied when searching by Response contains or Response does not contain 13.1.3.5, 14.1.2.7, 15.1.2
919001-2 4-Minor BT919001 Live Update: Update Available notification is shown twice in rare conditions 14.1.2.8, 15.1.2, 16.0.1.1
896285-2 4-Minor BT896285 No parent entity in suggestion to add predefined-filetype as allowed filetype 14.1.2.7, 15.1.2, 16.0.1.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
924301-1 3-Major BT924301 Incorrect values in REST response for DNS/SIP 15.1.2, 16.0.1.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
910097-2 2-Critical BT910097 Changing per-request policy while tmm is under traffic load may drop heartbeats 14.1.3.1, 15.1.2, 16.0.1.1
924857-1 3-Major BT924857 Logout URL with parameters resets TCP connection 14.1.4.5, 15.1.2, 16.0.1.2
914649-3 3-Major BT914649 Support USB redirection through VVC (VMware virtual channel) with BlastX 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
739570-4 3-Major BT739570 Unable to install EPSEC package ★ 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
833049-4 4-Minor BT833049 Category lookup tool in GUI may not match actual traffic categorization 13.1.3.5, 14.1.4, 15.1.2
766017-6 4-Minor BT766017 [APM][LocalDB] Local user database instance name length check inconsistencies ★ 12.1.5.3, 13.1.3.5, 14.1.4.2, 15.1.2, 16.0.1.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
942581-1 1-Blocking BT942581 Timestamp cookies do not work with hardware accelerated flows 15.1.2
938165-1 2-Critical BT938165 TMM Core after attempted update of IP geolocation database file 14.1.3.1, 15.1.2, 16.0.1.1
938149-1 3-Major BT938149 Port Block Update log message is missing the "Start time" field 14.1.2.1, 15.1.2, 16.0.1.1
910417-2 3-Major BT910417 TMM core may be seen when reattaching a vector to a DoS profile 14.1.4, 15.1.2, 16.0.1.2
872049-1 3-Major BT872049 Incorrect DoS static vector mitigation threshold in multiplier-based mode after running the relearn thresholds command 15.1.2
871985-1 3-Major BT871985 No hardware mitigation for DoS attacks in auto-threshold mode with enabled attacked destinations detection 15.1.2
851745-3 3-Major BT851745 High CPU consumption when enabling a large number of virtual servers 14.1.4.1, 15.1.2
840809-2 3-Major BT840809 If "lsn-legacy-mode" is set to disabled, then LSN_PB_UPDATE events are not logged 14.1.4, 15.1.2


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
842989-6 3-Major BT842989 PEM: tmm could core when running iRules on overloaded systems 14.1.4, 15.1.2


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
944785-2 3-Major BT944785 Admd restarting constantly. Out of memory due to loading malformed state file 14.1.3.1, 15.1.2, 16.0.1.2
923125-2 3-Major BT923125 Huge number of admd processes caused OOM 14.1.3.1, 15.1.2


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
927993-1 1-Blocking K97501254, BT927993 Built-in SSL Orchestrator RPM installation failure 12.1.5.3, 13.1.3.6, 14.1.3, 14.1.4, 15.1.2, 16.0.1.1



Cumulative fixes from BIG-IP v15.1.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
935721-5 CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 K82252291, BT935721 ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.0.1
935029-3 CVE-2020-27720 K04048104, BT935029 TMM may crash while processing IPv6 NAT traffic 14.1.3.1, 15.1.1, 16.0.1
933741-2 CVE-2021-22979 K63497634, BT933741 BIG-IP FPS XSS vulnerability CVE-2021-22979 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
932065-2 CVE-2021-22978 K87502622, BT932065 iControl REST vulnerability CVE-2021-22978 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
931513-3 CVE-2021-22977 K14693346, BT931513 TMM vulnerability CVE-2021-22977 13.1.3.6, 14.1.3.1, 15.1.1, 16.0.1.1
928321-1 CVE-2020-27719 K19166530, BT928321 K19166530: XSS vulnerability CVE-2020-27719 14.1.3.1, 15.1.1, 16.0.1
917509-3 CVE-2020-27718 K58102101, BT917509 BIG-IP ASM vulnerability CVE-2020-27718 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
911761-2 CVE-2020-5948 K42696541, BT911761 F5 TMUI XSS vulnerability CVE-2020-5948 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
908673-5 CVE-2020-27717 K43850230, BT908673 TMM may crash while processing DNS traffic 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
904165-1 CVE-2020-27716 K51574311, BT904165 BIG-IP APM vulnerability CVE-2020-27716 13.1.5, 14.1.3.1, 15.1.1
879745-4 CVE-2020-5942 K82530456 TMM may crash while processing Diameter traffic 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
876353-1 CVE-2020-5941 K03125360, BT876353 iRule command RESOLV::lookup may cause TMM to crash 15.1.1, 16.0.1
839453-6 CVE-2019-10744 K47105354, BT839453 lodash library vulnerability CVE-2019-10744 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.1.1
834257-1 CVE-2020-5931 K25400442, BT834257 TMM may crash when processing HTTP traffic 13.1.3.6, 14.1.2.5, 15.1.1
814953 CVE-2020-5940 K43310520, BT814953 TMUI dashboard hardening 14.1.2.5, 15.1.1, 16.0.1
754855-7 CVE-2020-27714 K60344652, BT754855 TMM may crash while processing FastL4 traffic with the Protocol Inspection Profile 13.1.4, 14.1.3.1, 15.1.1
928037-2 CVE-2020-27729 K15310332, BT928037 APM Hardening 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
919841-3 CVE-2020-27728 K45143221, BT919841 AVRD may crash while processing Bot Defense traffic 14.1.3.1, 15.1.1, 16.0.1
917469-2 CVE-2020-5946 K53821711, BT917469 TMM may crash while processing FPS traffic 14.1.2.8, 15.1.1, 16.0.1
912969-2 CVE-2020-27727 K50343630, BT912969 iAppsLX REST vulnerability CVE-2020-27727 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
910017-2 CVE-2020-5945 K21540525, BT910017 Security hardening for the TMUI Interface page 14.1.2.8, 15.1.1, 16.0.1
905125-2 CVE-2020-27726 K30343902, BT905125 Security hardening for APM Webtop 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
904937-2 CVE-2020-27725 K25595031, BT904937 Excessive resource consumption in zxfrd 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1
889557-1 CVE-2019-11358 K20455158, BT889557 jQuery Vulnerability CVE-2019-11358 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
880001-1 CVE-2020-5937 K58290051, BT880001 TMM may crash while processing L4 behavioral DoS traffic 15.1.1
870273-5 CVE-2020-5936 K44020030, BT870273 TMM may consume excessive resources when processing SSL traffic 12.1.5.2, 13.1.5, 14.1.2.8, 15.1.1
868349-1 CVE-2020-5935 K62830532, BT868349 TMM may crash while processing iRules with MQTT commands 13.1.3.4, 14.1.2.5, 15.1.1
858349-3 CVE-2020-5934 K44808538, BT858349 TMM may crash while processing SAML SLO traffic 14.1.2.5, 15.1.1
848405-2 CVE-2020-5933 K26244025, BT848405 TMM may consume excessive resources while processing compressed HTTP traffic 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.1.1
839761-1 CVE-2020-5932 K12002065, BT839761 Response Body preview hardening 15.1.1
778049-2 CVE-2018-13405 K00854051, BT778049 Linux Kernel Vulnerability: CVE-2018-13405 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1
887637-2 CVE-2019-3815 K22040951, BT887637 Systemd-journald Vulnerability: CVE-2019-3815 14.1.2.5, 15.0.1.4, 15.1.1
852929-6 CVE-2020-5920 K25160703, BT852929 AFM WebUI Hardening 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1
818213-4 CVE-2019-10639 K32804955, BT818213 CVE-2019-10639: KASLR bypass using connectionless protocols 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
818177-6 CVE-2019-12295 K06725231, BT818177 CVE-2019-12295 Wireshark Vulnerability 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1
858537-2 CVE-2019-1010204 K05032915, BT858537 CVE-2019-1010204: Binutils Vulnerability 14.1.2.8, 15.1.1
834533-7 CVE-2019-15916 K57418558, BT834533 Linux kernel vulnerability CVE-2019-15916 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
912289-1 2-Critical BT912289 Cannot roll back after upgrading on certain platforms ★ 12.1.6, 13.1.4, 14.1.4, 15.1.1
890229-1 3-Major BT890229 Source port preserve setting is not honored 13.1.3.5, 14.1.2.8, 15.1.1
858189-3 3-Major BT858189 Make restnoded/restjavad/icrd timeout configurable with sys db variables. 12.1.5.2, 14.1.2.7, 15.1.1
719338-1 4-Minor BT719338 Concurrent management SSH connections are unlimited 13.1.4, 14.1.4, 15.1.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
864513-1 1-Blocking K48234609, BT864513 ASM policies may not load after upgrading to 14.x or later from a previous major version ★ 14.1.2.7, 15.1.1
896217-2 2-Critical BT896217 BIG-IP GUI unresponsive 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
876957-1 2-Critical BT876957 Reboot after tmsh load sys config changes sys FPGA firmware-config value 14.1.4.1, 15.1.1
871561-5 2-Critical BT871561 Software installation on vCMP guest fails with '(Software compatibility tests failed.)' or '(The requested product/version/build is not in the media.)' ★ 14.1.2.8, 15.1.1, 16.0.1
860517-1 2-Critical BT860517 MCPD may crash on startup with many thousands of monitors on a system with many CPUs. 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1
818253-3 2-Critical BT818253 Generate signature files for logs 14.1.2.8, 15.1.1, 16.0.1.1
805417-3 2-Critical BT805417 Unable to enable LDAP system auth profile debug logging 14.1.2.7, 15.1.1
706521-2 2-Critical K21404407, BT706521 The audit forwarding mechanism for TACACS+ uses an unencrypted db variable to store the password 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
593536-9 2-Critical K64445052, BT593536 Device Group with incremental ConfigSync enabled might report 'In Sync' when devices have differing configurations 14.1.2.8, 15.1.1
924493-2 3-Major BT924493 VMware EULA has been updated 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
921361-2 3-Major BT921361 SSL client and SSL server profile names truncated in GUI 15.1.1, 16.0.1.1
915825-2 3-Major BT915825 Configuration error caused by Drafts folder in a deleted custom partition while upgrading. 13.1.3.5, 14.1.3.1, 15.1.1
904845-2 3-Major BT904845 VMware guest OS customization works only partially in a dual stack environment. 14.1.3.1, 15.1.1, 16.0.1
904705-2 3-Major BT904705 Cannot clone Azure marketplace instances. 14.1.2.8, 15.1.1, 16.0.1
898461-2 3-Major BT898461 Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context' 14.1.3.1, 15.1.1, 16.0.1.1
886689-6 3-Major BT886689 Generic Message profile cannot be used in SCTP virtual 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1
880625-3 3-Major BT880625 Check-host-attr enabled in LDAP system-auth creates unusable config 14.1.2.8, 15.1.1, 16.0.1
880165-2 3-Major BT880165 Auto classification signature update fails 14.1.2.8, 15.1.1, 16.0.1
867013-2 3-Major BT867013 Fetching ASM policy list from the GUI (in LTM policy rule creation) occasionally causes REST timeout 13.1.3.5, 14.1.2.7, 15.1.1
850777-3 3-Major BT850777 BIG-IP VE deployed on cloud provider may be unable to reach metadata services with static management interface config 14.1.3.1, 15.1.1
838297-2 3-Major BT838297 Remote ActiveDirectory users are unable to login to the BIG-IP using remote LDAP authentication 14.1.2.8, 15.1.1
828789-1 3-Major BT828789 Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters 14.1.2.8, 15.1.1
807337-5 3-Major BT807337 Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed. 14.1.2.8, 15.1.1, 16.0.1.1
788577-7 3-Major BT788577 BFD sessions may be reset after CMP state change 11.6.5.2, 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
759564-2 3-Major BT759564 GUI not available after upgrade 14.1.2.8, 15.1.1, 16.0.1
740589-4 3-Major BT740589 Mcpd crash with core after 'tmsh edit /sys syslog all-properties' 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
719555-3 3-Major BT719555 Interface listed as 'disable' after SFP insertion and enable 13.1.5, 14.1.4, 15.1.1
489572-5 3-Major K60934489, BT489572 Sync fails if file object is created and deleted before sync to peer BIG-IP 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
431503-8 3-Major K14838, BT431503 TMSH crashes in rare initial tunnel configurations 13.1.3.5, 14.1.2.8, 15.1.1
921369 4-Minor BT921369 Signature verification for logs fails if the log files are modified during log rotation 15.1.1
914761-3 4-Minor BT914761 Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed. 14.1.2.8, 15.1.1, 16.0.1.1
906889-4 4-Minor BT906889 Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows. 14.1.2.8, 15.1.1, 16.0.1
902417-2 4-Minor BT902417 Configuration error caused by Drafts folder in a deleted custom partition ★ 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1.1
890277-3 4-Minor BT890277 Full config sync to a device group operation takes a long time when there are a large number of partitions. 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
864757-3 4-Minor BT864757 Traps that were disabled are enabled after configuration save 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
822377-6 4-Minor   CVE-2019-10092: httpd mod_proxy cross-site scripting vulnerability 14.1.2.8, 15.1.1
779857-2 4-Minor BT779857 Misleading GUI error when installing a new version in another partition ★ 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
751103-2 4-Minor BT751103 TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop 14.1.2.8, 15.1.1, 16.0.1
849085-1 5-Cosmetic BT849085 Lines with only asterisks filling message and user.log file 14.1.3.1, 15.1.1
714176-1 5-Cosmetic BT714176 UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
889209-2 2-Critical BT889209 Sflow receiver configuration may lead to egress traffic dropped after TMM starts. 14.1.4, 15.1.1
879409-3 2-Critical BT879409 TMM core with mirroring traffic due to unexpected interface name length 14.1.3.1, 15.1.1
858429-3 2-Critical BT858429 BIG-IP system sends ICMP packets on both virtual wire interfaces. 14.1.2.8, 15.0.1.4, 15.1.1
851857-1 2-Critical BT851857 HTTP 100 Continue handling does not work when it arrives in multiple packets 13.1.3.5, 14.1.3.1, 15.1.1
851581-3 2-Critical BT851581 Server-side detach may crash TMM 14.1.2.8, 15.1.1
842937-6 2-Critical BT842937 TMM crash due to failed assertion 'valid node' 12.1.5.3, 14.1.2.7, 15.1.1
932825-2 3-Major BT932825 Delayed Gratuitous ARPs may cause traffic to go to the previous active BIG-IP device 15.1.1
915713-2 3-Major BT915713 Support QUIC and HTTP3 draft-29 15.1.1, 16.0.1.1
915689-1 3-Major BT915689 HTTP/2 dynamic header table may fail to identify indexed headers on the response side. 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
915281-2 3-Major BT915281 Do not rearm TCP Keep Alive timer under certain conditions 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
892385 3-Major BT892385 HTTP does not process WebSocket payload when received with server HTTP response 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.1, 16.0.1
883529-1 3-Major BT883529 HTTP/2 Method OPTIONS allows '*' (asterisk) as an only value for :path 15.1.1
851789-2 3-Major BT851789 SSL monitors flap with client certs with private key stored in FIPS 12.1.5.3, 14.1.2.5, 15.1.1
851477-1 3-Major BT851477 Memory allocation failures during proxy initialization are ignored leading to TMM cores 14.1.3.1, 15.1.1
851045-1 3-Major BT851045 LTM database monitor may hang when monitored DB server goes down 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.1
830797-3 3-Major BT830797 Standby high availability (HA) device passes traffic through virtual wire 14.1.2.3, 15.0.1.1, 15.1.1
825689-1 3-Major   Enhance FIPS crypto-user storage 12.1.6, 13.1.4, 14.1.4, 15.1.1
816881-2 3-Major BT816881 Server-side connection may use wrong VLAN when virtual wire is configured 14.1.2.8, 15.1.1
801497-3 3-Major BT801497 Virtual wire with LACP pinning to one link in trunk. 14.1.2.1, 15.1.1
932937-2 4-Minor BT932937 HTTP Explicit Proxy configurations can result in connections hanging until idle timeout. 14.1.3.1, 15.1.1, 16.0.1
926997-1 4-Minor BT926997 QUIC HANDSHAKE_DONE profile statistics are not reset 15.1.1, 16.0.1
852373-3 4-Minor BT852373 HTTP2::disable or enable breaks connection when used in iRule and logs Tcl error 14.1.2.5, 15.0.1.4, 15.1.1
814037-6 4-Minor BT814037 No virtual server name in Hardware Syncookie activation logs. 13.1.3.5, 14.1.2.8, 15.1.1


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
919553-2 2-Critical BT919553 GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets. 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
788465-5 2-Critical BT788465 DNS cache idx synced across HA group could cause tmm crash 14.1.3.1, 15.1.1, 16.0.1
783125-1 2-Critical BT783125 iRule drop command on DNS traffic without Datagram-LB may cause TMM crash 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
898093-2 3-Major BT898093 Removing one member from a WideIP removes it from all WideIPs. 15.1.1
869361-1 3-Major BT869361 Link Controller inbound wide IP load balancing method incorrectly presented in GUI when updated 15.1.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
868641-3 2-Critical BT868641 Possible TMM crash when disabling bot profile for the entire connection 14.1.2.7, 15.1.1
843801-2 2-Critical BT843801 Like-named previous Signature Update installations block Live Update usage after upgrade 14.1.2.7, 15.1.1
918081-1 3-Major BT918081 Application Security Administrator role cannot create parent policy in the GUI 15.1.1, 16.0.1.1
913761-2 3-Major BT913761 Security - Options section in navigation menu is visible for only Administrator users 15.1.1, 16.0.1.2
903357-2 3-Major BT903357 Bot Defense profile list loads too slowly when there are 750 or more virtual servers 14.1.2.7, 15.1.1, 16.0.1.1
901061-2 3-Major BT901061 Safari browser might be blocked when using Bot Defense profile and related domains. 14.1.2.8, 15.1.1, 16.0.1
898741-2 3-Major BT898741 Missing critical files causes FIPS-140 system to halt upon boot 14.1.2.7, 15.1.1
892637-1 3-Major BT892637 Microservices cannot be added or modified 15.1.1
888285-1 3-Major K18304067, BT888285 Sensitive positional parameter not masked in 'Referer' header value 14.1.2.8, 15.1.1
888261-1 3-Major BT888261 Policy created with declarative WAF does not use updated template. 15.1.1
881757-1 3-Major BT881757 Unnecessary HTML response parsing and response payload is not compressed 14.1.4.2, 15.1.1, 16.0.1.2
880753-3 3-Major K38157961, BT880753 Possible issues when using DoSL7 and Bot Defense profile on the same virtual server 14.1.2.7, 15.0.1.4, 15.1.1
879777-3 4-Minor BT879777 Retrieve browser cookie from related domain instead of performing another Bot Defense browser verification challenge 14.1.2.8, 15.1.1


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
908065-2 3-Major BT908065 Logrotation for /var/log/avr blocked by files with .1 suffix 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
819301-2 3-Major BT819301 Incorrect values in REST response for dos-l3 table 15.1.1, 16.0.1
866613-4 4-Minor BT866613 Missing MaxMemory Attribute 13.1.3.5, 14.1.2.8, 15.1.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
886729-2 2-Critical BT886729 Intermittent TMM crash in per-request-policy allow-ending agent 15.1.1
838861-3 2-Critical BT838861 TMM might crash once after upgrading SSL Orchestrator 14.1.2.7, 15.1.1
579219-5 2-Critical BT579219 Access keys missing from SessionDB after multi-blade reboot. 13.1.5, 14.1.2.8, 15.1.1
892937-2 3-Major K20105555, BT892937 F5 SSL Orchestrator may fail to stop an attacker from exfiltrating data on a compromised client system (SNIcat) 14.1.4, 15.1.1, 16.0.1
857589-1 3-Major BT857589 On Citrix Workspace app clicking 'Refresh Apps' after signing out fails with message 'Refresh Failed' 15.1.1
771961-3 3-Major BT771961 While removing SSL Orchestrator from the SSL Orchestrator user interface, TMM can core 14.1.3.1, 15.1.1
747020-2 3-Major BT747020 Requests that evaluate to same subsession can be processed concurrently 14.1.3.1, 15.1.1, 16.0.1
679751-2 4-Minor BT679751 Authorization header can cause a connection reset 13.1.3.5, 14.1.2.8, 15.1.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
868781-1 2-Critical BT868781 TMM crashes while processing MRF traffic 13.1.4.1, 14.1.4.2, 15.1.1
898997-2 3-Major BT898997 GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes 14.1.2.7, 15.1.1, 16.0.1
891385-2 3-Major BT891385 Add support for URI protocol type "urn" in MRF SIP load balancing 14.1.3.1, 15.1.1, 16.0.1
697331-2 3-Major BT697331 Some TMOS tools for querying various DBs fail when only a single TMM is running 14.1.3, 14.1.3.1, 15.1.1
924349-2 4-Minor   DIAMETER MRF is not compliant with RFC 6733 for Host-IP-Address AVP over SCTP 14.1.3.1, 15.1.1, 16.0.1


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
872645-2 3-Major BT872645 Protected Object Aggregate stats are causing elevated CPU usage 14.1.3.1, 15.1.1
852289-4 3-Major K23278332, BT852289 DNS over TCP packet is not rate-limited accurately by DoS device sweep/flood vector 13.1.3.4, 14.1.2.5, 15.1.1
789857 3-Major BT789857 'TCP half open' reports drops made by LTM syn-cookies mitigation. 14.1.4, 15.1.1
920361-2 4-Minor BT920361 Standby device name sent in Traffic Statistics syslog/Splunk messages 14.1.3.1, 15.1.1


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
876581-2 3-Major BT876581 JavaScript engine file is empty if the original HTML page cached for too long 13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1
891729-2 4-Minor BT891729 Errors in datasyncd.log 14.1.2.8, 15.1.1, 16.0.1
759988-2 4-Minor BT759988 Geolocation information inconsistently formatted 15.1.1, 16.0.1
940401-2 5-Cosmetic BT940401 Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection' 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
937281-3 3-Major BT937281 SSL Orchestrator pool members are limited to 20 with Standalone license 15.1.1, 16.0.0.1



Cumulative fixes from BIG-IP v15.1.0.5 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
912221-1 CVE-2020-12662, CVE-2020-12663 K37661551, BT912221 CVE-2020-12662 & CVE-2020-12663 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7, 15.1.0.5
900905-3 CVE-2020-5926 K42830212, BT900905 TMM may crash while processing SIP data 14.1.2.7, 15.0.1.4, 15.1.0.5
888417-5 CVE-2020-8840 K15320518, BT888417 Apache Vulnerability: CVE-2020-8840 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
883717-1 CVE-2020-5914 K37466356, BT883717 BD crash on specific server cookie scenario 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
841577-2 CVE-2020-5922 K20606443, BT841577 iControl REST hardening 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.0.5
838677-1 CVE-2019-10744 K47105354, BT838677 lodash library vulnerability CVE-2019-10744 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
837773-7 CVE-2020-5912 K12936322, BT837773 Restjavad Storage and Configuration Hardening 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
788057-3 CVE-2020-5921 K00103216, BT788057 MCPD may crash while processing syncookies 11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
917005-5 CVE-2020-8619 K19807532 ISC BIND Vulnerability: CVE-2020-8619 11.6.5.3, 12.1.6, 13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1
909837-1 CVE-2020-5950 K05204103, BT909837 TMM may consume excessive resources when AFM is provisioned 13.1.3.5, 14.1.2.7, 15.1.0.5
902141-1 CVE-2020-5919 K94563369, BT902141 TMM may crash while processing APM data 15.1.0.5
898949-1 CVE-2020-27724 K04518313, BT898949 APM may consume excessive resources while processing VPN traffic 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.3.1, 15.0.1.4, 15.1.0.5, 16.0.1
888489-2 CVE-2020-5927 K55873574, BT888489 ASM UI hardening 14.1.2.7, 15.0.1.4, 15.1.0.5
886085-5 CVE-2020-5925 K45421311, BT886085 BIG-IP TMM vulnerability CVE-2020-5925 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5
872673-1 CVE-2020-5918 K26464312, BT872673 TMM can crash when processing SCTP traffic 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
856961-7 CVE-2018-12207 K17269881, BT856961 INTEL-SA-00201 MCE vulnerability CVE-2018-12207 13.1.3.5, 14.1.2.8, 15.0.1.4, 15.1.0.5
837837-2 CVE-2020-5917 K43404629, BT837837 F5 SSH server key size vulnerability CVE-2020-5917 12.1.5.2, 14.1.2.5, 15.0.1.4, 15.1.0.5
832885-1 CVE-2020-5923 K05975972, BT832885 Self-IP hardening 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.1.0.5
830481-1 CVE-2020-5916 K29923912, BT830481 SSL TMUI hardening 15.0.1.4, 15.1.0.5
816413-5 CVE-2019-1125 K31085564, BT816413 CVE-2019-1125: Spectre SWAPGS Gadget 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
811789-7 CVE-2020-5915 K57214921, BT811789 Device trust UI hardening 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
888493-2 CVE-2020-5928 K40843345, BT888493 ASM GUI Hardening 12.1.5.2, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
748122-8 CVE-2018-15333 K53620021, BT748122 BIG-IP Vulnerability CVE-2018-15333 14.1.2.5, 15.0.1.4, 15.1.0.5
746091-8 CVE-2019-19151 K21711352, BT746091 TMSH Vulnerability: CVE-2019-19151 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
717276-9 CVE-2020-5930 K20622530, BT717276 TMM Route Metrics Hardening 11.6.5.3, 12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.5
839145-3 CVE-2019-10744 K47105354, BT839145 CVE-2019-10744: lodash vulnerability 14.1.2.7, 15.1.0.5, 16.0.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
816233-1 2-Critical BT816233 Session and authentication cookies should use larger character set 14.1.2.7, 15.0.1.4, 15.1.0.5
890421-2 3-Major BT890421 New traps were introduced in 15.0.1.2 for Georedundancy with previously assigned trap numbers 15.0.1.3, 15.1.0.5
691499-5 3-Major BT691499 GTP::ie primitives in iRule to be certified 13.1.3.4, 14.1.2.7, 15.1.0.5
745465-4 4-Minor BT745465 The tcpdump file does not provide the correct extension 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
934241-2 1-Blocking BT934241 TMM may core when using FastL4's hardware offloading feature 15.1.0.5
891477-3 2-Critical BT891477 No retransmission occurs on TCP flows that go through a BWC policy-enabled virtual server 14.1.2.7, 15.0.1.4, 15.1.0.5
890513-2 2-Critical BT890513 MCPD fails to load configuration from binary database 14.1.4, 15.1.0.5
849405-2 2-Critical BT849405 LTM v14.1.2.1 does not log after upgrade 14.1.2.5, 15.1.0.5
842865-2 2-Critical BT842865 Add support for Auto MAC configuration (ixlv) 14.1.2.8, 15.0.1.4, 15.1.0.5
739507-3 2-Critical BT739507 Improved recovery method for BIG-IP system that has halted from a failed FIPS integrity check 13.1.1.2, 14.1.4, 15.1.0.5
927901-4 3-Major BT927901 After BIG-IP reboot, vxnet interfaces come up as uninitialized 15.1.0.5
915497-2 3-Major BT915497 New Traffic Class Page shows multiple question marks. 14.1.3.1, 15.1.0.5, 16.0.1.1
907549-1 3-Major BT907549 Memory leak in BWC::Measure 15.1.0.5, 16.1.2.2
891721-3 3-Major BT891721 Anti-Fraud Profile URLs with query strings do not load successfully 14.1.2.7, 15.0.1.4, 15.1.0.5
888497-2 3-Major BT888497 Cacheable HTTP Response 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1
887089-1 3-Major BT887089 Upgrade can fail when filenames contain spaces 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5
877145-4 3-Major BT877145 Unable to log in to iControl REST via /mgmt/toc/, restjavad throwing NullPointerException 15.0.1.3, 15.1.0.5
871657-1 3-Major BT871657 Mcpd crash when adding NAPTR GTM pool member with a flag of uppercase A or S 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
844085-1 3-Major BT844085 GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address 14.1.2.8, 15.1.0.5, 16.0.1
842125-6 3-Major BT842125 Unable to reconnect outgoing SCTP connections that have previously aborted 13.1.3.4, 14.1.2.5, 15.1.0.5
821309-1 3-Major BT821309 After an initial boot, mcpd has a defunct child "systemctl" process 14.1.2.7, 15.1.0.5
814585-1 3-Major BT814585 PPTP profile option not available when creating or modifying virtual servers in GUI 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1
807005-5 3-Major BT807005 Save-on-auto-sync is not working as expected with large configuration objects 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5
802685-2 3-Major BT802685 Unable to configure performance HTTP virtual server via GUI 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5
797829-6 3-Major BT797829 The BIG-IP system may fail to deploy new or reconfigure existing iApps 13.1.3.5, 14.1.2.8, 15.1.0.5, 16.0.1.1
785741-3 3-Major K19131357, BT785741 Unable to login using LDAP with 'user-template' configuration 14.1.2.3, 15.0.1.4, 15.1.0.5
760622-5 3-Major BT760622 Allow Device Certificate renewal from BIG-IP Configuration Utility 15.1.0.5
405329-3 3-Major   The imish utility cores while checking help strings for OSPF6 vertex-threshold 14.1.4.6, 15.1.0.5
919745-2 4-Minor BT919745 CSV files downloaded from the Dashboard have the first row with all 'NaN' 14.1.2.8, 15.1.0.5, 16.0.1
918209-3 4-Minor BT918209 GUI Network Map icons color scheme is not section 508 compliant 14.1.2.8, 15.1.0.5, 16.0.1
851393-1 4-Minor BT851393 Tmipsecd leaves a zombie rm process running after starting up 14.1.4.4, 15.1.0.5
804309-1 4-Minor BT804309 [api-status-warning] are generated at stderr and /var/log/ltm when listing config with all-properties argument 13.1.3.5, 14.1.2.7, 15.1.0.5
713614-7 4-Minor BT713614 Virtual address (/Common/10.10.10.10) shares address with floating self IP (/Common/10.10.10.10), so traffic-group is being kept at (/Common/traffic-group-local-only) 13.1.5, 14.1.4.6, 15.1.0.5
767269-5 5-Cosmetic   Linux kernel vulnerability: CVE-2018-16884 14.1.2.8, 15.1.0.5


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
925989 2-Critical BT925989 Certain BIG-IP appliances with HSMs cannot upgrade to v15.1.0.4 15.1.0.5
839749-3 2-Critical BT839749 Virtual server with specific address list might fail to create via GUI 14.1.2.8, 15.0.1.1, 15.1.0.5
715032-1 2-Critical K73302459, BT715032 iRulesLX Hardening 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
916589-2 3-Major BT916589 QUIC drops 0RTT packets if CID length changes 15.1.0.5, 16.0.1.1
910521-2 3-Major BT910521 Support QUIC and HTTP draft-28 15.1.0.5, 16.0.1
893281-3 3-Major BT893281 Possible ssl stall on closed client handshake 14.1.2.7, 15.1.0.5
813701-6 3-Major BT813701 Proxy ARP failure 14.1.2.7, 15.1.0.5
788753-2 3-Major BT788753 GATEWAY_ICMP monitor marks node down with wrong error code 13.1.3.4, 14.1.2.8, 15.1.0.5
786517-5 3-Major BT786517 Modifying a monitor Alias Address from the TMUI might cause failed config loads and send monitors to an incorrect address 13.1.3.5, 14.1.3.1, 15.1.0.5
720440-6 3-Major BT720440 Radius monitor marks pool members down after 6 seconds 12.1.5.2, 13.1.3.6, 14.1.3.1, 15.1.0.5
914681-2 4-Minor BT914681 Value of tmm.quic.log.level can differ between TMSH and GUI 15.1.0.5, 16.0.1.1
714502-3 4-Minor BT714502 bigd restarts after loading a UCS for the first time 14.1.2.7, 15.1.0.5


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
789421-4 3-Major BT789421 Resource-administrator cannot create GTM server object through GUI 14.1.2.7, 15.1.0.5, 16.0.1
774257-4 5-Cosmetic BT774257 tmsh show gtm pool and tmsh show gtm wideip print duplicate object types 14.1.2.7, 15.1.0.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
904593-1 2-Critical BT904593 Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled 14.1.2.7, 15.1.0.5
865461-1 2-Critical BT865461 BD crash on specific scenario 14.1.2.7, 15.1.0.5
850641-2 2-Critical BT850641 Incorrect parameter created for names with non-ASCII characters in non-UTF8 policies 15.1.0.5
900797-2 3-Major BT900797 Brute Force Protection (BFP) hash table entry cleanup 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
900793-1 3-Major K32055534, BT900793 APM Brute Force Protection resources do not scale automatically 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
900789-2 3-Major BT900789 Alert before Brute Force Protection (BFP) hash is fully utilized 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
892653-1 3-Major BT892653 Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI 14.1.2.7, 15.1.0.5, 16.0.1
880789-3 3-Major BT880789 ASMConfig Handler undergoes frequent restarts 14.1.2.7, 15.1.0.5
874753-3 3-Major   Filtering by Bot Categories on Bot Requests Log shows 0 events 14.1.2.7, 15.1.0.5
871905-2 3-Major K02705117, BT871905 Incorrect masking of parameters in event log 13.1.5, 14.1.2.5, 15.0.1.4, 15.1.0.5
868721-1 3-Major BT868721 Transactions are held for a long time on specific server related conditions 14.1.2.7, 15.1.0.5
863609-4 3-Major BT863609 Unexpected differences in child policies when using BIG-IQ to change learning mode on parent policies 14.1.2.7, 15.1.0.5
854177-5 3-Major BT854177 ASM latency caused by frequent pool IP updates that are unrelated to ASM functionality 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.1.0.5
850677-4 3-Major BT850677 Non-ASCII static parameter values are garbled when created via REST in non-UTF-8 policy 14.1.2.7, 15.1.0.5
848445-1 3-Major K86285055, BT848445 Global/URL/Flow Parameters with flag is_sensitive true are not masked in Referer 11.6.5.3, 12.1.5.3, 13.1.3.5, 14.1.2.8, 15.1.0.5
833685-5 3-Major BT833685 Idle async handlers can remain loaded for a long time doing nothing 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.5
809125-5 3-Major BT809125 CSRF false positive 12.1.5.1, 14.1.2.7, 15.1.0.5
799749-2 3-Major BT799749 Asm logrotate fails to rotate 14.1.2.7, 15.1.0.5
783165-1 3-Major BT783165 Bot Defense whitelist does not apply for URL "Any" after modifying the Bot Defense profile 14.1.2.7, 15.1.0.5
742549-3 3-Major BT742549 Cannot create non-ASCII entities in non-UTF ASM policy using REST 13.1.3.6, 14.1.2.7, 15.1.0.5
722337-2 3-Major BT722337 Always show violations in request log when post request is large 13.1.3.5, 14.1.2.7, 15.1.0.5, 16.0.1.1
640842-5 3-Major BT640842 ASM end user using mobile might be blocked when CSRF is enabled 14.1.2.7, 15.1.0.5


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
828937-1 2-Critical K45725467, BT828937 Some systems can experience periodic high IO wait due to AVR data aggregation 13.1.3.4, 14.1.2.5, 15.1.0.5
902485-3 3-Major BT902485 Incorrect pool member concurrent connection value 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.5, 16.0.1
841305-2 3-Major BT841305 HTTP/2 version chart reports are empty in GUI; error appears in GUI and reported in monpd log 15.1.0.5, 16.0.1
838685-4 3-Major BT838685 DoS report exists in per-widget view but not under individual virtual server 13.1.3.5, 14.1.2.7, 15.1.0.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
884797-4 3-Major BT884797 Portal Access: in some cases data is not delivered via WebSocket connection 14.1.2.5, 15.1.0.5


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
904373-3 3-Major BT904373 MRF GenericMessage: Implement limit to message queues size 14.1.3.1, 15.0.1.4, 15.1.0.5, 16.0.1
876953-2 3-Major BT876953 Tmm crash while passing diameter traffic 15.0.1.4, 15.1.0.5, 16.0.1
876077-1 3-Major BT876077 MRF DIAMETER: stale pending retransmission entries may not be cleaned up 14.1.2.5, 15.0.1.4, 15.1.0.5
868381-1 3-Major BT868381 MRF DIAMETER: Retransmission queue unable to delete stale entries 14.1.2.5, 15.0.1.4, 15.1.0.5
866021-1 3-Major BT866021 Diameter Mirror connection lost on the standby due to "process ingress error" 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
824149-5 3-Major BT824149 SIP ALG virtual with source-nat-policy cores if traffic does not match the source-nat-policy or matches the source-nat-policy which does not have source-translation configured 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5
815877-2 3-Major BT815877 Information Elements with zero-length value are rejected by the GTP parser 11.6.5.3, 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.0.1.4, 15.1.0.5
696348-5 3-Major BT696348 "GTP::ie insert" and "GTP::ie append" do not work without "-message" option 13.1.3.4, 14.1.2.7, 15.1.0.5
788513-6 4-Minor BT788513 Using RADIUS::avp replace with variable produces RADIUS::avp replace USER-NAME $custom_name warning in log 12.1.5.2, 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.5
793005-1 5-Cosmetic BT793005 'Current Sessions' statistic of MRF/Diameter pool may be incorrect 13.1.3.4, 14.1.2.7, 15.1.0.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
802421-6 2-Critical BT802421 The /var partition may become 100% full requiring manual intervention to clear space 14.1.2.7, 15.1.0.5
757279-3 3-Major BT757279 LDAP authenticated Firewall Manager role cannot edit firewall policies 13.1.1.5, 14.1.2.8, 15.1.0.5
896917 4-Minor BT896917 The fw_zone_stat 'Hits' field may not increment in some scenarios 15.1.0.5


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
839597-6 3-Major BT839597 Restjavad fails to start if provision.extramb has a large value 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.5


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
886717-1 3-Major BT886717 TMM crashes while using SSL Orchestrator. 15.1.0.5
886713-1 4-Minor BT886713 Error log seen in case of SSL Orchestrator configured with http service during connection close. 14.1.2.5, 15.1.0.5



Cumulative fixes from BIG-IP v15.1.0.4 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
900757-2 CVE-2020-5902 K52145254, BT900757 TMUI RCE vulnerability CVE-2020-5902 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
895525-2 CVE-2020-5902 K52145254, BT895525 TMUI RCE vulnerability CVE-2020-5902 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
909237-6 CVE-2020-8617 K05544642 CVE-2020-8617: BIND Vulnerability 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
909233-6 CVE-2020-8616 K97810133, BT909233 DNS Hardening 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
905905-1 CVE-2020-5904 K31301245, BT905905 TMUI CSRF vulnerability CVE-2020-5904 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
895993-2 CVE-2020-5902 K52145254, BT895993 TMUI RCE vulnerability CVE-2020-5902 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
895981-2 CVE-2020-5902 K52145254, BT895981 TMUI RCE vulnerability CVE-2020-5902 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
895881-1 CVE-2020-5903 K43638305, BT895881 BIG-IP TMUI XSS vulnerability CVE-2020-5903 12.1.5.2, 13.1.3.4, 14.1.2.6, 15.0.1.4, 15.1.0.4
891457-2 CVE-2020-5939 K75111593, BT891457 NIC driver may fail while transmitting data 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.4, 16.0.1
859089-7 CVE-2020-5907 K00091341, BT859089 TMSH allows SFTP utility access 11.6.5.2, 12.1.5.3, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
909673 2-Critical BT909673 TMM crashes when VLAN SYN cookie feature is used on iSeries i2x00 and i4x00 platforms 15.1.0.4
882557-2 3-Major BT882557 TMM restart loop if virtio platform specifies RX or TX queue sizes that are too large (4096 or higher) 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.4
878893-3 3-Major BT878893 During system shutdown it is possible for the sflow_agent to core 15.1.0.4
858769-6 3-Major K82498430, BT858769 Net-snmp library must be upgraded to 5.8 in order to support SHA-2 15.1.0.4
829193-4 3-Major BT829193 REST system unavailable due to disk corruption 13.1.3.6, 14.1.3.1, 15.1.0.4
826265-5 3-Major BT826265 The SNMPv3 engineBoots value restarts at 1 after an upgrade 15.1.0.4
812493-4 3-Major BT812493 When engineID is reconfigured, snmp and alert daemons must be restarted 15.1.0.4
810381-2 3-Major BT810381 The SNMP max message size check is being incorrectly applied. 13.1.3.5, 14.1.2.8, 15.1.0.4
743234-6 3-Major BT743234 Configuring EngineID for SNMPv3 requires restart of the SNMP and Alert daemons 15.1.0.4
774617-3 4-Minor BT774617 SNMP daemon reports integer truncation error for values greater than 32 bits 14.1.4, 15.1.0.4


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
910177 2-Critical BT910177 Poor HTTP/3 throughput 15.1.0.4
848777-3 3-Major BT848777 Configuration for virtual server using shared object address-list in non-default partition in non-default route-domain does not sync to peer node. 14.1.2.7, 15.1.0.4


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
892621-1 3-Major BT892621 Mismatch between calculation for IPv6 packets size metric in BDoS in hardware and software 14.1.3, 15.1.0.4



Cumulative fixes from BIG-IP v15.1.0.3 that are included in this release


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
889505 3-Major BT889505 Added SNMP OIDs for gathering total number of PBAs and percentage of PBAs available 15.1.0.3
888569 3-Major BT888569 Added PBA stats for total number of free PBAs, and percent free PBAs 15.1.0.3


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
795649-5 3-Major BT795649 Loading UCS from one iSeries model to another causes FPGA to fail to load 12.1.5.2, 13.1.3.5, 14.1.3.1, 15.1.0.3


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
883513-1 3-Major BT883513 Support for QUIC and HTTP/3 draft-27 15.1.0.3
828601-1 3-Major BT828601 IPv6 Management route is preferred over IPv6 tmm route 13.1.3.5, 14.1.2.7, 15.1.0.3
758599-3 3-Major BT758599 IPv6 Management route is preferred over IPv6 tmm route 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.3


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
846713-1 2-Critical BT846713 Gtm_add does not restart named 15.1.0.3


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
903905-2 2-Critical BT903905 BIG-IQ or BIG-IP devices experience a service disruption during certain circumstances 15.1.0.3
889477-1 2-Critical BT889477 Modern customization does not enforce validation at password changing 15.1.0.3


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
888625 3-Major BT888625 CGNAT PBA active port blocks counter is incorrect compared to actual allocated port blocks 14.1.2.7, 15.1.0.3



Cumulative fixes from BIG-IP v15.1.0.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
879025-2 CVE-2020-5913 K72752002, BT879025 When processing TLS traffic, LTM may not enforce certificate chain restrictions 12.1.5.2, 13.1.3.5, 14.1.2.5, 15.1.0.2
871633-1 CVE-2020-5859 K61367237, BT871633 TMM may crash while processing HTTP/3 traffic 15.1.0.2
846917-1 CVE-2019-10744 K47105354, BT846917 lodash Vulnerability: CVE-2019-10744 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.3, 15.1.0.2
846365-1 CVE-2020-5878 K35750231, BT846365 TMM may crash while processing IP traffic 14.1.2.3, 15.0.1.2, 15.1.0.2
830401-1 CVE-2020-5877 K54200228, BT830401 TMM may crash while processing TCP traffic with iRules 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
819197-2 CVE-2019-13135 K20336394, BT819197 BIGIP: CVE-2019-13135 ImageMagick vulnerability 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
819189-1 CVE-2019-13136 K03512441, BT819189 BIGIP: CVE-2019-13136 ImageMagick vulnerability 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
818169-1 CVE-2022-26372 K23454411, BT818169 TMM may consume excessive resources when processing DNS profiles with DNS queueing enabled 13.1.5, 14.1.4.6, 15.1.0.2
636400 CVE-2019-6665 K26462555, BT636400 CPB (BIG-IP->BIGIQ log node) Hardening 13.1.3.2, 14.0.1.1, 14.1.2.1, 15.0.1.1, 15.1.0.2
873469-2 CVE-2020-5889 K24415506, BT873469 APM Portal Access: Base URL may be set incorrectly 14.1.2.5, 15.0.1.3, 15.1.0.2
864109-1 CVE-2020-5889 K24415506, BT864109 APM Portal Access: Base URL may be set incorrectly 14.1.2.5, 15.0.1.3, 15.1.0.2
858025-1 CVE-2021-22984 K33440533, BT858025 BIG-IP ASM Bot Defense open redirection vulnerability CVE-2021-22984 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
838881-1 CVE-2020-5853 K73183618, BT838881 APM Portal Access Vulnerability: CVE-2020-5853 11.6.5.2, 12.1.5.2, 14.1.2.5, 15.0.1.3, 15.1.0.2
832021-3 CVE-2020-5888 K73274382, BT832021 Port lockdown settings may not be enforced as configured 14.1.2.5, 15.0.1.3, 15.1.0.2
832017-3 CVE-2020-5887 K10251014, BT832017 Port lockdown settings may not be enforced as configured 14.1.2.5, 15.0.1.3, 15.1.0.2
829121-1 CVE-2020-5886 K65720640, BT829121 State mirroring default does not require TLS 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.1.0.2
829117-1 CVE-2020-5885 K17663061, BT829117 State mirroring default does not require TLS 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.1.0.2
789921-5 CVE-2020-5881 K03386032, BT789921 TMM may restart while processing VLAN traffic 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2
868097-3 CVE-2020-5891 K58494243, BT868097 TMM may crash while processing HTTP/2 traffic 14.1.2.5, 15.0.1.3, 15.1.0.2
846157-1 CVE-2020-5862 K01054113, BT846157 TMM may crash while processing traffic on AWS 14.1.2.3, 15.0.1.2, 15.1.0.2
838909-3 CVE-2020-5893 K97733133, BT838909 BIG-IP APM Edge Client vulnerability CVE-2020-5893 11.6.5.2, 12.1.5.2, 13.1.4, 14.1.2.4, 15.1.0.2
823893-7 CVE-2020-5890 K03318649, BT823893 Qkview may fail to completely sanitize LDAP bind credentials 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
870389-3 3-Major BT870389 Increase size of /var logical volume to 1.5 GiB for LTM-only VE images 14.1.2.5, 15.1.0.2
858229-5 3-Major K22493037, BT858229 XML with sensitive data gets to the ICAP server 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
854493-5 2-Critical BT854493 Kernel page allocation failures messages in kern.log 14.1.2.8, 15.1.0.2
841953-7 2-Critical BT841953 A tunnel can be expired when going offline, causing tmm crash 12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.2
841581 2-Critical BT841581 License activation takes a long time to complete on Google GCE platform 15.1.0.2
841333-7 2-Critical BT841333 TMM may crash when tunnel used after returning from offline 12.1.5.3, 13.1.3.4, 14.1.2.8, 15.1.0.2
817709-3 2-Critical BT817709 IPsec: TMM cored with SIGFPE in racoon2 13.1.5, 14.1.2.8, 15.1.0.2
811701-3 2-Critical BT811701 AWS instance using xnet driver not receiving packets on an interface. 14.1.2.7, 15.0.1.4, 15.1.0.2
811149-2 2-Critical BT811149 Remote users are unable to authenticate via serial console. 14.1.2.8, 15.0.1.4, 15.1.0.2
866925-5 3-Major BT866925 The TMM pages used and available can be viewed in the F5 system stats MIB 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
865225-1 3-Major BT865225 100G modules may not work properly in i15000 and i15800 platforms 13.1.3.4, 15.1.0.2
852001-1 3-Major BT852001 High CPU utilization of MCPD when adding multiple devices to trust domain simultaneously 14.1.2.5, 15.0.1.3, 15.1.0.2
830717 3-Major BT830717 Appdata logical volume cannot be resized for some cloud images 15.1.0.2
829317-5 3-Major BT829317 Memory leak in icrd_child due to concurrent REST usage 13.1.4, 14.1.3, 14.1.3.1, 15.1.0.2
828873-3 3-Major BT828873 Unable to successfully deploy BIG-IP 15.0.0 on Nutanix AHV Hypervisor 15.1.0.2
812981-6 3-Major BT812981 MCPD: memory leak on standby BIG-IP device 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
802281-3 3-Major BT802281 Gossip shows active even when devices are missing 13.1.3.5, 14.1.2.5, 15.1.0.2
793121-5 3-Major BT793121 Enabling sys httpd redirect-http-to-https prevents vCMP host-to-guest communication 13.1.3.2, 14.1.2.7, 15.0.1.3, 15.1.0.2
742628-1 3-Major BT742628 A tmsh session initiation adds increased control plane pressure 12.1.5.3, 13.1.3.4, 14.1.2.6, 14.1.4, 15.0.1.4, 15.1.0.2
605675-6 3-Major BT605675 Sync requests can be generated faster than they can be handled 11.6.5.2, 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.0.1.4, 15.1.0.2
831293-5 4-Minor BT831293 SNMP address-related GET requests slow to respond. 12.1.5.3, 13.1.3.5, 14.1.2.7, 15.1.0.2
755317-3 4-Minor BT755317 /var/log logical volume may run out of space due to agetty error message in /var/log/secure 14.1.2.5, 15.1.0.2
722230-1 4-Minor BT722230 Cannot delete FQDN template node if another FQDN node resolves to same IP address 12.1.5.2, 13.1.3.4, 14.1.3.1, 15.0.1.4, 15.1.0.2


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
860881-3 2-Critical BT860881 TMM can crash when handling a compressed response from HTTP server 14.1.2.5, 15.0.1.3, 15.1.0.2
839401-1 2-Critical BT839401 Moving a virtual-address from one floating traffic-group to another does not send GARPs out. 14.1.2.5, 15.0.1.4, 15.1.0.2
837617-1 2-Critical BT837617 Tmm may crash while processing a compression context 14.1.4.4, 15.1.0.2
872965-1 3-Major BT872965 HTTP/3 does not support draft-25 15.1.0.2
862597-7 3-Major BT862597 Improve MPTCP's SYN/ACK retransmission handling 13.1.3.5, 14.1.3.1, 15.1.0.2
853613-4 3-Major BT853613 Improve interaction of TCP's verified accept and tm.tcpsendrandomtimestamp 14.1.2.5, 15.0.1.3, 15.1.0.2
852873-2 3-Major BT852873 Proprietary Multicast PVST+ packets are forwarded instead of dropped 14.1.2.7, 15.1.0.2
852861-1 3-Major BT852861 TMM cores intermittently when HTTP/3 tries to use uni-directional streams in 0-RTT scenario 15.1.0.2
851445-1 3-Major BT851445 QUIC with HTTP/3 should allow the peer to create at least 3 concurrent uni-streams 15.1.0.2
850973-1 3-Major BT850973 Improve QUIC goodput for lossy links 15.1.0.2
850933-1 3-Major BT850933 Improve QUIC rate pacing functionality 15.1.0.2
847325-3 3-Major BT847325 Changing a virtual server that uses a OneConnect profile can trigger incorrect persistence behavior. 14.1.2.5, 15.0.1.3, 15.1.0.2
818853-1 3-Major BT818853 Duplicate MAC entries in FDB 13.1.3.5, 14.1.3.1, 15.1.0.2
809597-5 3-Major BT809597 Memory leak in icrd_child observed during REST usage 13.1.4, 14.1.3, 15.1.0.2
714372-5 3-Major BT714372 Non-standard HTTP header Keep-Alive causes RST_STREAM in Safari 14.1.4.4, 15.0.1.1, 15.1.0.2
705112-6 3-Major BT705112 DHCP server flows are not re-established after expiration 11.5.9, 12.1.4.1, 13.1.3, 14.1.2.5, 15.1.0.2
859113-1 4-Minor BT859113 Using "reject" iRules command inside "after" may cause a core 14.1.2.5, 15.1.0.2
839245-3 4-Minor BT839245 IPother profile with SNAT sets egress TTL to 255 14.1.2.5, 15.1.0.2
824365-5 4-Minor BT824365 Need informative messages for HTTP iRule runtime validation errors 13.1.3.6, 14.1.2.3, 15.0.1.1, 15.1.0.2
822025 4-Minor BT822025 HTTP response not forwarded to client during an early response 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.0.1.4, 15.1.0.2


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
760471-1 3-Major BT760471 GTM iQuery connections may be reset during SSL key renegotiation. 12.1.5.2, 13.1.3.5, 14.1.2.3, 15.0.1.4, 15.1.0.2


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
852437-3 2-Critical K25037027, BT852437 Overly aggressive file cleanup causes failed ASU installation 14.1.2.5, 15.1.0.2
846073-1 2-Critical BT846073 Installation of browser challenges fails through Live Update 15.1.0.2
850673-1 3-Major BT850673 BD sends bad ACKs to the bd_agent for configuration 12.1.5.1, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
842161-1 3-Major BT842161 Installation of Browser Challenges fails in 15.1.0 15.1.0.2
793017-3 3-Major BT793017 Files left behind by failed Attack Signature updates are not cleaned 14.1.2.3, 15.1.0.2
778261-2 3-Major BT778261 CPB connection is not refreshed when updating BIG-IQ logging node domain name or certificate 15.0.1.1, 15.1.0.2
739618-3 3-Major BT739618 When loading AWAF or MSP license, cannot set rule to control ASM in LTM policy 13.1.3.2, 14.1.2.3, 15.1.0.2
681010-4 3-Major K33572148, BT681010 'Referer' is not masked when 'Query String' contains sensitive parameter 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
838709-4 2-Critical BT838709 Enabling DoS stats also enables page-load-time 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
870957-4 3-Major   "Security ›› Reporting : ASM Resources : CPU Utilization" shows TMM has 100% CPU usage 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
863161-1 3-Major BT863161 Scheduled reports are sent via TLS even if configured as non encrypted 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
835381-3 3-Major BT835381 HTTP custom analytics profile 'not found' when default profile is modified 14.1.2.5, 15.0.1.3, 15.1.0.2
830073-2 3-Major BT830073 AVRD may core when restarting due to data collection device connection timeout 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
865053-3 4-Minor BT865053 AVRD core due to a try to load vip lookup when AVRD is down 14.1.2.5, 15.0.1.3, 15.1.0.2
863069-1 4-Minor BT863069 Avrmail timeout is too small 14.1.2.5, 15.0.1.3, 15.1.0.2


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
876393-1 2-Critical BT876393 General database error while creating Access Profile via the GUI 15.1.0.2
871761-1 2-Critical BT871761 Unexpected FIN from APM virtual server during Access Policy evaluation if XML profile is configured for VS 13.1.3.4, 14.1.2.5, 15.0.1.3, 15.1.0.2
871653-1 2-Critical BT871653 Access Policy cannot be created with 'modern' customization 15.1.0.2
866685-1 3-Major BT866685 Empty HSTS headers when HSTS mode for HTTP profile is disabled 14.1.2.5, 15.0.1.3, 15.1.0.2
866161-1 3-Major BT866161 Client port reuse causes RST when the security service attempts server connection reuse. 14.1.2.5, 15.0.1.3, 15.1.0.2
853325-1 3-Major BT853325 TMM Crash while parsing form parameters by SSO. 14.1.4.5, 15.0.1.3, 15.1.0.2
852313-4 3-Major BT852313 VMware Horizon client cannot connect to APM after some time if 'Kerberos Authentication' is configured 14.1.2.5, 15.0.1.3, 15.1.0.2
850277-1 3-Major BT850277 Memory leak when using OAuth 13.1.3.4, 14.1.4, 15.0.1.3, 15.1.0.2
844781-3 3-Major BT844781 [APM Portal Access] SELinux policy does not allow rewrite plugin to create web applications trace troubleshooting data collection 14.1.4.4, 15.0.1.3, 15.1.0.2
844685-1 3-Major BT844685 Per-request policy is not exported if it contains HTTP Connector Agent 15.1.0.2
844573-1 3-Major BT844573 Incorrect log level for message when OAuth client or OAuth resource server fails to generate secret. 15.1.0.2
844281-3 3-Major BT844281 [Portal Access] SELinux policy does not allow rewrite plugin to read certificate files. 14.1.4.4, 15.0.1.3, 15.1.0.2
835309-1 3-Major   Some strings on BIG-IP APM Server pages are not localized 15.1.0.2
832881-1 3-Major BT832881 F5 Endpoint Inspection helper app is not updated 15.1.0.2
832569-3 3-Major BT832569 APM end-user connection reset 14.1.2.5, 15.0.1.3, 15.1.0.2
831781-4 3-Major BT831781 AD Query and LDAP Auth/Query fails with IPv6 server address in Direct mode 14.1.2.5, 15.0.1.3, 15.1.0.2
803825-5 3-Major BT803825 WebSSO does not support large NTLM target info length 13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2
761303-5 3-Major BT761303 Upgrade of standby BIG-IP system results in empty Local Database 15.0.1.3, 15.1.0.2
744407-1 3-Major BT744407 While the client has been closed, iRule function should not try to check on a closed session 13.1.3.4, 14.1.4.4, 15.0.1.3, 15.1.0.2
706782-5 3-Major BT706782 Inefficient APM processing in large configurations. 14.1.2.8, 15.0.1.3, 15.1.0.2


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
853545-1 3-Major BT853545 MRF GenericMessage: Memory leaks if messages are dropped via iRule during GENERICMESSAGE_INGRESS event 14.1.2.5, 15.1.0.2
842625-5 3-Major BT842625 SIP message routing remembers a 'no connection' failure state forever 13.1.3.4, 14.1.2.7, 15.0.1.4, 15.1.0.2
840821-1 3-Major BT840821 SCTP Multihoming not working within MRF Transport-config connections 15.1.0.2
825013-1 3-Major BT825013 GENERICMESSAGE::message's src and dst may get cleared in certain scenarios 14.1.2.7, 15.0.1.1, 15.1.0.2
803809-4 3-Major BT803809 SIP messages fail to forward in MRF SIP when preserve-strict source port is enabled. 13.1.3.4, 14.1.2.7, 15.1.0.2
859721-1 4-Minor BT859721 Using GENERICMESSAGE create together with reject inside periodic after may cause core 14.1.2.5, 15.1.0.2
836357-5 4-Minor BT836357 SIP MBLB incorrectly initiates new flow from virtual IP to client when existing flow is in FIN-wait2 12.1.5.2, 13.1.3.4, 14.1.2.5, 15.0.1.4, 15.1.0.2


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
852557-3 2-Critical BT852557 Tmm core while using service chaining for SSL Orchestrator 14.1.2.5, 15.0.1.3, 15.1.0.2
864329-3 3-Major BT864329 Client port reuse causes RST when the backend server-side connection is open 14.1.2.5, 15.0.1.3, 15.1.0.2
852481-3 3-Major BT852481 Failure to check virtual-server context when closing server-side connection 14.1.2.5, 15.0.1.3, 15.1.0.2
852477-3 3-Major BT852477 Tmm core when SSL Orchestrator is enabled 14.1.2.5, 15.0.1.3, 15.1.0.2



Cumulative fixes from BIG-IP v15.1.0.1 that are included in this release


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
834853 3-Major BT834853 Azure walinuxagent has been updated to v2.2.42 15.1.0.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
862557-1 3-Major BT862557 Client-ssl profiles derived from clientssl-quic fail validation 15.1.0.1

 

Cumulative fix details for BIG-IP v15.1.6 that are included in this release

999933-3 : TMM may crash while processing DNS traffic on certain platforms

Links to More Info: K28042514, BT999933


999901-3 : Certain LTM policies may not execute correctly after a system reboot or TMM restart.

Links to More Info: K68816502, BT999901

Component: Local Traffic Manager

Symptoms:
After a system reboot or TMM restart, LTM policies referencing an external data-group may not execute correctly, regardless of a successful matching condition.

This can cause a wide range of issues, including misrouted traffic, unshaped traffic, the bypassing of ASM, or complete traffic failure (based on the policy actions).

Note that if a virtual server references multiple LTM policies, and only some of those policies reference an external data-group, all LTM policies attached to the virtual server will be affected.

Conditions:
-- LTM policy with an external data-group configured on a virtual server.
-- System reboot or TMM restart.

Impact:
LTM policies may be unable to execute the appropriate action on a successful matching condition, leading to a wide range of traffic-impacting consequences.

Workaround:
Remove and re-add the affected policy to the desired virtual-server. Alternatively, to fix a wider number of affected virtual servers in one go, reload the system configuration by executing 'tmsh load sys config'.

Fix:
TMM now loads LTM policies with external data-groups as expected.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2
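Every entry in this section has the same shape: an "ID : title" line, a "Links to More Info" line, a "Component" line, and a "Fixed Versions" list naming the first release on each branch that carries the fix (later point releases on a branch are cumulative, as the "Cumulative fixes" headings above state). When triaging a fleet against this list, the question is "does my running version already include fix N?", which means comparing the running version only against the listed version on its own major.minor branch. The script below is an added example, not F5 code or any F5 API: it parses entries in this format and answers that question. The branch rule and the four-component version comparison are assumptions drawn from how the page lists fixes, and SAMPLE_NOTES is a constructed, abbreviated copy of three entries from this page.

```python
"""Triage BIG-IP release-note fix entries against a running software version.

Added example (not F5 code): parses entries in the format used on this page
and reports, per entry, whether a given running version carries the fix.
Assumption: fixes are listed per major.minor branch and point releases on a
branch are cumulative, so the running version only needs to be compared with
the earliest listed release on its own branch.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the entries on this page (abbreviated).
SAMPLE_NOTES = """\
999901-3 : Certain LTM policies may not execute correctly after a system reboot or TMM restart.

Links to More Info: K68816502, BT999901

Component: Local Traffic Manager

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


997137-3 : CSRF token modification may allow WAF bypass on GET requests

Links to More Info: K80945213, BT997137

Component: Application Security Manager

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1


999933-3 : TMM may crash while processing DNS traffic on certain platforms

Links to More Info: K28042514, BT999933
"""

ENTRY_RE = re.compile(r"^(?P<id>\d{6,7}(?:-\d+)?) : (?P<title>.+)$", re.MULTILINE)
Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """'15.1.5.1' -> (15, 1, 5, 1); a three-part '15.1.4' is padded to (15, 1, 4, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 3 <= len(parts) <= 4:
        raise ValueError(f"unexpected BIG-IP version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))  # type: ignore[return-value]


def branch(version: Version) -> Tuple[int, int]:
    """Fixes are listed per major.minor branch (13.1, 14.1, 15.1, ...)."""
    return version[0], version[1]


def parse_entries(notes: str) -> List[Dict]:
    """Split the notes into entries; entries that only point to a K article have no fixed versions."""
    heads = list(ENTRY_RE.finditer(notes))
    entries = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(notes)
        body = notes[head.end():end]
        links = re.search(r"^Links to More Info: (.+)$", body, re.MULTILINE)
        comp = re.search(r"^Component: (.+)$", body, re.MULTILINE)
        fixed = re.search(r"^Fixed Versions:\n(.+)$", body, re.MULTILINE)
        entries.append({
            "id": head.group("id"),
            "title": head.group("title").strip(),
            "k_articles": re.findall(r"\bK\d+\b", links.group(1)) if links else [],
            "component": comp.group(1).strip() if comp else None,
            "fixed_versions": [v.strip() for v in fixed.group(1).split(",")] if fixed else [],
        })
    return entries


def fix_present(running: str, fixed_versions: List[str]) -> Optional[bool]:
    """True/False when the running branch is listed; None when no fix is listed for that branch."""
    run = parse_version(running)
    on_branch = [parse_version(v) for v in fixed_versions
                 if branch(parse_version(v)) == branch(run)]
    if not on_branch:
        return None
    # The earliest listed release on the branch is the first one carrying the fix.
    return run >= min(on_branch)


def triage(running: str, entries: List[Dict]) -> Dict[str, str]:
    """Map each entry ID to 'fixed', 'missing' or 'unknown' (no fixed version listed on this branch)."""
    label = {True: "fixed", False: "missing", None: "unknown"}
    return {e["id"]: label[fix_present(running, e["fixed_versions"])] for e in entries}


if __name__ == "__main__":
    for entry_id, status in triage("15.1.5", parse_entries(SAMPLE_NOTES)).items():
        print(f"{entry_id}: {status}")
```

Running it against 15.1.5 reports 999901-3 as missing (the fix first shipped in 15.1.5.1), 997137-3 as fixed (15.1.4.1 is earlier on the same branch), and 999933-3 as unknown: entries that carry only a K-article link publish no version list here, so the K article has to be consulted for those. A version from a branch that is not listed at all (for example 12.1.x against a fix listed only for 15.1) also comes back unknown rather than fixed, which is the safe default for a triage report.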


999317-8 : Running Diagnostics report for Edge Client on Windows does not follow best practice

Links to More Info: K03544414, BT999317

Component: Access Policy Manager

Symptoms:
Running Diagnostics report for Edge Client on Windows does not follow best practice

Conditions:
Running Diagnostics report for Edge client on Windows system

Impact:
Edge client does not follow best practice

Workaround:
No workaround.

Fix:
Edge Client on Windows now follows best practice

Fixed Versions:
15.1.3.1


999125-2 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.

Links to More Info: BT999125

Component: TMOS

Symptoms:
After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states.

Conditions:
-- One or more devices belonging to a sync-failover device-group undergo a management IP change.

Impact:
-- The affected units are unable to pass traffic, as they are either both Standby or Active (resulting in either no service availability or IP address conflicts in the network).

Workaround:
If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, in order to account for the eventuality this issue might occur.

Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command:

tmsh restart sys service sod

Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future.

Fix:
Redundant devices remain in the correct failover state following a management IP address change.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


999097-3 : SSL::profile may select profile with outdated configuration

Links to More Info: BT999097

Component: Local Traffic Manager

Symptoms:
Under some circumstances, an iRule-selected SSL profile may send a previously configured certificate to the peer.

Conditions:
iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made in the profile's cert-key-chain field.

Impact:
The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.

Workaround:
Avoid making changes to a profile that is actively being used by the iRule command.

Fix:
The system now makes sure that SSL profiles are properly reloaded after changes are made.

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1


998473-2 : NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL)

Links to More Info: BT998473

Component: Access Policy Manager

Symptoms:
NTLM Authentication fails with 'RPC Fault received' error and return code: 0xc0000001 (STATUS_UNSUCCESSFUL)

Conditions:
1. NTLM front-end authentication is enabled.
2. Active Directory users are subscribed to more than one hundred groups.

Impact:
NTLM authentication fails for Active Directory users who are members of more than one hundred groups.

Workaround:
None

Fix:
A fix has been provided to the sequence number handling which is used to calculate the RPC checksum as part of ID 949477.

Fixed Versions:
15.1.4.1


998221-3 : Accessing pool members from configuration utility is slow with large config

Links to More Info: BT998221

Component: TMOS

Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.

Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.

Impact:
In the GUI, the page takes approximately 20-30 seconds to load, whereas the CLI returns results in less than 1 second.

Managing pool members from the Configuration Utility is very slow, which affects day-to-day administration.

Workaround:
None

Fix:
Optimized the GUI query used for retrieving pool members data.

Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2, 16.1.2


998085-1 : BIG-IP DataSafe GUI does not save changes

Links to More Info: BT998085

Component: Fraud Protection Services

Symptoms:
Due to a JavaScript error, the BIG-IP DataSafe GUI does not save changes.

Conditions:
-- Provision FPS.
-- License DataSafe.
-- Configure the system using the GUI.

Impact:
Configurations made for DataSafe using the BIG-IP Configuration Utility GUI cannot be saved.

Workaround:
Use tmsh to configure the BIG-IP system.

Fix:
BIG-IP DataSafe GUI is working properly and configurations are now saved.

Fixed Versions:
15.1.3


997929-3 : Changing a Traffic Matching Criteria port from 'any' to another value can prevent a virtual server from processing traffic

Links to More Info: BT997929

Component: Local Traffic Manager

Symptoms:
If a virtual server is using a traffic-matching-criteria (TMC) with a destination-inline-port of zero ('any'), and this is later changed (either to a non-zero port value, or to a port-list with non-zero port values) the virtual server stops processing traffic.

If tmm is restarted (which causes an outage) the virtual server resumes accepting traffic using the new ports. In addition, changing the virtual server's port back to 'any' also causes traffic processing to resume.

Conditions:
-- A virtual server using an address list for its destination, and 'any' (zero) for its destination port.

-- Changing the virtual server's destination port to a non-zero value, or to a port-list with non-zero port values.

Impact:
The virtual server stops processing traffic.

Workaround:
To recover, you can do either of the following:

-- Restart tmm:
bigstart restart tmm

-- Change the virtual server's port back to 'any' (0).

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2


997761-2 : Subsessionlist entries leak if there is no RADIUS accounting agent in policy

Links to More Info: BT997761

Component: Access Policy Manager

Symptoms:
Subsessionlist entries are not cleaned up when subsessions are deleted. For long-lived main sessions (for example, API protection use cases), the number of leaked subsessionlist entries increases over time, resulting in increasing memory consumption. If high availability (HA) is configured, the standby device can experience even more memory pressure when a very large number of subsessionlist entries are sent to it for mirroring.

Conditions:
This issue occurs if the main session is long-lived and there is no RADIUS accounting agent in the policy.

Impact:
TMM may run out of memory and restart. Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
15.1.5


997641 : APM policy ending with redirection results in policy execution failure

Links to More Info: BT997641

Component: Access Policy Manager

Symptoms:
After successful authentication, the APM end user client connection gets reset.

/var/log/apm shows errors:
err tmm2[18140]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_VAL. File: ../modules/hudfilter/access/access.c, Function: access_rewrite_pdp_response_to_302, Line: 19766

Conditions:
Access policy has a path ending with a redirect.

Impact:
APM end user clients cannot access the backend resources protected by the policy.

Workaround:
None

Fix:
Fixed an issue with APM policies not working when they ended with redirect.

Fixed Versions:
15.1.4


997313-3 : Unable to create APM policies in a sync-only folder

Links to More Info: BT997313

Component: TMOS

Symptoms:
Unable to configure an APM policy in a sync-only folder, or the configuration fails to load after an upgrade, with an error message similar to:

-- err mcpd[mcpd_pid]: 01070734:3: Configuration error: Invalid Devicegroup Reference. The customization_group (/Common/sync-only/example_apm_customization) requires customization_source (/Common/standard) to be syncd to the same devices

Conditions:
-- Multiple BIG-IP devices configured in a sync-only device group, but different/non-overlapping failover device groups
-- APM policy being created in a folder or partition associated with sync-only device group.

Impact:
-- Unable to create the access policy.
-- The configuration fails to load and the device remains inoperative.

Workaround:
You can use either of the following strategies to prevent the issue:

--Do not create APM policies in a sync-only folder.

--Disable MCPD device-group reference validation for the sync-only folder, e.g.:
    tmsh modify sys folder /Common/sync-only no-ref-check true
    tmsh save sys config

Fixed Versions:
15.1.4.1, 16.1.2


997193-1 : TCP connections may fail when AFM global syncookies are in operation.

Links to More Info: K16101409, BT997193


997169 : AFM rule not triggered

Links to More Info: BT997169

Component: Advanced Firewall Manager

Symptoms:
An AFM rule is not triggered when it should be.

Conditions:
-- Source and destination zone configured
-- A gateway pool is used in the route

Impact:
A firewall rule is not triggered and the default deny rule is used.

Workaround:
Alter the route to use an IP address and not a pool.

Fix:
Firewall rules are now triggered when gateway pools are used.

Fixed Versions:
15.1.4.1


997137-3 : CSRF token modification may allow WAF bypass on GET requests

Links to More Info: K80945213, BT997137

Component: Application Security Manager

Symptoms:
Under certain conditions a parameter is not processed as expected.

Conditions:
1. CSRF feature is configured
2. Request contains a crafted parameter

Impact:
Malicious request will bypass signatures and will not raise any attack signature violation

Workaround:
N/A

Fix:
The parameter is now processed as expected.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1


996753-2 : ASM BD process may crash while processing HTML traffic

Links to More Info: K44553214, BT996753


996593-2 : Password change through REST or GUI not allowed if the password is expired

Links to More Info: BT996593

Component: TMOS

Symptoms:
When trying to update an expired password through REST or the GUI, the system reports an error:

Authentication failed: Password expired. Update password via /mgmt/shared/authz/users.

Conditions:
-- Password is expired.
-- Password change is done through either REST or the GUI.

Impact:
Expired password cannot be updated through REST or the GUI.

Workaround:
Update password using tmsh:

tmsh modify auth password <username>

Fix:
You can now change an expired password through REST or the GUI.

Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2


996381-3 : ASM attack signature may not match as expected

Links to More Info: K41503304, BT996381

Component: Application Security Manager

Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.

Conditions:
- Attack signature 200000128 enabled.

Impact:
Processed traffic may not match all expected attack signatures

Workaround:
N/A

Fix:
Attack signature 200000128 now matches as expected.

Fixed Versions:
13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1


996113-1 : SIP messages with unbalanced escaped quotes in headers are dropped

Links to More Info: BT996113

Component: Service Provider

Symptoms:
Dropped SIP messages.

Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote

Impact:
Certain SIP messages are not being passed via MRF.

Workaround:
None

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


996001-1 : AVR Inspection Dashboard 'Last Month' does not show all data points

Links to More Info: BT996001

Component: TMOS

Symptoms:
A daily report (one data point per day) can only be produced for requests covering up to 30 days. A request covering 31 days shows only 2 entries.

Conditions:
This occurs when generating a 'Last Month' report for a month that contains 31 days of data.

Impact:
AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points.

Workaround:
None

Fix:
Viewing a 'Last Month' graph now reports ~30 days worth of data, rather than a variable amount of data based on actual calendar periods.

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1


995853-2 : Mixing IPv4 and IPv6 device IPs on GSLB server object results in nullGeneral database error.

Links to More Info: BT995853

Component: Global Traffic Manager (DNS)

Symptoms:
Unable to create a GSLB Server object with both IPv4 and IPv6 self IPs as device IPs.

Conditions:
-- DNS and LTM services enabled.
-- Configure two self IPs on the box for IPv4 and IPv6.
-- Create a GSLB Server object with both IPv4 and IPv6 addresses in the Devices tab, with Virtual Server Discovery enabled.

Impact:
GSLB Server object creation fails.

Workaround:
TMSH is not impacted. Use TMSH to create GSLB Server objects.

Fix:
GSLB Server object creation no longer fails.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4


995629-3 : Loading UCS files may hang if ASM is provisioned

Links to More Info: BT995629

Component: TMOS

Symptoms:
If a UCS file from a BIG-IP system running a different software version that also has an ASM configuration is loaded onto a device that already has ASM provisioned, the load may hang indefinitely.

Conditions:
-- A system that has ASM provisioned.
-- Loading a UCS file with an ASM configuration that comes from a different system.

Impact:
-- UCS load might fail.
-- Config save and load operations fail while the UCS load hangs. The failure of those operations may not be obvious, leaving the BIG-IP saved configuration different from the running configuration.

Workaround:
If you encounter this, run 'load sys config default' to de-provision ASM. The UCS file should then load successfully.

Note: If loading a UCS archive with the 'platform-migrate' argument, then there is no workaround. See: https://cdn.f5.com/product/bugtracker/ID990849.html

Fix:
Loading UCS files no longer hangs if ASM is provisioned.

Fixed Versions:
13.1.4.1, 14.1.4.1, 15.1.3, 16.0.1.2


995433 : IPv6 truncated in /var/log/ltm when writing PPTP log information from PPTP_ALG in CGNAT

Links to More Info: BT995433

Component: Advanced Firewall Manager

Symptoms:
The PPTP log entries for NAT64 traffic have a truncated IPv6 address.

Conditions:
This is encountered when viewing PPTP log entries.

Impact:
IPV6 addresses in PPTP logs are truncated.

Workaround:
None

Fix:
The full IPv6 address is now logged in PPTP logs.

Fixed Versions:
14.1.4.5, 15.1.4.1


995029-3 : Configuration is not updated during auto-discovery

Links to More Info: BT995029

Component: Access Policy Manager

Symptoms:
Auto-discovery fails, resulting in OAuth failure. In /var/log/apm:

-- OAuth Client: failed for server '<server>' using 'authorization_code' grant type (<grant type>), error: None of the configured JWK keys match the received JWT token

Conditions:
JSON Web Token (JWT) auto-discovery is enabled via JSON Web Keys (JWK).

Impact:
JWT auto-discovery fails and the configuration is not updated.

Workaround:
Use the GUI to manually retrieve the JWKs by clicking the 'Discovery' button for the OpenID URI in 'Access :: Federation : OAuth Client / Resource Server : Provider :: <name of provider>'.

Fix:
Fixed an issue with auto-discovery and JWKs.

Fixed Versions:
14.1.4.2, 15.1.4


994985-2 : CGNAT GUI shows blank page when applying SIP profile

Links to More Info: BT994985

Component: Carrier-Grade NAT

Symptoms:
The virtual server properties GUI page shows blank when a SIP profile is applied to the virtual server.

Conditions:
-- Create virtual server and attach a SIP profile.
-- Navigate to virtual server properties page.

Impact:
The virtual server properties page does not display the configuration.

Workaround:
None.

Fix:
The GUI shows virtual server config page with all config values

Fixed Versions:
14.1.4.2, 15.1.4


994801-3 : SCP file transfer system

Component: TMOS

Symptoms:
Under certain conditions, the SCP file transfer system does not follow current best practices.

Conditions:
A user assigned to a role such as Resource Administrator, which does not grant Advanced Shell access, can run arbitrary commands through the SCP file transfer system.

Impact:
Users without Advanced Shell access can run SCP file transfer commands.

Workaround:
None

Fix:
This issue is fixed. The SCP file transfer system now follows current best practices. Users without Advanced Shell access cannot run SCP file transfer commands.

Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.3.1, 16.0.1.2


994305-1 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5

Links to More Info: BT994305

Component: TMOS

Symptoms:
Features supported in newer versions of open-vm-tools are not available.

Conditions:
This issue may be seen when running in VMware environments.

Impact:
Features that require a later version of open-vm-tools are not available.

Workaround:
None.

Fix:
The version of open-vm-tools has been updated to 11.1.5.

Fixed Versions:
15.1.5.1, 16.1.2.1


993981-1 : TMM may crash when ePVA is enabled

Links to More Info: K52340447, BT993981


993913-2 : TMM SIGSEGV core in Message Routing Framework

Links to More Info: BT993913

Component: Service Provider

Symptoms:
TMM crashes on SIGSEGV.

Conditions:
This can occur while passing traffic through the message routing framework.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1


993613-5 : Device fails to request full sync

Links to More Info: BT993613

Component: Application Security Manager

Symptoms:
Devices remain out of sync and the ASM REST API/GUI becomes unresponsive. asm_config_server may spawn many processes with unique PIDs.

Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.

Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- A large number of asm_config_server processes increases host memory usage.

Workaround:
Halting asm_config_server on the stuck device restores the working state; then request a new sync.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1


993489-3 : GTM daemon leaks memory when reading GTM link objects

Links to More Info: BT993489

Component: Global Traffic Manager (DNS)

Symptoms:
The gtmd process memory consumption is higher than expected.

Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.

Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.

Workaround:
None

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1


993457-2 : TMM core with ACCESS::policy evaluate iRule

Links to More Info: BT993457

Component: Access Policy Manager

Symptoms:
TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release.

Conditions:
-- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered.
-- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes.

Impact:
This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM no longer crashes and generates a core file during the ACCESS::policy evaluate iRule under these conditions.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2


992865 : Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances

Links to More Info: BT992865

Component: TMOS

Symptoms:
On particular platforms, virtual servers do not correctly enter hardware SYN cookie mode. Software SYN cookie mode still functions correctly.

Conditions:
-- Virtual server under SYN flood attack.
-- One of the following platforms
  + BIG-IP i11000 series (C123)
  + BIG-IP i15000 series (D116)

Impact:
Software SYN cookies are enabled, this has a performance impact compared to the hardware mode.

Workaround:
None

Fix:
Virtual servers correctly enter hardware SYN cookie mode on all platforms.

Fixed Versions:
15.1.4, 16.1.2.2


992213-2 : Protocol Any displayed as HOPTOPT in AFM policy view

Links to More Info: BT992213

Component: Advanced Firewall Manager

Symptoms:
The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI.

Conditions:
-- Create a rule and set protocol as 'any'.
-- Navigate to active rules.

Impact:
GUI shows an incorrect value.

Workaround:
None

Fix:
GUI Shows correct value for rule protocol option.

Fixed Versions:
14.1.4.2, 15.1.4, 16.1.1


992073-4 : APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS

Links to More Info: K93543114, BT992073


992053-1 : Pva_stats for server side connections do not update for redirected flows

Links to More Info: BT992053

Component: TMOS

Symptoms:
Pva_stats for server-side connections do not update for redirected flows.

Conditions:
-- Flows that are redirected to TMM.
-- Server flows are offloaded to PVA.

Impact:
PVA stats do not reflect the offloaded flow.

Workaround:
None

Fix:
Updated pva_stats to reflect server side flow.

Fixed Versions:
15.1.4.1


991421-3 : TMM may crash while processing TLS traffic

Links to More Info: K91013510, BT991421


990849-2 : Loading UCS with platform-migrate option hangs and requires exiting from the command

Links to More Info: BT990849

Component: TMOS

Symptoms:
The UCS loading process with platform-migrate stops responding and hangs after printing:

Platform migrate loaded successfully. Saving configuration.

Conditions:
Load UCS with platform-migrate option:
tmsh load sys ucs <ucs_name> platform-migrate

Note: If you are loading a UCS archive created on a system running a different software version that also has an ASM configuration, there are other aspects to consider. See: https://cdn.f5.com/product/bugtracker/ID995629.html

Impact:
The UCS loading process stops responding, causing the device to be in an INOPERATIVE state.

Workaround:
None.

Fix:
Loading UCS with the platform-migrate option executes smoothly without getting stuck.

Fixed Versions:
13.1.4.1, 14.1.4, 15.1.3, 16.0.1.2


990333-5 : APM may return unexpected content when processing HTTP requests

Links to More Info: K75540265, BT990333


989753-2 : In HA setup, standby fails to establish connection to server

Links to More Info: BT989753

Component: Service Provider

Symptoms:
In a high availability (HA) setup, standby fails to establish a connection to the server with the log message:

err tmm[819]: 01850008:3: MR: Received HA message targeting missing transport-config

Conditions:
In MRF (diameter/SIP) HA setup with connection mirroring enabled.

Impact:
Standby BIG-IP system fails to establish a connection to the server.

Workaround:
None.

Fix:
Standby is now able to establish a connection to the server.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


989701-5 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response

Links to More Info: K42355373, BT989701


989637-3 : TMM may crash while processing SSL traffic

Links to More Info: K08476614, BT989637


989317-12 : Windows Edge Client does not follow best practice

Links to More Info: K33757590, BT989317


989009-3 : BD daemon may crash while processing WebSocket traffic

Links to More Info: K05314769, BT989009


988793 : SecureVault on BIG-IP tenant does not store unit key securely

Links to More Info: BT988793

Component: TMOS

Symptoms:
BIG-IP tenants running on the VELOS platform do not store the SecureVault unit key securely.

Conditions:
BIG-IP tenant running on the VELOS platform.

Impact:
The BIG-IP tenant does not utilize secure storage for unit key.

Workaround:
None

Fix:
BIG-IP tenants running on the VELOS platform now securely store the unit key.

Fixed Versions:
15.1.4


988761-1 : Cannot create Protected Object in GUI

Links to More Info: BT988761

Component: Advanced Firewall Manager

Symptoms:
The GUI page gets stuck in the loading phase and never completes the Protected Object creation step.

Conditions:
This occurs in normal operation

Impact:
Cannot create Protected Objects using the GUI

Workaround:
Use tmsh to create Protected Objects

Fix:
The GUI page no longer gets stuck in the loading phase and completes the Protected Object creation step.

Fixed Versions:
15.1.4


988645 : Traffic may be affected after tmm is aborted and restarted

Links to More Info: BT988645

Component: TMOS

Symptoms:
Traffic may be affected after tmm is aborted and restarted.
/var/log/tmm contains a lot of "DAG Proxy failed" messages.

Conditions:
-- A BIG-IP device is deployed in a VELOS tenant
-- Tmm aborts and restarts for some reason.

Impact:
Traffic disrupted while tmm restarts. Traffic may be disrupted even after tmm has restarted.

Workaround:
Reboot the tenant

Fix:
Fixed system behavior when tmm is aborted and restarted.

Fixed Versions:
15.1.4


988589-5 : CVE-2019-25013 glibc vulnerability: buffer over-read in iconv

Links to More Info: K68251873


988549-5 : CVE-2020-29573: glibc vulnerability

Links to More Info: K27238230, BT988549


988533-1 : GRE-encapsulated MPLS packet support

Links to More Info: BT988533

Component: TMOS

Symptoms:
There is no facility to accept packets using GRE-encapsulated MPLS. The GUI offers encapsulation options only for IP (0x0800) and transparent ethernet bridging (0x6558).

Conditions:
This is encountered when attempting to configure BIG-IP systems to handle GRE-encapsulated MPLS.

Impact:
Packets get dropped when they are GRE-encapsulated with MPLS.

Workaround:
None

Fix:
MPLS packets encapsulated over GRE are now supported in a way similar to IP and transparent ethernet bridging.

Fixed Versions:
14.1.4.5, 15.1.4.1


988165-2 : VMware CPU reservation is now enforced.

Links to More Info: BT988165

Component: TMOS

Symptoms:
CPU reservation is not enforced, which can result in users over-subscribing their hosts.

Conditions:
BIG-IP Virtual Edition running in VMware.

Impact:
If a host is oversubscribed, performance can suffer as traffic volumes increase.

Workaround:
Manually enforce the 2GHz per core rule when provisioning VMware instances to ensure that your VMware hosts are not oversubscribed.

Fix:
The VMware CPU reservation of 2GHz per core is now enforced. The CPU reservation can be up to 100 percent of the defined virtual machine hardware. For example, if the hypervisor has 2.0 GHz cores, and the VE is set to 4 cores, you will need 4 x 2.0 GHz reserved for 8GHz (or 8000 MHz).

Fixed Versions:
15.1.5.1, 16.1.2.2


988005-1 : Zero active rules counters in GUI

Links to More Info: BT988005

Component: Advanced Firewall Manager

Symptoms:
When accessing Security :: Network Firewall :: Active Rules in UI, the active rules count is stuck at 0 (zero).

Conditions:
Access the following menu path:
Security :: Network Firewall :: Active Rules

Impact:
Incorrect information on active rules count is seen in the UI.

Workaround:
Disable firewall inline editor.

Fix:
The active rules count column now displays the correct number of times a rule has been hit.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


987637-2 : DDoS: Single endpoint flood vectors and Bad destination not supported properly on Neuron hardware

Links to More Info: BT987637

Component: Advanced Firewall Manager

Symptoms:
BIG-IP systems mitigate traffic on all of the IP addresses in an address list when certain DoS vectors are detected on a virtual server.

Conditions:
-- BIG-IP hardware platform equipped with Neuron (BIG-IP iSeries)
-- Virtual server configured with a DoS profile
-- Flood traffic reaches the virtual server

Impact:
For Neuron-supported hardware, virtual servers with subnet destinations are not properly mitigated when flood vectors are detected.

Workaround:
None

Fixed Versions:
15.1.4


987605-2 : DDoS: ICMP attacks are not hardware-mitigated

Links to More Info: BT987605

Component: Advanced Firewall Manager

Symptoms:
ICMP/Fragments attacks against a virtual server with a DoS profile are not mitigated by hardware.

Conditions:
ICMP/Fragments attack mitigation/detection is configured on a virtual server on Neuron-capable hardware.

Impact:
ICMP/Fragments attacks mitigation/detection is handled in software. A large volume of attack traffic can spike the tmm CPU.

Workaround:
None

Fix:
Until the hardware is fixed, the software uses the SPVA in hardware to mitigate these attacks.

Fixed Versions:
15.1.4


987345-1 : Disabling periodic-refresh-log has no effect

Links to More Info: BT987345

Component: Advanced Firewall Manager

Symptoms:
Port Block Allocation (PBA) periodic-refresh-log set to '0' (disabled) is not honored. You might see messages similar to the following logged in /var/log/ltm or sent to remote logging destinations:

info tmm[6215]: 23003168 "Port Block Periodic Log","10.10.10.10","0","","10.10.10.10","0","1024","1031","16164968240","","unknown".

Conditions:
PBA periodic-refresh-log set to '0'.

Impact:
System provides unnecessary, excessive logging.

Workaround:
None

Fix:
Port Block Allocation (PBA) periodic-refresh-log set to '0' (disabled) is now honored. "Port Block Periodic Log" messages are no longer logged with this configuration setting.

Fixed Versions:
15.1.4.1


987113-1 : CMP state degraded while under heavy traffic

Links to More Info: BT987113

Component: TMOS

Symptoms:
When a VELOS 8-blade system is under heavy traffic, the clustered multiprocessing (CMP) state could become degraded. This can show up as a dramatic drop in traffic performance.

Conditions:
Exact conditions are unknown; the issue was observed while under heavy traffic with all 8 blades configured for a tenant.

Impact:
System performance drops dramatically.

Workaround:
Lower traffic load.

Fix:
Fixed an inconsistent CMP state.

Fixed Versions:
15.1.4


987077-1 : TLS1.3 with client authentication handshake failure

Links to More Info: BT987077

Component: Local Traffic Manager

Symptoms:
SSL handshakes fail, and TLS clients send 'Bad Record MAC' errors.

Conditions:
-- LTM authentication profile using OCSP and TLS1.3.
-- Client application data arrives during LTM client authentication iRule.

Impact:
-- A handshake failure occurs.
-- Client certificate authentication may pass without checking its validity via OCSP.

Workaround:
Use TLS1.2 or use TLS1.3 without the LTM authentication profile.

Fix:
Handshake completes if using TLS1.3 with client authentication and LTM auth profile.

Fixed Versions:
14.1.4.6, 15.1.5.1


986937-1 : Cannot create child policy when the signature staging setting is not equal in template and parent policy

Links to More Info: BT986937

Component: Application Security Manager

Symptoms:
When trying to create a child policy, you get an error:

FAILURE: "Could not update the Policy policy1. Inherited values may not be changed."

Conditions:
-- Parent policy created with signature staging disabled.
-- Creating a new child policy with that policy as a parent.

Impact:
You are unable to create the child policy and the system presents an error.

Workaround:
Create the policy without assigning it to the parent, and then assign it to the parent policy on the Inheritance Settings page.

Fix:
The error no longer occurs on child policy creation.

Fixed Versions:
15.1.4, 16.0.1.2, 16.1.1


985953-3 : GRE Transparent Ethernet Bridging inner MAC overwrite

Links to More Info: BT985953

Component: TMOS

Symptoms:
Traffic is not collected by the virtual server and therefore is not forwarded to the nodes.

Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.

Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.

Workaround:
None

Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.

Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:

tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config

This allows virtual servers on the BIG-IP system to process traffic.

Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.

To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:

tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config

This allows virtual servers on the BIG-IP system to process traffic.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


985537-1 : Upgrade Microsoft Hyper-V driver

Links to More Info: BT985537

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) on Azure has an issue where the BIG-IP system raises a kernel panic soon after a Network Management Agent update occurs on the host.

When performance tests are run on VE in Microsoft Azure, the BIG-IP system loses all connectivity to the pools and becomes unresponsive.

Conditions:
-- Azure Host performs a Network Management Agent (NMAgent) update while TMM is running.
-- Running performance tests of VE in Azure.

Impact:
The BIG-IP system might restart and the GUI becomes unresponsive during performance testing.

Workaround:
None.

Fix:
The Microsoft Hyper-V driver has been updated to v4.3.5.

Fixed Versions:
15.1.4


985433-2 : Insertion of the X-Forwarded-For HTTP header can fail, causing the client's connection to be reset.

Links to More Info: BT985433

Component: Local Traffic Manager

Symptoms:
Some client connections are being reset with rst-cause 'Unknown reason'.

Conditions:
-- Standard virtual server with the TCP and HTTP profiles.
-- The HTTP profile is configured to insert the X-Forwarded-For header.
-- The client supplies an empty X-Forwarded-For header in the HTTP request.

Impact:
Affected client connections are reset, leading to application failures.

Workaround:
You can work around this issue by disabling the header insertion in the HTTP profile and instead using an iRule similar to the following example:

when HTTP_REQUEST {
   HTTP::header replace X-Forwarded-For [IP::remote_addr]
}

Fix:
Insertion of the X-Forwarded-For header now works as expected, regardless of input client data.

Fixed Versions:
15.1.4.1


984765-1 : APM NTLM auth fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED)

Links to More Info: BT984765

Component: Access Policy Manager

Symptoms:
NTLM User logon authentication fails every week with RPC return code 0xC0000022(STATUS_ACCESS_DENIED) from the Active Directory (AD) server.

Conditions:
-- Upgrading from legacy versions to BIG-IP v14.1.2 or later.
-- AD servers are updated with latest security patches from Microsoft.

Impact:
NTLM Authentication fails after a week. APM end user client logon (such as Outlook users, Remote Desktop Users, and Browser-based NTLM Auth logons that use BIG-IP APM as forward/reverse proxy) fails, and the service is down.

Workaround:
To resolve the issue temporarily, use either of the following:

-- Reset the NTLM Machine Account with the 'Renew Machine Password' option.

-- Run the command:
bigstart restart nlad

The problem can reappear after a week, so you must repeat these steps each time the issue occurs.

Fixed Versions:
14.1.4.4, 15.1.4


984657-3 : Sysdb variable not working from tmsh

Links to More Info: BT984657

Component: Traffic Classification Engine

Symptoms:
When the cloud_only sys db variable is enabled, urlcat_query returns categorization from webroot when run from tmsh.

Conditions:
The following sys db variable is enabled: cloud_only

You attempt to run the following command:

tmsh list sys db urlcat_query

Impact:
Sysdb variables do not work from tmsh.

Fix:
After the fix, sysdb variables can be verified from tmsh.

Fixed Versions:
15.1.4.1, 16.0.1.2


984613-11 : CVE-2020-5896 - Edge Client Installer Vulnerability

Links to More Info: K08503505, BT984613


984593-2 : BD crash

Links to More Info: BT984593

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.5, 16.1.2.1


984585-1 : IP Reputation option not shown in GUI.

Links to More Info: BT984585

Component: TMOS

Symptoms:
Cannot configure IP Reputation option from the GUI.

Conditions:
Configuring the LTM policy type 'IP Reputation' using the GUI, when the 'IP Intelligence' module is licensed in time-limited modules.

Impact:
The IP Reputation option is not shown in GUI configuration list. Cannot create LTM policies with IP Reputation.

Workaround:
Use tmsh to configure IP Reputation.

Fix:
The IP Reputation option is now shown in the GUI.

Fixed Versions:
15.1.5.1, 16.1.2.2


982869-1 : With auto-init enabled for Message Routing peers, tmm crashes with floating point exception when tmm_total_active_npus value is 0

Links to More Info: BT982869

Component: Service Provider

Symptoms:
Tmm may crash.

Conditions:
This occurs when auto initialization is enabled for one or more Message Routing peers and during CMP transition when tmm_total_active_npus value is 0.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Tmm no longer crashes under these conditions.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


982757-5 : APM Access Guided Configuration hardening

Links to More Info: K53197140


982697-5 : ICMP hardening

Links to More Info: K41440465, BT982697


982341-5 : iControl REST endpoint hardening

Links to More Info: K53197140, BT982341


981785-3 : Incorrect incident severity in Event Correlation statistics

Links to More Info: BT981785

Component: Application Security Manager

Symptoms:
When reported to AVR, incident severity reads "correlation" instead of "high" or "medium".

Conditions:
Usually happens for the first incident after ASM startup.

Impact:
Incorrect statistics in Event Correlation summary (Incident Severity graph), and also in tmsh analytics report.

Workaround:
Use severity info from the Incidents list.

Fix:
The Event Correlation engine now reports incident severity properly to AVR.

Fixed Versions:
14.1.4.3, 15.1.4, 16.0.1.2


981693-1 : TMM may consume excessive resources while processing IPSec ALG traffic

Links to More Info: K54892865, BT981693


981689-2 : TMM memory leak with IPsec ALG

Links to More Info: BT981689

Component: Carrier-Grade NAT

Symptoms:
TMM crash due to out of memory.

Conditions:
-- IPsec ALG virtual server in BIG-IP passes traffic normally.
-- IPsec ALG connections are aborted. A common cause of IPsec ALG failure is CGNAT translation failures.

Impact:
TMM reaches memory limits. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Fixed a tmm memory leak related to IPsec ALG connections.

Fixed Versions:
14.1.4.2, 15.1.4.1


981461-4 : Unspecified DNS responses cause TMM crash

Links to More Info: K45407662, BT981461


981385-3 : AVRD does not send HTTP events to BIG-IQ DCD

Links to More Info: BT981385

Component: Application Visibility and Reporting

Symptoms:
AVRD does not send HTTP events to BIG-IQ data collection device (DCD).

Conditions:
This happens under normal operation.

Impact:
AVRD does not write Traffic Capture logs for analysis. Cannot analyze issues when Traffic Capture does not provide event information.

Workaround:
None.

Fixed Versions:
13.1.4, 14.1.4.2, 15.1.3, 16.0.1.2


981273-2 : APM webtop hardening

Links to More Info: K41997459, BT981273


981169-2 : F5 TMUI XSS vulnerability CVE-2021-22994

Links to More Info: K66851119, BT981169


981069-1 : Reset cause: "Internal error ( requested abort (payload release error))"

Links to More Info: BT981069

Component: Application Security Manager

Symptoms:
An unexpected RST occurs on inbound traffic. The RST cause shows "Internal error ( requested abort (payload release error))".

Conditions:
When all the following conditions are met:
- The system was upgraded to a version where ID910253 is fixed.
- A TS cookie is received from a previous version.
- Data Guard is in non-blocking (masking) mode.
- The response is not zipped and has a textual content type.

Impact:
Traffic is affected.

Workaround:
Any of the following actions can resolve the issue:

1. Turn off data guard or change it to blocking.
2. Make the server reply with zipped responses (perhaps by adding the accept-encoding: gzip using an iRule).
3. Add an additional response related feature.
4. Use the following iRule if there is no cookie-related enforcement:
when HTTP_REQUEST {
  set cookies [HTTP::cookie names]
  foreach aCookie $cookies {
    if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
      HTTP::cookie remove $aCookie
    }
  }
}

Fix:
Fixed an issue that was triggering resets on traffic.

Fixed Versions:
15.1.4, 16.1.1


980821-2 : Traffic is processed by All Port Virtual Server instead of Specific Virtual Server that is configured.

Links to More Info: BT980821

Component: Local Traffic Manager

Symptoms:
Traffic is directed to a virtual server that is configured with port any even though there is a virtual server with a specific port that the traffic should match.

Conditions:
There are two virtual servers configured:
  - One with a specific port and ip-protocol 'any'
  - One with port any and a specific ip-protocol

Impact:
Traffic destined to the port matches the any-port virtual server rather than the specific port virtual server.

Workaround:
Create individual listeners for specific protocols.

For example, given the configuration:
  ltm virtual vs-port80-protoAny {
    destination 10.1.1.1:80
    ip-protocol any
    ...
  }
  ltm virtual vs-portAny-protoTCP {
    destination 10.1.1.1:0
    ip-protocol TCP
    ...
  }

Replace the vs-port80-protoAny with virtual servers configured for the specific protocols desired:
  ltm virtual vs-port80-protoTCP {
    destination 10.1.1.1:80
    ip-protocol TCP
    ...
  }
  ltm virtual vs-port80-protoUDP {
    destination 10.1.1.1:80
    ip-protocol UDP
    ...
  }

Fix:
The more specific virtual server now takes priority over the wildcard virtual server when processing traffic.

Fixed Versions:
14.1.4.2, 15.1.3.1, 16.0.1.2


980809-2 : ASM REST Signature Rule Keywords Tool Hardening

Links to More Info: K41351250, BT980809


980593 : LSN logging stats are always 0 for log_attempts and log_failures in tmctl fw_lsn_log_stat table

Links to More Info: BT980593

Component: Advanced Firewall Manager

Symptoms:
LSN logging stats are always 0 (zero) for log_attempts and log_failures in tmctl table fw_lsn_log_stat if lsn_legacy_mode is set as disabled.

Conditions:
The lsn_legacy_mode value is disabled.

Impact:
The log_attempts and log_failures are always 0 in tmctl table fw_lsn_log_stat.

Workaround:
None

Fix:
Fixed an issue with log_attempts and log_failures.

Fixed Versions:
15.1.5.1


980325-5 : Chmand core due to memory leak from dossier requests.

Links to More Info: BT980325

Component: TMOS

Symptoms:
Chmand generates a core file when get_dossier is run continuously.

Due to excessive dossier requests, there is a high consumption of memory. The program is terminated with signal SIGSEGV, Segmentation fault.

Conditions:
Repeated/continuous dossier requests during licensing operations.

Impact:
Chmand crashes; potential traffic impact while chmand restarts.

Workaround:
None.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4


980125-3 : BD Daemon may crash while processing WebSocket traffic

Links to More Info: K42051445, BT980125


978833-2 : Use of CRL-based Certificate Monitoring Causes Memory Leak

Links to More Info: BT978833

Component: Local Traffic Manager

Symptoms:
TMM memory use increases and the aggressive mode sweeper activates.

Conditions:
CRL certificate validator is configured.

Impact:
TMM ssl and ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart.

Workaround:
None.

Fix:
Use of CRL-based certificate monitoring no longer causes memory leak.

Fixed Versions:
14.1.4.4, 15.1.4.1


977053-2 : TMM crash on standby due to invalid MR router instance

Links to More Info: BT977053

Component: Service Provider

Symptoms:
In high availability (HA) setup, TMM on the standby device may crash due to an invalid Message Routing (MR) router instance.

Conditions:
-- HA environment.
-- Connection mirroring is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM on the standby device no longer crashes under these conditions.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


977005-1 : Network Firewall Policy rules-list showing incorrect 'Any' for source column

Links to More Info: BT977005

Component: Advanced Firewall Manager

Symptoms:
Network Firewall Policy rules-list shows incorrect 'Any' for source column.

Conditions:
- Create a policy under Security :: Network Firewall : Policies.
- Create a rules list with some rules in it.
- Add the rules list to the Policy.
- Verify the GUI shows 'any' under the source column of the root tree of the policy.

Impact:
The GUI shows extra 'Any' text under the source column.

Workaround:
None

Fix:
The GUI no longer shows the extra text.

Fixed Versions:
14.1.4.2, 15.1.4


976925-2 : BIG-IP APM VPN vulnerability CVE-2021-23002

Links to More Info: K71891773, BT976925


976669-2 : FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade

Links to More Info: BT976669

Component: TMOS

Symptoms:
After rebooting or replacing a secondary blade, the FIPS integrity check fails for other secondary blades and they fail to fully boot.

Conditions:
This can occur after rebooting or replacing a secondary blade.

Impact:
When the FIPS integrity checks fail the blades won't fully boot.

Workaround:
When a secondary blade reboots, the following critical files are deleted from the other secondary blades, which leads to the FIPS integrity check failure:

/root/.ssh/authorized_keys
/root/.ssh/known_hosts

To mitigate, copy the missing files from the primary blade to the secondary blade.

From the primary blade, issue the following command towards the secondary blade(s).

rsync -avz -e ssh /root/.ssh/* root@<Secondary Blade>:/root/.ssh/

Fix:
Critical files are not deleted during secondary blade reboot.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


976505-2 : Rotated restnoded logs will fail logintegrity verification.

Links to More Info: BT976505

Component: TMOS

Symptoms:
On enabling the logintegrity feature, the rotated restnoded logs fail logintegrity verification.

Conditions:
Logintegrity support feature is enabled:

list sys db logintegrity.support
sys db logintegrity.support {
    value "enable"
}

Impact:
Rotated restnoded logs fail logintegrity verification.

Workaround:
None

Fix:
Restnoded logs are now verified successfully by the logintegrity utility.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


976501-2 : Failed to establish VPN connection

Links to More Info: BT976501

Component: Access Policy Manager

Symptoms:
VPN client exits with message "Failed to establish VPN connection"

Conditions:
-- Connect to Network Access using web browser.
-- Disconnect and then click on the Network Access resource again in the Webtop
-- Internet Explorer browser

Impact:
The client is unable to launch the VPN tunnel from the browser.

Workaround:
Clear the browser cache and retry, or disable caching in the browser.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3


976365 : Traffic Classification hardening

Links to More Info: BT976365

Component: Traffic Classification Engine

Symptoms:
Traffic Classification IM packages do not follow current best practices.

Conditions:
- Traffic Classification enabled
- IM packages updated by an authenticated administrative user

Impact:
Traffic Classification IM packages do not follow current best practices.

Workaround:
No Workaround

Fix:
Traffic Classification IM packages now follow current best practices.

Fixed Versions:
14.1.4.3, 15.1.3.1


976337-1 : i40evf Requested 4 queues, but PF only gave us 16.

Links to More Info: BT976337

Component: TMOS

Symptoms:
During BIG-IP system boot, a message is logged:

i40evf 0000:05:00.0: Requested 4 queues, but PF only gave us 16.

Conditions:
-- BIG-IP Virtual Edition configured for SR-IOV
-- E810 virtual functions (VFs)

Impact:
A message is logged but it is benign and can be ignored.

Fixed Versions:
15.1.5.1, 16.1.2.2


975809-1 : Rotated restjavad logs fail logintegrity verification.

Links to More Info: BT975809

Component: TMOS

Symptoms:
After enabling the logintegrity feature, the rotated restjavad logs fail logintegrity verification.

Conditions:
Logintegrity support feature is enabled:

list sys db logintegrity.support
sys db logintegrity.support {
    value "enable"
}

Impact:
Rotated restjavad logs fail logintegrity verification.

Workaround:
None

Fix:
Restjavad logs are now verified successfully by the logintegrity utility.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


975593-3 : TMM may crash while processing IPSec traffic

Links to More Info: K06323049, BT975593


975589-4 : CVE-2020-8277 Node.js vulnerability

Links to More Info: K07944249, BT975589


975465-2 : TMM may consume excessive resources while processing DNS iRules

Links to More Info: K65397301, BT975465


975233-2 : Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992

Links to More Info: K52510511, BT975233


974881-2 : Tmm crash with SNAT iRule configured with few supported/unsupported events with diameter traffic

Links to More Info: BT974881

Component: Service Provider

Symptoms:
Currently, for diameter, a SNAT iRule can be configured with MR_INGRESS and MR_FAILED events. Certain events can cause tmm to crash.

Conditions:
A SNAT iRule is configured with the events CLIENT_ACCEPTED, DIAMETER_INGRESS and DIAMETER_EGRESS for diameter.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed a tmm crash related to handling certain events in an iRule.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


974501-1 : Excessive memory usage by mirroring subsystem when remirroring

Links to More Info: BT974501

Component: Local Traffic Manager

Symptoms:
Aggressive sweeper messages are seen in /var/log/ltm similar to the following:
Dec 31 02:35:44 bigip1 warning tmm[25306]: 011e0002:4: sweeper_segment_cb_any: Aggressive mode /Common/default-eviction-policy activated (0) (global memory). (26227799/30854144 pages)

In severe cases, tmm might restart and generate a core file due to an out of memory condition.

Conditions:
The active BIG-IP has a large number of mirrored fastL4 connections.
The active BIG-IP reconnects the statemirror connection to the standby BIG-IP. This is indicated by messages similar to the following in /var/log/ltm:
Dec 31 02:35:37 bigip1 err tmm[25306]: 01340001:3: high availability (HA) Connection with peer 10.25.0.11:1029 for traffic-group /Common/traffic-group-1 established.

Impact:
A portion of the connections handled by the BIG-IP might be dropped causing traffic interruption for those connections. In severe cases, tmm might restart causing traffic interruption.

Fix:
The memory utilization when remirroring fastL4 flows has been improved to allow remirroring to handle a larger number of connections.

Fixed Versions:
15.1.2.1


974341-2 : REST API: File upload

Links to More Info: K08402414, BT974341


974241-1 : Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades

Links to More Info: BT974241

Component: TMOS

Symptoms:
Mcpd exits with an error similar to:

01070734:3: Configuration error: Configuration from primary failed validation: 010713cf:3: Configuration group '/Common/test1_end_deny_ag' has invalid source '/Common/standard'

Conditions:
1. VIPRION or vCMP guest with multiple blades in a cluster
2. Create an access policy with modern customization enabled

Impact:
Mcpd restarts leading to failover.

Workaround:
Use standard customization and not modern customization.

Fixed Versions:
15.1.4, 16.1.1


974205-3 : Unconstrained wr_urldbd size causing box to OOM

Links to More Info: BT974205

Component: Traffic Classification Engine

Symptoms:
The memory of the wr_urldbd process grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.

Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.

Impact:
The device eventually runs out of memory (OOM condition).

Workaround:
Restart the wr_urldbd process:
 restart sys service wr_urldbd

Fix:
Constrained the cache with Least Recently Used-based caching to prevent this issue from occurring.

Added two sys DB variables:

-- wr_urldbd.cloud_cache.log.level

Value Range:
sys db wr_urldbd.cloud_cache.log.level {
    value "debug"
    default-value "none"
    value-range "debug none"
}

-- wr_urldbd.cloud_cache.limit

Value Range:
sys db wr_urldbd.cloud_cache.limit {
    value "5500000"
    default-value "5500000"
    value-range "integer min:5000000 max:10000000"
}

Note: Both of these variables are introduced for debugging purposes.

Fixed Versions:
12.1.6, 14.1.4.4, 15.1.4


973673-1 : CPU spikes when the LDAP operational timeout is set to 180 seconds

Links to More Info: BT973673

Component: Access Policy Manager

Symptoms:
By default, the LDAP operation timeout is 180 seconds, and this can cause CPU spikes.

Conditions:
-- BIG-IP configured with a per-request access policy.
-- A high traffic load containing a lot of LDAP Auth and LDAP Query operations occurs.

Impact:
High LDAP traffic load can cause CPU spikes and traffic disruption.

Fix:
Reduced the LDAP operational timeout to 50 seconds for per-request-policy LDAP Auth and LDAP Query requests, because the accessV2 MPI request timeout is only 60 seconds.

Fixed Versions:
15.1.5


973409-5 : CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference

Links to More Info: K42910051, BT973409


973333-5 : TMM buffer-overflow vulnerability CVE-2021-22991

Links to More Info: K56715231, BT973333


973261-2 : GTM HTTPS monitor w/ SSL cert fails to open connections to monitored objects

Links to More Info: BT973261

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d does not try to open TCP connections if an HTTPS monitor contains a cert/key.
/var/log/gtm shows:

err big3d[19217]: 01333001:3: Start: SSL error:02001002:system library:fopen:No such file or directory
err big3d[19217]: 01333001:3: Start: SSL error:20074002:BIO routines:FILE_CTRL:system lib
err big3d[19217]: 01333001:3: Start: SSL error:140CE002:SSL routines:SSL_use_RSAPrivateKey_file:system lib
err big3d[19217]: 01330014:3: CSSLSocket:: Unable to get the session.

Conditions:
GTM HTTPS monitor with non-default cert/key.

Impact:
Unable to use the HTTPS monitor.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2


973201-2 : F5OS BIG-IP tenants allow OS upgrade to unsupported TMOS versions

Links to More Info: BT973201

Component: TMOS

Symptoms:
Releases prior to BIG-IP 14.1.4 allow the installation of incompatible versions of BIG-IP software and cause the tenant to become unusable in F5OS.

Conditions:
This happens when you upload an incompatible version of BIG-IP software into the F5OS BIG-IP tenant and begin a live upgrade.

Impact:
Tenant is unusable when upgrading to an unsupported F5OS BIG-IP version.

Workaround:
None

Fix:
F5OS BIG-IP v14.1.4 and later prevents installation of an invalid F5OS BIG-IP version.

Fixed Versions:
14.1.4, 15.1.4


972489-2 : BIG-IP Appliance Mode iControl hardening

Component: iApp Technology

Symptoms:
When operating in Appliance mode, iControl does not follow current best practices.

Conditions:
- Authenticated administrative user
- Appliance mode license
- iControl request

Impact:
Appliance mode iControl does not follow current best practices.

Workaround:
N/A

Fix:
iControl now follows current best practices while operating under an Appliance mode license.

Behavior Change:
Two DB variables were introduced: restjavad.disablerpmtasks (default value true) and restjavad.disablepackagemanagementtasks (default value false).

When restjavad.disablerpmtasks is true, the /mgmt/shared/rpm-tasks endpoint is not accessible; otherwise it is accessible.

When restjavad.disablepackagemanagementtasks is true, the /mgmt/shared/package-management-tasks endpoint is not accessible; otherwise it is accessible.

Fixed Versions:
15.1.5.1


971297-2 : DNSKEYS Type changed from external to internal and Keys are not stored in HSM after upgrade

Links to More Info: BT971297

Component: Global Traffic Manager (DNS)

Symptoms:
The type of DNSSEC keys stored on a NetHSM is changed from FIPS external to internal during the upgrade.

Conditions:
-- BIG-IP with a NetHSM license
-- BIG-IP uses external DNSSEC keys stored in the NetHSM
-- The BIG-IP device is upgraded

Impact:
The keys are stored locally following the upgrade.

Workaround:
None.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


970829-5 : iSeries LCD incorrectly displays secure mode

Links to More Info: K03310534, BT970829

Component: Device Management

Symptoms:
On iSeries platforms, the LCD continuously displays secure mode and does not respond to user input.

Conditions:
This occurs if the admin password is anything other than the default on iSeries platforms.

Impact:
The LCD does not respond to user input. The LCD continuously displays secure mode. The /var/log/touchscreen_lcd fills up with error messages:

-- err lcdui[1236]: URL: http://127.4.2.1/mgmt/tm/sys/failover, result: 'Host requires authentication' (204), HTTP method 2, status 401.


The restjavad-audit.*.log may contain similar messages:

[I][19005][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/shared/identified-devices/config/device-info","status":401,"from":"127.4.2.2"}
[I][19007][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/global-settings","status":401,"from":"127.4.2.2"}
[I][19009][18 Mar 2021 21:25:02 UTC][ForwarderPassThroughWorker] {"user":"local/null","method":"GET","uri":"http://localhost:8100/mgmt/tm/sys/failover","status":401,"from":"127.4.2.2"}

Workaround:
None

Fix:
The LCD now functions normally, and no authentication errors appear in the logs.

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2


970329-3 : ASM hardening

Links to More Info: K70134152, BT970329

Component: Application Security Manager

Symptoms:
Under certain conditions, ASM does not follow current best practices.

Conditions:
- ASM provisioned

Impact:
Attack detection is not triggered as expected

Workaround:
N/A

Fix:
Attack detection is now triggered as expected

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


969713-1 : IPsec interface mode tunnel may fail to pass packets after first IPsec rekey

Links to More Info: BT969713

Component: TMOS

Symptoms:
IPsec tunnel initially works until the IPsec (ESP) SA is re-negotiated.

Conditions:
-- IKEv2
-- IPsec tunnel uses interface mode ipsec-policy
-- IPsec SAs are re-negotiated, for example after the SA lifetime expires
-- Traffic selector narrowing occurs due to the BIG-IP and remote peer having different selectors configured

Impact:
IPsec tunnel suddenly stops forwarding packets across the tunnel

Workaround:
-- Configure the traffic-selectors to be identical on both the BIG-IP and remote IPsec peer.

Fix:
IPsec tunnel forwards packets after IPsec SAs are re-established.

Fixed Versions:
15.1.4


969637-2 : Config may fail to load with "FIPS 140 operations not available on this system" after upgrade

Links to More Info: BT969637

Component: Local Traffic Manager

Symptoms:
After upgrade, configuration load fails with a log:
"FIPS 140 operations not available on this system"

Conditions:
-- A small subset of the following BIG-IP platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

Impact:
Configuration load fails and the device does not come online.

Fixed Versions:
14.1.4.4, 15.1.4


969509-4 : Possible memory corruption due to DOS vector reset

Links to More Info: BT969509

Component: Advanced Firewall Manager

Symptoms:
Unpredictable result due to possible memory corruption

Conditions:
DOS vector configuration change

Impact:
Memory corruption

Fix:
Added correct logic to reset DOS vector.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2


969385-2 : Automatic attach/detach BeWAF policy to virtual server stops working for all virtual servers.

Links to More Info: BT969385

Component: BIG-IP Risk Engine

Symptoms:
Automatic attach/detach BeWAF policy to a virtual server stops working for all virtual servers if at least one virtual server has a regular ASM policy with TAP profile

Conditions:
Define Virtual Servers with DOS profiles, along with Virtual Servers that are managed by cloud (Cortex)

Impact:
Detaching virtual servers from DOS can cause the attach option to be disabled.

Workaround:
Do not define virtual servers with cloud along with virtual servers managed by cloud (Applications).

Fix:
None

Fixed Versions:
15.1.3, 16.0.1.2


969317-3 : "Restrict to Single Client IP" option is ignored for VMware VDI

Links to More Info: BT969317

Component: Access Policy Manager

Symptoms:
The Restrict to Single Client IP option in the Access Policy is not being honored for VMware VDI.

Conditions:
- Configure APM Webtop with VMware VDI.
- Set the "Restrict to Single Client IP" option in the Access Profile.
- Try to launch a VMware desktop on one client and copy the launch URI.
- Try to launch a VMware desktop from another client using the copied URI.

Impact:
A connection from the second client is allowed, but it should not be allowed.

Fix:
Restrict to Single Client IP is honored for VMware VDI for both PCOIP and Blast protocols.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2.1


969213-1 : VMware: management IP cannot be customized via net.mgmt.addr property

Links to More Info: BT969213

Component: TMOS

Symptoms:
IP addresses provided for VM customization in VMware are ignored. The net.mgmt.addr and net.mgmt.gw properties are supposed to be used when customization of IP addresses during VM setup is desired, but the addresses are ignored.

Conditions:
VMware only. This happens in any of the ways in which addresses are supplied via net.mgmt.addr and net.mgmt.gw. See https://clouddocs.f5.com/cloud/public/v1/vmware/vmware_setup.html for the scenarios in which net.mgmt.addr and net.mgmt.gw can be set. VM customization profiles still work properly.

Impact:
Management IP cannot be customized in VMware during the VM setup.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


969105-2 : HA failover connections via the management address do not work on vCMP guests running on VIPRION

Links to More Info: BT969105

Component: TMOS

Symptoms:
A high availability (HA) failover connection using the management IP addresses does not work on vCMP guests running on a VIPRION device.

BIG-IP instances running directly on hardware, on Virtual Edition, and as vCMP guests running on an appliance are unaffected.

HA failover connections using self IPs are unaffected.

Conditions:
-- vCMP guest running on a VIPRION device
-- high availability (HA) failover connection using the management IP addresses (unicast and/or multicast)

Impact:
Failover state determination over the management port is permanently down.

Workaround:
While self IP-based high availability (HA) failover connections are not affected by this issue, F5 recommends configuring failover connections over both management IPs and self IPs (as detailed in K37361453: Configuring network failover for redundant VIPRION systems :: https://support.f5.com/csp/article/K37361453).

To mitigate this issue, run the following command on each blade of every guest:
touch /var/run/chmand.pid


The workaround does not survive a reboot, so a more permanent workaround is to edit the file /config/startup and add a line to touch /var/run/chmand.pid.

Add this line to the end of /config/startup:

(sleep 120; touch /var/run/chmand.pid) &

Note: The sleep time of 120 seconds should be tested as it depends on how quickly or slowly the Guest starts up, so the appropriate value for one system may differ from another system.


Alternatively, you can use the instructions in K11948: Configuring the BIG-IP system to run commands or scripts upon system startup :: https://support.f5.com/csp/article/K11948 to issue commands at system startup after verifying that mcpd is up and ready, for example:

#!/bin/bash
source /usr/lib/bigstart/bigip-ready-functions
wait_bigip_ready

# Customized startup command(s) can be added below this line.
touch /var/run/chmand.pid
# Customized startup command(s) should end above this line.

You may also request an Engineering Hotfix from F5.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4


968893-2 : TMM crash when processing APM traffic

Links to More Info: K93526903, BT968893


968741-1 : Traffic Intelligence pages not visible

Links to More Info: BT968741

Component: Traffic Classification Engine

Symptoms:
When trying to access TCE Signature Update Page from the GUI:
Traffic Intelligence -> Applications -> Signature Update

The page will not load.

Conditions:
Clicking on Traffic Intelligence -> Applications -> Signature Update will show a blank page.

Impact:
You will not be able to access the Traffic Intelligence -> Applications -> Signature page in the GUI.

Workaround:
None

Fix:
TMUI pages for Traffic Classification are now accessible from TMUI: Traffic Intelligence -> Applications -> Signature

Fixed Versions:
15.1.4


968733-6 : CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service

Links to More Info: K42202505, BT968733


968725-3 : Linux Kernel Vulnerability CVE-2017-10661

Links to More Info: K04337834, BT968725


968657-2 : Added support for IMDSv2 on AWS

Links to More Info: BT968657

Component: TMOS

Symptoms:
AWS added a token-based Instance MetaData Service API (IMDSv2). Prior versions of BIG-IP Virtual Edition supported only the request/response method (IMDSv1). When an AWS instance is started with IMDSv2, you receive the following error message:

The get_dossier call on the command line fails with:
        01170003:3: halGetDossier returned error (1): Dossier generation failed.

This latest version of BIG-IP Virtual Edition now supports instances started with IMDSv2.

Conditions:
AWS instances started with IMDSv2.

Impact:
BIG-IP Virtual Edition cannot license or re-license AWS instances started with IMDSv2 and other metadata-based functionality will not function.

Fix:
With the latest version of BIG-IP VE, you can now initialize "IMDSv2 only" instances in AWS and migrate your existing instances to "IMDSv2 only" using aws-cli commands. For details, consult documentation: https://clouddocs.f5.com/cloud/public/v1/shared/aws-ha-IAM.html#check-the-metadata-service-for-iam-role
 
IMDSv2 documentation from AWS: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html

Fixed Versions:
15.1.5.1, 16.1.2.1


968641-2 : Fix for zero LACP priority

Links to More Info: BT968641

Component: Local Traffic Manager

Symptoms:
A LACP priority of zero prevents connectivity to Cisco trunks.

Conditions:
The LACP priority becomes 0 when the system MAC address ends in 00:00.

Impact:
BIG-IP may be unable to connect to Cisco trunks.

Workaround:
None.

Fix:
Eliminated the possibility of an LACP priority equal to 0.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2


968581-2 : TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description

Links to More Info: BT968581

Component: Local Traffic Manager

Symptoms:
The TMSH command "show /ltm profile ramcache" has a max-response option to output the number of records designated in this parameter. Due to the calculation algorithm, the command may output fewer records than RAMCACHE stores, or more records than the limit prescribes.

Conditions:
-- A virtual server is configured on BIG-IP.
-- A webacceleration profile with no web application is attached to the virtual server.
-- Traffic is sent over the virtual server with a number of unique cacheable documents that exceed a designated limit.

Impact:
Output of the command may not match the actual list of documents stored in RAMCACHE.

Fix:
The command "show /ltm profile ramcache" now respects the limit defined by the "max-response" parameter.

Fixed Versions:
15.1.5.1, 16.1.2.2


968533 : Rate limiting is performed for all PUSH packets in the hardware even when "Only Count Suspicious Events" is enabled for the push flood vector.

Links to More Info: BT968533

Component: Advanced Firewall Manager

Symptoms:
When a PUSH flood vector is programmed to hardware after a flood is detected, rate limiting is performed on all the PUSH packets even when "Only Count Suspicious Events" is enabled.

Conditions:
-- Push flood vector is triggered.
-- Rate limiting is enabled for the push flood vector.
-- The issue is observed only on the hardware platform.

Impact:
Packets with the PUSH flag on good connections are also dropped, even though "Only Count Suspicious Events" is enabled.

Workaround:
None

Fix:
Fixed an issue with rate limiting on PUSH packets.

Fixed Versions:
15.1.4.1


968421-2 : ASM attack signature does not match

Links to More Info: K30291321, BT968421

Component: Application Security Manager

Symptoms:
A specific attack signature doesn't match as expected.

Conditions:
Undisclosed conditions.

Impact:
Attack signature does not match as expected, request is not logged.

Workaround:
N/A

Fix:
Attack signature now matches as expected.

Fixed Versions:
11.6.5.3, 12.1.6, 13.1.4.1, 14.1.4.2, 15.1.2.1, 16.0.1.2


968349 : TMM crashes with unspecified message

Links to More Info: K19012930, BT968349


967905-2 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash

Links to More Info: BT967905

Component: TMOS

Symptoms:
Tmm crashes.

Conditions:
-- static bwc
-- virtual to virtual chain

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the static bwc on a virtual chain.

Fix:
Fixed a tmm crash.

Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4, 16.0.1.2


967889-1 : Incorrect information for custom signature in DoS Protection:DoS Overview (non-http)

Links to More Info: BT967889

Component: Advanced Firewall Manager

Symptoms:
Custom signature of virtual server shows incorrect attack information.

Conditions:
-- Virtual server has a custom signature
-- An attack is mitigated
-- View the custom signature information via Security :: DoS Protection : DoS Overview (non-HTTP)

Impact:
GUI shows incorrect information for custom signature

Fix:
GUI shows correct information for custom signature

Fixed Versions:
14.1.4, 15.1.3


967745 : Last resort pool error for the modify command for Wide IP

Links to More Info: BT967745

Component: TMOS

Symptoms:
System reports error for the modify command for Wide IP.

01b60021:3: Last resort pool type not specified for Wide IP 9084.example.com of type A.

Conditions:
Running the modify command involving last-resort-pool and not specifying a type or name for the object.

Impact:
The object is not modified, and the system reports an error.

Workaround:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.

Append the command with last-resort-pool a <pool_name>, for example:

modify a 9084.example.com aliases replace-all-with { 9084.example1.com } last-resort-pool a pool1_test

Fix:
The GSLB type needs to be given for any and all TMSH commands that utilize GTM Wide IPs or GTM Pools.

Fixed Versions:
13.1.4, 14.1.4, 15.1.2.1, 16.0.1.1


967101-2 : When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out.

Links to More Info: BT967101

Component: Local Traffic Manager

Symptoms:
Gratuitous ARP (GARP) messages are dropped at send time because the number of links up in the trunk is 0 (which returns "error 18", ERR_NOT_FOUND).

Conditions:
-- Two BIG-IP systems with switchless configuration, such as i2xxx and i4xxx.
-- Bring down and up the interfaces at the same time in the trunk.

Impact:
The neighboring device's ARP table is not updated about the BIG-IP interface status, because no gratuitous ARP message is sent out.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


967093-1 : In SSL forward proxy when the signing CA cert and end-entity cert has a different signature algorithm, the SSL connection may fail

Links to More Info: BT967093

Component: Local Traffic Manager

Symptoms:
In SSL forward proxy, the client side handshake may fail with the message: fwdp lookup error.

Conditions:
The handshake failure occurs when the certificate chain consists of different key types. For example, the following cert chain may fail the handshake:

root CA (rsa) --> intermediate CA1 (rsa) --> intermediate CA2 (ec) --> end-entity cert (ec)

The signing CA (intermediate CA2) has an EC key, but its certificate is signed with an RSA signature. The end-entity cert has an EC key and is signed with ECDSA.
In this case, the signer certificate's signature algorithm differs from that of the end-entity certificate.

Impact:
SSL forward proxy handshake fails.

Fix:
Fixed an issue with SSL forward proxy handshakes.

Fixed Versions:
15.1.5


966901-2 : CVE-2020-14364: Qemu Vulnerability

Links to More Info: K09081535, BT966901


966701-2 : Client connection flow is aborted when data is received by generic msg filter over sctp transport in BIG-IP

Links to More Info: BT966701

Component: Service Provider

Symptoms:
Client connections are aborted when the generic message router profile is used in conjunction with the SCTP transport profile.

Conditions:
-- SCTP transport profile
-- MRF generic msg router profile

Impact:
BIG-IP is unable to process the traffic received over the SCTP transport for MRF generic message routing

Fix:
Enabled the return type in the generic message filter when data is received over the SCTP transport.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


966681-1 : NAT translation failures while using SP-DAG in a multi-blade chassis

Links to More Info: BT966681

Component: Carrier-Grade NAT

Symptoms:
NAT translation fails

Conditions:
-- VIPRION multi-blade chassis
-- Configure AFM NAT/CGNAT and attach the AFM NAT Policy / lsnpool to the virtual server
-- Configure sp-dag on the vlans

Impact:
Traffic failure, performance degraded

Workaround:
Change the DB variable tm.lsn.retries to the maximum value of 4096

Fix:
Increased the number of attempts at selecting a local translation IP (an IP that, when used, makes the return packet land on the same TMM where the NAT selection happens). This can be controlled with the DB variable tm.lsn.retries. The actual number of attempts is 16 times the value set in this DB variable.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1


966277-1 : BFD down on multi-blade system

Links to More Info: BT966277

Component: TMOS

Symptoms:
After a secondary blade reboots in a multi-blade system, bi-directional forwarding detection (BFD) stops functioning.

Conditions:
-- Multi-blade VIPRION environment
-- BFD enabled
-- A secondary blade reboots

Impact:
BFD flaps on the secondary blade that was rebooted. The BFD session flap clears the routes on the peer.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1


966073-1 : GENEVE protocol support

Links to More Info: BT966073

Component: TMOS

Symptoms:
BIG-IP software does not support the GENEVE protocol.

Conditions:
-- AWS Gateway load balancer is in use, which uses the GENEVE protocol

Impact:
GENEVE protocol is unsupported.

Workaround:
None.

Fix:
BIG-IP software now supports the GENEVE protocol.

Fixed Versions:
15.1.4.1


965853-2 : IM package file hardening

Links to More Info: K08510472, BT965853


965785-2 : Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine

Links to More Info: BT965785

Component: Application Security Manager

Symptoms:
The DCC.HSL_DATA_PROFILES table on the standby machine stays empty after the sync process. An error for the DB insert failure into table DCC.HSL_DATA_PROFILES is logged in asm_config_server.log.

Conditions:
There is no specific condition; the problem occurs rarely.

Impact:
Sync process requires an additional ASM restart

Workaround:
Restart ASM after the sync process has finished.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


965617-3 : HSB mitigation is not applied on BDoS signature with stress-based mitigation mode

Links to More Info: BT965617

Component: Advanced Firewall Manager

Symptoms:
BDoS signature attacks are mitigated in software rather than via HSB

Conditions:
Dynamic or custom signature in stress-based mitigation mode on appliance with HSB support

Impact:
Higher resource load during a DDoS attack.

Fix:
Corrected the free spot search when offloading to HSB.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1


965581-2 : Statistics are not reported to BIG-IQ

Links to More Info: BT965581

Component: Application Visibility and Reporting

Symptoms:
After a BIG-IP system is attached to BIG-IQ, there are no statistics reported. The 'avrd' process periodically fails with a core on the BIG-IP system.

Conditions:
A BIG-IP system is attached to BIG-IQ.

Impact:
No statistics collected.

Fix:
The avrd process no longer fails, and statistics are collected as expected.

Fixed Versions:
14.1.4, 15.1.4


965485-3 : CVE-2019-5482 Heap buffer overflow in the TFTP protocol handler in cURL

Links to More Info: K41523201


965229-2 : ASM Load hangs after upgrade

Links to More Info: BT965229

Component: Application Security Manager

Symptoms:
ASM upgrade hangs, and you see the following in /var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------

In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
 info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
 info tsconfig.pl[24675]: ASM initial configration script launched
 info tsconfig.pl[24675]: ASM initial configration script finished
 info asm_start[25365]: ASM config loaded
 err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------

Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade

Impact:
ASM post-upgrade config load hangs, and there are no logs or errors.

Workaround:
None

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


965205-2 : BIG-IP dashboard downloads unused widgets

Links to More Info: BT965205

Component: TMOS

Symptoms:
The BIG-IP dashboard page downloads all widgets, even widgets that are not visible on the dashboard.

Conditions:
This occurs when viewing the BIG-IP dashboard.

Impact:
Slower-than-necessary GUI response, and the dashboard shows higher-than-necessary CPU utilization.

Workaround:
None.

Fixed Versions:
14.1.4.4, 15.1.4.1


965037-1 : SSL Orchestrator does not send HTTP CONNECT tunnel payload to services

Links to More Info: BT965037

Component: Local Traffic Manager

Symptoms:
In some cases, when Services in SSL Orchestrator (the service-connect agent in a per-request policy) are inserted after the Category lookup for the CONNECT request hostname, the HTTP CONNECT tunnel payload/data is not sent to the services.

Conditions:
SSL Orchestrator use case and Services are inserted after Category lookup for CONNECT request hostname

Impact:
HTTP CONNECT tunnel payload is not sent to services

Workaround:
None

Fix:
HTTP CONNECT tunnel payload is now sent to services.

Fixed Versions:
15.1.4.1


964941-1 : IPsec interface-mode tunnel does not initiate or respond after config change

Links to More Info: BT964941

Component: TMOS

Symptoms:
After reconfiguring an interface-mode IPsec tunnel, the IPsec tunnel may fail to initiate or negotiate as a Responder.

Conditions:
-- IPsec interface mode
-- Changing the IPsec tunnel configuration

Impact:
Remote networks cannot be reached because BIG-IP refuses to negotiate IPsec tunnel.

Workaround:
Reboot or restart tmm.

For IKEv1 peers, it is also necessary to restart tmipsecd after restarting tmm.

Fix:
Valid changes to the IPsec tunnel configuration result in the tunnel negotiation happening.

Fixed Versions:
15.1.4


964897-2 : Live Update - Indication of "Update Available" when there is no available update

Links to More Info: BT964897

Component: Application Security Manager

Symptoms:
Live Update notifies you that an update is available even though there is no available update.

Conditions:
The latest file is installed but not present on the system, and the second-latest file has an 'error' status.

Impact:
Live Update erroneously indicates that an update is available.

Workaround:
1. Upload the latest file that is not present on the system with scp to '/var/lib/hsqldb/live-update/update-files/'
2. Restart the 'tomcat' service:
> bigstart restart tomcat

Fix:
Fixed an issue with Live Update notification.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2


964585-3 : "Non OK return code (400) received from API call" is logged for ProtocolInspection auto update

Links to More Info: BT964585

Component: Protocol Inspection

Symptoms:
- Protocol Inspection auto update logs "Non OK return code (400) received from API call" when the F5 download site does not contain a Protocol Inspection Update container for the BIG-IP version.

Conditions:
- Protocol Inspection auto update is enabled.
- The BIG-IP version does not have the ProtocolInspection container in the relevant download section on F5 downloads.

Impact:
- The error message does not accurately explain the cause of the problem.

Workaround:
None.

Fix:
- More context is added to the log message when the Protocol Inspection file is not present on the downloads site.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2


964577-3 : IPS automatic IM download not working as expected

Links to More Info: BT964577

Component: Protocol Inspection

Symptoms:
IPS automatic download of IM packages from the F5 Downloads site does not complete as expected.

IPS automatic IM download considers the BIG-IP software major and minor version numbers.

However, the IPS library is dependent only on major version numbers. The site should constrain IM package download only to those that are compatible with the major version.

Conditions:
Auto download of IM package for IPS.

Impact:
New minor releases, such as BIG-IP v15.1.1 and later, cannot download IPS IM packages.

Workaround:
Manually download the IM package and upload it onto the BIG-IP system.

Fix:
Minor releases of BIG-IP software can now automatically download the IM package without issue.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


964489-2 : Protocol Inspection IM package hardening

Links to More Info: K08510472, BT964489


964245-2 : ASM reports and enforces username always

Links to More Info: BT964245

Component: Application Security Manager

Symptoms:
When session tracking is enabled and configured to enforce usernames for a specific list of login URLs, the username that arrives in an Authorization header is enforced even if the URL of the request carrying the Authorization header is not configured as a login URL at all.

Conditions:
Session tracking is enabled for login URLs with the Username Threshold set to 1.

Impact:
Username from the Authorization appears with status = BLOCK-ALL in the session tracking status list, even though session tracking is not configured for that URL.

Workaround:
None

Fix:
The username from the Authorization header no longer appears with status = BLOCK-ALL in the session tracking status list.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4


964037 : Error: Exception response while loading properties from server

Links to More Info: BT964037

Component: Access Policy Manager

Symptoms:
The General Customization interface for Endpoint Security in the GUI cannot be used for an Access Profile with modern customization, due to an interface error.

Conditions:
-- Access Profile with modern customization
-- General Customization interface for Endpoint Security

Impact:
You are unable to modify Endpoint Security interface strings

Fixed Versions:
15.1.4.1


963713-1 : HTTP/2 virtual server with translate-disable can core tmm

Links to More Info: BT963713

Component: Local Traffic Manager

Symptoms:
Tmm crashes while passing HTTP/2 traffic

Conditions:
-- HTTP/2 virtual server
-- Port and address translation disabled

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not configure an HTTP/2 virtual server with translate-disable

Fix:
Tmm does not crash anymore.

Fixed Versions:
15.1.4


963705-3 : Proxy ssl server response not forwarded

Links to More Info: BT963705

Component: Local Traffic Manager

Symptoms:
A server response may not be forwarded after TLS renegotiation.

Conditions:
-- Proxy ssl enabled
-- A server renegotiation occurs

Impact:
Server response may not be forwarded.

Fix:
Proxy ssl will now forward server response after renegotiation

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1


963541-2 : Net-snmp5.8 crash

Links to More Info: BT963541

Component: TMOS

Symptoms:
Snmpd crashes.

Conditions:
This does not always occur, but it may occur after a subagent (bgpd) is disconnected.

Impact:
Snmpd crashes.

Fixed Versions:
15.1.5.1, 16.1.2.2


963485-1 : Performance issue with data guard

Links to More Info: BT963485

Component: Application Security Manager

Symptoms:
End user clients encounter poor network performance. Due to a correlation with ID 963461 it can lead to a crash.

Conditions:
-- The server response is compressed.
-- Data guard is enabled.

Impact:
Slow response time.

Workaround:
-- Disable data guard or block the data instead of masking it.

-- Force the server to send an uncompressed response by stripping the Accept-Encoding request header with an iRule:

when HTTP_REQUEST {
    HTTP::header remove Accept-Encoding
}

Fixed Versions:
15.1.4


963461-1 : ASM performance drop on the response side

Links to More Info: BT963461

Component: Application Security Manager

Symptoms:
Clients experience longer response times from the BIG-IP system.

Conditions:
-- One of the following features is enabled:
   - convictions
   - csrf
   - ajax.
-- The response is HTML
-- The response has many tags

Impact:
Slow performance. May lead to a bd crash on specific responses. Traffic disrupted while bd restarts.

Fixed Versions:
15.1.4, 16.0.1.2


963237-3 : Non-EDNS responses with RCODE FORMERR are blocked by the AFM MALFORM vector.

Links to More Info: BT963237

Component: Advanced Firewall Manager

Symptoms:
When a client sends a DNS query to a server that is not EDNS capable, the server may legitimately reply with RCODE FORMERR and no DNS data (this is the behaviour RFC 6891 section 7 requires of a responder that does not implement EDNS). The DNS MALFORM vector blocks those responses.

Conditions:
-- The client sends a DNS request to NON EDNS capable server
-- The server replies with RCODE FORMERR and no DNS data.

Impact:
AFM erroneously detects an attack and mitigates it, and the client does not get a response from the non-EDNS-capable server.

Workaround:
Disable DNS MALFORM vector mitigation, or put the non-EDNS-capable server in the allow list.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1
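The following is an added example, not part of this release note and not F5's code, showing what a legitimate non-EDNS FORMERR reply looks like on the wire and how a parser can tell it apart from a genuinely malformed response. RFC 6891 section 7 requires a responder that does not implement EDNS to answer a query carrying an OPT record with RCODE FORMERR and to include no OPT record, so a 12-byte header-only reply is a valid message. The packets below are constructed samples; the verdict labels ('formerr-no-data', 'malformed', and so on) are this example's own.

```python
import struct

RCODE_FORMERR = 1  # RFC 1035 RCODE 1: Format Error


def _encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_formerr_reply(query_id: int) -> bytes:
    """Constructed sample: the reply a non-EDNS server sends to a query carrying an OPT RR.
    Header only: QR=1, RCODE=FORMERR, all four section counts zero (RFC 6891 section 7)."""
    flags = 0x8000 | RCODE_FORMERR
    return struct.pack("!HHHHHH", query_id, flags, 0, 0, 0, 0)


def build_a_reply(query_id: int, name: str, ipv4: str) -> bytes:
    """Constructed sample: a NOERROR reply with one question and one A record."""
    header = struct.pack("!HHHHHH", query_id, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = _encode_name(name) + struct.pack("!HH", 1, 1)       # QTYPE A, QCLASS IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    # The owner name is a compression pointer (0xC00C) back to the question at offset 12.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


def _skip_name(pkt: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name; ValueError if it runs off the packet."""
    while True:
        if off >= len(pkt):
            raise ValueError("name truncated")
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            if off + 2 > len(pkt):
                raise ValueError("pointer truncated")
            return off + 2
        off += 1 + length


def _skip_question(pkt: bytes, off: int) -> int:
    off = _skip_name(pkt, off)
    if off + 4 > len(pkt):                 # QTYPE + QCLASS
        raise ValueError("question truncated")
    return off + 4


def _skip_rr(pkt: bytes, off: int) -> int:
    off = _skip_name(pkt, off)
    if off + 10 > len(pkt):                # TYPE, CLASS, TTL, RDLENGTH
        raise ValueError("rr header truncated")
    (rdlen,) = struct.unpack("!H", pkt[off + 8:off + 10])
    off += 10 + rdlen
    if off > len(pkt):
        raise ValueError("rdata truncated")
    return off


def classify_dns_response(pkt: bytes) -> str:
    """Return 'malformed', 'not-a-response', 'formerr-no-data', or 'ok'.

    'formerr-no-data' is the legitimate non-EDNS answer described in ID 963237: the
    header parses cleanly, RCODE is FORMERR, and no records follow. A packet is only
    'malformed' when its sections cannot be walked or it carries trailing bytes."""
    if len(pkt) < 12:
        return "malformed"
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        return "not-a-response"
    try:
        off = 12
        for _ in range(qd):
            off = _skip_question(pkt, off)
        for _ in range(an + ns + ar):
            off = _skip_rr(pkt, off)
    except ValueError:
        return "malformed"
    if off != len(pkt):
        return "malformed"
    if (flags & 0x000F) == RCODE_FORMERR and an == ns == ar == 0:
        return "formerr-no-data"
    return "ok"


if __name__ == "__main__":
    print(classify_dns_response(build_formerr_reply(0x1234)))
    print(classify_dns_response(build_a_reply(0x1234, "example.com", "192.0.2.1")))
```

Running classify_dns_response over replies captured from the server in question tells you whether an allow-list entry is justified: a 'formerr-no-data' verdict is the RFC 6891 case this bug concerns, while 'malformed' means the packet really is damaged and the vector is doing its job.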


963049-1 : Unexpected config loss when modifying protected object

Links to More Info: BT963049

Component: TMOS

Symptoms:
A virtual server configuration is changed unexpectedly.

Conditions:
- Create virtual server with two client SSL profiles
- Modify same virtual server in Protected Objects panel.

Impact:
The virtual server's client SSL profiles are removed if more than one profile is attached.

Workaround:
None

Fix:
Virtual server client SSL profiles are no longer removed from the config if the update happens through Protected Objects panel in the GUI.

Fixed Versions:
15.1.3


963017-2 : The tpm-status-check service shows System Integrity Status: Invalid when Engineering Hotfix installed

Links to More Info: BT963017

Component: TMOS

Symptoms:
Upon booting a BIG-IP hardware system running an Engineering Hotfix version of BIG-IP v14.1.0 or later, messages of the following form may be logged in the LTM log file (/var/log/ltm):

err tpm-status[####]: System Integrity Status: Invalid
info tpm-status-check[####]: System Integrity Status: Invalid

In addition, a message similar to the following may appear on the serial console while the system is booting:

[ ###.######] tpm-status-check[####]: Checking System Integrity Status
[ ###.######] tpm-status-check[####]: sh: /bin/rpm: Permission denied
[ ###.######] tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid

Similar messages appear when viewing the status of the tpm-status-check service via the systemctl utility:

# systemctl -l status tpm-status-check.service
* tpm-status-check.service - F5 Trusted Platform Module
   Loaded: loaded (/usr/lib/systemd/system/tpm-status-check.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since <...>
 Main PID: #### (code=exited, status=1/FAILURE)

<...> tpm-status-check[####]: Checking System Integrity Status
<...> tpm-status-check[####]: sh: /bin/rpm: Permission denied
<...> tpm-status[####]: TPM Status Version 15.1.1.0.6.6
<...> tpm-status[####]: TMOS BIG-IP 15.1.1-0.0.6.0
<...> tpm-status[####]: BIOS 0614 v3.10.032.0
<...> tpm-status[####]: BIOS SIRR 2019-05-30_08-46-02
<...> tpm-status-check[####]: tpm-status-check: System Integrity Status: Invalid
<...> systemd[1]: tpm-status-check.service: main process exited, code=exited, status=1/FAILURE
<...> systemd[1]: Unit tpm-status-check.service entered failed state.
<...> systemd[1]: tpm-status-check.service failed.


However, checking the System Integrity Status using the 'tpm-status' or 'tmsh run sys integrity status-check' command shows 'System Integrity Status: Valid'.

Conditions:
This may occur under the following conditions:

-- Running BIG-IP v14.1.0 or later.
-- Using Engineering Hotfixes containing fixes for the following bugs:
   - ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html)
   - ID946745 (https://cdn.f5.com/product/bugtracker/ID946745.html)
-- Using hardware platforms that include a Trusted Platform Module (TPM), including:
   - BIG-IP i2000, i4000, i5000, i7000, i10000, i11000, i15000 Series appliances
   - VIPRION B4450 blades

Impact:
The tpm-status-check service inaccurately indicates that the System Integrity Status is not Valid.

This is incorrect, and conflicts with the accurate System Integrity Status provided by the 'tpm-status' utility and 'tmsh run sys integrity status-check' command.

Workaround:
To observe the correct System Integrity Status, do either of the following:
-- Use the 'tpm-status' utility.
-- Run the command:
tmsh run sys integrity status-check

Fix:
This incorrect status reporting has been corrected.

Fixed Versions:
14.1.4, 15.1.3


962817-2 : Description field of a JSON policy overwrites policy templates description

Links to More Info: BT962817

Component: Application Security Manager

Symptoms:
Creating a UTF-8 policy from a template for the first time generates a binary copy of the template, which the system reuses the next time you create a UTF-8 policy from the same template.

If that first creation happens via JSON policy import, the description field of the JSON policy overwrites the template's description in the binary copy, so the next time you create a UTF-8 policy from the same template, the system uses the description from the first JSON policy.

Conditions:
Create an initial UTF-8 policy with some template using a JSON policy with a custom description.

Impact:
The next time you create a UTF-8 policy with the same template, unless you provide a description, the system uses the one from the initially imported JSON policy instead of the template's.

Workaround:
Before creating the second policy, remove the binary file that was created from the first run. For example if the template used was Fundamental:

rm -f /ts/install/policy_templates/fundamental.bin

Fix:
The binary file now contains the correct description.

Fixed Versions:
15.1.3, 16.0.1.1


962589-2 : Full Sync Requests Caused By Failed Relayed Call to delete_suggestion

Links to More Info: BT962589

Component: Application Security Manager

Symptoms:
When using parent policies with learning enabled in an auto-sync device group, in some use cases deleting an ignored suggestion on a parent policy will cause a full sync to occur.
This can cause unexpected delays in configuration being synchronized between peers, and repeated instances in quick succession could fill the /var partition.

Conditions:
1) Device Group with ASM and auto-sync enabled
2) Parent Policies with learning are in use.
3) Ignored Suggestions are deleted on the parent policy after they have 0 suggesting children left.

Impact:
ASM configuration requests a full sync which can cause unexpected slowness in config synchronization and may fill the /var partition if done multiple times in quick succession.
A full /var partition can lead to bd cores.

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.1


962497 : BD crash after ICAP response

Links to More Info: BT962497

Component: Application Security Manager

Symptoms:
BD crash when checking ICAP job after ICAP response

Conditions:
BD is used with ICAP feature

Impact:
Traffic disrupted while BD restarts.

Workaround:
N/A

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2


962433-4 : HTTP::retry for a HEAD request fails to create new connection

Links to More Info: BT962433

Component: Local Traffic Manager

Symptoms:
In case of a HEAD request, BIG-IP fails to set up a new connection to the server with the HTTP::retry iRule.

Conditions:
1.) Basic HTTP profile is configured on BIG-IP
2.) BIG-IP sends the HEAD request to the server and gets error response
3.) iRule with HTTP::retry is configured
4.) The system is using the default (non-debug) TMM version

Impact:
BIG-IP might send the retried HEAD request after the connection has been closed. More specifically, after the server has sent a FIN, the retry is leaked onto the network instead of being sent over a new connection.

Fixed Versions:
13.1.4.1, 14.1.4.3, 15.1.4


962341 : BD crash while processing JSON content

Links to More Info: K00602225, BT962341


962249-2 : Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm

Links to More Info: BT962249

Component: TMOS

Symptoms:
Non-ePVA platform shows 'Tcpdump starting DPT providers:ePVA Provider' in /var/log/ltm

Conditions:
This message is always logged, on all platforms.

Impact:
No functional impact.

Fix:
The message is no longer logged on non-ePVA platforms.

Fixed Versions:
15.1.4


962177-2 : Results of POLICY::names and POLICY::rules commands may be incorrect

Links to More Info: BT962177

Component: Local Traffic Manager

Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules may return incorrect results.

Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.

Impact:
Traffic processing may not provide expected results.

Fix:
POLICY::names and POLICY::rules provide atomic results per transaction going over a same connection.

Fixed Versions:
13.1.4.1, 14.1.4, 15.1.4, 16.0.1.2


962069-3 : Excessive resource consumption while processing OCSP requests via APM

Links to More Info: K79428827, BT962069


961509-2 : ASM blocks WebSocket frames with signature matched but Transparent policy

Links to More Info: BT961509

Component: Application Security Manager

Symptoms:
WebSocket frames receive a close frame

Conditions:
-- ASM provisioned
-- ASM policy attached to a virtual server
-- WebSocket profile attached to a virtual server
-- ASM policy transparent mode enabled

Impact:
WebSocket frame blocked in transparent mode

Workaround:
Change signatures blocking settings to Learn = Yes, Alarm = Yes, Block = No

Fix:
WebSocket frame blocking condition now takes into account global transparent mode setting.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


960749-2 : TMM may crash when handling 'DNS Cache' or 'Network DNS Resolver' traffic

Links to More Info: BT960749

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes, dumps a core file, and restarts.

Conditions:
-- The configuration includes one or more 'DNS Cache' or 'Network DNS Resolver' objects.

-- The DNS Cache or Network DNS Resolver objects receive traffic.

Impact:
Traffic disrupted while tmm restarts. A redundant unit will fail over.

Fix:
TMM no longer crashes when 'DNS Cache' or 'Network DNS Resolver' objects handle traffic.

Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1


960437-2 : The BIG-IP system may initially fail to resolve some DNS queries

Links to More Info: BT960437

Component: Global Traffic Manager (DNS)

Symptoms:
Configurations that use a 'DNS Cache' or 'Network DNS Resolver' are affected by an issue whereby the system may initially fail to resolve some DNS queries.

Subsequent queries for the same domain name, however, work as expected.

Only some domain names are affected.

Conditions:
- The BIG-IP system is configured with either a DNS Cache or Network DNS Resolver.

- The cache is still empty in regard to the domain name being resolved (for example, TMM has just started).

- The cache configuration specifies 'Use IPv6' (the default) but the system has no IPv6 default route.

Impact:
Initial DNS resolution of some domain names fails. Regardless of whether this happens via a DNS cache or Network DNS Resolver, the failure is returned to the client.

In the case of a DNS Cache, the client may just be returned with no record. In the case of a Network DNS Resolver, the failure will depend on the feature using the resolver.

For instance, SWG, SSL Orchestrator, or the HTTP Explicit Forward Proxy, in general, are examples of features that rely on a Network DNS Resolver. In this case, the client's browser will fail to connect to the requested destination, and the client will be shown a proxy error.

Workaround:
Disable 'Use IPv6' in the affected DNS Cache or Network DNS Resolver.

1a. Go to DNS :: Caches :: Cache list.
OR
1b. Go to Network :: DNS Resolvers :: DNS Resolver list.
2. Select the item you want to update in the list.
3. Uncheck 'Use IPv6'
4. Select Update.

You can keep the object in this state (with no consequences) until you define an IPv6 default route on the system, and you wish for the system to also use IPv6 to connect to Internet name-servers.

Fix:
DNS resolution works as expected, with domains resolving the first time they are queried.

Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1


960369-2 : Negative value suggested in Traffic Learning as max value

Links to More Info: BT960369

Component: Application Security Manager

Symptoms:
Negative value suggested in Traffic Learning as max value

Conditions:
A huge parameter value is seen in traffic

Impact:
Wrong learning suggestion issued

Workaround:
Manually change maximum allowed value on the parameter to ANY

Fix:
After the fix, the correct suggestion is issued: change the maximum parameter value to ANY.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2


959889-2 : Cannot update firewall rule with ip-protocol property as 'any'

Links to More Info: BT959889

Component: TMOS

Symptoms:
Cannot update the firewall rule with 'any' value as the ip-protocol from the BIG-IP system GUI.

Conditions:
-- Create a rule and set protocol to TCP or UDP
-- From the GUI, change the protocol to "Any" and update

Impact:
Cannot update the firewall rule from GUI.

Fix:
The GUI now allows updating firewall rules with 'any' as the ip-protocol.

Fixed Versions:
14.1.4, 15.1.3


959629-2 : Logintegrity script for restjavad/restnoded fails

Links to More Info: BT959629

Component: TMOS

Symptoms:
The logintegrity script used to rotate the signature files for restnoded results in frequent cron errors similar to:

find: '14232restnoded_log_pattern': No such file or directory.

Conditions:
When the logintegrity script runs.

Impact:
If the logintegrity script runs, the signature files for restnoded will not be in sync.

Workaround:
Modify the script file /usr/bin/rest_logintegrity:

1. mount -o remount,rw /usr

2. cp /usr/bin/rest_logintegrity /usr/bin/rest_logintegrity_original

3. vi /usr/bin/rest_logintegrity

4. Replace the following lines:
restnoded_log_pattern=/var/log/restnoded/restnoded.[1-9]*.log
restjavad_log_pattern=/var/log/restjavad*.[1-9]*.log

With the lines:
restjavad_log_pattern=/var/log/restjavad*[1-9]*.log
restnoded_log_pattern=/var/log/restnoded/restnoded[1-9]*.log

5. Replace the line:
wc_restnoded=$(find $$restnoded_log_pattern -cnewer $filename | wc -l)

With the line:
wc_restnoded=$(find $restnoded_log_pattern -cnewer $filename | wc -l)

6. mount -o remount,ro /usr

Fix:
When logintegrity is enabled, signature files for restnoded log files are now generated and rotated.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2
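As an added example, not F5's script, the same three edits can be applied and verified programmatically on a copy of the file rather than by hand in vi. SAMPLE_SCRIPT is a constructed stand-in for the relevant lines of /usr/bin/rest_logintegrity (the filename variable and the rest of the real script are not reproduced). The shell_expansion_of helper shows why the original line fails: in bash, $$ is the PID of the running shell, so $$restnoded_log_pattern expands to the PID followed by the literal text, which is exactly the '14232restnoded_log_pattern' path in the cron error.

```python
import shutil
import subprocess
from typing import Optional

# The three line replacements from the documented workaround, as (current, replacement).
# The two pattern assignments are independent, so their order in the file does not matter.
LOGINTEGRITY_EDITS = [
    ("restnoded_log_pattern=/var/log/restnoded/restnoded.[1-9]*.log",
     "restnoded_log_pattern=/var/log/restnoded/restnoded[1-9]*.log"),
    ("restjavad_log_pattern=/var/log/restjavad*.[1-9]*.log",
     "restjavad_log_pattern=/var/log/restjavad*[1-9]*.log"),
    ("wc_restnoded=$(find $$restnoded_log_pattern -cnewer $filename | wc -l)",
     "wc_restnoded=$(find $restnoded_log_pattern -cnewer $filename | wc -l)"),
]

# Constructed stand-in for the relevant lines of /usr/bin/rest_logintegrity. The real
# script is longer; the filename assignment here is a placeholder, not the real one.
SAMPLE_SCRIPT = """#!/bin/bash
restnoded_log_pattern=/var/log/restnoded/restnoded.[1-9]*.log
restjavad_log_pattern=/var/log/restjavad*.[1-9]*.log
filename=/var/log/restnoded/.signature
wc_restnoded=$(find $$restnoded_log_pattern -cnewer $filename | wc -l)
"""


def has_pid_glob_bug(script: str) -> bool:
    """True while the script still writes $$restnoded_log_pattern, which the shell expands
    to its own PID followed by the literal text (hence 'find: 14232restnoded_log_pattern')."""
    return "$$restnoded_log_pattern" in script


def patch_rest_logintegrity(script: str) -> str:
    """Apply the documented edits to the script text. Idempotent: a line already in its
    replaced form is left alone; a line found in neither form raises so nothing is
    silently skipped."""
    lines = script.split("\n")
    for old, new in LOGINTEGRITY_EDITS:
        if old in lines:
            lines[lines.index(old)] = new
        elif new not in lines:
            raise ValueError("expected line not found: " + old)
    return "\n".join(lines)


def shell_expansion_of(fragment: str) -> Optional[str]:
    """Ask /bin/sh what an unquoted fragment expands to (None if no sh is available)."""
    if shutil.which("sh") is None:
        return None
    cmd = "printf '%s' " + fragment
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Prints the sh PID immediately followed by the literal text, reproducing the cron error.
    print(shell_expansion_of("$$restnoded_log_pattern"))
    print(patch_rest_logintegrity(SAMPLE_SCRIPT))
```

On a BIG-IP you would still perform steps 1, 2 and 6 above (remount /usr read-write, keep the backup copy, remount read-only) and write the returned text over /usr/bin/rest_logintegrity; on the fixed versions the edit is unnecessary.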


959121-4 : Not following best practices in Guided Configuration Bundle Install worker

Links to More Info: K74151369, BT959121


958465-2 : in BIG-IP Virtual Edition, TMM may prematurely shut down during initialization

Links to More Info: BT958465

Component: TMOS

Symptoms:
TMM may prematurely shut down during its initialization when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):

MCP connection aborted, exiting.

Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with many TMMs (more than 20 in most cases) and several interfaces (approximately 8 or more).

Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.

Workaround:
None.

Fix:
A new TCL configuration element was added: "max_poll_pre_rfw", with a default value of 4, to modulate the function of "max_poll" in TMMs which are not yet Ready-For-World.

The value of "max_poll_pre_rfw" can be configured in the "tmm_base.tcl" file.

Fixed Versions:
14.1.4.4, 15.1.3.1, 16.0.1.2


958353-2 : Restarting the mcpd messaging service renders the PAYG VE license invalid.

Links to More Info: BT958353

Component: TMOS

Symptoms:
Upon mcpd service restart, the pay as you grow Virtual Edition license becomes invalid.

Conditions:
Restarting the mcpd messaging service.

Impact:
The license becomes expired. A message is displayed in the console:

mcpd[5122]: 01070608:0: License is not operational (expired or digital signature does not match contents).

Workaround:
If you cannot avoid restarting the mcpd messaging service, then you must issue the reloadlic command, or reboot the BIG-IP (using your preferred method).

Fix:
Fixed an issue with pay as you grow licenses following a mcpd restart.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


958093-3 : IPv6 routes missing after BGP graceful restart

Links to More Info: BT958093

Component: TMOS

Symptoms:
When BGP graceful restart is configured for peers in the IPv4 unicast and IPv6 unicast address families, after a graceful restart for both address families, routes from the IPv6 unicast address family might be missing.

Conditions:
- Different BGP peers configured in IPv4 unicast and IPv6 unicast address families.
- BGP graceful restart happens for both IPv4 unicast and IPv6 unicast.

Impact:
Routes from IPv6 peers are missing. They are also not present in the RIB.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1


958085-3 : IM installation fails with error: Spec file not found

Links to More Info: BT958085

Component: Traffic Classification Engine

Symptoms:
IM installation fails with an error message:

ERROR Error during switching: Spec file not found

Conditions:
This can occur when deleting an IM file that is actively installing on one volume, and the BIG-IP system is booted from another volume.

Impact:
Upgrading/Downgrading to another IM does not work until you install a new BIG-IP image on the same disk.

Workaround:
None.

Fix:
During the init process, the system now installs FactoryDefaults if the active IM file is not found on disk.

Fixed Versions:
14.1.4.4, 15.1.4


957965-1 : Request is blocked by 'CSRF attack detected' violation with 'CSRF token absent'

Links to More Info: BT957965

Component: Application Security Manager

Symptoms:
Request is blocked by 'CSRF attack detected' violation.

Conditions:
- ASM provisioned
- ASM policy attached to a virtual server
- CSRF protection enabled in an ASM policy

Impact:
False positive request blocking occurs.

Workaround:
Disable 'CSRF attack detected' violation in the ASM policy.

Fix:
'CSRF attack detected' now works as expected.

Fixed Versions:
15.1.4


957905-2 : SIP Requests / Responses over TCP without a Content-Length header are not aborted by BIG-IP.

Links to More Info: BT957905

Component: Service Provider

Symptoms:
SIP Requests that don't contain a Content-Length header are accepted and forwarded by the BIG-IP to the server.

SIP Responses that don't contain a Content-Length header are accepted and forwarded to the client.

The sipmsg parser does not treat the Content-Length header as a required part of a SIP Request / Response.

Conditions:
SIP request / response without a Content-Length header.

Impact:
RFC 3261 non-compliance: section 20.14 requires the Content-Length header in every message sent over a stream-based transport such as TCP, because it is the only thing that delimits one message from the next on the stream.

Workaround:
N/A

Fix:
BIG-IP now aborts the connection for any TCP SIP request / response that does not contain a Content-Length header.

The Content-Length header remains optional for UDP and SCTP.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2
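An added example, not BIG-IP's sipmsg parser, of the framing rule the fix enforces. Over TCP the only thing that delimits one SIP message from the next on the stream is Content-Length, so a message without it (or with an unparsable value) cannot be framed safely and the connection is aborted; over UDP or SCTP each datagram is one message, so the header stays optional and the body defaults to the rest of the datagram. The INVITE messages are constructed samples; the compact header form 'l' (RFC 3261 section 7.3.3) is accepted as well.

```python
from typing import Dict, Optional, Tuple

CRLF = b"\r\n"


class SipFramingError(Exception):
    """The message cannot be framed safely; on a stream the connection should be aborted."""


def _parse_headers(head: bytes) -> Tuple[bytes, Dict[bytes, bytes]]:
    """Split the start line from the header block; header names are lower-cased,
    and the first occurrence of a header wins (enough for framing purposes)."""
    lines = head.split(CRLF)
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return lines[0], headers


def parse_sip_message(data: bytes, transport: str) -> Optional[Tuple[bytes, Dict[bytes, bytes], bytes, bytes]]:
    """Frame one SIP message from `data`.

    Returns (start_line, headers, body, remainder), or None when a TCP stream needs more
    bytes before the message is complete. Raises SipFramingError in the cases where the
    post-fix BIG-IP aborts: Content-Length missing or invalid on a stream transport, or a
    datagram that cannot be framed at all."""
    stream = transport.lower() == "tcp"
    head, sep, rest = data.partition(CRLF + CRLF)
    if not sep:
        if stream:
            return None                       # header block not complete yet
        raise SipFramingError("datagram has no end-of-headers")
    start_line, headers = _parse_headers(head)
    raw_len = headers.get(b"content-length", headers.get(b"l"))   # 'l' is the compact form
    if raw_len is None:
        if stream:
            raise SipFramingError("Content-Length missing on stream transport")
        return start_line, headers, rest, b""  # datagram: body is the rest of the packet
    try:
        length = int(raw_len)
        if length < 0:
            raise ValueError
    except ValueError:
        raise SipFramingError("invalid Content-Length") from None
    if len(rest) < length:
        if stream:
            return None                       # body not complete yet
        raise SipFramingError("datagram shorter than Content-Length")
    remainder = rest[length:] if stream else b""   # pipelined bytes stay on the stream
    return start_line, headers, rest[:length], remainder


def is_aborted(data: bytes, transport: str) -> bool:
    """True when the framing rules say the message/connection must be aborted."""
    try:
        parse_sip_message(data, transport)
        return False
    except SipFramingError:
        return True


# Constructed sample messages (not captured traffic).
BODY = b"v=0\r\n"
INVITE_WITH_CL = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/TCP 192.0.2.1:5060;branch=z9hG4bK776asdhds\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n" + BODY
)
INVITE_NO_CL = INVITE_WITH_CL.replace(b"Content-Length: 5\r\n", b"")


if __name__ == "__main__":
    print(parse_sip_message(INVITE_WITH_CL, "tcp"))
    print("tcp without Content-Length aborted:", is_aborted(INVITE_NO_CL, "tcp"))
    print("udp without Content-Length aborted:", is_aborted(INVITE_NO_CL, "udp"))
```

The pipelined case is the one that matters operationally: with two INVITEs back to back on one TCP connection, the remainder returned for the first is exactly the second, which is only possible because Content-Length was present.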


957897-1 : Unable to modify gateway-ICMP monitor fields in the GUI

Links to More Info: BT957897

Component: TMOS

Symptoms:
While modifying a gateway-ICMP monitor you see the following error:

01070374:3: Cannot modify the address type of monitor /Common/<monitor_name>.

Conditions:
-- Using the GUI to modify a Gateway-ICMP monitor field.
-- The monitor is attached with a pool that has one or more pool members.

Impact:
You cannot update the Gateway-ICMP monitor fields via the GUI.

Workaround:
Use the tmsh command:
tmsh modify ltm monitor gateway-icmp <monitor_name> [<field> <new_value>]

For example, to update the description of a monitor named gw_icmp, use the following command:
modify ltm monitor gateway-icmp gw_icmp description new_description

Fix:
You can now update the Gateway-ICMP monitor fields via the GUI.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1


957337-1 : Tab complete in 'mgmt' tree is broken

Links to More Info: BT957337

Component: TMOS

Symptoms:
TMSH Command: "list mgmt shared <tab>" does not display the tab complete option. You may see an error:

(tmos)# list mgmt shared echo *tab*
Unexpected Error: "Object contains no "method" child value"

Conditions:
When mgmt is used in a tmsh command and you attempt to tab complete

Impact:
You are unable to configure objects in mgmt.

This issue also prevents users with the admin role from accessing the following REST endpoints:

shared/authz/users
shared/echo-js

The error returned was HTTP/1.1 401 F5 Authorization Required

Fix:
Fixed an issue with tab completion for certain commands in the 'mgmt' tree.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1


957029-1 : MRF Diameter loop-detection is enabled by default

Links to More Info: BT957029

Component: Service Provider

Symptoms:
The default value of Message Routing Framework (MRF) Diameter loop detection is enabled.

Conditions:
Default diameter session profile loop detection configuration.

Impact:
System performance is impacted even if MRF Diameter loop detection is not used.

Workaround:
Disable loop detection in all message routing Diameter profiles when it is not needed.

Fix:
MRF Diameter loop detection is now disabled by default.

Note: If you expect MRF Diameter loop detection to be enabled, you must manually change the value after upgrading.

Fixed Versions:
15.1.4, 16.0.1.2


956589-1 : The tmrouted daemon restarts and produces a core file

Links to More Info: BT956589

Component: TMOS

Symptoms:
The tmrouted daemon restarts and produces a core file.

Conditions:
The exact trigger is unknown, but the issue was seen on a chassis setup during a blade failover.

Impact:
Traffic disrupted while tmrouted restarts.

Workaround:
None

Fix:
The tmrouted daemon no longer restarts during a blade reset.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.2.1


956373-2 : ASM sync files not cleaned up immediately after processing

Links to More Info: BT956373

Component: Application Security Manager

Symptoms:
Some ASM sync files remain on disk after config sync finishes. They remain until periodic clean-up tasks activate

Conditions:
-- ASM provisioned
-- BIG-IP devices are in a sync group
-- Relatively small "/var" partition

Impact:
If the files are large, this can lead to a lack of disk space on /var.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


956293-2 : High CPU from analytics-related REST calls - Dashboard TMUI

Links to More Info: BT956293

Component: TMOS

Symptoms:
When opening the GUI > Main > Statistics > Dashboard - the control plane CPU usage is around 7-15% on a completely empty system and Java consumes 3-5% CPU.

Conditions:
The GUI Dashboard page is left open.

Impact:
System performance is impacted if the dashboard page is kept open.

Fixed Versions:
14.1.4.4, 15.1.4


956133-3 : MAC address might be displayed as 'none' after upgrading.

Links to More Info: BT956133

Component: Local Traffic Manager

Symptoms:
The MAC Address of a BIG-IP Virtual Edition network interface is displayed as 'none' after upgrading.

Conditions:
1. The VLAN MTU is set to less than 1280 bytes on a BIG-IP network interface.
2. Upgrade BIG-IP to 14.1.0 or above from BIG-IP versions below 14.1.0.

Impact:
Traffic disrupted when the MAC address is set to 'none'.

Workaround:
N/A

Fix:
IPv6 link-local addresses are now created with MTU greater than 1280, so this issue is resolved.

Fixed Versions:
14.1.4.4, 15.1.4


956105-2 : Websocket URLs content profiles are not created as expected during JSON Policy import

Links to More Info: BT956105

Component: Application Security Manager

Symptoms:
Websocket URLs content profiles are not created as expected during JSON Policy import

Conditions:
Import JSON Policy with Websocket URLs configured with content profiles.

Impact:
Content profiles are not added to the WebSocket URLs, resulting in an incorrect configuration.

Workaround:
The content profiles can be manually associated after the import process using REST or GUI.

Fix:
Setting the correct profile reference during import.

Fixed Versions:
15.1.3, 16.0.1.2


956013-1 : System reports{{validation_errors}}

Links to More Info: BT956013

Component: Policy Enforcement Manager

Symptoms:
A {{validation_errors}} placeholder is shown at Subscriber Management :: Control Plane Listeners and Policy Enforcement :: Data Plane Listeners when IPv6 addresses are used.

Conditions:
Specifying an IPv6 address in the expression in Subscriber Management :: Control Plane Listeners and Policy Enforcement :: Data Plane Listeners.

Impact:
The BIG-IP GUI cannot be reached through an IPv6 address from any web browser, and administrators and users cannot enter input through the GUI.

Workaround:
None.

Fixed Versions:
14.1.4.5, 15.1.5, 16.1.2.1


955617-2 : Cannot modify properties of a monitor that is already in use by a pool

Links to More Info: BT955617

Component: Local Traffic Manager

Symptoms:
Modifying monitor properties gives error, if it is attached to a pool with Node/Pool member instance.

0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor

Conditions:
-- Monitor with alias address field as default properties.
-- Pool containing a node or pool member.
-- Monitor is attached to the pool.

Impact:
Monitor properties can't be modified if they are in use by a pool.

Workaround:
Remove monitor, modify it, and then add it back.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


955145-2 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Links to More Info: K03009991, BT955145


955017-2 : Excessive CPU consumption by asm_config_event_handler

Links to More Info: BT955017

Component: Application Security Manager

Symptoms:
Asm_config_event_handler is consuming a lot of CPU while processing signatures after sync

Conditions:
This is encountered during a UCS load, or by a high availability (HA) configuration sync.

Impact:
Asm_config_server_rpc_handler.pl consumes excessive CPU and takes an exceedingly long time to complete.

Workaround:
Disable the signature staging action item for all policies.

Fixed Versions:
13.1.4.1, 14.1.4.4, 15.1.4, 16.0.1.2


954429-2 : User authorization changes for live update

Links to More Info: K23203045, BT954429


954425-2 : Hardening of Live-Update

Links to More Info: K61112120, BT954425


954381-2 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Links to More Info: K03009991, BT954381


953845-1 : After re-initializing the onboard FIPS HSM, BIG-IP may lose access after second MCPD restart

Links to More Info: BT953845

Component: Local Traffic Manager

Symptoms:
When re-initializing an onboard HSM on particular platforms, BIG-IP may disconnect from the HSM after a second restart of the MCPD daemon.

This can occur when using administrative commands such as:
   -- tmsh run util fips-util init
   -- fipsutil init
   -- tmsh run util fips-util loginreset -r
   -- fipsutil loginreset -r

Conditions:
-- Using the following platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F
  + vCMP guest on i5820-DF / i7820-DF
  + vCMP guest on 10350v-F

Impact:
BIG-IP is unable to communicate with the onboard HSM.

Workaround:
The last step in using "fipsutil init" is to restart all system services ("tmsh restart sys service all") or reboot.

Immediately before doing this:

-- open /config/bigip.conf in a text editor (e.g. vim or nano)
-- locate and delete the configuration "sys fipsuser f5cu" stanza, e.g.:

    sys fipsuser f5cu {
        password $M$Et$b3R0ZXJzCg==
    }

Fix:
Fixed an issue with re-initializing the onboard FIPS HSM.

Fixed Versions:
12.1.6, 13.1.4, 14.1.4, 15.1.3, 16.0.1.1
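As an added example that is not F5's code, the stanza deletion in the workaround can be done on a copy of the file with a small brace-tracking filter instead of in a text editor, which avoids leaving a dangling brace behind. SAMPLE_BIGIP_CONF is a constructed excerpt, not a real system's configuration; the function assumes tmsh-style formatting, with the opening brace on the 'sys fipsuser' line and balanced braces in every stanza.

```python
import re

# Constructed excerpt of a /config/bigip.conf; the pool and management-ip stanzas are
# there only to show that unrelated (and nested) blocks pass through untouched.
SAMPLE_BIGIP_CONF = """ltm pool web_pool {
    members {
        10.0.0.1:80 {
            address 10.0.0.1
        }
    }
}
sys fipsuser f5cu {
    password $M$Et$b3R0ZXJzCg==
}
sys management-ip 192.0.2.10/24 {
}
"""


def _opener(user: str) -> "re.Pattern[str]":
    # Matches the line that opens the stanza, e.g. "sys fipsuser f5cu {".
    return re.compile(r"^\s*sys fipsuser " + re.escape(user) + r" \{\s*$", re.M)


def has_fipsuser_stanza(conf: str, user: str = "f5cu") -> bool:
    """True if the config text still contains a 'sys fipsuser <user>' stanza."""
    return _opener(user).search(conf) is not None


def remove_fipsuser_stanza(conf: str, user: str = "f5cu") -> str:
    """Return the config text without the top-level 'sys fipsuser <user> { ... }' stanza.

    Brace depth is tracked so any nested blocks inside the stanza are dropped with it
    and every other stanza is copied through byte for byte. Idempotent."""
    opener = _opener(user)
    out, depth = [], 0
    for line in conf.splitlines(keepends=True):
        if depth == 0:
            if opener.match(line):
                depth = 1            # start skipping; the opener line itself is dropped
                continue
            out.append(line)
        else:
            depth += line.count("{") - line.count("}")
            depth = max(depth, 0)    # the line that closes the stanza is dropped too
    return "".join(out)


if __name__ == "__main__":
    print(remove_fipsuser_stanza(SAMPLE_BIGIP_CONF), end="")
```

Write the result back over /config/bigip.conf only at the point the workaround specifies, immediately before the final restart of system services or the reboot; keep a copy of the original alongside it.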


953729-2 : Advanced WAF/ASM TMUI authenticated remote command execution vulnerabilities CVE-2021-22989 and CVE-2021-22990

Links to More Info: K56142644 K45056101, BT953729


953677-2 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988

Links to More Info: K18132488 K70031188, BT953677


953393-2 : TMM crashes when performing iterative DNS resolutions.

Links to More Info: BT953393

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes and produces a core file.

Conditions:
The BIG-IP system configuration includes a Network DNS Resolver, which is referenced by another object (for example, a HTTP Explicit Forward Proxy profile) for DNS resolution.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You may be able to work around this issue by having the Network DNS Resolver work in forwarding/recursive mode rather than in resolving/iterative mode.

To do so, configure a Forward Zone for '.' (the DNS root) in the Network DNS Resolver. This causes the resolver to forward every query to a different, external resolver of your choice, which performs the recursive resolution.

The servers you configure for the '.' Forward Zone could be resolvers internal to your organization or public resolvers (e.g. Google DNS).

Fix:
TMM no longer crashes.

Fixed Versions:
15.1.2.1, 16.0.1.1


952557-2 : Azure B2C Provider OAuth URLs are updated for B2Clogin.com

Links to More Info: BT952557

Component: Access Policy Manager

Symptoms:
Microsoft has deprecated the login.microsoftonline.com OAuth URLs for Azure Active Directory B2C (Azure AD B2C). The OAuth Provider templates are updated to use the newer B2Clogin.com URLs.

Conditions:
The Azure AD B2C Provider may be non-functional if its URLs use login.microsoftonline.com.

Impact:
Older AD B2C URLs using login.microsoftonline.com may not be functional.

Workaround:
Update existing URLs when creating OAuth B2C providers to use B2Clogin.com.

For more information, see Azure Active Directory B2C is deprecating login.microsoftonline.com :: https://azure.microsoft.com/en-us/updates/b2c-deprecate-msol/.

Fix:
Azure B2C Provider OAuth URLs have been updated to use B2Clogin.com.

Fixed Versions:
14.1.4, 15.1.3


952545-2 : 'Current Sessions' statistics of HTTP2 pool may be incorrect

Links to More Info: BT952545

Component: Service Provider

Symptoms:
In an HTTP2 full proxy deployment, the LTM pool 'cur_sessions' statistic may show an unusually large number, such as 18446743927680663552.

Conditions:
-- HTTP2 full proxy deployment
-- A client sends multiple requests over multiple streams

Impact:
'Current Sessions' statistics are used to track the number of pending requests in the queue; the counter can underflow.

Workaround:
None.

Fix:
'Current Sessions' statistics of HTTP2 pool reports correctly.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1


952509-2 : Cross origin AJAX requests are blocked in case there is no Origin header

Links to More Info: BT952509

Component: Application Security Manager

Symptoms:
When using Single Page Application, if a CORS request is sent without an Origin header, the "Access-Control-Allow-Origin" header is not set and the request is blocked.

Conditions:
-- ASM policy / DoS (with application) profile / Bot Defense Profile are attached to VS, with a "Single Page Application" flag enabled.
-- Client is using dosl7.allowed_origin option
-- CORS Request is sent without an Origin header.

Impact:
Request is blocked.

Workaround:
Use an iRule to add the Origin header according to the domain in the Referrer header.

Fix:
Check referrer header also when modifying CORS headers.

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2
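The workaround above describes the iRule only in words. The following is an added example of such an iRule, not code from F5 or from this release note: it copies the scheme and host of the Referer header into a synthesized Origin header when the request carries none. The hostname "app.example.com" is a placeholder for the protected application, and restricting the rewrite to that host is a design choice of this example rather than something the bug entry prescribes.

```tcl
# Added example (not F5's code): build a missing Origin header from the Referer
# header so that the Single Page Application CORS handling sees an origin.
# "app.example.com" is a placeholder for the application's own hostname.
when HTTP_REQUEST {
    # Only touch requests that carry no Origin but do carry a Referer.
    if { ![HTTP::header exists "Origin"] && [HTTP::header exists "Referer"] } {
        set ref   [HTTP::header value "Referer"]
        set proto [string tolower [URI::protocol $ref]]
        set host  [string tolower [URI::host $ref]]
        # Referer is client-supplied, so the rewrite is scoped to http/https
        # referrers from the site's own host. Copying any referrer unchecked
        # would let every referring site be treated as an accepted origin.
        if { ($proto eq "http" || $proto eq "https") && $host eq "app.example.com" } {
            HTTP::header insert "Origin" "${proto}://${host}"
        }
    }
}
```

Attach the iRule to the same virtual server that carries the ASM policy, DoS profile or Bot Defense profile with the "Single Page Application" flag, and remove it once the system is running a fixed version, since the fix makes the Referer check part of the CORS handling itself.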


951705-2 : iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

Links to More Info: K03009991, BT951705


951257-3 : FTP active data channels are not established

Links to More Info: K82034427, BT951257


951133-2 : Live Update does not work properly after upgrade

Links to More Info: BT951133

Component: Application Security Manager

Symptoms:
After upgrading BIG-IP version the Live Update "Check for Update" button does not respond.

Conditions:
Upgrading from a version that did not have Live Update to a new version which includes Live Update

Impact:
Live Update can't query for new updates.

Workaround:
Restart tomcat process:
> bigstart restart tomcat

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2, 16.1.1


950917-1 : Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034

Links to More Info: BT950917

Component: Application Security Manager

Symptoms:
Following Signature Update (-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:

01310027:2: subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )

Conditions:
Signature Update -SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.

Impact:
Apply policy fails.

Workaround:
You can use any of the following workarounds:

-- Install an older signature update -SignatureFile_20200917_175034

-- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.

-- Run the following SQL command to correct all affected policies on the device:
----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs INNER JOIN (select previous_enforced_rule_md5, policy_id, count(*) as mycount from PL_POLICY_NEGSIG_SIGNATURES where previous_enforced_rule_md5 != '' group by previous_enforced_rule_md5, policy_id having mycount > 1) as multi_sigs on policy_sigs.policy_id = multi_sigs.policy_id and policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5 SET policy_sigs.previous_enforced_rule_md5 = '', policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4


950849-4 : B4450N blades report page allocation failure.

Links to More Info: BT950849

Component: TMOS

Symptoms:
Despite having free memory, the BIG-IP system frequently logs kernel page allocation failures on B4450N blades to the /var/log/kern.log file like the following:

swapper/16: page allocation failure: order:2, mode:0x104020

After that, a stack trace follows. Note that the process name in the line ('swapper/16', in this example) varies. You may see generic Linux processes or processes specific to F5 in that line.

Conditions:
This occurs on B4450N blades regardless of configuration.

Impact:
As different processes can experience this issue, the system may behave unpredictably. For example, it is possible for a TMOS installation to fail as a result of this issue. Other processes may not exhibit any side effect as a result of this issue. The exact impact depends on which process becomes affected and how this process is designed to handle such a failure to allocate memory.

Workaround:
You must perform the workaround on each blade installed in the system.

-- If you want the workaround to survive reboots only, perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands:

# clsh "sysctl -w vm.min_free_kbytes=131072"
# clsh "echo -e '\n# Workaround for ID950849' >> /etc/sysctl.conf"
# clsh "echo 'vm.min_free_kbytes = 131072' >> /etc/sysctl.conf"

-- If you want the workaround to survive reboots, upgrades, RMAs, etc., perform the following procedure:

1) Log on to the advanced shell (BASH) of the primary blade of the affected VIPRION system.

2) Run the following commands (with the desired amount in KB):

# clsh "sysctl -w vm.min_free_kbytes=131072"
# echo -e '\n# Workaround for ID950849' >> /config/startup
# echo 'sysctl -w vm.min_free_kbytes=131072' >> /config/startup

Note that the last two commands are not wrapped inside 'clsh' because the /config/startup file is already automatically synchronized across all blades.

Once the issue is fixed in a future BIG-IP version, remove the workarounds:

-- To remove the first workaround:

1) Edit the /etc/sysctl.conf file on all blades and remove the added lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This will restore the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

-- To remove the second workaround:

1) Edit the /config/startup file on the primary blade only, and remove the extra lines at the bottom.

2) Reboot the system by running 'clsh reboot'. This restores the min_free_kbytes kernel parameter to its default value for the BIG-IP version you are running.

To verify the workaround is in place, run the following command (this should return the desired amount in KB):

# clsh "cat /proc/sys/vm/min_free_kbytes"

Fix:
The BIG-IP system no longer experiences kernel page allocation failures on B4450 (A114) blades.

Fixed Versions:
14.1.4.4, 15.1.3.1


950077-2 : TMUI authenticated remote command execution vulnerabilities CVE-2021-22987 and CVE-2021-22988

Links to More Info: K18132488, K70031188, BT950077


950017-2 : TMM may crash while processing SCTP traffic

Links to More Info: K94941221, BT950017


949933-1 : BIG-IP APM CTU vulnerability CVE-2021-22980

Links to More Info: K29282483, BT949933


949889-3 : CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()

Links to More Info: K04107324, BT949889


949721-2 : QUIC does not send control frames in PTO packets

Links to More Info: BT949721

Component: Local Traffic Manager

Symptoms:
When the QUIC PTO timer fires, it may resend some in-flight data. That data will not include any in-flight control frames.

Conditions:
A control frame is in-flight when the PTO timer fires.

Impact:
Minimal. The PTO timer is a mechanism to 'get ahead' of any lost packets and if a packet containing control frames is lost, those frames will be retransmitted.

Workaround:
None.

Fix:
Retransmittable control frames are now sent when the PTO timer fires.

Fixed Versions:
15.1.4.1, 16.0.1.2


949593-3 : Unable to load config if AVR widgets were created under '[All]' partition

Links to More Info: BT949593

Component: Application Visibility and Reporting

Symptoms:
When upgrading to or loading saved configuration on BIG-IP software v13.0.0 or later, if the configuration contains AVR widgets created under a partition of '[All]', the config load fails.

Conditions:
This occurs if one or more AVR widgets in the configuration was created under the read-only '[All]' pseudo-partition.
This could have occurred if you were running a version of BIG-IP which did not include the fix for ID 721408.

Impact:
Upgrading to or loading an affected configuration on BIG-IP v13.x or later fails.

Workaround:
Manually edit the /config/bigip.conf configuration file and change '[All]' to 'Common':

# sed -i 's/\\\[All\]/Common/g' /config/bigip.conf
# tmsh load sys config
# tmsh save sys config

This should be done before upgrading to BIG-IP v13.x or later, or before saving configuration to be loaded later, or before loading a saved configuration from the config files.

Fix:
It is now possible to upgrade from, or load, a configuration containing one or more AVR widgets created under the read-only '\[All]' pseudo-partition or under other non-existent partitions. With this fix, all such partitions are changed to "Common" during upgrade.

Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.2


949477-1 : NTLM RPC exception: Failed to verify checksum of the packet

Links to More Info: BT949477

Component: Access Policy Manager

Symptoms:
NTLM authentication fails with the error:

RPC exception: Failed to verify checksum of the packet.

Conditions:
-- Start nlad process with 'encryption'.
-- Configure a user, and map that user to a huge number of groups.
-- Configure NTLM front-end authentication.

Impact:
User authentication fails.

Workaround:
1. Run the 'nlad' process with '-encrypt no' in the file /etc/bigstart/startup/nlad.

2. Disable encryption for nlad:
   # vim /etc/bigstart/startup/nlad

   change:
   exec /usr/bin/${service} -use-log-tag 01620000

   to:
   exec /usr/bin/${service} -use-log-tag 01620000 -encrypt no

3. Restart nlad to make the change effective, and to force the schannel to be re-established:
   # bigstart restart nlad

Fixed Versions:
14.1.4.4, 15.1.4.1


949145-5 : Improve TCP's response to partial ACKs during loss recovery

Links to More Info: BT949145

Component: Local Traffic Manager

Symptoms:
- A bursty retransmission occurs during TCP's loss recovery period.

Conditions:
- TCP filter is used.
- TCP stack is used instead of TCP4 stack (based on profile settings).
- Packet loss occurs during the data transfer and TCP's loss recovery takes place.

Impact:
The bursty retransmissions may lead to more data getting lost due to large amount of data being injected into the network.

Workaround:
In versions prior to v16.0.0, use a TCP profile which selects the TCP4 stack instead of the TCP stack. There is no workaround for version 16.0.0.

Fix:
Partial ACK handling during loss recovery is improved.

Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1


948805-1 : False positive "Null in Request"

Links to More Info: BT948805

Component: Application Security Manager

Symptoms:
The "Null in Request" violation is raised as a false positive.

Conditions:
-- BIG-IP receives a query string in the "Referrer" header

Impact:
False positive violation "Null in Request" is thrown

Workaround:
None

Fix:
Fixed a false positive violation.

Fixed Versions:
14.1.4.5, 15.1.4.1


948769-5 : TMM panic with SCTP traffic

Links to More Info: K05300051, BT948769


948757-2 : A snat-translation address responds to ARP requests but not to ICMP ECHO requests.

Links to More Info: BT948757

Component: Local Traffic Manager

Symptoms:
A snat-translation address with ARP enabled responds to ARP requests but not ICMP ECHO requests.

Conditions:
A snat-translation address is configured with ARP enabled.

Impact:
Application traffic should not be impacted, as external hosts trying to resolve the snat-translation and return traffic to it should still be able to do so; however, ping is an important network troubleshooting tool, and not being able to ping the address may create confusion.

Workaround:
None.

Fix:
A snat-translation now correctly responds to both ARP requests and ICMP ECHO requests.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1


948717-3 : F5-pf_daemon_cond_restart uses excessive CPU

Links to More Info: BT948717

Component: TMOS

Symptoms:
The script /etc/init.d/f5-pf_daemon_cond_restart spawns a lot of ephemeral processes that collectively use about 10-15% of a core, regardless of the number of cores.

This contributes to higher CPU usage after upgrading from an earlier version.

Conditions:
On upgrade to a 15.1.x version, high CPU usage is observed.

Impact:
Higher CPU utilization on control plane, typically the equivalent of about 10-15% (of one core) extra.

Workaround:
None.

Fixed Versions:
15.1.3.1


948573-4 : Wr_urldbd list of valid TLDs needs to be updated

Links to More Info: BT948573

Component: Traffic Classification Engine

Symptoms:
Several new TLDs have been added and need to be classified. The classification results return "Unknown" when the new TLD is being queried.

Conditions:
New TLD is being queried

Impact:
URL queries with new TLDs cannot be blocked with a custom feed list.
Custom, Webroot, and Cloud lookups all return the Unknown category.

Workaround:
Configure CPM policy to classify traffic based on hostname or SNI rather than urlcat.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2


948417-2 : Network Management Agent (Azure NMAgent) update causes Kernel Panic

Links to More Info: BT948417

Component: Performance

Symptoms:
- TMM crashes
- kernel panics
- BIG-IP core file created
- Cloud Failover Extension unexpected behavior (where applicable)

Conditions:
- BIG-IP Azure Virtual Edition
- Azure Host performs a Network Management Agent (NMAgent) update while TMM is running
- BIG-IP VE using Accelerated Networking

Impact:
- Traffic disrupted while tmm restarts
- BIG-IP restarts
- Cloud Failover Extension state data lost (where applicable)

Workaround:
Disable Accelerated Networking on the BIG-IP network interfaces. The steps below are the reverse of the enable procedure in the Azure documentation.

Individual VMs and VMs in an availability set:

1. Stop/deallocate the VM or, for an availability set, all the VMs in the set (Azure CLI):

   az vm deallocate \
     --resource-group myResourceGroup \
     --name myVM

   Important: if your VM was created individually, without an availability set, you only need to stop/deallocate the individual VM to disable Accelerated Networking. If your VM was created with an availability set, all VMs contained in the availability set must be stopped/deallocated before disabling Accelerated Networking on any of the NICs.

2. Once stopped, disable Accelerated Networking on the NIC of your VM (Azure CLI):

   az network nic update \
     --name myNic \
     --resource-group myResourceGroup \
     --accelerated-networking false

3. Restart your VM or, if in an availability set, all the VMs in the set, and confirm that Accelerated Networking is disabled (Azure CLI):

   az vm start --resource-group myResourceGroup \
     --name myVM

Fixed Versions:
15.1.4


948113-3 : User-defined report scheduling fails

Links to More Info: BT948113

Component: Application Visibility and Reporting

Symptoms:
A scheduled report fails to be sent.

An error message with the following format may appear in the /var/log/avr/monpd.log file (some parts of the error message are replaced with '.....' here to leave only the common parts):
     DB|ERROR|....... Error (err-code 1054) executing SQL string :
.....
.....
.....
 Because : Unknown column ....... in 'order clause'

Conditions:
1. Using predefined-report in scheduled-report.
2. Predefined-report has more than one measure.
3. Sort-by value is different from the first measure on predefined-report

Impact:
The scheduled AVR report built from an ASM predefined report fails with an internal error.

Workaround:
First, remount /usr to read-write:
mount -o remount,rw /usr

Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line:
push(@measures,@{$base_request->{measures}}[0]);
to this:
push(@measures,@{$base_request->{sort_by}}[0]->{measure});

The above can be achieved with the following script-line (please first backup the Client.pm file and then verify it changed it correctly):
sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm

Lastly, remount /usr back to read-only:
mount -o remount,ro /usr

Fix:
The PDF is now built using the 'sort-by' measure instead of the first value in the measure list.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1, 16.1.2


948073-2 : Dual stack download support for IP Intelligence Database

Links to More Info: BT948073

Component: Advanced Firewall Manager

Symptoms:
IP Intelligence cannot function if the BIG-IP management IP network is IPv6-only.

Conditions:
- IP Intelligence License installed
- Management IP is configured with only IPv6 addresses.

Impact:
The BIG-IP systems configured with IPv6 management networks cannot use IP Intelligence features even though they have installed IP Intelligence licenses.

Workaround:
None

Fix:
BIG-IP can now download the IP Intelligence database over IPv4 and IPv6 management networks.

Behavior Change:
BIG-IP can now download the IP Intelligence database over IPv4 and IPv6 management networks.

Fixed Versions:
15.1.4


947925-1 : TMM may crash when executing L7 Protocol Lookup per-request policy agent

Links to More Info: BT947925

Component: SSL Orchestrator

Symptoms:
TMM may crash when executing the L7 Protocol Lookup per-request policy agent.

Conditions:
-- APM or SSL Orchestrator is licensed and provisioned.
-- L7 Protocol Lookup agent is included in the per-request policy for APM/SWG use cases.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM does not crash anymore when executing the L7 Protocol Lookup agent in the per-request policy.

Fixed Versions:
14.1.4.3, 15.1.4


947865-2 : Pam-authenticator crash - pam_tacplus segfault or sigabort in tac_author_read

Links to More Info: BT947865

Component: TMOS

Symptoms:
Pam-authenticator cores. There is a log message in /var/log/user.log:

err pam-authenticator: tac_author_read: short author header, -1 of 12: Connection reset by peer

Conditions:
-- TACACS auth configured on BIG-IP
-- A BIG-IP user authenticates and the user is a TACACS user
-- The TACACS server resets the connection.

Impact:
Pam-authenticator fails with segfault or sigabrt, and the user is unable to authenticate to BIG-IP.

Fixed Versions:
14.1.4, 15.1.3


947529-2 : Security tab in virtual server menu renders slowly

Links to More Info: BT947529

Component: TMOS

Symptoms:
When a large number of virtual servers use the same ASM policy from a manually-created LTM Traffic policy, the Security tab of the virtual server takes a long time to load.

Conditions:
Large number of virtual servers using the same ASM policy

Impact:
Loading of Security tab of a virtual server takes a long time

Workaround:
NA

Fix:
The Security tab of a virtual server now loads quickly.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1


947341-1 : MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files.

Links to More Info: BT947341

Component: Application Security Manager

Symptoms:
1) /var/lib/mysql/mysqld.err is filled with log entries that contain:
------------
  200824 11:04:43 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
  200824 11:18:46 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
  200824 11:35:58 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
------------

2) There are a lot of PRX.REQUEST_LOG partitions, in some cases up to 1024, many of which are empty.

Conditions:
ASM/AVR provisioned

Impact:
MySQL runs out of resources when opening the file PRX.REQUEST_LOG, and an error message states that the file is corrupt.

Workaround:
1. If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
   https://support.f5.com/csp/article/K14956
   https://support.f5.com/csp/article/K42497314

2. To identify the empty partitions, look into:
   mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G"

3. For every partition that is empty, manually (or via shell script) execute this sql:
   mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "ALTER TABLE PRX.REQUEST_LOG DROP PARTITION <empty_partition_name>;"

   Note: <empty_partition_name> must be substituted with the partition name, for example p100001.


4. Increase 'open_files_limit' to '10000'.
--------------------------------

   In the /etc/my.cnf file:
   1. Change the value of the 'open_files_limit' parameter to 10000.
   2. Restart MySQL:
   bigstart restart mysql
--------------------------------

5. pkill asmlogd

Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.

Fix:
This release increases the default 'open_files_limit' to '10000'.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2, 16.1.2


946953-1 : HTTP::close used in iRule might not close connection.

Links to More Info: BT946953

Component: Local Traffic Manager

Symptoms:
HTTP::close used in an iRule might not close the connection. For example:

when HTTP_REQUEST {
    HTTP::close
    HTTP::respond 200 -version 1.1 content "OK" Content-Type text/plain
}

Conditions:
Using HTTP::close along with HTTP::respond

Impact:
The HTTP connection is not closed and can be reused.

Workaround:
Explicitly add close header in the HTTP::respond. For example:

HTTP::respond 200 content "OK" Connection close

Fix:
Fixed an issue where HTTP::close might not close a connection.

Fixed Versions:
15.1.3, 16.0.1.1


946745-2 : 'System Integrity: Invalid' after Engineering Hotfix installation

Links to More Info: BT946745

Component: TMOS

Symptoms:
The 'tmsh run sys integrity status-check -a -v' or 'tpm-status' commands incorrectly report system integrity status as 'Invalid' even when the system software has not been modified.

Conditions:
This occurs if all of the following conditions are true:

-- BIG-IP software v14.1.0 or later version.
-- Engineering Hotfix installed on TPM-supported BIG-IP platform.
-- The Engineering Hotfix contains a fix for ID893885 (https://cdn.f5.com/product/bugtracker/ID893885.html).
-- The Engineering Hotfix contains an updated 'sirr-tmos' package.

Impact:
Incorrect presentation of system software status; the status shows INVALID when it is actually valid.

Workaround:
None.

Fix:
Trusted Platform Module (TPM) status now shows the correct system integrity status when an Engineering Hotfix is installed.

Fixed Versions:
14.1.4, 15.1.3


946481-1 : Virtual Edition FIPS not compatible with TLS 1.3

Links to More Info: BT946481

Component: Local Traffic Manager

Symptoms:
A TLS 1.3 handshake failure occurs when using openssl's AES-GCM cipher in FIPS mode.

Conditions:
FIPS mode and attempting TLS 1.3 with cipher AES-GCM

Impact:
Handshake failure for TLS 1.3

Workaround:
Disable FIPS mode, or alternatively use a non-AES-GCM cipher for TLS 1.3.

Fix:
TLS 1.3 AES-GCM in FIPS mode now works correctly.

Fixed Versions:
14.1.4.6, 15.1.5.1


946377-2 : HSM WebUI Hardening

Links to More Info: K24301698, BT946377


946325-2 : PEM subscriber GUI hardening

Links to More Info: K25451853, BT946325


946185-1 : Unable to view iApp component due to error 'An error has occurred while trying to process your request.'

Links to More Info: BT946185

Component: iApp Technology

Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:

An error has occurred while trying to process your request.

Conditions:
-- With or without Partitions configured.
-- Navigate to GUI iApps :: Application Services : Applications, to view a custom iApp.
-- More likely to occur after upgrade.

Impact:
Unable to view/modify iApps via GUI iApps :: Application Services : Applications screen.

Workaround:
To reconfigure the iApp, do the following:

1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List

2. Click the Application Link :: Reconfigure.

Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.

Fix:
Viewing Application Service components now reports no errors in the GUI under these conditions.

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2


946125-2 : Tmm restart adds 'Revoked' tokens to 'Active' token count

Links to More Info: BT946125

Component: Access Policy Manager

Symptoms:
End users are unable to access an application even though the active tokens are far less than allowed limit, with this error:
/Common/my_oauth:Common: Request Access Token from Source ID <id> IP <ip> failed. Error Code (access_denied) Error Description (This user has reached configured access token limit.)

Conditions:
1. configure per user access token limit
2. revoke some tokens
3. restart tmm

Impact:
User is denied access even though token limit per user is not reached

Fix:
Fixed an issue where users were unable to log in after a tmm restart.

Fixed Versions:
14.1.4.4, 15.1.4


946089-2 : BIG-IP might send excessive multicast/broadcast traffic.

Links to More Info: BT946089

Component: TMOS

Symptoms:
BIG-IP might transmit excessive multicast/broadcast traffic.

Conditions:
-- BIG-IP Virtual Edition with more than one TMM.
-- Number of excessive packets is directly proportional to the number of TMMs.

Impact:
Excessive multicast/broadcast traffic.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


946081-1 : Getcrc tool help displays directory structure instead of version

Links to More Info: BT946081

Component: Application Security Manager

Symptoms:
When getcrc tool displays help to the end user, it displays a directory structure instead of version.

Conditions:
Displaying help in getcrc utility.

Impact:
Version information is not displayed.

Fix:
Getcrc utility help now displays version information.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2


945997-2 : LTM policy applied to HTTP/2 traffic may crash TMM

Links to More Info: BT945997

Component: Local Traffic Manager

Symptoms:
When an LTM policy is applied to HTTP/2 traffic and refers to TCL expression(s), TMM may crash.

Conditions:
-- A virtual is configured with http and http2 profiles.
-- An LTM policy is published and refers to TCL expression(s).
-- The policy is attached to the virtual server.

Impact:
Traffic disrupted while tmm restarts.

Fix:
BIG-IP properly processes LTM policy with TCL expression(s) when it is applied to a virtual handling HTTP/2 traffic.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


945853-2 : Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession

Links to More Info: BT945853

Component: Advanced Firewall Manager

Symptoms:
TMM crashes during a configuration change.

Conditions:
This occurs under the following conditions:

-- Create/modify/delete multiple virtual servers in quick succession.

-- Perform back-to-back config loads / UCS loads containing a large number of virtual server configurations.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes during a configuration change.

Fixed Versions:
15.1.3


945789-1 : Live update cannot resolve hostname if IPv6 is configured.

Links to More Info: BT945789

Component: Application Security Manager

Symptoms:
Live update does not work when BIG-IP DNS is configured to use IPv6.

Conditions:
BIG-IP DNS uses IPv6.

Impact:
-- Unable to install latest updates to signatures.
-- Unable to import user-defined signatures.

Workaround:
If possible, use IPv4 for DNS.

An alternative workaround could be to configure a working IPv4 address in the "/etc/hosts" file, by issuing the following command from the advanced shell (bash):

    echo "165.160.15.20 callhome.f5.net" >> /etc/hosts

Fix:
Replaced the deprecated gethostbyname(), which does not handle IPv6 well, with getaddrinfo().

Fixed Versions:
15.1.4.1


945265-4 : BGP may advertise default route with incorrect parameters

Links to More Info: BT945265

Component: TMOS

Symptoms:
If a BGP neighbor is configured with 'default originate,' the nexthop advertised for the default route may be incorrect.

Conditions:
-- Dynamic routing enabled.
-- Using BGP.
-- BGP neighbor configured with 'default originate'.

Impact:
The default route advertised via BGP is not acceptable to peers until the BGP session is cleared.

Workaround:
In imish, run the command:
clear ip bgp <affected neighbor address>

Fix:
BGP suppresses a route advertisement between BGP speakers configured in the same AS with the same router-id.

Behavior Change:
BGP now suppresses a route advertisement between BGP speakers configured in the same AS with the same router-id.

Previously, the route was not acceptable to peers until the BGP session was cleared, resulting in potentially incorrect parameters.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1


945109-2 : Freetype Parser Skip Token Vulnerability CVE-2015-9382

Links to More Info: K46641512, BT945109


944785-2 : Admd restarting constantly. Out of memory due to loading malformed state file

Links to More Info: BT944785

Component: Anomaly Detection Services

Symptoms:
Admd consumes more than 10GB of RSS
Wrong signature statistics and possible memory corruption, potentially results in high memory consumption.

Conditions:
-- Upgrading from 13.x, 14.x to 15.x
-- Device service clustering configuration
-- App-Protect-DOS signatures configured.

Impact:
ADMD does not work: it restarts constantly and consumes all of the system memory until it is killed for running out of memory.

Workaround:
Make sure that all the devices within a cluster are running a compatible state-file version (either all on versions before 15.1.0.x or all on versions after). If they are not:
1. Stop ADMD on all of those devices: bigstart stop admd
2. Upgrade or Downgrade the BIG-IP version to match the above criteria.
3. Remove the old state files: rm -rf /var/run/adm/*
4. Start ADMD: bigstart start admd

If there is an issue on a single blade device, then:
1. Stop ADMD on all of those machines: bigstart stop admd
2. Remove the old state files: rm -rf /var/run/adm/*
3. Start ADMD: bigstart start admd

Fix:
No more memory corruption, no OOM nor ADMD restarts.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.2


944641-1 : HTTP2 send RST_STREAM when exceeding max streams

Links to More Info: BT944641

Component: Local Traffic Manager

Symptoms:
If the SETTINGS_MAX_CONCURRENT_STREAMS setting is exceeded, BIG-IP sends a GOAWAY frame; however, browsers expect a RST_STREAM and the GOAWAY frame results in a half-rendered web page.

Conditions:
The maximum streams setting is exceeded on a HTTP/2 connection.

Impact:
BIG-IP sends a GOAWAY frame, and the browser shows a half-rendered page.

Workaround:
None.

Fix:
BIG-IP now sends a RST_STREAM if the maximum streams setting is exceeded.

Fixed Versions:
14.1.4, 15.1.4, 16.0.1.1


944513-2 : Apache configuration file hardening

Links to More Info: BT944513

Component: TMOS

Symptoms:
Apache configuration file did not follow security best practice.

Conditions:
Normal system operation with httpd enabled.

Impact:
Apache configuration file did not follow security best practice.

Workaround:
None

Fix:
Apache configuration file has been hardened to follow security best practice.

Fixed Versions:
14.1.4.6, 15.1.4


944441-2 : BD_XML logs memory usage at TS_DEBUG level

Links to More Info: BT944441

Component: Application Security Manager

Symptoms:
There are two messages in BD_XML logs that the system reports at the TS_DEBUG log level, but they should be logged as TS_INFO.

BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1687|after create of profile 754. (xml memory 5111702493 bytes)
BD_XML|DEBUG |Sep 10 14:51:19.335|1456|xml_validation.cpp:1586|add profile 755. name: /ws/replanifierIntervention_V1-0 is soap? 1 (xml memory before add 5111702493 bytes)

Conditions:
These messages can occur when XML/JSON profiles are configured.

Impact:
Messages that should be logged at the TS_INFO level are logged at the TS_DEBUG level. These are informational log messages.

Workaround:
None

Fix:
The relevant two BD_XML logs are now categorized as TS_INFO.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2


944121-1 : Missing SNI information when using non-default domain https monitor running in TMM mode.

Links to More Info: BT944121

Component: In-tmm monitors

Symptoms:
In-TMM https monitors do not send the SNI (Server Name Indication) information for pool members in a non-default route domain.

In-TMM monitors send no packets at all when a TLS 1.3 monitor is used.

Conditions:
-- SNI is configured in the serverssl profile.
-- The serverssl profile is assigned to an in-TMM https monitor.
-- The https monitor is monitoring pool members in a non-default route domain.

Alternatively:
-- A TLS 1.3 in-TMM monitor is used.

Impact:
With SNI configured, the TLS connection might fail.

With a TLS 1.3 monitor, no SYN packet is sent.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


943913-3 : ASM attack signature does not match

Links to More Info: K30150004, BT943913

Component: Application Security Manager

Symptoms:
When processing certain traffic, ASM attack signatures may not match as intended.

Conditions:
- ASM enabled
- Undisclosed attack signature variation

Impact:
ASM attack signature does not match or trigger further processing.

Workaround:
N/A

Fix:
ASM now processes traffic as expected.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.3.1, 16.0.1.2


943793-2 : Neurond continuously restarting.

Links to More Info: BT943793

Component: TMOS

Symptoms:
Neurond continuously restarts.

Conditions:
-- BIG-IP iSeries hardware platform
-- issuing the command "service --status-all"

Impact:
Neuron communications will be impacted.

Workaround:
N/A

Fix:
The neurond init script treated any unknown argument as "start"; a default case now handles unknown arguments.

Fixed Versions:
14.1.4, 15.1.5.1


943669-1 : B4450 blade reboot

Links to More Info: BT943669

Component: TMOS

Symptoms:
In a rare scenario, a B4450 blade suddenly reboots.

Conditions:
This occurs when there is heavy traffic load on VIPRION B4450 blades. The root cause is unknown. It happens extremely rarely.

Impact:
Traffic disrupted while the blade reboots.

Workaround:
None.

Fix:
The system now monitors the pause frames and reboots when needed.

Fixed Versions:
15.1.2, 16.1.2.2


943577-2 : Full sync failure for traffic-matching-criteria with port list under certain conditions

Links to More Info: BT943577

Component: TMOS

Symptoms:
Performing a full configuration sync with traffic-matching-criteria (TMC) under specific conditions fails with errors similar to:

err mcpd[6489]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[6489]: 01071488:3: Remote transaction for device group /Common/Failover to commit id 245 6869100131892804717 /Common/tmc-sync-2-bigip1.test 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..

Conditions:
This may occur on a full-load config sync (not an incremental sync)
On the device receiving the ConfigSync:
   - a traffic-matching-criteria is attached to a virtual server
   - the traffic-matching-criteria is using a port-list
On the device sourcing the ConfigSync:
   - the same traffic-matching-criteria is attached to the same virtual server
   - the original port-list is modified (e.g. a description is changed)
   - the TMC is changed to reference a _different_ port-list

Impact:
Unable to sync configurations.

Workaround:
Copy the "net port-list" and "ltm traffic-matching-criteria" objects from the source to target system, merge them with "tmsh load sys config merge", and then perform a force-full-load-push sync from source to target.

If the BIG-IP systems are using device groups with auto-sync enabled, disable auto-sync temporarily while performing this workaround.

1. On the source system (the system whose configuration you want to sync to peer), save the configuration and extract the ltm traffic-matching-criteria and port-lists:

tmsh save sys config

(shopt -s nullglob; echo "#"; echo "# $HOSTNAME"; echo "# generated $(date +"%F %T %z")"
    cat /config{/partitions/*,}/bigip{_base,}.conf |
    awk '
        BEGIN { p=0 }
        /^(ltm traffic-matching-criteria|net port-list) / { p=1 }
        /^}/ { if (p) { p=0; print } }
        { if (p) print; }
    ' ) > /var/tmp/portlists-and-tmcs.txt

2. Copy /var/tmp/portlists-and-tmcs.txt to the target system

3. On the target system, load that file:

    tmsh load sys config replace file /var/tmp/portlists-and-tmcs.txt

3a. If loading the config file on the target system fails with the same error message seen during a ConfigSync, follow the procedure in
K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.

   tmsh save sys config
   clsh touch /service/mcpd/forceload
   clsh reboot

4. On the source system, force a full-load sync to the device-group:

    tmsh run cm config-sync force-full-load-push to-group <name of sync-group>

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2
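
As an added example (not F5 code), a checker for the condition above: it parses the two object types the workaround copies ("ltm traffic-matching-criteria" and "net port-list") from source and target bigip.conf text, counting braces so a nested "ports { }" stanza cannot end a block early, reports every TMC whose port-list reference changed while the originally referenced port-list was also modified, and renders the objects to feed to the 'tmsh load sys config merge' step. The two configuration excerpts are constructed, the function names are this example's own, and it works on text already copied from the systems rather than reading /config or running tmsh.

```python
import re

# Constructed bigip.conf excerpts (not from a real system) reproducing the Conditions:
# the target still has tmc-web -> pl-web; the source edited pl-web and repointed tmc-web at pl-web2.
TARGET_CONF = """\
ltm traffic-matching-criteria /Common/tmc-web {
    destination-address-inline 0.0.0.0
    destination-port-list /Common/pl-web
    protocol tcp
    source-address-inline 0.0.0.0
}
net port-list /Common/pl-web {
    ports {
        80 { }
        443 { }
    }
}
"""
SOURCE_CONF = """\
ltm traffic-matching-criteria /Common/tmc-web {
    destination-address-inline 0.0.0.0
    destination-port-list /Common/pl-web2
    protocol tcp
    source-address-inline 0.0.0.0
}
net port-list /Common/pl-web {
    description "edited on source"
    ports {
        80 { }
        443 { }
    }
}
net port-list /Common/pl-web2 {
    ports {
        8080 { }
        8443 { }
    }
}
"""

HEADER_RE = re.compile(r"^(ltm traffic-matching-criteria|net port-list) (\S+) \{$")


def extract_objects(text):
    """Return {(kind, name): block_text} for top-level TMC and port-list objects."""
    objects, current, depth, body = {}, None, 0, []
    for line in text.splitlines():
        if current is None:
            m = HEADER_RE.match(line)
            if m:
                current, depth, body = (m.group(1), m.group(2)), 1, [line]
            continue
        body.append(line)
        depth += line.count("{") - line.count("}")   # nested stanzas keep depth > 0
        if depth == 0:
            objects[current] = "\n".join(body) + "\n"
            current = None
    if current is not None:
        raise ValueError(f"unterminated block for {current}")
    return objects


def port_list_refs(objects):
    """Map each TMC name to the port-lists it references (source and destination)."""
    refs = {}
    for (kind, name), body in objects.items():
        if kind == "ltm traffic-matching-criteria":
            refs[name] = set(re.findall(r"^\s*(?:source|destination)-port-list (\S+)$", body, re.M))
    return refs


def sync_risks(source_text, target_text):
    """TMCs repointed to a different port-list on the source while the port-list the
    target still references was also modified: the combination that fails a full sync."""
    src, tgt = extract_objects(source_text), extract_objects(target_text)
    src_refs, tgt_refs = port_list_refs(src), port_list_refs(tgt)
    risks = []
    for tmc, old_lists in tgt_refs.items():
        new_lists = src_refs.get(tmc, set())
        for pl in old_lists - new_lists:
            old_body = tgt.get(("net port-list", pl))
            new_body = src.get(("net port-list", pl))
            if old_body is not None and new_body is not None and old_body != new_body:
                risks.append((tmc, pl, sorted(new_lists)))
    return risks


def merge_file(source_text):
    """Render the source-side objects for the 'tmsh load sys config merge file' step."""
    return "".join(extract_objects(source_text).values())
```

Run sync_risks() on the two files before the next forced full sync: an empty result means this particular combination is absent and the failure has another cause; a non-empty result names the TMC and port-list to carry over with merge_file().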


943125-2 : ASM bd may crash while processing WebSocket traffic

Links to More Info: K18570111, BT943125


943101-2 : Tmm crash in cipher group delete.

Links to More Info: BT943101

Component: Local Traffic Manager

Symptoms:
Deleting a cipher group associated with multiple profiles could cause a tmm crash.

Conditions:
Deleting a cipher group associated with multiple profiles.

Impact:
Traffic disrupted while tmm restarts.

Fix:
Fixed an issue with cipher group delete.

Fixed Versions:
14.1.3, 15.1.4


943081-3 : Unspecified HTTP/2 traffic may cause TMM to crash

Links to More Info: K90603426, BT943081


942965-2 : Local users database can sometimes take more than 5 minutes to sync to the standby device

Links to More Info: BT942965

Component: Access Policy Manager

Symptoms:
Synchronization of the local user database to standby devices can take more than 5 minutes.

Conditions:
High availability (HA) setup
 - add a local db user in the active device
 - Wait for it to get synced to the standby device
 - Sometimes the sync may not happen in 5 minutes.

Impact:
Changes to the local user database may take several minutes to reach the standby devices.

Workaround:
None.

Fixed Versions:
14.1.4.5, 15.1.5


942701-2 : TMM may consume excessive resources while processing HTTP traffic

Links to More Info: K35408374, BT942701


942581-1 : Timestamp cookies do not work with hardware accelerated flows

Links to More Info: BT942581

Component: Advanced Firewall Manager

Symptoms:
Time stamp cookies and hardware accelerated flows are mutually exclusive.

Conditions:
Time stamp cookie enabled for TCP flows on a VLAN with hardware offload enabled as well.

Impact:
Reduced traffic throughput and increased CPU usage

Fix:
FPGA and software enhancements allow hardware acceleration of TCP flows that have timestamp cookies enabled.

Fixed Versions:
15.1.2


942549-2 : Dataplane INOPERABLE - Only 7 HSBs found. Expected 8

Links to More Info: BT942549

Component: TMOS

Symptoms:
During boot of an i15xxx system you see the message:

Dataplane INOPERABLE - Only 7 HSBs found. Expected 8

Conditions:
This issue can occur on any i15xxx device, although some devices exhibit the failure consistently and others never exhibit the issue.

Impact:
When this failure occurs in a system, the system is inoperable.

Workaround:
In order to workaround this issue, the system must be updated to install a script that is capable of resetting the hardware device during the HSB load process.

If it's not possible to install an EHF with the updated script or a version of BIG-IP with the fix, then it can be installed manually by providing the fw_update_post.init file and replacing it in /etc/init.d/fw_update_post. It is recommended that the existing fw_update_post is backed-up and this is only done in cases where the EHF or a fixed version of BIG-IP cannot be installed.

Fix:
A 'Dataplane INOPERABLE - Only 7 HSBs found. Expected 8' condition caused by a PCIE linking failure is resolved by an updated HSB load script which correctly resets BIG-IP i15xxx system hardware during boot.

Persistent 'Dataplane INOPERABLE' messages, after this fix is installed, indicate an unrelated failure.

Fixed Versions:
14.1.4.4, 15.1.4.1


942497-1 : Declarative onboarding unable to download and install RPM

Links to More Info: BT942497

Component: TMOS

Symptoms:
Installation of declarative onboarding RPM fails.

Conditions:
Use of icontrollx_package_urls in tmos_declared block to download/install RPMs via a URL.

Impact:
RPMs cannot be downloaded for declarative onboarding where RPMs are referenced via URL.

Workaround:
RPMs must be installed manually.

Fix:
The installation directory was updated to fix the RPM installation issue.

Fixed Versions:
15.1.2.1, 16.0.1.1


942185-2 : Non-mirrored persistence records may accumulate over time

Links to More Info: BT942185

Component: Local Traffic Manager

Symptoms:
Persistence records accumulate over time due to expiration process not reliably taking effect. The 'persist' memory type grows over time.

Conditions:
-- Non-cookie, non-mirrored persistence configured.
-- No high availability (HA) configured or HA connection permanently down.
-- Traffic that activates persistence is occurring.

Impact:
Memory pressure eventually impacts servicing of traffic in a variety of ways. Aggressive sweeper runs and terminates active connections. TMM may restart. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Persistence records are now reliably expired at the appropriate time.

Fixed Versions:
15.1.4, 16.0.1.2


941929-2 : Google Analytics shows incorrect stats, when Google link is redirected.

Links to More Info: BT941929

Component: Application Security Manager

Symptoms:
When the server responds with a redirect, the ASM challenge makes Google Analytics statistics appear as 'Direct' instead of 'Organic'.

Conditions:
-- The server responds to a link from Google with a redirect.

-- Bot defense profile or DoS Application profile attached to a virtual server with challenge mitigation enabled.

Impact:
Incorrect data is displayed in the Google Analytics dashboard.

Workaround:
None

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


941893-3 : VE performance tests in Azure causes loss of connectivity to objects in configuration

Links to More Info: BT941893

Component: TMOS

Symptoms:
When performance tests are run on BIG-IP Virtual Edition (VE) in Microsoft Azure, the BIG-IP system loses all connectivity to the pools, virtual servers, and management address. It remains unresponsive until it is rebooted from the Azure console.

Conditions:
Running performance tests of VE in Azure.

Impact:
The GUI becomes unresponsive during performance testing. VE is unusable and must be rebooted from the Azure console.

Workaround:
Reboot from the Azure console to restore functionality.

Fixed Versions:
15.1.4


941853-1 : Logging Profiles do not disassociate from virtual server when multiple changes are made

Links to More Info: BT941853

Component: Application Security Manager

Symptoms:
When multiple Logging Profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.

Conditions:
Multiple Logging Profile changes are made in a single update.

Impact:
The previous Logging Profiles are not disassociated from the virtual server.

Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2, 16.0.1.1


941649-2 : Local File Inclusion Vulnerability

Links to More Info: K63163637, BT941649


941625-1 : BD sometimes encounters errors related to TS cookie building

Links to More Info: BT941625

Component: Application Security Manager

Symptoms:
BD sometimes logs errors related to TS cookie building when it receives ASM cookies carrying an account_id:

-- BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040.

-- IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.

Conditions:
-- Cookie protection is enabled.
-- The BIG-IP software is upgraded from a version that was earlier than 15.1.x.

Impact:
The cookie is not built and an error is logged.

Workaround:
None.

Fixed Versions:
15.1.4, 16.1.1


941621-2 : Brute Force breaks server's Post-Redirect-Get flow

Links to More Info: K91414704, BT941621

Component: Application Security Manager

Symptoms:
Brute Force breaks server's Post-Redirect-Get flow

Conditions:
ASM policy is attached to VS
Brute force protection is enabled.
CSI challenge or Captcha are in use.
Server implements Post-Redirect-Get flow.

Impact:
Brute Force breaks server's Post-Redirect-Get flow

Workaround:
None

Fix:
Brute force mitigations now support the Post-Redirect-Get (PRG) mechanism.

Fixed Versions:
13.1.4, 14.1.4, 15.1.3, 16.0.1.1


941481-2 : iRules LX - nodejs processes consuming excessive memory

Links to More Info: BT941481

Component: Local Traffic Manager

Symptoms:
iRule LX nodejs processes can leak memory. The iRule LX plugin nodejs processes memory usage climbs over time and does not return to prior levels.

You can check the iRule LX plugin's memory usage with the command:

tmsh show ilx plugin <PLUGIN_NAME>

and reading the 'Memory (bytes)' section of the output:

Memory (bytes)
  Total Virtual Size 946.8M
  Resident Set Size 14.5K

Conditions:
-- iRulesLX in use.

Impact:
iRule LX nodejs processes memory usage keeps growing.
The unbounded memory growth can eventually impact other Linux host daemons.

Workaround:
Restart the iRule LX plugin that is leaking memory:

tmsh restart ilx plugin <PLUGIN_NAME>

Fixed Versions:
14.1.4.4, 15.1.4


941449-2 : BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993

Links to More Info: K55237223, BT941449


941257-1 : Occasional Nitrox3 ZIP engine hang

Links to More Info: BT941257

Component: Local Traffic Manager

Symptoms:
Occasionally the Nitrox3 ZIP engine hangs.

In /var/log/ltm:
 
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.

Conditions:
BIG-IP appliance that uses the Nitrox 3 hardware compression chip: 5xxx, 7xxx, 12250 and B2250.

You can check if your platform has the nitrox3 by running the following command:

tmctl -w 200 compress -s provider

provider
--------
bzip2
lzo
nitrox3 <--------
zlib

Impact:
The Nitrox3 hardware compression system becomes unavailable and the compression mode switches to software compression. This can lead to high CPU usage.

Workaround:
Disable http compression

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4


941249-2 : Improvement to getcrc tool to print cookie names when cookie attributes are involved

Links to More Info: BT941249

Component: Application Security Manager

Symptoms:
The getcrc tool reports an incorrect ASM cookie name when the path and/or domain cookie attributes are present in the server response.

Conditions:
The domain and/or path cookie attributes are present in the server response.

Impact:
The displayed ASM cookie name is incorrect.

Workaround:
None

Fix:
Options were added to the getcrc tool so that it accounts for the path and domain cookie attributes.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2


941169-4 : Subscriber Management is not working properly with IPv6 prefix flows.

Links to More Info: BT941169

Component: Policy Enforcement Manager

Symptoms:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted.

Conditions:
When IPv6 prefix flows are configured on PEM (i.e., sys db variable tmm.pem.session.ipv6.prefix.len is configured with a value other than 128).

Impact:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted. Resources are not released from the system.

Workaround:
None.

Fixed Versions:
14.1.4, 15.1.2.1


941089-3 : TMM core when using Multipath TCP

Links to More Info: BT941089

Component: Local Traffic Manager

Symptoms:
In some cases, TMM might crash when processing MPTCP traffic.

Conditions:
A TCP profile with 'Multipath TCP' enabled is attached to a virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround other than to disable MPTCP.

Fix:
TMM no longer produces a core.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.2


940897-3 : Violations are detected for incorrect parameter in case of "Maximum Array/Object Elements" is reached

Links to More Info: BT940897

Component: Application Security Manager

Symptoms:
False positive violations are reported for the wrong parameter when the "Maximum Array/Object Elements" limit is reached and "Parse Parameters" is enabled.

Conditions:
"JSON data does not comply with format settings" and "Illegal meta character in value" violations are enabled and content profile parsing is enabled in ASM.

Impact:
False positives are reported, such as an "Illegal meta character in value" violation, or an attack signature matched in the wrong context.

Workaround:
N/A

Fix:
False positives are no longer reported.

Fixed Versions:
12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1


940885-2 : Add embedded SR-IOV support for Mellanox CX5 Ex adapter

Links to More Info: BT940885

Component: TMOS

Symptoms:
The BIG-IP tmm embedded SR-IOV network driver does not support the Mellanox CX5 Ex adapter.

Conditions:
A BIG-IP Virtual Edition system configured to use one or more Mellanox CX5 Ex adapters in SR-IOV mode.

Impact:
Systems using a CX5 Ex adapter will have to use the sock driver rather than the Mellanox driver.

Fix:
Added the CX5 Ex device ID to the BIG-IP's Mellanox SR-IOV driver so that it can be used with that adapter.

Fixed Versions:
14.1.4.4, 15.1.4.1


940665-1 : DTLS 1.0 support for PFS ciphers

Links to More Info: BT940665

Component: Local Traffic Manager

Symptoms:
When DTLS 1.0 is used, the following two PFS ciphers are no longer negotiated and cannot be used in a DTLS handshake or connection:

* ECDHE-RSA-AES128-CBC-SHA
* ECDHE-RSA-AES256-CBC-SHA

Conditions:
DTLS 1.0 is configured in an SSL profile.

Impact:
ECDHE-RSA-AES128-CBC-SHA and ECDHE-RSA-AES256-CBC-SHA are unavailable.

Fixed Versions:
15.1.4, 16.0.1.2


940401-2 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'

Links to More Info: BT940401

Component: Fraud Protection Services

Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.

Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.

Impact:
The GUI implies that iOS jailbreak detection is supported, which it is not.

Workaround:
None.

Fix:
Section now reads 'Rooting Detection'.

Fixed Versions:
12.1.5.3, 13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1


940317-4 : CVE-2020-13692: PostgreSQL JDBC Driver vulnerability

Links to More Info: K23157312, BT940317


940261-3 : Support IPS package downloads via HTTP proxy.

Links to More Info: BT940261

Component: Protocol Inspection

Symptoms:
IPS package download via HTTP proxy does not work.

2021-08-31 16:59:59,793 WARNING Download file failed. Retrying.
--
The error repeats continuously.

Conditions:
-- The system HTTP proxy ('sys management-proxy-config') is configured
-- An IPS download is triggered

Impact:
The IPS IM package fails to download.

Workaround:
No workaround.

Fix:
IPS package downloads can now be successfully performed through an HTTP proxy.

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.2


940249-2 : Sensitive data is not masked after "Maximum Array/Object Elements" is reached

Links to More Info: BT940249

Component: Application Security Manager

Symptoms:
If "Maximum Array/Object Elements" is reached and "JSON data does not comply with format settings" is detected, then sensitive data after the last allowed element is not masked.

Conditions:
A JSON profile is defined, "JSON data does not comply with format settings" is set to blocking, and "Maximum Array/Object Elements" is set to a value that the request exceeds.

Impact:
Data after the last allowed element is not masked.

Fix:
Now the values are masked.

Fixed Versions:
11.6.5.3, 12.1.6, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1
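
The failure mode of this entry, as an added example that is not F5 code: a small JSON inspection that records the element-limit violation but keeps masking to the end of the document, next to a model of the defect in which masking and the element count share one walk, so everything after the last allowed element is logged in clear. The request body and the list of sensitive parameter names are constructed; "Maximum Array/Object Elements" is assumed here to bound the number of direct children of any single array or object; function names are this example's own.

```python
import json

# Parameter names treated as sensitive for masking (illustrative list, not ASM's).
SENSITIVE_KEYS = {"password", "ssn", "card_number"}
MASK = "********"

# Constructed request body (not real traffic). The sensitive fields come after a
# 6-element array, so a per-container limit of 5 is exceeded before they are reached.
SAMPLE_BODY = json.dumps({
    "items": [{"id": i} for i in range(6)],
    "user": "alice",
    "password": "hunter2",
    "profile": {"ssn": "123-45-6789", "nick": "al"},
})


def largest_container(node):
    """Largest number of direct children in any array or object of the document."""
    if isinstance(node, dict):
        return max([len(node)] + [largest_container(v) for v in node.values()])
    if isinstance(node, list):
        return max([len(node)] + [largest_container(v) for v in node])
    return 0


def mask(node, key=None):
    """Mask every value whose key is sensitive, over the whole document."""
    if isinstance(node, dict):
        return {k: mask(v, k) for k, v in node.items()}
    if isinstance(node, list):
        return [mask(v, key) for v in node]
    return MASK if key is not None and key.lower() in SENSITIVE_KEYS else node


def inspect_body(body, max_elements):
    """Return (violations, masked_document).

    The element-limit violation is recorded for the policy to act on, but masking
    is done over the full document regardless, so nothing sensitive reaches the log."""
    doc = json.loads(body)
    violations = []
    biggest = largest_container(doc)
    if biggest > max_elements:
        violations.append("JSON data does not comply with format settings: "
                          f"{biggest} elements > {max_elements}")
    return violations, mask(doc)


def _mask_until_budget(node, budget, seen, key=None):
    # Walks in document order and stops masking once 'budget' elements were visited.
    if isinstance(node, dict):
        out = {}
        for k, v in node.items():
            seen[0] += 1
            out[k] = v if seen[0] > budget else _mask_until_budget(v, budget, seen, k)
        return out
    if isinstance(node, list):
        out = []
        for v in node:
            seen[0] += 1
            out.append(v if seen[0] > budget else _mask_until_budget(v, budget, seen, key))
        return out
    return MASK if key is not None and key.lower() in SENSITIVE_KEYS else node


def defective_mask(body, max_elements):
    """Model of the defect: masking rides on the same walk that counts elements,
    so values after the last allowed element are returned unmasked."""
    return _mask_until_budget(json.loads(body), max_elements, [0])
```

With a limit of 5, inspect_body() reports one violation and still masks "password" and "profile.ssn", while defective_mask() returns both in clear; raising the limit above the array size makes the two agree, which is why the original problem only appeared once the limit was hit.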


940209 : Chunked responses with congested client connection may result in server-side TCP connections hanging until timeout.

Links to More Info: BT940209

Component: Local Traffic Manager

Symptoms:
When an HTTP/2 profile is configured on the client side, chunked responses are always sent unchunked. When the connection to a client is congested, the BIG-IP system may not properly close established server-side connections, causing subsequent HTTP/2 requests to stall.

Conditions:
-- A virtual server with an HTTP/2 profile configured on the client side.
-- A server responds with a chunked response.

Impact:
HTTP/2 requests intermittently stall due to the existing server-side TCP connection remaining open.

Workaround:
Configure an HTTP profile on the client side with a value of 'unchunk' on the response-chunking option.

Fix:
HTTP/2 requests no longer stall, as the server side TCP connection is properly closed.

Fixed Versions:
14.1.4, 15.1.2


940185-2 : icrd_child may consume excessive resources while processing REST requests

Links to More Info: K11742742, BT940185


940177-1 : Certificate instances tab shows incorrect number of instances in certain conditions

Links to More Info: BT940177

Component: TMOS

Symptoms:
The SSL Certificate instances tab shows an incorrect number of instances when the Cert name and the Key name match. This does not occur when the cert and key are different names.

Conditions:
-- SSL certificate and key names match
-- Viewing the SSL certificate list in the GUI

Impact:
All custom SSL profiles are listed, when only the instances that actually use the ca-bundle certificate are expected.

Fix:
The correct number of instances of certificates is now displayed.

Fixed Versions:
15.1.5


940021-3 : Syslog-ng hang may lead to unexpected reboot

Links to More Info: BT940021

Component: TMOS

Symptoms:
A syslog-ng issue with remote logging to an invalid remote syslog server may lead to an unexpected reboot.

The BIG-IP system may reboot unexpectedly after a host watchdog timeout when syslog-ng hangs.

Logs that pass through syslog-ng are no longer written, while logging that does not go through syslog-ng continues unaffected.
The hang starts at the time of the last 'Syslog connection broken' message in /var/log/messages before the reboot.
That message appears without a preceding 'Syslog connection established' message carrying the same timestamp.

At this point syslog-ng typically spins, using close to 100% of a single core (not all CPU capacity on the system).

The rest of the system typically appears fine, with adequate CPU and memory.
Hours or days later the performance graphs show a gap, usually tens of minutes to hours long, before the unexpected reboot.

Post-reboot logs (/var/log/sel on iSeries platforms, otherwise the ltm log) show that this was a host watchdog reboot.
After the reboot the system runs correctly, but if the syslog-ng remote server was invalid, that condition remains.

Conditions:
Invalid syslog-ng server configuration, or a broken connection from the BIG-IP system toward the configured remote syslog server.

A server is configured as a remote syslog destination on the BIG-IP system, but it (or an intervening system) responds to the stream of log messages by breaking the connection, e.g. by sending ICMP port unreachable to the BIG-IP system.

Syslog-ng logs the connection attempt and the broken connection, usually within the same second, and does so every 60 seconds when it retries.
There may be many of these log pairs repeating every minute in /var/log/messages, such as:

  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
  Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'

The final log entry is a broken-connection message only, usually one minute after the last established/broken pair:

  Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'

Impact:
Very rarely syslog-ng hangs in a non-functional state. Sometimes, this may lead to an unexpected reboot of BIG-IP. Loss of logs before restart and traffic disrupted while BIG-IP restarts.

Workaround:
Ensure syslog-ng server configuration is valid, and that the server is reachable.

Fix:
Fixed an issue with syslog-ng hang occasionally causing a system restart.

This fix is not a complete fix. You will still need to remove unused syslog-ng servers from the BIG-IP configuration.

ID 1040277 tracks the remaining issue.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
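
The log signature described above, turned into detection logic as an added example (not F5 code): it parses syslog-ng connection events from /var/log/messages lines, counts the normal established/broken retry pairs that share a timestamp, and flags a 'broken' message with no matching 'established', the point at which the hang begins. The sample lines are constructed in the format shown in the Conditions; the regular expression and function names are this example's own.

```python
import re

# Constructed /var/log/messages excerpt (not a real capture): three retry pairs one
# minute apart, an unrelated sshd line, then the lone 'broken' message marking the hang.
SAMPLE_MESSAGES = """\
Nov 25 03:12:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:12:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Nov 25 03:13:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:13:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Nov 25 03:13:37 localhost.localdomain info sshd[2001]: Accepted publickey for admin from 10.0.0.9 port 51022 ssh2
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection established; fd='14', server='AF_INET(192.168.1.1:514)', local='AF_INET(0.0.0.0:0)'
Nov 25 03:14:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
Nov 25 03:15:01 localhost.localdomain notice syslog-ng[12452]: Syslog connection broken; fd='14', server='AF_INET(192.168.1.1:514)', time_reopen='60'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \w+ syslog-ng\[\d+\]: "
    r"Syslog connection (?P<event>established|broken); fd='(?P<fd>\d+)', "
    r"server='(?P<server>[^']+)'"
)


def parse_events(lines):
    """Yield syslog-ng connection events; all other log lines are ignored."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_hang_candidates(lines):
    """Return (retry_pairs, lone_broken).

    retry_pairs counts an 'established' followed by a 'broken' for the same fd/server
    with the same timestamp (the normal 60-second retry loop). lone_broken lists the
    'broken' messages with no such preceding 'established'."""
    pending = {}          # (fd, server) -> timestamp of the last unmatched 'established'
    pairs, lone = 0, []
    for ev in parse_events(lines):
        key = (ev["fd"], ev["server"])
        if ev["event"] == "established":
            pending[key] = ev["ts"]
        elif pending.pop(key, None) == ev["ts"]:
            pairs += 1
        else:
            lone.append(ev)
    return pairs, lone


def report(lines):
    """Human-readable summary, one line per suspected hang point."""
    pairs, lone = find_hang_candidates(lines)
    out = [f"{pairs} established/broken retry pair(s) seen"]
    for ev in lone:
        out.append(f"{ev['ts']}: connection to {ev['server']} (fd {ev['fd']}) broken with no "
                   "matching 'established'; possible syslog-ng hang, check the remote destination")
    return out
```

Feeding the real file is `report(open("/var/log/messages"))`; a hit is a reason to check the remote destination named in the message (and, until ID 1040277 is also fixed, to remove unused remote syslog servers) before the watchdog does it for you.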


939961-2 : TCP connection is closed when necessary after HTTP::respond iRule.

Links to More Info: BT939961

Component: Local Traffic Manager

Symptoms:
After an HTTP::respond iRule command sends a response with a "Connection: close" header to the client, the TCP connection is not closed.

Conditions:
- TCP profile is used.
- HTTP profile is used.
- The HTTP::respond iRule command is used (in HTTP_RESPONSE).
- The response includes a "Connection: close" header.

Impact:
The TCP connection lives longer than necessary.

Workaround:
N/A

Fix:
TCP connection is closed when necessary after responding with HTTP::respond iRule.

Fixed Versions:
15.1.2, 16.0.1.2


939877-1 : OAuth refresh token not found

Links to More Info: BT939877

Component: Access Policy Manager

Symptoms:
When an OAuth client sends a refresh token to renew the access token, BIG-IP reports an error:

err tmm[13354]: 01990004:3: /Common/my_OAuth_v1:Common: Request Refresh Token from Source ID ... failed. Error Code (id_not_found) Error Description (The refresh token is not found)

Conditions:
-- The refresh token expiration interval is longer than those of the authorization code and access token.
-- The authorization code table entry no longer exists because of an internal clearing/purging operation.
-- tmm restarts or fails over to the standby, losing the refresh-token value from the primary database.

Impact:
OAuth APM client end user fails to renew the access token even with a valid refresh token.

Workaround:
Clear/reset the Authorization code column value manually:

As root, run the following in the BIG-IP tmsh shell:
(tmos)# list apm oauth db-instance
apm oauth db-instance oauthdb { db-name <db_name> description "Default OAuth DB." }

Copy the value corresponding to <db_name>.

Log into mysql from the bash prompt:
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw)

mysql> use <db_name>;

mysql> update master set auth_code = NULL where refresh_token='affected_refresh_token_id';

(Substitute the affected refresh token ID for affected_refresh_token_id in the previous command.)

Fix:
The system no longer reports an error when the authorization code does not exist but a valid refresh token/access token does.

Fixed Versions:
14.1.4.4, 15.1.4, 16.1.2


939845-2 : BIG-IP MPTCP vulnerability CVE-2021-23004

Links to More Info: K31025212, BT939845


939841-2 : BIG-IP MPTCP vulnerability CVE-2021-23003

Links to More Info: K43470422, BT939841


939541-2 : TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE

Links to More Info: BT939541

Component: TMOS

Symptoms:
TMM may prematurely shut down (during its initialization) when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):
MCP connection aborted, exiting.

Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with many TMMs (more than 20 in most cases) and several interfaces (approximately 8 or more).

Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.

Workaround:
None.

Fix:
TMM no longer shuts down prematurely during initialization.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1


939529-2 : Branch parameter not parsed properly when topmost via header received with comma separated values

Links to More Info: BT939529

Component: Service Provider

Symptoms:
MRF SIP in load-balancing operation mode inserts a Via header into SIP request messages and removes it from the returned response message. The Via header carries encrypted routing information used to route the response. The SIP specification requires that an INVITE and the CANCEL that cancels it carry the same branch parameter in the topmost Via header, but the code that encrypts the branch field returned a different branch ID for INVITE and CANCEL messages.

Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.

Impact:
Some SIP clients verify the branch parameter in the Via header and expect it to be the same for the INVITE and CANCEL of a dialog. Because the received branch differs, these clients cannot identify the INVITE transaction being cancelled, and answer the CANCEL with a 481 error:

SIP/2.0 481 Call/Transaction Does Not Exist.

Workaround:
Use an iRule to remove the topmost Via header and add a new Via header that carries the same branch for the INVITE and its CANCEL before sending messages to SIP clients.

Fix:
The BIG-IP system now ensures that the branch parameter in the inserted Via header is the same for INVITE and CANCEL messages.

Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.4, 15.1.2.1, 16.0.1.1
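
The two pieces of the entry above, as an added example that is not F5 code: a Via parser that handles a topmost Via line carrying several comma-separated values (RFC 3261 section 7.3.1) as well as repeated Via lines, the RFC 3261 section 9.1 check that a CANCEL's topmost branch equals its INVITE's, and a proxy-side branch derivation that depends only on the transaction identity (Call-ID, From tag, CSeq number, incoming topmost branch) and not on the method, so an inserted Via gets the same branch on the INVITE and its CANCEL. The SIP messages are constructed; the HMAC key and the exact derivation are this example's own illustration, not the BIG-IP's routing encryption.

```python
import hashlib
import hmac
import re

MAGIC = "z9hG4bK"  # RFC 3261 branch cookie

# Constructed SIP messages (not a capture). The topmost Via line carries two
# comma-separated values, the form named in the Conditions above.
INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP proxy1.example.com;branch=z9hG4bKp1a, "
    "SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bKc1\r\n"
    "Via: SIP/2.0/UDP edge.example.com;branch=z9hG4bKedge\r\n"
    "From: <sip:alice@example.com>;tag=a1\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: call-123@10.0.0.5\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
# A CANCEL differs from its INVITE only in the method (request line and CSeq).
CANCEL = INVITE.replace("INVITE sip:bob", "CANCEL sip:bob").replace("CSeq: 1 INVITE", "CSeq: 1 CANCEL")


def parse_headers(msg):
    """Return (request_line, [(lowercased_name, value), ...]) keeping order and repeats."""
    head = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return head[0], headers


def via_values(headers):
    """Flatten Via headers into single values; the first value of the first Via
    line is the topmost Via. Commas inside quoted strings do not split."""
    values = []
    for name, value in headers:
        if name in ("via", "v"):
            parts = re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', value)
            values.extend(p.strip() for p in parts if p.strip())
    return values


def branch_of(via_value):
    for param in via_value.split(";")[1:]:
        k, _, v = param.strip().partition("=")
        if k.lower() == "branch":
            return v
    return None


def top_branch(msg):
    _, headers = parse_headers(msg)
    vias = via_values(headers)
    return branch_of(vias[0]) if vias else None


def header(headers, name):
    return next((v for n, v in headers if n == name), None)


def proxy_branch(msg, key):
    """Branch for a Via that a proxy inserts: an HMAC over the transaction identity
    (Call-ID, From tag, CSeq number, topmost incoming branch). The method is left
    out on purpose so INVITE and CANCEL derive the same value. 'key' stands in for
    whatever per-device secret a real proxy would use (assumption)."""
    _, headers = parse_headers(msg)
    cseq_num = header(headers, "cseq").split()[0]
    from_tag = re.search(r";tag=([^;]+)", header(headers, "from")).group(1)
    material = "|".join([header(headers, "call-id"), from_tag, cseq_num, top_branch(msg) or ""])
    digest = hmac.new(key, material.encode(), hashlib.sha256).hexdigest()[:24]
    return MAGIC + digest


def cancel_matches_invite(invite, cancel):
    """RFC 3261 section 9.1: a CANCEL's topmost Via branch must equal the INVITE's."""
    return top_branch(invite) == top_branch(cancel)
```

Keying the branch on the method (or on a per-message nonce) is what breaks matching: the client compares the CANCEL's topmost branch with the INVITE it holds and, finding no match, returns the 481 shown above.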


939421-2 : CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow

Links to More Info: K38481791, BT939421


939085-2 : /config/ssl/ssl.csr directory disappears after creating certificate archive

Links to More Info: BT939085

Component: Local Traffic Manager

Symptoms:
Creating a certificate archive removes the /config/ssl/ssl.csr directory.

Conditions:
This occurs while creating a certificate archive.

Impact:
The missing /config/ssl/ssl.csr directory causes the Integrity Check to fail intermittently.

Workaround:
Recreate /config/ssl/ssl.csr directory and set correct file permissions:

mkdir /config/ssl/ssl.csr
chmod 755 /config/ssl/ssl.csr/
chcon -R --reference=/config/ssl/ssl.crt/ /config/ssl/ssl.csr

Fix:
The ssl.csr directory is no longer deleted on archive creation.

Fixed Versions:
14.1.4.6, 15.1.5.1


938233-2 : An unspecified traffic pattern can lead to high memory accumulation and high CPU utilization

Links to More Info: K93231374


938165-1 : TMM Core after attempted update of IP geolocation database file

Links to More Info: BT938165

Component: Advanced Firewall Manager

Symptoms:
TMM crashes while running traffic that uses AFM Firewall policies.

Conditions:
-- Update IP geolocation database file to the latest version.
-- Configure AFM policies with logging enabled.
-- Run traffic which hits the AFM policies and triggers logging.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Revert to using the previously working version of the IP-geolocation file.

For more information, see K11176: Downloading and installing updates to the IP geolocation database :: https://support.f5.com/csp/article/K11176#restore.

Fix:
The BIG-IP system now validates the region/country strings returned by the geolocation database for IP addresses used in the traffic.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1


938149-1 : Port Block Update log message is missing the "Start time" field

Links to More Info: BT938149

Component: Advanced Firewall Manager

Symptoms:
Port Block Update log message is missing the "Start time" field.

Conditions:
-- Configure PBA mode in AFMNAT/CGNAT with subscriber awareness.
-- Trigger PBA Update log messages with a change in subscriber name for the same client IP address.

Impact:
NAT log information is not usable for accounting purposes.

Fix:
Set the "start time" and "duration" log fields for all types of PBA log messages.

Fixed Versions:
14.1.2.1, 15.1.2, 16.0.1.1


937769-2 : SSL connection mirroring failure on standby with sslv2 records

Links to More Info: BT937769

Component: Local Traffic Manager

Symptoms:
The standby device in a TLS/SSL connection-mirroring configuration does not handle SSLv2 records correctly.

Conditions:
SSLv2 records processed by standby high availability (HA) device.

Impact:
The standby device fails the handshake while the active device finishes it, resulting in a non-mirrored connection.

Fix:
Standby SSL connection mirroring now handles SSLv2 records correctly.

Fixed Versions:
15.1.5.1


937749-3 : The 'total port blocks' value for NAT stats is limited to 64 bits of range

Links to More Info: BT937749

Component: Advanced Firewall Manager

Symptoms:
The 'total port blocks' value, which can be found in PBA 'tmctl' tables, 'tmsh show', and SNMP, is limited to 64 bits of range. The upper 64 bits of the value are not taken into account.

Conditions:
This always occurs, but affects only systems whose configuration makes the 'total port blocks' value exceed 64 bits of range.

Impact:
Incorrect statistics.

Workaround:
None.

Note: For those who really need this value, it is still possible to manually calculate it, but that is not a true workaround.

Fixed Versions:
15.1.3


937637-3 : BIG-IP APM VPN vulnerability CVE-2021-23002

Links to More Info: K71891773, BT937637


937365-2 : LTM UI does not follow best practices

Links to More Info: K42526507, BT937365


937333-2 : Incomplete validation of input in unspecified forms

Links to More Info: K29500533, BT937333


937281-3 : SSL Orchestrator pool members are limited to 20 with Standalone license

Links to More Info: BT937281

Component: SSL Orchestrator

Symptoms:
BIG-IP limits the SSL Orchestrator Standalone license to only allow six pool members.

Conditions:
-- SSL Orchestrator add-on license is installed

Impact:
You are only able to configure six pool members in SSLO.

Workaround:
None.

Fix:
BIG-IP supports up to 20 pool members (up from 6) with the SSL Orchestrator standalone license.

Fixed Versions:
15.1.1, 16.0.0.1


936773-2 : Improve logging for "double flow removal" TMM Oops

Links to More Info: BT936773

Component: Local Traffic Manager

Symptoms:
/var/log/tmm contains this entry
notice Oops @ 0x286feeb:1127: double flow removal

Conditions:
The conditions under which this message is logged are unknown or may vary. This item is for logging the flow tuple and virtual server name to aid in diagnosing the cause.

Impact:
None

Fixed Versions:
14.1.4.4, 15.1.4.1


936557-2 : Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled.

Links to More Info: BT936557

Component: Local Traffic Manager

Symptoms:
As the BIG-IP system attempts to open a TCP connection to a server-side object (e.g., a pool member), retransmissions of the initial SYN segment incorrectly use a non-zero acknowledgement number.

Conditions:
This issue occurs when the following conditions are true:

-- Standard TCP virtual server.

-- TCP profile with Verified Accept enabled.

-- Receipt of the client's ACK (as part of the client-side TCP 3-way handshake) is delayed. Due to Verified Accept being enabled, this delay causes the BIG-IP system to retransmit its SYN to the server until the client's ACK is received.

Impact:
Depending on the specific server implementation, or the security devices present on the BIG-IP system's server-side before the server, a SYN containing a non-zero acknowledgement number may be rejected. In turn, this may cause connections to fail to establish.

Workaround:
If compatible with your application and specific needs, you can work around this issue by disabling Verified Accept in the TCP profile.

Fix:
SYN segment retransmissions now correctly use 0 as the acknowledgement number.

Fixed Versions:
13.1.5, 14.1.4.5, 15.1.4.1
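
Added example, not F5 code: a small check over parsed TCP headers that flags the anomaly described above (a SYN without the ACK flag carrying a non-zero acknowledgement number), the kind of test one might run over a server-side capture to confirm this issue. The sample segments are constructed inline.

```python
import struct

# TCP flag bits (low 9 bits of the data-offset/flags word, RFC 793 / RFC 3168)
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header (no options, zero checksum).
    Used here only to construct sample segments for the check below."""
    off_flags = (5 << 12) | (flags & 0x1FF)   # data offset 5 words + flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags,
                       window, 0, 0)


def parse_tcp_header(segment):
    """Parse the fixed part of a TCP header into a dict."""
    if len(segment) < 20:
        raise ValueError("TCP header too short")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "data_offset": (off_flags >> 12) * 4,
        "window": window,
    }


def is_syn_with_nonzero_ack(segment):
    """True for the anomaly: SYN set, ACK flag clear, ack number != 0.
    Without the ACK flag the acknowledgement field is not significant and
    should be zero; strict servers or middleboxes may reject the segment."""
    h = parse_tcp_header(segment)
    syn_only = bool(h["flags"] & TCP_FLAG_SYN) and not (h["flags"] & TCP_FLAG_ACK)
    return syn_only and h["ack"] != 0


def find_anomalous_syns(segments):
    """Return the indexes of segments in a capture that show the anomaly."""
    return [i for i, s in enumerate(segments) if is_syn_with_nonzero_ack(s)]


# Constructed server-side exchange: the initial SYN is correct, the
# retransmission carries a stale non-zero ack number (the bug), and the
# final ACK legitimately has the ACK flag set with a non-zero ack number.
SAMPLE_SEGMENTS = [
    build_tcp_header(40000, 80, seq=1000, ack=0, flags=TCP_FLAG_SYN),
    build_tcp_header(40000, 80, seq=1000, ack=0x1234ABCD, flags=TCP_FLAG_SYN),
    build_tcp_header(40000, 80, seq=1001, ack=5001, flags=TCP_FLAG_ACK),
]

if __name__ == "__main__":
    print("anomalous SYN indexes:", find_anomalous_syns(SAMPLE_SEGMENTS))
```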


936441-2 : Nitrox5 SDK driver logging messages

Links to More Info: BT936441

Component: Local Traffic Manager

Symptoms:
The system kernel started spontaneously logging messages at an extremely high rate (~3000 per second):

Warning kernel: EMU(3)_INT: 0x0000000000000020
warning kernel: sum_sbe: 0
warning kernel: sum_dbe: 0
warning kernel: sum_wd: 0
warning kernel: sum_gi: 0
warning kernel: sum_ge: 0
warning kernel: sum_uc: 1

The above set of messages seems to be logged at about 2900-3000 times a second.

These messages continue after TMM fails its heartbeat and is killed. The system is rebooted by the host watchdog.

Conditions:
These messages are triggered by the Nitrox5 driver when EMU microcode cache errors are corrected by hardware.

Impact:
High rate of logging messages. The tmm heartbeat eventually fails, and tmm is restarted. Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
15.1.5.1, 16.1.2.2


936125-2 : SNMP request times out after configuring IPv6 trap destination

Links to More Info: BT936125

Component: TMOS

Symptoms:
SNMP requests time out.

Conditions:
This issue occurs with TMOS version 15.1.0.4 or later after an IPv6 trap destination is configured.

Impact:
No response is returned for SNMP request.

Workaround:
Restart SNMP daemon by running the following TMSH command:

restart sys service snmpd

Fix:
N/A

Fixed Versions:
15.1.3, 16.0.1.1


935801-4 : HSB diagnostics are not provided under certain types of failures

Links to More Info: BT935801

Component: TMOS

Symptoms:
In rare cases where the HSB detects an error and triggers a high-availability (HA) failover, HSB-specific diagnostic data is not provided.

An example is XLMAC errors, which can be seen in the TMM logs:

<13> Jul 25 18:49:41 notice The number of the HSB XLMAC recovery operation 11 or fcs failover count 0 reached threshold 11 on bus: 3.
<13> Jul 25 18:49:41 notice high availability (HA) failover action is triggered due to XLMAC/FCS erros on HSB1 on bus 3.

Conditions:
The HSB detects an internal error.

Impact:
There is less HSB data for analysis when an internal HSB error occurs.

Workaround:
None.

Fix:
Dump HSB registers on all HSB-initiated high-availability (HA) failovers.

Fixed Versions:
14.1.4.5, 15.1.2


935721-5 : ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

Links to More Info: K82252291, BT935721


935593-4 : Incorrect SYN re-transmission handling with FastL4 timestamp rewrite

Links to More Info: BT935593

Component: Local Traffic Manager

Symptoms:
FastL4 profiles configured with the TCP timestamp rewrite option enabled do not handle retransmitted SYNs correctly.

Conditions:
FastL4 profile with TCP timestamp rewrite option is in use.

Impact:
Timestamp on some TCP packets sent by BIG-IP systems might be incorrect.

Workaround:
Do not use TCP timestamp rewrite.

Fixed Versions:
13.1.5, 14.1.3.1, 15.1.2, 16.0.1.1


935433-2 : iControl SOAP

Links to More Info: K53854428, BT935433


935401-2 : BIG-IP Advanced WAF and ASM iControl REST vulnerability CVE-2021-23001

Links to More Info: K06440657, BT935401


935293-2 : 'Detected Violation' Field for event logs not showing

Links to More Info: BT935293

Component: Application Security Manager

Symptoms:
The violation is missing or its details are not populated on the event log page when a POST request with a large number of parameters is sent to the BIG-IP system.

Conditions:
-- A large POST request with lots of parameters is sent to BIG-IP system.
-- 'Learn New Parameters' is enabled.

Impact:
You cannot see the violation details.

Workaround:
Disabling parameter learning helps.

Note: This happens only with a large number of parameters. Usually it works as expected.

Fix:
The event log now reserves space for violations.

Fixed Versions:
13.1.3.5, 14.1.4, 15.1.3, 16.0.1.1


935249-2 : GTM virtual servers have the wrong status

Links to More Info: BT935249

Component: Global Traffic Manager (DNS)

Symptoms:
GTM virtual servers have the wrong status (up when they should be down, or down when they should be up).

Conditions:
-- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching.

-- The status code (for example, 200) being searched for in the response appears elsewhere than in the first line (for example, in a following header).

Impact:
The system incorrectly matches the status code in a response line which is not the Status-Line. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions.

Workaround:
You can work around this issue by not performing HTTP status matching in your HTTP/HTTPS GTM monitors.

Fix:
The HTTP status code is now correctly searched only in the first line of the response.

Fixed Versions:
15.1.5, 16.1.2.1
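
Added example, not F5 code: the faulty substring search beside the corrected Status-Line check described above, run over two constructed HTTP responses. The second response is a 503 whose headers happen to contain the digits "200", the case in which the original matching logic reported the wrong status.

```python
import re

# Status-Line per RFC 7230: HTTP-version SP status-code SP reason-phrase CRLF
_STATUS_LINE = re.compile(rb"^HTTP/\d(?:\.\d)? (\d{3}) [^\r\n]*\r\n")


def naive_status_match(response, code):
    """The faulty behaviour: substring search anywhere in the response.
    A 503 whose headers or body contain '200' is wrongly marked healthy."""
    return str(code).encode() in response


def status_line_match(response, code):
    """The corrected behaviour: parse only the first line and compare."""
    m = _STATUS_LINE.match(response)
    if m is None:
        return False           # not an HTTP response at all: treat as down
    return int(m.group(1)) == code


def monitor_status(response, expected_code, matcher=status_line_match):
    """Return the availability a monitor would report for this response."""
    return "up" if matcher(response, expected_code) else "down"


# Constructed sample responses (not from a real backend)
HEALTHY = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nOK"
# A 503 whose header happens to carry the digits '200' outside the Status-Line
DEGRADED_WITH_200_ELSEWHERE = (
    b"HTTP/1.1 503 Service Unavailable\r\n"
    b"X-Pool-Id: 200\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for name, resp in (("healthy", HEALTHY),
                       ("degraded", DEGRADED_WITH_200_ELSEWHERE)):
        print(name,
              "naive:", monitor_status(resp, 200, naive_status_match),
              "status-line:", monitor_status(resp, 200))
```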


935029-3 : TMM may crash while processing IPv6 NAT traffic

Links to More Info: K04048104, BT935029


934993-2 : BIG-IP resets HTTP/2 connections when a peer exceeds a number of concurrent streams

Links to More Info: BT934993

Component: Local Traffic Manager

Symptoms:
The HTTP/2 protocol allows informing a peer about the number of concurrent streams it is allowed to have. When this number is exceeded, the RFC stipulates that the system must serve all open streams and then terminate a connection.

Conditions:
-- The BIG-IP system has a virtual server with an HTTP/2 profile configured on the client side.
-- A client opens more streams than a configured value for concurrent-streams-per-connection in HTTP/2 profile.

Impact:
The BIG-IP system resets the connection, and the client (browser) does not receive any response for outstanding requests. The web page must be reloaded manually to recover.

Workaround:
None.

Fix:
When a peer exceeds the number of concurrent streams allowed by the BIG-IP system, the system sends GOAWAY with a REFUSED_STREAM error code, allows graceful completion of all open streams, and then terminates the connection.

Fixed Versions:
15.1.2, 16.0.1.1


934941-2 : Platform FIPS power-up self test failures not logged to console

Links to More Info: BT934941

Component: TMOS

Symptoms:
The BIG-IP system does not log FIPS power-up self-test failures to the console.

Conditions:
A FIPS failure occurs during the power-up self test.

Impact:
Platform FIPS failures are made more difficult to identify and diagnose, because the system console fails to include anything at all that indicates a failure.

Workaround:
None.

Fixed Versions:
14.1.3.1, 15.1.3


934721-2 : TMM core due to wrong assert

Links to More Info: BT934721

Component: Application Visibility and Reporting

Symptoms:
TMM crashes with a core.

Conditions:
AFM and AVR provisioned and collecting ACL statistics.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable the server-side statistics collection for the Network Firewall Rules using the following menu path:
Security :: Reporting : Settings : Reporting Settings : Network Firewall Rules.

Fix:
Fixed a tmm crash related to ACL statistics.

Fixed Versions:
15.1.2.1, 16.0.1.1


934461-2 : Connection error with server with TLS1.3 single-dh-use.

Links to More Info: BT934461

Component: Local Traffic Manager

Symptoms:
Connection failure with TLS1.3 and single-dh-use configured.

Conditions:
14.1 with TLS1.3 single-dh-use.

Impact:
Connection failure in 14.1 versions.

Workaround:
Disable single-dh-use, or disable tls1.3.

Fix:
14.1 now supports TLS1.3 single-dh-use and hello retry on serverside.

Fixed Versions:
14.1.3, 15.1.4


934393-2 : APM authentication fails due to delay in sessionDB readiness

Links to More Info: BT934393

Component: Access Policy Manager

Symptoms:
APM Authentication fails, and apmd cores when trying to connect to sessionDB.

Conditions:
-- APM configured.
-- SAML SP configured.

Impact:
It takes a long time to create the configuration snapshot. Authentication fails and apmd cores.

Workaround:
Restart all services by entering the following command:
tmsh restart /sys service all

Note: Restarting all services causes temporary traffic disruption.

Fix:
The sessionDB readiness has been corrected so that authentication succeeds.

Fixed Versions:
14.1.3, 15.1.4


934241-2 : TMM may core when using FastL4's hardware offloading feature

Links to More Info: BT934241

Component: TMOS

Symptoms:
TMM cores.

Conditions:
FastL4's hardware offloading is used.

Because the error is in internal software logic, there is no specific configuration that directly triggers this error condition. A quick traffic spike during a short period of time makes it more likely to occur.

Impact:
TMM cores and the system cannot process traffic. Traffic disrupted while tmm restarts.

Workaround:
Disable PVA/EPVA on all FastL4 profiles.

Fix:
Fix the internal logic error.

Fixed Versions:
15.1.0.5


934065-1 : The turboflex-low-latency and turboflex-dns are missing.

Links to More Info: BT934065

Component: TMOS

Symptoms:
The turboflex-low-latency and turboflex-dns profiles are no longer available in 15.1.x and 16.0.x software releases.

Conditions:
The turboflex-low-latency or turboflex-dns profile is in use.

Impact:
Unable to configure turboflex-low-latency or turboflex-dns profiles after an upgrade to 15.1.x or 16.0.x software release.

Workaround:
None.

Fix:
The turboflex-low-latency and turboflex-dns profiles are restored.

Fixed Versions:
15.1.3, 16.0.1.2


933777-1 : Context use and syntax changes clarification

Links to More Info: BT933777

Component: Application Visibility and Reporting

Symptoms:
There are two context and syntax-related issues:

-- In v14.x, the context for tmsh analytics commands related to server side connections changed. For example, 'total-server-side-conns' became a simple 'server-side-conns'.

-- In v13.x and 14.x, the calculation method for 'max-tps' changed from cumulative to commutative.

Conditions:
This occurs in either of the following scenarios:
-- Using tmsh analytics commands related to max-tps in v13.x or later.
-- Using tmsh analytics commands related to server side connections in BIG-IP v14.x and later.

Impact:
Stats names do not reflect their actual values. The 'max-tps' value is no longer valid for client IP context. These changes might have varied impacts, depending on your configuration.

Workaround:
None

Fix:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).

-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.

Behavior Change:
-- Label names for tmsh analytics commands related to server side connections changed (for example: the tmsh display name changed from 'total-server-side-conns' to 'server-side-conns', with similar changes for the other server side connection stats).

-- The 'max-tps' formula changed to be commutative instead of cumulative, so it is no longer relevant in the 'client-ip' context.

Fixed Versions:
13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2


933741-2 : BIG-IP FPS XSS vulnerability CVE-2021-22979

Links to More Info: K63497634, BT933741


933461-4 : BGP multi-path candidate selection does not work properly in all cases.

Links to More Info: BT933461

Component: TMOS

Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.

Conditions:
An inbound route-map exists that modifies a route's path selection attribute.

Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.

Workaround:
None.

Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1


933409-2 : Tomcat upgrade via Engineering Hotfix causes live-update files removal

Links to More Info: BT933409

Component: TMOS

Symptoms:
After applying an Engineering Hotfix ISO that contains an updated tomcat package, live-update files are inadvertently removed and live update no longer works properly.

Conditions:
Occurs after installing an Engineering Hotfix that contains the tomcat package.

Impact:
Live-update functionality does not work properly.

Workaround:
Although there is no workaround, you can install an updated Engineering Hotfix that uses a fixed version of the live-install package.

Fix:
Fixed an issue with inadvertently removing live-update files while applying an Engineering Hotfix.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1


933405-2 : Zonerunner GUI hangs when attempting to list Resource Records

Links to More Info: K34257075, BT933405

Component: Global Traffic Manager (DNS)

Symptoms:
Zonerunner GUI hangs when attempting to list Resource Records; mcpd times out.

Conditions:
Attempt to list Resource Records in Zonerunner GUI.

Impact:
Zonerunner hangs.

Workaround:
Zonerunner GUI is unusable until this issue is resolved. Use tmsh.

Fixed Versions:
14.1.4, 15.1.4.1, 16.0.1.1


933129-2 : Portal Access resources are visible when they should not be

Links to More Info: BT933129

Component: Access Policy Manager

Symptoms:
For an Access Policy created with Customization type: modern, a Portal Access resource is still present on the user's webtop after the "Publish on Webtop" checkbox is disabled in the configuration.

Conditions:
-- Access Policy created with Customization type: modern.
-- The "Publish on Webtop" checkbox is disabled for a Portal Access resource.

Impact:
Disabled Portal Access resource visible on the webtop when it should be hidden.

Workaround:
Re-create Access Policy with Customization type: standard

Fix:
The disabled Portal Access resource is now hidden on the user's webtop.

Fixed Versions:
15.1.4.1


932937-2 : HTTP Explicit Proxy configurations can result in connections hanging until idle timeout.

Links to More Info: BT932937

Component: Local Traffic Manager

Symptoms:
After an HTTP return code of 400 Bad Request or 403 Forbidden, connection table entries may not be removed from the connection table until they reach the idle timeout threshold.

Conditions:
-- HTTP Explicit Proxy Configuration.
-- BIG-IP HTTP response contains a 400 Bad Request or 403 Forbidden status code.

Impact:
The hanging connection table entries can cause subsequent connections from the same source port to fail. Also, the subsequent connection attempts can cause the idle timer to be reset.

Workaround:
Use an iRule to prevent connections from hanging:

when HTTP_REJECT {
    after 1
}

Fix:
HTTP Explicit Proxy configurations no longer result in connections hanging until idle timeout.

Fixed Versions:
14.1.3.1, 15.1.1, 16.0.1


932825-2 : Delayed Gratuitous ARPs may cause traffic to go to the previous active BIG-IP device

Links to More Info: BT932825

Component: Local Traffic Manager

Symptoms:
When the standby system in a High Availability (HA) group becomes active, it sends out gratuitous ARPs to advertise its ownership of IP addresses and direct traffic to itself. In rare conditions, when becoming active, other processes may send out traffic before Gratuitous ARPs are generated.

Conditions:
-- HA configured
-- Protocols in use that generate frequent and fast signaling messages

Impact:
This has been observed as an issue for IPsec during failover, causing tunnel stability issues after failover. No other protocols are known to be affected by the issue.

Workaround:
None

Fix:
When the standby device in an HA pair becomes active, Gratuitous ARPs are prioritized over other traffic.

Fixed Versions:
15.1.1


932737-2 : DNS & BADOS high-speed logger messages are mixed

Links to More Info: BT932737

Component: Anomaly Detection Services

Symptoms:
Both DNS and BADOS messages use the same family ID, and the reported messages are categorized together.

Conditions:
BADOS and DNS run together and an application is under attack (BADOS). At this point, the BIG-IP system generates BADOS messages using an ID that conflicts with DNS messages.

Impact:
Reporting will be confusing.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2


932497-3 : Autoscale groups require multiple syncs of datasync-global-dg

Links to More Info: BT932497

Component: TMOS

Symptoms:
Datasync-global-dg is in 'sync pending' status and is not automatically synced as expected.

Conditions:
Browser Challenges update image is automatically downloaded.

Impact:
Peers are not synced.

Workaround:
Manually sync the datasync-global-dg device group.

Fix:
Perform a full sync for each change when there are multiple live update changes in a row.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


932485-3 : Incorrect sum(hits_count) value in aggregate tables

Links to More Info: BT932485

Component: Application Visibility and Reporting

Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.

Conditions:
-- Insert a very large amount of data (approximately 4.5 billion or more) into one of the AVR tables.
-- Review the value of the sum(hits_count) column.

Impact:
The system reports incorrect values in AVR tables when dealing with large numbers.

Workaround:
None.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2


932437-2 : Loading SCF file does not restore files from tar file

Links to More Info: BT932437

Component: TMOS

Symptoms:
Loading an SCF configuration file does not restore file objects from the SCF's associated tar file.

Restoring the SCF fails with an error similar to this if the running configuration does not already contain the file:

01070712:3: Failed: name (/Common/test-crt) Cache path (/config/filestore/files_d/Common_d/certificate_d/:Common:test-crt) does not exist and there is no copy in trash-bin to restore from.
Unexpected Error: Loading configuration process failed.

Conditions:
Restore an SCF archive that references file objects, e.g.:
-- SSL certificates
-- SSL keys
-- iFiles

Impact:
Restoring SCF does not restore contents of file objects.

Workaround:
None.

Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1


932233-2 : '@' no longer valid in SNMP community strings

Links to More Info: BT932233

Component: TMOS

Symptoms:
The '@' character is no longer valid in SNMP community strings.

Conditions:
Attempting to use the '@' character in SNMP community strings.

Impact:
Unable to use the '@' character in SNMP community strings. The system cannot process SNMP commands with community strings that contain the '@' character, and the commands fail.

Workaround:
Use a community string that does not contain the '@' character.

Fixed Versions:
15.1.2, 16.0.1.1


932213-2 : Local user DB not synced to standby device when it comes online after forced offline state

Links to More Info: BT932213

Component: Access Policy Manager

Symptoms:
Local user db is not synced to the standby device when it comes online after being forced offline.

Conditions:
Valid high availability (HA) configuration.
-- Force the standby device offline.
-- Create a new local DB user on the online device.
-- Bring the standby device back online.

Impact:
The newly created user is not synced to the standby device unless localdbmgr is restarted on the standby.

Workaround:
None

Fix:
Fixed the issue by handling the forced offline scenario.

Fixed Versions:
14.1.4.5, 15.1.4.1


932137-5 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade

Links to More Info: BT932137

Component: Application Visibility and Reporting

Symptoms:
After upgrade, AFM statistics show non-relevant data.

Conditions:
-- BIG-IP system upgrade.
-- Leftover files remain in the /shared/avr_afm partition from other versions.

Impact:
Non-relevant data are shown in AFM statistics.

Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2


932133-2 : Payloads with large number of elements in XML take a lot of time to process

Links to More Info: BT932133

Component: Application Security Manager

Symptoms:
ASM experiences high CPU usage and latency while processing a large XML request.

Conditions:
-- ASM provisioned
-- HTTP request with a large XML payload (several MB) is sent to the backend server which triggers the XML parser.

Impact:
High CPU and latency occurs while bd processes the payload. This may cause a bottleneck for different requests that arrive concurrently with the large XML payload request.

Workaround:
None

Fix:
This fix includes performance improvements for large XML payloads.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2


932065-2 : iControl REST vulnerability CVE-2021-22978

Links to More Info: K87502622, BT932065


932033 : Chunked response may have DATA frame with END_STREAM prematurely

Links to More Info: BT932033

Component: Local Traffic Manager

Symptoms:
When an HTTP/2 profile is configured on the client side, chunked responses are always sent unchunked. When a connection to a client is congested, BIG-IP systems may send the END_STREAM flag before transmitting a whole payload.

Conditions:
-- A virtual server with an HTTP/2 profile configured on the client side.
-- A server responds with a chunked response.

Impact:
A browser may not receive the whole payload, or it may not recognize that the payload has been delivered fully (partially prior to the DATA frame with END_STREAM flag, partially after the frame).

Workaround:
Configure an HTTP profile on the client side with a value of 'unchunk' on the response-chunking option.

Fix:
BIG-IP systems no longer send a DATA frame with END_STREAM flag prematurely when a connection to a client is congested.

Fixed Versions:
14.1.4, 15.1.2


931837-1 : NTP has predictable timestamps

Links to More Info: K55376430, BT931837


931677-5 : IPv6 hardening

Links to More Info: K64124988, BT931677


931513-3 : TMM vulnerability CVE-2021-22977

Links to More Info: K14693346, BT931513


930905-4 : Management route lost after reboot.

Links to More Info: BT930905

Component: TMOS

Symptoms:
Management route lost after reboot, leading to no access to BIG-IP systems via management address.

Conditions:
-- 2NIC BIG-IP Virtual Edition template deployed in GCP (see https://github.com/F5Networks/f5-google-gdm-templates/tree/v3.0.3/supported/standalone/2nic/existing-stack/byol).

-- The instance is rebooted.

Impact:
After rebooting, the default route via the management interface no longer exists in the routing table. BIG-IP administrators are unable to connect to BIG-IP Virtual Edition via the management address.

Workaround:
Use either of the following workarounds:

-- Delete the route completely and reinstall the route.

-- Restart mcpd:
bigstart restart mcpd

Fixed Versions:
14.1.4, 15.1.2.1, 16.0.1.1


930741-2 : Truncated or incomplete upload of a BIG-IP image causes kernel lockup and reboot

Links to More Info: BT930741

Component: TMOS

Symptoms:
If there is a truncated BIG-IP software image in /shared/images, a kernel lockup and reboot could occur.

One way to have a truncated image in /shared/images is by using iControl/SOAP to upload the image. Using SOAP, the image is uploaded in chunks, so until the last chunk is uploaded, the image is not complete/is truncated.

Conditions:
-- Truncated BIG-IP image in /shared/images
-- Using SOAP to upload the image.

Impact:
Traffic disruption caused by the reboot.

Workaround:
If you are using SOAP to upload BIG-IP software images, upload them to /shared first and then move them to /shared/images.

Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2


930633-3 : Delay in using new route updates by existing connections on BIG-IP.

Links to More Info: BT930633

Component: TMOS

Symptoms:
If routes are updated in BIG-IP by static or dynamic methods, the existing connections will not use the new routes until ~1-8 seconds later.

Conditions:
Routes for existing connections on the BIG-IP are updated.

Impact:
Performance might be degraded when routes are updated for existing connections on BIG-IP.

Fix:
Added the DB variable "tmm.inline_route_update". When enabled, packets are checked for new routes before being sent out. It is disabled by default.

Behavior Change:
A new db variable has been added, called tmm.inline_route_update. It is disabled by default. When enabled, packets are checked for new routes before sending out.

Fixed Versions:
14.1.4.5, 15.1.5.1


930385-3 : SSL filter does not re-initialize when an OCSP object is modified

Links to More Info: BT930385

Component: Local Traffic Manager

Symptoms:
Create an OCSP object using DNS resolver ns1, associate the OCSP object to SSL profile and a virtual.

Then, modify the OCSP object to DNS resolver ns2.

After the modification, wait for cache-timeout and cache-error-timeout and then connect to virtual again. The nameserver contacted is still ns1.

Conditions:
An OCSP object is configured and modified.

Impact:
The wrong nameserver is used after modification to the OCSP object.

Fix:
After the fix, the correct nameserver will be contacted after the OCSP object is modified.

Fixed Versions:
14.1.3, 15.1.4


930005-2 : Recover previous QUIC cwnd value on spurious loss

Links to More Info: BT930005

Component: Local Traffic Manager

Symptoms:
If a QUIC packet is deemed lost, but an ACK for it is then received, the cwnd is halved despite there being no actual packet loss. Packet reordering can cause this situation to occur.

Conditions:
A QUIC packet is deemed lost, and an ACK for it is received before the ACK of its retransmission.

Impact:
Inefficient use of bandwidth in the presence of packet reordering.

Workaround:
None.

Fix:
QUIC congestion window is restored to its pre-recovery value on a spurious loss recovery.

Behavior Change:
QUIC congestion window is restored to its pre-recovery value on a spurious loss recovery.

Fixed Versions:
15.1.3, 16.0.1.1


929909-2 : TCP Packets are not dropped in IP Intelligence

Links to More Info: BT929909

Component: Advanced Firewall Manager

Symptoms:
When an IP address is added to IP Intelligence under the Denial-of-Service category at the global level, and a TCP flood from that IP address occurs, IP Intelligence does not drop those packets.

Conditions:
TCP traffic on a BIG-IP system with IP Intelligence provisioned and enabled.

Impact:
When adding an IP address to an IP Intelligence category, UDP traffic from that IP address is dropped, but TCP traffic is not dropped.

Fix:
When adding an IP address to an IP Intelligence category, both TCP and UDP traffic from that IP address is dropped.

Fixed Versions:
15.1.5.1, 16.1.2.2


929213-1 : iAppLX packages not rolled forward after BIG-IP upgrade

Links to More Info: BT929213

Component: Device Management

Symptoms:
Certain iAppLX packages are not rolled forward after a BIG-IP upgrade or restoring a UCS file generated from an affected system, and will be unavailable for use.

1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm

Conditions:
-> Installing any of the below iAppLX packages
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm

-> Performing an upgrade

-> Trying to access the LX packages from GUI by navigating to iApps -> Package Management LX

Impact:
After upgrading or restoring a UCS file generated from an affected system, the cloud-failover, service discovery, and telemetry iAppLX apps are not available for use, and accessing them from the GUI results in a 404 error.

Workaround:
The package needs to be uninstalled and installed again for use.

Steps:
-> From GUI, Navigate to iApps -> Package Management LX
-> select the package to uninstall and click on Uninstall
-> click on Import and provide the path of package to install again

Fix:
A new database key has been added, 'sys db iapplxrpm.timeout', which allows the RPM build timeout value to be increased.

sys db iapplxrpm.timeout {
    default-value "60"
    scf-config "true"
    value "60"
    value-range "integer min:30 max:600"
}

For example:

tmsh modify sys db iapplxrpm.timeout value 300

tmsh restart sys service restjavad

Increasing the db key and restarting restjavad should not be traffic impacting.

After increasing the timeout, the RPM build process that runs during a UCS save should be successful, and the resulting UCS should include the iAppsLX packages as expected.

Note: The maximum db key value of 600 may be needed in some cases.

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2


929077-2 : Bot Defense allow list does not apply when using default Route Domain and XFF header

Links to More Info: BT929077

Component: Application Security Manager

Symptoms:
When an IP address allow list is configured in the Bot Defense profile, the default Route Domain is in use, and a request arrives with an X-Forwarded-For header, the request might not be treated as allow-listed.

Conditions:
-- Bot Defense Profile is attached to virtual server.
-- Bot Defense Profile has an IP address allow list configured.
-- Using default Route Domain.
-- Sending a request with X-Forwarded-For header.
-- Might require heavy traffic.

Impact:
Request from an IP address that is on the allow list is blocked.

Workaround:
Allow the IP address using an iRule.

Fix:
The system now sets the correct route domain, and IP addresses on the allow list are allowed.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1


929001-3 : ASM form handling improvements

Links to More Info: K48321015, BT929001

Component: Application Security Manager

Symptoms:
Under certain conditions, the ASM form handler may not enforce as expected.

Conditions:
- Brute force protection is configured

Impact:
Enforcement not triggered as expected.

Workaround:
N/A

Fix:
ASM now processes forms as expected.

Fixed Versions:
11.6.5.3, 12.1.6, 13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2


928857-2 : Use of OCSP responder may leak X509 store instances

Links to More Info: BT928857

Component: Local Traffic Manager

Symptoms:
The use of OCSP responder may cause X509 certificate store instances to be leaked, eventually causing memory pressure.

Conditions:
OCSP responder configured.

Impact:
TMM ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fixed Versions:
14.1.4, 15.1.3


928805-2 : Use of OCSP responder may cause memory leakage

Links to More Info: BT928805

Component: Local Traffic Manager

Symptoms:
Use of OCSP responder may cause small amounts of SSL memory to be leaked, eventually leading to memory pressure.

Conditions:
OCSP responder configured.

Impact:
TMM SSL memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fixed Versions:
14.1.4, 15.1.3


928789-2 : Use of OCSP responder may leak SSL handshake instances

Links to More Info: BT928789

Component: Local Traffic Manager

Symptoms:
Use of OCSP responder may cause SSL handshake instances to be leaked, eventually leading to memory pressure.

Conditions:
OCSP responder configured.

Impact:
TMM ssl_hs memory usage grows over time, eventually causing memory pressure, and potentially a traffic disruption due to TMM restart.

Workaround:
No workaround.

Fixed Versions:
14.1.4, 15.1.3


928717-3 : [ASM - AWS] - ASU fails to sync

Links to More Info: BT928717

Component: Application Security Manager

Symptoms:
Live Update configuration is not updated.

Conditions:
-- The BIG-IP device being removed from the device group is also the last commit originator. (You might encounter this on AWS as a result of auto-scale.)
-- A new device is added to the device group.
-- Initial sync is pushed to the new device.

Impact:
Automatic signature updates (ASU) fail to sync.

Workaround:
Make a spurious change to Live Update from another device in the group and sync it to the group, for example:

1. Set the 'Installation of Automatically Downloaded Updates' to Scheduled and save.
2. Then return the setting to its previous state, and save again.

Fixed Versions:
14.1.4.4, 15.1.4


928697-2 : Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT

Links to More Info: BT928697

Component: TMOS

Symptoms:
When debug mode is enabled, racoon2 logs packet payloads during IKE negotiation. When multiple proposals are present in an IKE_SA_INIT packet, the logging of the proposal payloads is incorrect.

Conditions:
The initiator sends more than one proposal.

Impact:
Diagnosing connection issues is more difficult.

Workaround:
During debugging, ignore IKE_SA_INIT packet dump in the logs.

Fixed Versions:
15.1.4, 16.0.1.2


928685-2 : ASM Brute Force mitigation not triggered as expected

Links to More Info: K49549213, BT928685

Component: Application Security Manager

Symptoms:
Under certain conditions the Brute Force mitigation will not be triggered.

Conditions:
- ASM enabled
- Brute Force mitigation enabled

Impact:
Brute Force mitigation is not triggered as expected.

Workaround:
The following iRule looks for a problem with the Authorization header and raises a custom violation when one is found:

when ASM_REQUEST_DONE {
    if { [catch { HTTP::username }] } {
        log local0. "ERROR: bad username"
        ASM::raise bad_auth_header_custom_violation
    }
}

Fix:
Brute Force mitigation is now triggered as expected.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.3, 16.0.1.2


928553-3 : LSN64 with hairpinning can lead to a tmm core in rare circumstances

Links to More Info: BT928553

Component: Carrier-Grade NAT

Symptoms:
LSN64 with hairpinning configured can lead to a tmm core in rare circumstances.

Conditions:
- LSN64 virtual server.
- Hairpinning enabled.
- FLOW_INIT iRule.
- Full proxy config.

Impact:
Tmm cores. Traffic disrupted while tmm restarts.

Workaround:
Disable full proxy config of hairpinning.

Fix:
Tmm does not crash anymore.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1


928321-1 : K19166530: XSS vulnerability CVE-2020-27719

Links to More Info: K19166530, BT928321


928037-2 : APM Hardening

Links to More Info: K15310332, BT928037


928029-2 : Running switchboot from one tenant in a chassis filled with other tenants/blades gives a message that it needs to reboot the chassis

Links to More Info: BT928029

Component: TMOS

Symptoms:
The switchboot popup displays the wrong message: "This will restart the chassis. Continue?".

Conditions:
Run the "switchboot" command.

Impact:
A confusing popup message is displayed.

Workaround:
NA

Fix:
The switchboot popup message has been updated to "This will restart BIG-IP tenant. Continue?".

Fixed Versions:
14.1.3, 15.1.4


927993-1 : Built-in SSL Orchestrator RPM installation failure

Links to More Info: K97501254, BT927993

Component: SSL Orchestrator

Symptoms:
Attempting to install the built-in SSL Orchestrator RPM results in the following error:

Failed to load IApp artifacts from f5-iappslx-ssl-orchestrator: java.lang.IllegalStateException: Failed to post templates to block collection.

Conditions:
In the BIG-IP TMUI, the BIG-IP administrator navigates to the SSL Orchestrator Configuration page. This would automatically invoke the installation of the built-in SSL Orchestrator RPM, resulting in the failure.

Impact:
The built-in SSL Orchestrator RPM is not installed and SSL Orchestrator management is not possible.

Workaround:
Step 1. Run the following commands in the BIG-IP command line:

# Get ID for f5-ssl-orchestrator-dg-data:
id1=$(restcurl shared/iapp/blocks/ | jq -r '.items[] | select(.name == "f5-ssl-orchestrator-dg-data") | .id')

# Get ID for f5-ssl-orchestrator-dg-template:
id2=$(restcurl shared/iapp/blocks/ | jq -r '.items[] | select(.name == "f5-ssl-orchestrator-dg-template") | .id')

# Temporarily unlink the "f5-ssl-orchestrator-dg-data" (id1) dependency on "f5-ssl-orchestrator-dg-template" (id2).
restcurl -X PATCH -d "{\"baseReference\": {\"link\": \"https://localhost/mgmt/shared/iapp/blocks/$id1\"}}" shared/iapp/blocks/$id1

# Remove all SSL Orchestrator block templates.
restcurl shared/iapp/blocks | jq -r '.items[] | select(.state == "TEMPLATE") | select(.name | startswith("f5-ssl-orchestrator")) | .id' | for x in $(cat) ; do restcurl -X DELETE shared/iapp/blocks/$x; done

# Remove the SSL Orchestrator RPM installation references (if any).
restcurl -X DELETE shared/iapp/global-installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99
restcurl -X DELETE shared/iapp/installed-packages/9beb912b-4f1c-3f95-94c3-eb1cbac4ab99

---

Step 2. Use the BIG-IP TMUI:
Log in to the TMUI and navigate to SSL Orchestrator > Configuration. This would refresh the related page and install the SSL Orchestrator RPM. Wait for the SSL Orchestrator configuration page to complete loading.

---

Step 3. Run the following commands in the BIG-IP command line:

# Restore the "f5-ssl-orchestrator-dg-data" dependency on "f5-ssl-orchestrator-dg-template".
restcurl -X PATCH -d "{\"baseReference\": {\"link\": \"https://localhost/mgmt/shared/iapp/blocks/$id1\"}}" shared/iapp/blocks/$id2

---

Step 4. Use the BIG-IP TMUI:
Refresh the SSL Orchestrator > Configuration page.

Fix:
Built-in SSL Orchestrator RPM installation failure

Fixed Versions:
12.1.5.3, 13.1.3.6, 14.1.3, 14.1.4, 15.1.2, 16.0.1.1


927941-5 : IPv6 static route BFD does not come up after OAMD restart

Links to More Info: BT927941

Component: TMOS

Symptoms:
The Bidirectional Forwarding Detection (BFD) session for an IPv6 static route is not shown in response to the command:
imish -e "show bfd session"

Conditions:
-- BFD is configured with static route IPv6.
-- Restart the oamd process.

Impact:
BFD session is not shown in 'show bfd session'.

Workaround:
Restart tmrouted:
bigstart restart tmrouted

Fix:
IPv6 static route BFD session now comes up after restarting the oamd process.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1


927901-4 : After BIG-IP reboot, vxnet interfaces come up as uninitialized

Links to More Info: BT927901

Component: TMOS

Symptoms:
1. After BIG-IP reboots, the vxnet interfaces come up as uninitialized.
2. The driver does not log any issues:
 echo "device driver [client-specific driver info] mlxvf5" >> /config/tmm_init.tcl

Conditions:
Running BIG-IP Virtual Edition (VE) v15.1.0.4 software.

Impact:
Vxnet driver requires manual intervention after reboot.

Workaround:
Disabling and then re-enabling the interface in tmsh brings it back up until the next reboot.

Fixed Versions:
15.1.0.5


927713-1 : Clsh reboot hangs when executed from the primary blade.

Links to More Info: BT927713

Component: Local Traffic Manager

Symptoms:
-- When 'clsh reboot' is executed on the primary blade, it internally calls ssh reboot on all secondary blades and then reboots the primary blade. The 'clsh reboot' script hangs, and there is a delay in rebooting the primary blade.
-- Running 'ssh reboot' on secondary blades hangs due to sshd sessions getting killed after network interface down.

Conditions:
-- Running 'clsh reboot' on the primary blade.
-- Running 'ssh reboot' on secondary blades.

Impact:
A secondary blade is not rebooted until clsh or ssh closes the connection to that blade.

Workaround:
Perform a reboot from the GUI.

Fix:
Running 'clsh reboot' on the primary blade or 'ssh reboot' on a secondary blade no longer hangs, so operations complete as expected.

Fixed Versions:
15.1.5.1


927617-2 : 'Illegal Base64 value' violation is detected for cookies that have a valid base64 value

Links to More Info: BT927617

Component: Application Security Manager

Symptoms:
A valid request that should be passed to the backend server is blocked.

Conditions:
-- A cookie name is defined in Security :: Application Security : Headers : Cookies List :: New Cookie, with Base64 Decoding enabled.

-- The cookie header that contains the valid cookie value is base64-encoded.

Impact:
A request is blocked that should not be.

Workaround:
Disable 'Base64 Decoding' for the desired cookie.

Fix:
Requests with valid base64 encoding cookies are now correctly passed by the enforcer.

Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.3.1, 15.1.2, 16.0.1.1


927033-2 : Installer fails to calculate disk size of destination volume

Links to More Info: BT927033

Component: TMOS

Symptoms:
Installation fails with a 'Disk full (volume group)' error in /var/log/liveinstall.log:

error: tm_install::Process::Process_full_install -- predicted size for BIGIP14125 is 12315728, current location size is 11120640, and vg has 0 remaining.

Conditions:
Platforms with software RAID that also have a symlink in /dev/md that looks like the following:

[root@bigip1] images # ls -l /dev/md/
total 8
-rw-r--r--. 1 root root 5 2020-07-09 16:12 autorebuild.pid
lrwxrwxrwx. 1 root root 8 2020-07-09 16:51 localhost:0 -> ../md127
-rw-------. 1 root root 66 2020-07-09 16:11 md-device-map

Impact:
Unable to successfully upgrade.

Workaround:
Create the expected symlink manually:

cd /dev/md
ln -s ../md127 _none_\:0

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1


926997-1 : QUIC HANDSHAKE_DONE profile statistics are not reset

Links to More Info: BT926997

Component: Local Traffic Manager

Symptoms:
QUIC HANDSHAKE_DONE profile statistics are not set back to 0 when statistics are reset.

Conditions:
A QUIC virtual server receives or sends HANDSHAKE_DONE frames, and the profile statistics are later reset.

Impact:
QUIC HANDSHAKE_DONE profile statistics are not reset.

Workaround:
Restart tmm to reset all statistics:

bigstart restart tmm

Impact of Workaround: Traffic disrupted while tmm restarts.

Fix:
QUIC HANDSHAKE_DONE profile statistics are reset properly.

Fixed Versions:
15.1.1, 16.0.1


926973-1 : APM / OAuth issue with larger JWT validation

Links to More Info: BT926973

Component: Access Policy Manager

Symptoms:
When the access profile type is OAuth-RS or ALL, and a client sends a request with a Bearer token longer than 4080 bytes in the Authorization header to the virtual server, OAuth fails with ERR_NOT_SUPPORTED.

Conditions:
Bearer token longer than 4080 bytes.

Impact:
APM oauth fails with ERR_NOT_SUPPORTED.

Workaround:
None.

Fix:
OAuth can now handle bearer tokens longer than 4080 bytes.

Fixed Versions:
15.1.5


926929-3 : RFC Compliance Enforcement lacks configuration availability

Links to More Info: BT926929

Component: Local Traffic Manager

Symptoms:
Earlier versions contained fixes that enforce several RFC compliance items for HTTP request and response processing by BIG-IP systems. Enforcement for some of these items is unavoidable, but might cause issues for certain applications.

Conditions:
The configuration has a virtual server with an HTTP profile.

Impact:
Some applications that require certain constructions after a header name may not function.

Workaround:
None

Fix:
A configuration item has been introduced to manage RFC-compliance options.

In releases 13.1.4, 14.1.4, 15.1.2.1 and 16.0.1.2 and in subsequent releases in those families, a global flag is used to control the enforcement:

    sys db tmm.http.rfc.allowwsheadername

The possible values are "enabled" and "disabled"; the default is "enabled".

In release 16.1.0 and subsequent releases, there are two per-profile options; these have been added to the Configuration Utility's configuration page for HTTP profiles, in the 'Enforcement' section:

-- Enforce RFC Compliance
-- Allow Space Header Name

The following sample output shows how the RFC-compliance and whitespace-enforcement settings might appear in tmsh, if enabled:

(tmos)# list ltm profile http http-wsheader
ltm profile http http-wsheader {
    app-service none
    defaults-from http
    enforcement {
        allow-ws-header-name enabled
        rfc-compliance enabled
    }
    proxy-type reverse
}

Fixed Versions:
13.1.4, 14.1.4, 15.1.2.1, 16.0.1.2


926845-5 : Inactive ASM policies are deleted upon upgrade

Links to More Info: BT926845

Component: Application Security Manager

Symptoms:
Upon upgrade, active ASM policies are preserved, and inactive policies are deleted.

Conditions:
-- Configuration contains active and inactive ASM policies.
-- Upgrade the BIG-IP system to any later version.
-- You can check existing ASM policies in tmsh:
tmsh list asm policy

Impact:
Only the active ASM policies are preserved; the inactive policies are deleted.

Workaround:
None.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1, 16.1.2.2


926593-2 : GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'

Links to More Info: BT926593

Component: Global Traffic Manager (DNS)

Symptoms:
The GTM/DNS gateway_icmp monitor for IPv6 virtual servers sometimes returns 'state: timeout' even though big3d receives the packet successfully.

Conditions:
- GTM/DNS provisioned.
- IPv6 virtual server with gateway_icmp GTM/DNS monitor.

Impact:
IPv6 virtual servers are marked down unexpectedly.

Workaround:
Use a different GTM monitor type than gateway_icmp for IPv6 targets.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1


926341-2 : RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade

Links to More Info: BT926341

Component: Application Visibility and Reporting

Symptoms:
Unusually high AVR CPU utilization occurs following an upgrade.

Conditions:
-- BIG-IP software upgrade to v13.0.x or later.
-- Running AVR.

Impact:
AVR CPU utilization can be unusually high for an unusually long period of time.

Workaround:
If AVR CPU usage is high after the upgrade, manually edit /etc/avr/avrd.cfg to reduce it by increasing the real-time statistics collection interval. To do so:
1. Change the value of RtIntervalSecs in the /etc/avr/avrd.cfg file to 30 or 60 seconds.
2. Restart the system by running the following command at the command prompt:
bigstart restart

When changing RtIntervalSecs please take into consideration two important limitations:
-- Value of RtIntervalSecs cannot be less than 10.
-- Value of RtIntervalSecs must be 10 on BIG-IP devices that are registered on BIG-IQ DCD nodes.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4


925989 : Certain BIG-IP appliances with HSMs cannot upgrade to v15.1.0.4

Links to More Info: BT925989

Component: Local Traffic Manager

Symptoms:
After upgrade to v15.1.0.4, config does not load. Logs show:

-- err mcpd[11863]: 01b50049:3: FipsUserMgr Error: Master key load failure.
-- err mcpd[11863]: 01070712:3: Caught configuration exception (0), FIPS 140 operations not available on this system.
-- err tmsh[14528]: 01420006:3: Loading configuration process failed.

Conditions:
-- Upgrading to v15.1.0.4.
-- Using the following platforms:
  + i5820-DF / i7820-DF
  + 5250v-F / 7200v-F
  + 10200v-F
  + 10350v-F

Impact:
Cannot upgrade to v15.1.0.4, and the system is offline.

Important: Although you cannot prevent this from happening (except by not upgrading to 15.1.0.4), you can boot back into the previous configuration to recover BIG-IP system operation.

Workaround:
None.

Fixed Versions:
15.1.0.5


925573-6 : SIGSEGV: receiving a sessiondb callback response after the flow is aborted

Links to More Info: BT925573

Component: Access Policy Manager

Symptoms:
A SIGSEGV error occurs after a connection is ended. This is an intermittent issue that inconsistently recurs.

Conditions:
APM Per-Request is processing a flow that has already been reset (RST) by another filter, such as HTTP or HTTP/2.

Impact:
Connections might reset. You might experience a tmm crash. This is an intermittent issue. Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
14.1.4, 15.1.3


924961-2 : CVE-2019-20892: SNMP Vulnerability

Links to More Info: K45212738, BT924961


924945-3 : Fail to detach HTTP profile from virtual server

Links to More Info: BT924945

Component: Application Visibility and Reporting

Symptoms:
The virtual server might stay attached to the initial HTTP profile.

Conditions:
Attaching new HTTP profiles or just detaching an existing one.

Impact:
The virtual server stays attached to the former HTTP profile, meaning that the virtual server might be attached to a different HTTP profile than what the GUI displays. Configuration changes to the HTTP profile the GUI shows as attached are not reflected in the virtual server. For example, the new HTTP profile might enable XFF, but if the former attached profile does not enable it, the virtual server does not accept XFF.

Workaround:
Create new similar virtual server and attach it to the correct HTTP profile.

Fixed Versions:
15.1.3, 16.0.1.2, 16.1.1


924929-2 : Logging improvements for VDI plugin

Links to More Info: BT924929

Component: Access Policy Manager

Symptoms:
If the Virtual Desktop Interface (VDI) plugin aborts, the names of the events are not logged in the APM log file.

Conditions:
- Virtual Desktop Interface (VDI) configured
- The plugin encounters a problem and aborts

Impact:
Event names are not displayed in the APM log.

Workaround:
None.

Fix:
Event names along with the exceptions are also seen in the APM log file.

Fixed Versions:
13.1.3.6, 14.1.3.1, 15.1.2.1, 16.0.1.1


924857-1 : Logout URL with parameters resets TCP connection

Links to More Info: BT924857

Component: Access Policy Manager

Symptoms:
TCP connection reset when 'Logout URI Include' configured.

Conditions:
-- Access Policy with a valid 'Logout URI Include' string, e.g.:
 /logoff.html
-- Request to 'Logout URI Include' URI from user-agent that includes a query parameter string, e.g.:
 /logoff.html?a=b

Impact:
TCP connection resets, reporting BIG-IP APM error messages.

'Logout URI Include' does not support custom query strings in logout URIs to include. For example, with a 'Logout URI Include' value of /logoff.html, if a user-agent sends a logout URI request in the form of /logoff.html?a=b, logout URI validation resets the connection and reports an error:
-- Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_check_uri_type.


Note: BIG-IP APM prohibits the configuration of 'Logout URI Include' from containing a query string on the BIG-IP system. For example, attempting to configure 'Logout URI Include' with a URI in the form of /logoff.html?a=b fails and displays error messages:
-- Configuration error: Configured URI (/logoff.html?a=b) is not allowed to contain query parameter.

Workaround:
None

Fix:
The system now ignores unsupported query parameters.
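How the two rules in this entry fit together, as an added Python illustration (not APM code): a configuration-time check that rejects a 'Logout URI Include' value carrying a query string, and a request-time match that compares only the path, so /logoff.html?a=b still matches a configured /logoff.html. The pre-fix branch (ignore_query=False), which returns "error" for any request URI with a query string, and the exact-path match are assumed models of the behaviour the entry describes, not the product's actual matching algorithm.

```python
"""Logout URI matching with and without query-string tolerance (illustration).

Constructed example for bug 924857. validate_logout_uri_include() mirrors the
configuration rule quoted in this entry; classify_request() models the
request-time check before the fix (ignore_query=False, any query string is an
argument error) and after it (the query string is stripped before matching).
Exact-path matching is an assumption of this example, not APM's algorithm.
"""
from urllib.parse import urlsplit


class ConfigError(ValueError):
    """Raised when a 'Logout URI Include' value breaks the configuration rule."""


def validate_logout_uri_include(uri):
    """Return uri if it is acceptable as a 'Logout URI Include' value."""
    if "?" in uri:
        # Same condition the entry quotes as a configuration error.
        raise ConfigError(
            f"Configured URI ({uri}) is not allowed to contain query parameter.")
    if not uri.startswith("/"):
        # Assumed additional sanity rule for this example only.
        raise ConfigError(f"Configured URI ({uri}) must be an absolute path.")
    return uri


def config_accepts(uri):
    """True if the value would be accepted at configuration time."""
    try:
        validate_logout_uri_include(uri)
    except ConfigError:
        return False
    return True


def classify_request(request_uri, logout_uri_includes, ignore_query=True):
    """Classify a request URI as 'logout', 'not-logout' or 'error'.

    ignore_query=True models the fixed behaviour: the query string sent by
    the user-agent is discarded before the path is compared against the
    configured includes. ignore_query=False models the pre-fix behaviour,
    where a query string on a logout-candidate URI is an argument error
    (the ERR_ARG case that reset the connection).
    """
    includes = {validate_logout_uri_include(u) for u in logout_uri_includes}
    if not ignore_query:
        if "?" in request_uri:
            return "error"
        return "logout" if request_uri in includes else "not-logout"
    path = urlsplit(request_uri).path
    return "logout" if path in includes else "not-logout"


if __name__ == "__main__":
    configured = ["/logoff.html"]            # constructed configuration
    for uri in ["/logoff.html", "/logoff.html?a=b", "/home?a=b"]:
        print(f"{uri:22} pre-fix: {classify_request(uri, configured, ignore_query=False):10}"
              f" fixed: {classify_request(uri, configured)}")
    print("config accepts /logoff.html?a=b:", config_accepts("/logoff.html?a=b"))
```

Note that stripping the query string on the request side does not loosen the configuration rule: an include value with a query string is still rejected, which is what keeps the logout match unambiguous.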

Fixed Versions:
14.1.4.5, 15.1.2, 16.0.1.2


924521-2 : OneConnect does not work when WEBSSO is enabled/configured.

Links to More Info: BT924521

Component: Access Policy Manager

Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and does not reuse pooled connections.

Conditions:
Virtual server configured with both a WEBSSO and a OneConnect profile.

Impact:
Idle server-side connections that should be eligible for reuse by the virtual server are not used. This might lead to buildup of idle server-side connections, and may result in unexpected 'Inet port exhaustion' errors.

Workaround:
None.

Fix:
OneConnect now works when WEBSSO is enabled/configured, so that the system reuses the pooled server-side connections.

Fixed Versions:
14.1.4.3, 15.1.4


924493-2 : VMware EULA has been updated

Links to More Info: BT924493

Component: TMOS

Symptoms:
The End User License Agreement (EULA) presented in VMware is out of date.

Conditions:
The EULA is presented to the user when deploying an OVF template.

Impact:
The current EULA is version: DOC-0355-16 (as explained in K12902: End User License Agreement Change Notice :: https://support.f5.com/csp/article/K12902).

Although the OVA EULA for 16.0.0 shows: DOC-0355-12, the EULA presented during license activation is the EULA in force for this instance, so you can safely ignore the discrepancy; there is no functional impact.

Workaround:
None needed. The EULA presented during license activation is the EULA in force for this instance.

Fix:
The EULA presented in VMware was out of date and has been updated.

Fixed Versions:
13.1.3.5, 14.1.2.8, 15.1.1, 16.0.1


924429-2 : Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values

Links to More Info: BT924429

Component: TMOS

Symptoms:
While restoring a UCS archive, you get an error similar to the following example:

/var: Not enough free space
535162880 bytes required
326418432 bytes available
/shared/my.ucs: Not enough free disk space to install!
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.

As part of restoring UCS archives, some files (for example, the contents of the filestore) are temporarily copied to the /var/tmp directory.

The script that ensures enough free disk space is available for the UCS restore operation incorrectly reports the /var filesystem's free disk space for the /var/tmp directory.

This is incorrect, as /var/tmp is a symlink to /shared/tmp, and so the free disk space of the /shared filesystem should be used instead.

Conditions:
-- Restoring a UCS file.
-- The UCS file contains large items that are temporarily stored under the /var/tmp directory (for example, many EPSEC files, many large external data-groups, etc.).
-- The /var filesystem has limited free disk space.

Impact:
The UCS installation fails even if /var/tmp has sufficient disk space.

Workaround:
None.

Fix:
The UCS installation script now reports the correct free disk space for the /var/tmp directory, allowing UCS archive installations to complete.
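The symlink problem described above, as an added Python illustration (not the BIG-IP installation script): a free-space check that resolves the target directory with os.path.realpath before asking the filesystem for its free bytes, so a path such as /var/tmp that is a symlink into /shared is measured on the filesystem that actually holds the data. The demo function builds a temporary var/tmp -> shared/tmp layout of its own so it runs anywhere; the directory names only imitate the ones in this entry.

```python
"""Free-space check that follows symlinks (illustration for bug 924429).

Constructed example, not BIG-IP code. free_space_for() resolves the path
before measuring, which is the behaviour the entry says the script lacked:
a check on /var/tmp must report the free space of the filesystem that
/var/tmp really lives on (/shared, via the symlink), not that of /var.
"""
import os
import shutil
import tempfile


def free_space_for(path):
    """Return (resolved_path, free_bytes) for the filesystem backing path."""
    real = os.path.realpath(path)           # follow symlinks such as /var/tmp -> /shared/tmp
    return real, shutil.disk_usage(real).free


def has_room(path, required_bytes):
    """True if the filesystem actually backing path has required_bytes free."""
    _, free = free_space_for(path)
    return free >= required_bytes


def demo_symlink_resolution():
    """Build a constructed var/tmp -> shared/tmp layout and show where the check lands."""
    root = tempfile.mkdtemp(prefix="ucs-demo-")
    try:
        shared_tmp = os.path.join(root, "shared", "tmp")
        os.makedirs(shared_tmp)
        os.makedirs(os.path.join(root, "var"))
        var_tmp = os.path.join(root, "var", "tmp")
        os.symlink(shared_tmp, var_tmp)     # imitates /var/tmp being a symlink to /shared/tmp

        resolved, free = free_space_for(var_tmp)
        shared_real = os.path.realpath(os.path.join(root, "shared"))
        return {
            # What a naive check would look at: the path as written, under var/
            "naive_path": os.path.normpath(var_tmp),
            # What the corrected check measures: the real location under shared/
            "resolved_path": resolved,
            "resolved_under_shared": resolved.startswith(shared_real + os.sep),
            "free_bytes": free,
            "room_for_one_byte": has_room(var_tmp, 1),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo_symlink_resolution().items():
        print(f"{key:22} {value}")
```

On a real system the two paths can sit on different filesystems with very different free space, which is exactly why the naive figure produced the misleading "Not enough free space" message quoted above.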

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1


924349-2 : DIAMETER MRF is not compliant with RFC 6733 for Host-IP-Address AVP over SCTP

Component: Service Provider

Symptoms:
Diameter CER/CEA messages do not currently advertise all Host-IP-Addresses.

Conditions:
-- Exchange Diameter messages CER/CEA between peers, configure a SNAT pool and an alternate address in the SCTP profile.
-- The CER from BIG-IP contains snatpool IP addresses
-- The CEA from BIG-IP contains alternate addresses

Impact:
Multiple Host-IP-Address AVPs are not visible in CER/CEA.

Fix:
Able to validate HostIpAddress as per RFC6733 on Diameter over SCTP.

Fixed Versions:
14.1.3.1, 15.1.1, 16.0.1


924301-1 : Incorrect values in REST response for DNS/SIP

Links to More Info: BT924301

Component: Application Visibility and Reporting

Symptoms:
Some of the calculations are inaccurate/missing in the AVR publisher for DNS and SIP, and incorrect values are shown in the REST response.

Conditions:
-- Device vector detection and mitigation thresholds are set to 10.
-- A detection and mitigation threshold is reached

Impact:
An incorrect value is calculated in the REST response.

Fix:
Fixed an issue with incorrect calculation for DNS/SIP mitigation.

Fixed Versions:
15.1.2, 16.0.1.1


923301-2 : ASM, v14.1.x, Automatically apply ASU update on all ASMs in device group

Links to More Info: BT923301

Component: Application Security Manager

Symptoms:
From 14.1.0.2 and after, for ASMs in a device group, only the active device would update and install the attack signature update (ASU) and the ASU would then be synchronized and installed on other peer ASMs within the device group during a config sync.

Conditions:
Automatic installation of ASU on manual sync setup.

Impact:
- Since the standby ASM does not download/install the ASU during scheduled update, on a manual sync setup this would cause a difference in signature between the Active and Standby devices until a config sync takes place.
- When a failover occurs, the newly active device does not have the latest signature.

Workaround:
Manually sync the device group.

Fix:
A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.

Behavior Change:
A new sys db has been added, 'liveupdate.allowautoinstallonsecondary'. When it is set to true, automatic ASU installation will take place on each of the devices in the device group.

Fixed Versions:
14.1.4.4, 15.1.4, 16.0.1.2


923125-2 : Huge amount of admd processes caused oom

Links to More Info: BT923125

Component: Anomaly Detection Services

Symptoms:
The top command shows that a large number of admd processes are running.

Conditions:
-- Configuration with Sync-Failover device groups and BADOS.
-- Some stressful (unknown) condition occurs.

Impact:
Memory is exhausted.

Workaround:
Restart admd:
bigstart restart admd

Fix:
This issue no longer occurs.

Fixed Versions:
14.1.3.1, 15.1.2


922785-2 : Live Update scheduled installation is not installing on set schedule

Links to More Info: BT922785

Component: Application Security Manager

Symptoms:
A scheduled live update does not occur at the scheduled time.

Conditions:
A scheduled installation is set for only a single day, between 00:00-00:14.

Impact:
Automated installation does not initiate.

Workaround:
There are two options:
1. Install the update manually.
2. Set two consecutive days where the second day is the day with the schedule set between 00:00-00:14

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2


922665-2 : The admd process is terminated by watchdog on some heavy load configuration process

Links to More Info: BT922665

Component: Anomaly Detection Services

Symptoms:
The BIG-IP ASM watchdog process terminates the admd process.

Conditions:
During a heavy-load configuration process, such as a version upgrade.

Impact:
Restart of admd daemon. The restarts may be continuous. No stress-based anomaly detection or behavioral statistics aggregation until admd restarts.

Workaround:
For the case of continuous restarts, a partial solution is to disable admd during busy periods such as upgrades. To do so, issue the following two commands, in sequence, after the upgrade is complete:

bigstart stop admd
bigstart start admd

Fixed Versions:
14.1.4.5, 15.1.5


922597-2 : BADOS default sensitivity of 50 creates false positive attack on some sites

Links to More Info: BT922597

Component: Anomaly Detection Services

Symptoms:
False DoS attack detected. Behavioral DoS (ASM) might block legitimate traffic.

Conditions:
This can occur for some requests that have high latency and low TPS.

Impact:
False DoS attack detected. Behavioral DoS (ASM) can block legitimate traffic.

Workaround:
Modify the default sensitivity value from 50 to 500:
tmsh modify sys db adm.health.sensitivity value 500

For some sites with server latency issues, you might also have to increase the health.sensitivity value; 1000 is a reasonable number.

The result is that the attack is declared later than with the default value, but it is declared and the site is protected.

Fix:
The default sensitivity value of 500 now eliminates false positive DoS attack declarations.

Fixed Versions:
14.1.4, 15.1.3


922297-2 : TMM does not start when using more than 11 interfaces with more than 11 vCPUs

Links to More Info: BT922297

Component: TMOS

Symptoms:
TMM may not start when using more than 11 network interfaces with more than 11 vCPUs configured.

You see the following log entries in /var/log/tmm:

-- notice ixlv(1.1)[0:5.0]: Waiting for tmm10 to reach state 1...

In the TMM log for that TMM, you can see that it is waiting for tmm0, e.g.:

-- notice ixlv(1.10)[0:6.0]: Waiting for tmm0 to reach state 2...

Conditions:
-- BIG-IP Virtual Edition (VE).
-- More than 11 interfaces configured.
-- More than 11 vCPUs configured.

Impact:
TMM does not start.

Workaround:
Configure fewer network interfaces or vCPUs.

Fix:
Fixed an issue in which TMM startup became stuck in a loop when there are more than 10 interfaces and TMMs/vCPUs.

Fixed Versions:
13.1.4, 14.1.4.1, 15.1.3, 16.0.1.2


922261-2 : WebSocket server messages are logged even when it is not configured

Links to More Info: BT922261

Component: Application Security Manager

Symptoms:
BIG-IP systems send unexpected WebSocket server messages to the remote logging server.

Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- More than one remote logging profile is attached to a virtual server.
-- One of the remote loggers has response-logging=all.

Impact:
Remote logging server overloaded with unexpected WebSocket messages.

Workaround:
Set response-logging=illegal in all remote logging profiles.

Fix:
BIG-IP sends WebSocket server messages to a remote logger only when it is enabled in the logging profile.

Fixed Versions:
14.1.4.2, 15.1.4, 16.0.1.2


922185-1 : LDAP referrals not supported for 'cert-ldap system-auth'

Links to More Info: BT922185

Component: TMOS

Symptoms:
Admin users are unable to log in.

Conditions:
-- Remote LDAP auth enabled.
-- Administrative users are authenticated with the 'cert-ldap' source.
-- The admin user tries to log in.

Impact:
The cert-ldap authentication does not work, so login fails.

Workaround:
Manually edit /etc/nslcd.conf and set referrals to no.

Fixed Versions:
14.1.4.5, 15.1.4.1, 16.1.2


922105-3 : Avrd core when connection to BIG-IQ data collection device is not available

Links to More Info: BT922105

Component: Application Visibility and Reporting

Symptoms:
When a BIG-IP system is configured to work with BIG-IQ but cannot connect due to network problems, avrd restarts itself every 10 minutes. During such restarts, a core is sometimes generated.

Conditions:
BIG-IP system is registered on BIG-IQ, but there is no network connectivity for any number of reasons.

Impact:
No impact since there is no network connectivity with BIG-IQ, and the data from the BIG-IP system cannot be sent anywhere.

Workaround:
Attempts to connect to BIG-IQ can be disabled manually with the following command:

tmsh modify analytics global-settings use-offbox disabled

Fix:
Avrd no longer cores when the connection to the BIG-IQ data collection device is not available.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4.1, 16.1.2


921881-2 : Use of IPFIX log destination can result in increased CPU utilization

Links to More Info: BT921881

Component: Local Traffic Manager

Symptoms:
-- Increased baseline CPU.
-- The memory_usage_stats table shows a continuous increase in mds_* rows.

Conditions:
Configure IPFIX log destination and make regular changes to the associated configuration.

Impact:
Increased baseline CPU may result in exhaustion of CPU resources.

Workaround:
Limiting changes to associated configuration can slow the effects of this issue.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.2


921721-1 : FIPS 140-2 SP800-56Arev3 compliance

Links to More Info: BT921721

Component: Local Traffic Manager

Symptoms:
BIG-IP is not compliant with a NIST revision to the SP800-56A standard for cryptographic algorithms.

Conditions:
Using cryptographic algorithms covered by this revision in a FIPS 140-2 deployment.

Impact:
BIG-IP will comply with the older standard.

Workaround:
Updated cryptographic key assurances and pair-wise consistency checks according to the SP800-56Arev3 standard.

Fixed Versions:
14.1.3, 15.1.3


921697-3 : Attack signature updates fail to install with Installation Error.

Links to More Info: BT921697

Component: Application Security Manager

Symptoms:
Installing a new Attack Signature Update (ASU) file on an ASM/AWAF device that has a large number of active policies can result in a failure due to memory exceptions. The following errors can be observed:

/var/log/ts/asm_config_server.log:
F5::ASMConfig::Handler::handle_error,,Code: 406 , Error message = Process size (232341504) has exceeded max size (200000000)

/var/log/asm
crit perl[19751]: 01310027:2: ASM subsystem error (apply_asm_attack_signatures ,F5::LiveUpdate::PayloadHandler::clean_fail): Fail load update files: TSocket: timed out reading 1024 bytes from n.n.n.n:9781

Conditions:
1. Adding and activating a large number of policies on a BIG-IP system configured with ASM/AWAF. It is not known exactly how many policies are required to encounter this, but the risk appears to begin somewhere between 50 and 90 policies.

2. Installing a new ASU file.

Impact:
The attack signature update fails.

Workaround:
Impact of workaround:
Performing this workaround requires restarting ASM, so it affects traffic processing briefly; therefore, it is recommended that you perform this during a maintenance window.

Increase 'max memory size' from the default ~200 MB (200000000) to 300 MB:

1. Take a backup of the original file.
# cp /etc/ts/tools/asm_config_server.cfg /var/tmp/asm_config_server.original.cfg

2. Add the following line to the end of the file /etc/ts/tools/asm_config_server.cfg (without a leading '#', which would turn it into a comment):
AsyncMaxMemorySize=314572800

3. Restart ASM.
# bigstart restart asm

Fixed Versions:
14.1.4.6, 15.1.5.1, 16.1.2.1


921677-2 : Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI.

Links to More Info: BT921677

Component: Application Security Manager

Symptoms:
When deleting (via tmsh) bot-related ordered list items like bot white-lists, bot-microservices, and bot-microservices URLs, an error occurs when adding and saving new items via GUI:

Bot defense profile <profile full name> error: match-order should be unique.

Conditions:
1. Create three items with consecutive match-order values via tmsh, for example: three bot allow list items, the first with match-order 1, the second with match-order 2, and the third with match-order 3.

2. Delete item with the value: match-order 2 (in tmsh), and save.

3. Switch to the GUI, add new allow list item, and save.

Impact:
The system reports an error, and the bot configuration cannot be saved via GUI. However, dragging between items (and then dragging back) overcomes this error.

Workaround:
Drag between two items, and then drag back.

Fix:
Deletion of bot-related ordered items via tmsh no longer causes errors when adding new items via GUI.

Fixed Versions:
14.1.4, 15.1.3, 16.0.1.1


921625-2 : The certs extend function does not work for GTM/DNS sync group

Links to More Info: BT921625

Component: Global Traffic Manager (DNS)

Symptoms:
When GTM/DNS systems in the same sync group receive the error 'SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca', these systems cannot automatically connect to BIG-IP devices with which that GTM/DNS device has not already exchanged an SSL cert.

As part of normal functionality, when one GTM/DNS tries to connect to a BIG-IP server and receives 'unknown ca' SSL error, if its peer GTM/DNS has already built a connection with that BIG-IP server, then the second GTM/DNS system should also be able to connect to that BIG-IP server automatically. But it cannot because of this issue.

The problem exists only when the GTM/DNS device has not exchanged a cert with the BIG-IP server object, and there are two or more certs in /config/httpd/conf/ssl.crt/server.crt on that GTM/DNS device.

You might see messages similar to the following:

-- iqmgmt_ssl_connect: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
-- err gtmd[28112]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (336151576).
-- notice gtmd[28112]: 011ae03d:5: Probe to 10.10.0.3: buffer = <direct><![CDATA[<clientcert><ip>10.10.0.10</ip><target_ip>10.10.0.6</target_ip><cert>....

Conditions:
-- /config/httpd/conf/ssl.crt/server.crt file with two or more certs on the requesting GTM/DNS device, which results in that file being larger than 4000 bytes.

-- Configuration is as follows:
   1. GTMDNS1 and GTMDNS2 are in the same GTM/DNS sync group.
   2. GTMDNS1 has a self-authorized CA cert.
   3. You add a BIG-IP server that is reachable but with which GTMDNS1 has not exchanged SSL certs.

Impact:
Certain GTM/DNS systems in the sync group cannot automatically connect to BIG-IP devices as expected. You must run additional bigip_add commands on those GTM/DNS systems in the GTM/DNS sync group to add the BIG-IP server.

Workaround:
Run bigip_add on each GTM/DNS server to add the configured BIG-IP servers.

Fixed Versions:
13.1.3.6, 14.1.4, 15.1.3, 16.0.1.1


921421-3 : iRule support to get/set UDP's Maximum Buffer Packets

Links to More Info: BT921421

Component: Local Traffic Manager

Symptoms:
UDP profiles have a setting to set the Maximum Buffer Packets for UDP connections. This value cannot be modified with an iRule.

Conditions:
-- UDP profile is used.
-- You need to dynamically change the max buffer packets setting in an iRule.

Impact:
Unable to dynamically change the max buffer packets setting in an iRule.

Workaround:
None

Fix:
You can now dynamically change the max buffer packets setting in an iRule. The setting is UDP::max_buf_pkts.

Behavior Change:
A new iRule command has been added, UDP::max_buf_pkts. This allows you to dynamically override the maximum number of packets setting in the UDP profile.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1


921369 : Signature verification for logs fails if the log files are modified during log rotation

Links to More Info: BT921369

Component: TMOS

Symptoms:
Rotated log files that are modified immediately after log rotation and before signature generation can cause signature verification failure.

Conditions:
-- Log integrity feature is enabled.
-- A log rotation event occurs

Impact:
Signature verification may fail on rotated log files.

Fix:
Fixed an issue with signature verification failing on valid log files.

Fixed Versions:
15.1.1


921365-1 : IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby

Links to More Info: BT921365

Component: TMOS

Symptoms:
IKE-SAs are deleted on standby BIG-IP systems after a failover.

Conditions:
-- High availability (HA) environment
-- Dead-peer detection (DPD) / liveness checks are enabled
-- An HA failover occurs

This is a timing issue and can occur intermittently during a normal failover.

Impact:
Some of the IKE-SAs are missing on the standby device. When a failover happens, IPsec traffic will be dropped for those missing SAs.

Workaround:
Set IKE DPD interval time to ZERO (i.e., disable).

Fix:
When the BIG-IP system is in standby mode, the system no longer retries sending IKE/IPSEC control messages, which prevents this issue from occurring.

Fixed Versions:
15.1.4, 16.1.2


921361-2 : SSL client and SSL server profile names truncated in GUI

Links to More Info: BT921361

Component: TMOS

Symptoms:
Unable to see the full name of the SSL client and SSL server profiles when assigning them in the GUI.

Conditions:
In Local Traffic :: Virtual Server :: Properties, the fields for the 'Selected' and 'Available' lists are narrower than they were in previous versions.

Impact:
With longer SSL profile names, the full name is not visible. Even the default, provided profiles, such as crypto-server-default-clientssl and crypto-client-default-serverssl, are truncated.

Note: The fields remain at the limited width even when the browser window is maximized.

Workaround:
Use tmsh to see the full SSL client and SSL server name.

Fixed Versions:
15.1.1, 16.0.1.1


921337-2 : BIG-IP ASM WebSocket vulnerability CVE-2021-22976

Links to More Info: K88230177, BT921337


921181 : Wrong error message upon bad credential stuffing configuration

Links to More Info: BT921181

Component: BIG-IP Risk Engine

Symptoms:
When you try to configure credential stuffing and provide invalid parameters, you see a misleading error:

HTML Tag-like Content in the Request URL/Body

Conditions:
Configuring a bad ApplicationID or Access Token, or the wrong service type, generates a validation error, but the error message is confusing.

Impact:
A misleading error is displayed.

Workaround:
None.

Fix:
Wrong error message upon bad credential stuffing configuration has been corrected.

Fixed Versions:
15.1.2.1


921065 : BIG-IP systems not responding to DPD requests from initiator after failover

Links to More Info: BT921065

Component: TMOS

Symptoms:
After failover, the active BIG-IP system fails to respond to DPD requests from some of its eNB neighbors, which results in deletion of the IKE tunnel on the peer as well as on the BIG-IP system.

Conditions:
-- The BIG-IP is configured with more than 300 IKE/IPsec tunnels.
-- The BIG-IP system fails over.

Impact:
Since BIG-IP systems do not respond to DPD requests, eNB deletes the IKE tunnel after a few retries.

Workaround:
None.

Fix:
Fixed an issue with the BIG-IP system not responding to DPD requests after failover.

Fixed Versions:
15.1.4


920961-2 : Devices incorrectly report 'In Sync' after an incremental sync

Links to More Info: BT920961

Component: Application Security Manager

Symptoms:
The security policies assigned to a virtual server are different among the devices in a traffic-group.

Conditions:
-- ASM provisioned.
-- Manual Sync Active-Standby Failover Device Group with ASM sync enabled.
-- An L7 ASM security policy is manually changed on a virtual server (not using the ASM wizard).

Impact:
After incremental sync, devices report 'In Sync' but there is a configuration discrepancy in the security policy assigned to the virtual server.

Workaround:
Modify the underlying LTM policy to be 'legacy':
   # tmsh modify ltm policy <LTM Policy Name> legacy

Fix:
An internal config parameter is now available to work around this issue. In order to use the workaround, you must enable a db variable.

To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1

Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------

NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.

Behavior Change:
There is now an internal config parameter that enables a workaround for this issue. In order to use the workaround, you must enable a db variable.

To enable the workaround, run the following command from the CLI on every device in the device group:
------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1

Operation completed successfully. Don't forget to restart ASM to apply changes.
------------------------------------

NOTE: In this specific case, ASM restart is not required, despite the fact that a message says it is.

Fixed Versions:
14.1.3.1, 15.1.2, 16.0.1.1


920361-2 : Standby device name sent in Traffic Statistics syslog/Splunk messages

Links to More Info: BT920361

Component: Advanced Firewall Manager

Symptoms:
'Traffic Statistics' syslog/Splunk messages are sent with the hostname of the standby device.

Conditions:
When a virtual server is configured with a security logging profile enabled for DoS Protection logging.

Impact:
'Traffic Statistics' syslog/Splunk messages show the wrong hostname. It should show the active device hostname.

Workaround:
None.

Fix:
Corrected Traffic Statistics syslog/Splunk messages to show the hostname of the active instead of the standby device in logging messages.

Fixed Versions:
14.1.3.1, 15.1.1


920301-1 : Unnecessarily high number of JavaScript Obfuscator instances when device is busy

Links to More Info: BT920301

Component: TMOS

Symptoms:
When the device has a high CPU or I/O rate, the JavaScript Obfuscator can run multiple times simultaneously, causing even higher CPU usage.

Conditions:
-- ASM/DoS/FPS are provisioned.
-- BIG-IP device is experiencing a high CPU or I/O rate.

Impact:
High CPU Usage.

Workaround:
None.

Fix:
The system now avoids creating multiple JavaScript Obfuscator processes.

Fixed Versions:
14.1.3.1, 15.1.2


920197-3 : Brute force mitigation can stop mitigating without a notification

Links to More Info: BT920197

Component: Application Security Manager

Symptoms:
A brute force attack coming from an entity (such as an IP address, etc.) may be stopped prematurely.

Conditions:
-- Many brute force attacks are happening at once, coming from many sources.
-- Distributed attack is not detected (due to configuration).

Impact:
At some point, an entity might not be mitigated due to the sheer number of mitigated entities. When this occurs, there is no notification.

Workaround:
None.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.0.1.2


920149-1 : Live Update default factory file for Server Technologies cannot be reinstalled

Links to More Info: BT920149

Component: Application Security Manager

Symptoms:
Live Update default factory file for Server Technologies cannot be reinstalled once it is no longer the currently installed update file.

Conditions:
This occurs:

-- Once another update file for Server Technologies has been installed (most likely, a newer file).
-- If the device has been upgraded from a prior release such that the currently installed Server Technologies file is from the previous release, and is not the default factory file for the current release.

Impact:
Live Update default factory file for Server Technologies cannot be reinstalled.

Workaround:
None.

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.1


919989-2 : TMM does not follow TCP best practices

Links to More Info: K64571774, BT919989


919841-3 : AVRD may crash while processing Bot Defense traffic

Links to More Info: K45143221, BT919841


919745-2 : CSV files downloaded from the Dashboard have the first row with all 'NaN'

Links to More Info: BT919745

Component: TMOS

Symptoms:
In the Dashboard .csv file, all of the values in the first row are set to 'NaN'.

Conditions:
This is encountered when loading the downloaded Dashboard .csv files with historical data from the GUI.

Impact:
The first row of the downloaded .csv from Dashboard shows all the values as 'NaN'.

Workaround:
None.

Fix:
Fixed an issue with 'NaN' being reported in the first line of the downloaded dashboard .csv files.

Fixed Versions:
14.1.2.8, 15.1.0.5, 16.0.1


919553-2 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.

Links to More Info: BT919553

Component: Global Traffic Manager (DNS)

Symptoms:
GTM/DNS monitors based on the TCP protocol may fail to find the configured receive string in the server's response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when the server's response spans multiple packets (for example, when the response is particularly large or includes dynamically generated content delivered in chunks).

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by ensuring your server returns a response to the BIG-IP GTM/DNS's monitor that fits in one packet.

Fix:
GTM/DNS monitors based on the TCP protocol no longer fail when the server's response spans multiple packets.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1


919465-2 : A dwbld core on configuration changes on IP Intelligence policy

Links to More Info: BT919465

Component: Advanced Firewall Manager

Symptoms:
A dwbld core occurs on configuration changes on IP Intelligence policy.

Conditions:
Configuration changes on IP Intelligence policy with assigned feed-list.

Impact:
A dwbld restart. Enforcement of dynamic white/black configuration does not occur while dwbld restarts.

Workaround:
None.

Fix:
Feed-list entries are no longer included in the list of entries with expiration.

Fixed Versions:
15.1.5


919381-1 : Extend AFM subscriber aware policy rule feature to support multiple subscriber groups

Component: Advanced Firewall Manager

Symptoms:
Currently, AFM does not support matching rules against multiple subscriber policies.

Conditions:
-- AFM provisioned.
-- You wish to match rules against multiple subscriber policies.

Impact:
AFM rules cannot be matched against multiple subscriber policies

Workaround:
None

Fix:
AFM rules can now be matched against multiple subscriber policies.

Fixed Versions:
15.1.2.1


919317-5 : NSM consumes 100% CPU processing nexthops for recursive ECMP routes

Links to More Info: BT919317

Component: TMOS

Symptoms:
The NSM process might enter a state where it gets stuck at 100% CPU usage.

Conditions:
ECMP routes reachable via recursive nexthops.

Impact:
NSM is stuck at 100% CPU usage.

Workaround:
Avoid using ECMP routes reachable via recursive nexthops.

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1


919305-2 : Appliance mode is not working on BIG-IP 14.1.x tenant deployed on VELOS.

Links to More Info: BT919305

Component: TMOS

Symptoms:
Appliance mode does not enable on BIG-IP 14.1.x tenants deployed on VELOS.

Conditions:
A BIG-IP 14.1.3 tenant is deployed on VELOS with Appliance Mode enabled.

Impact:
The appliance mode restriction is not working as expected. The root account still has bash access.

Workaround:
N/A

Fix:
Appliance mode will now function when configured on a BIG-IP tenant deployed on VELOS.

Fixed Versions:
15.1.4


919301-3 : GTP::ie count does not work with -message option

Links to More Info: BT919301

Component: Service Provider

Symptoms:
The 'GTP::ie count' iRule command does not work with the -message option. The command fails with an error:

wrong # args: should be "-type <ie-path>"

Conditions:
Issue the 'GTP::ie count' command with -message command, for example:

GTP::ie count -message $m -type apn

Impact:
The iRule fails, which could cause a connection abort.

Workaround:
Swap the argument order by moving -message to the end, for example:

GTP::ie count -type apn -message $m

There is a warning message due to iRules validation, but the command works at runtime.

Fix:
'GTP::ie count' now works with the -message option.

Fixed Versions:
13.1.5, 14.1.4.4, 15.1.4, 16.1.1


919249-2 : NETHSM installation script hardening

Links to More Info: K47662005, BT919249


919001-2 : Live Update: Update Available notification is shown twice in rare conditions

Links to More Info: BT919001

Component: Application Security Manager

Symptoms:
When entering the Live Update page, the Update Available notification is sometimes shown twice.

Conditions:
This can be encountered on the first load of the Live Update page.

Impact:
Notification is shown twice.

Workaround:
None.

Fix:
Notification is shown only once in all cases.

Fixed Versions:
14.1.2.8, 15.1.2, 16.0.1.1


918933-2 : The BIG-IP ASM system may not properly perform signature checks on cookies

Links to More Info: K88162221, BT918933

Component: Application Security Manager

Symptoms:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Conditions:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Impact:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Workaround:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Fix:
For more information, please see:
https://support.f5.com/csp/article/K88162221

Fixed Versions:
11.6.5.3, 12.1.5.3, 13.1.3.6, 14.1.2.8, 15.1.2, 16.0.1.1


918717-2 : Exception at rewritten Element.innerHTML='<a href></a>'

Links to More Info: BT918717

Component: Access Policy Manager

Symptoms:
If the "href" attribute of an anchor tag in a web application does not have any value, an exception will be thrown.

Conditions:
-- Rewrite enabled
-- The href attribute of an anchor tag on a web page does not have a value, for example:

<script>
  d = document.createElement('div');
  try {
    d.innerHTML = "<a href b=1>click</a>";
  } catch (e) {
    alert(e.message);
  }
</script>

Impact:
Web page does not load properly.

Workaround:
Find the "href" attributes of anchor tags and give them an empty value:

Before:
<a href></a>

After:
<a href=""></a>

Fix:
Fixed an issue with rewrite of anchors that contain an empty href attribute.

Fixed Versions:
15.1.4.1


918597-5 : Under certain conditions, deleting a topology record can result in a crash.

Links to More Info: BT918597

Component: Global Traffic Manager (DNS)

Symptoms:
During a topology load balancing decision, TMM can crash.

Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.

Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
Topology record changes are now done in a way that prevents the possibility of TMM crashing when making load balancing decisions in which the record is used.

Fixed Versions:
13.1.4.1, 14.1.4.2, 15.1.4, 16.0.1.2


918409-2 : BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures

Links to More Info: BT918409

Component: TMOS

Symptoms:
If a BIG-IP device has more than 24 tmm instances and one of the tmm processes above the 24th loops (e.g., in response to an internal issue), its heartbeat is not monitored and it loops indefinitely.

Conditions:
-- BIG-IP i15600 / i15800 platforms.
-- Another issue occurs that causes a tmm process greater than the 24th tmm process to loop.

Impact:
Traffic disrupted on the tmm process that is looping indefinitely.

Workaround:
1. Manually change /defaults/daemon.conf to include the appropriate tmm number and respective heartbeat action if the supported tmm is not listed.

Note: The change does not persist across software installs.

    a. mount -o remount,rw /usr
    b. Edit /defaults/daemon.conf and put these contents at the top of the file:

sys daemon-ha tmm24 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm25 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm26 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm27 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}

    c. mount -o remount,ro /usr

2. After performing the edit, load the changes into the running configuration via 'tmsh load sys config partitions all'.
3. Verify that sod is now correctly monitoring tmm instances above tmm24 using a command such as:

    tmsh show sys ha-status all-properties | grep "daemon-heartbeat" | grep tmm

Fixed Versions:
13.1.5, 14.1.4.6, 15.1.5.1


918317-2 : SSL Orchestrator resets subsequent requests when HTTP services are being used.

Links to More Info: BT918317

Component: SSL Orchestrator

Symptoms:
When connections are reused for subsequent requests, the subsequent requests might get aborted with reset cause 'connector service reconnected'.

Conditions:
SSL Orchestrator with HTTP services and multiple requests in a connection.

Impact:
Subsequent requests might get aborted with reset cause 'connector service reconnected'.

Workaround:
None

Fix:
SSL Orchestrator no longer aborts subsequent requests in the same connection.

Fixed Versions:
14.1.4.4, 15.1.4


918209-3 : GUI Network Map icons color scheme is not section 508 compliant

Links to More Info: BT918209

Component: TMOS

Symptoms:
The Network Map color scheme is not compliant with Section 508 of the Rehabilitation Act (section 508). There is no clear difference between a green/active node and the blue/square items. With the new system colors and flat shapes, the icons are nearly identical. Other than shape (circle vs. square), the new colors appear identical; the blue and green appear as nearly one color.

Conditions:
Accessing Network Map from GUI via Local Traffic :: Network Map.

Impact:
There is no clear color difference between a green/active node icon and the blue/square icon.

Workaround:
None.

Fix:
Modified the color codes. Now the Network Map icons color scheme is section 508 compliant.

Fixed Versions:
14.1.2.8, 15.1.0.5, 16.0.1


918169-1 : The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.

Links to More Info: BT918169

Component: Global Traffic Manager (DNS)

Symptoms:
The GTM/DNS HTTPS monitor may fail to find the configured receive string in an HTTP response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when all of the following conditions are true:

-- The server being monitored performs an unclean shutdown of the SSL session (the underlying TCP connection is closed without first issuing a close notify alert at the SSL level).

-- The server's HTTP response does not terminate with a newline.

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by performing any one of the following actions:

-- Ensure the server issues a close notify alert before it closes the underlying TCP connection.

-- Ensure the server's HTTP response ends with a newline.

Fix:
The GTM/DNS HTTPS monitor no longer fails when the SSL peer performs an unclean shutdown.

Fixed Versions:
13.1.3.6, 14.1.2.7, 15.1.2, 16.0.1.1


918097-3 : Cookies set in the URI on Safari

Links to More Info: BT918097

Component: Application Security Manager

Symptoms:
When Bot Defense performs a 307 Redirect, the cookie is set on the URL if Bot Defense detects the Safari browser.

Conditions:
-- Bot Defense profile is attached to virtual server.
-- 'Browser Verification' set to 'Verify Before Access' or 'Verify After Access'.
-- 'Cross Domain Requests' set to 'Validate Upon Request'.
-- Surfing on Safari browser to a related domain.

Impact:
A cookie is set on the URL.

Workaround:
None.

Fix:
A new db variable has been added, botdefense.safari_redirect_no_cookie_mode, to allow you to control whether the cookie is added to the URL.

Behavior Change:
BIG-IP systems now have an option to set the cookie using a set-cookie header in the response and not save it as part of the URL.

This is done by a new BigDB variable, set with the same 'tmsh modify sys db' form used for other db variables:
tmsh modify sys db botdefense.safari_redirect_no_cookie_mode value disable

The default value is the original behavior (enable), which sets the cookie in the URL.

NOTE: If the site is using iFrames, changing this BigDB variable might cause the cookie to be ignored and therefore for requests to be blocked.

Fixed Versions:
14.1.4.1, 15.1.3, 16.0.1.2


918081-1 : Application Security Administrator role cannot create parent policy in the GUI

Links to More Info: BT918081

Component: Application Security Manager

Symptoms:
In the GUI, for the Application Security Administrator role, when you create a new ASM policy, the Policy Type is greyed out and a parent policy cannot be created.

Conditions:
-- Create a user account with the Application Security Administrator user role.
-- Use that account to log on to the GUI and try to create or edit a parent policy.

Impact:
The following actions are unavailable to accounts with the Application Security Administrator role:
-- Create/Edit parent policy.
-- Edit Inheritance Settings for a parent policy.
-- Clone Policy (selecting the policy type is disabled).

Workaround:
There are two possible workarounds:
-- Have the Administrator or Resource Administrator create a parent policy instead of the Application Security Administrator.
-- Create the parent policy using tmsh or an iControl REST call.

Fix:
The Application Security Administrator role can now create the parent policy when required.

Fixed Versions:
15.1.1, 16.0.1.1


917509-3 : BIG-IP ASM vulnerability CVE-2020-27718

Links to More Info: K58102101, BT917509


917469-2 : TMM may crash while processing FPS traffic

Links to More Info: K53821711, BT917469


917005-5 : ISC BIND Vulnerability: CVE-2020-8619

Links to More Info: K19807532


916969-3 : Support of Microsoft Identity 2.0 platform

Links to More Info: BT916969

Component: Access Policy Manager

Symptoms:
BIG-IP APM does not provide an OAuth provider template for Microsoft Identity Platform 2.0.

Conditions:
This is encountered if you want to use Microsoft Identity Platform 2.0 as an OAuth identity provider.

Impact:
Unable to configure Microsoft Identity Platform 2.0 on BIG-IP using a built-in template.

Workaround:
Use the Custom template of the OAuth provider, which lets you configure the provider and run discovery against the new endpoints.

Fixed Versions:
14.1.4, 15.1.3


916821-2 : iControl REST vulnerability CVE-2021-22974

Links to More Info: K68652018, BT916821


916781-1 : Validation error while attaching DoS profile to GTP virtual

Links to More Info: BT916781

Component: Service Provider

Symptoms:
A validation error is reported when attaching a DoS security profile to a GPRS Tunneling Protocol (GTP) virtual server.

Conditions:
Attach a DoS security profile to a GTP virtual server.

Impact:
Validation error. The DoS profile cannot be attached to the GTP virtual server.

Workaround:
None.

Fix:
A DoS security profile can now be attached to a GTP virtual server without a validation error.

Fixed Versions:
15.1.4, 16.0.1


916753-2 : RESOLV::lookup returns empty string when querying against a local virtual server, and results in possible tmm core

Links to More Info: BT916753

Component: Global Traffic Manager (DNS)

Symptoms:
-- RESOLV::lookup returns an empty string.
-- TMM might crash.

Conditions:
An iRule runs RESOLV::lookup targeting the query toward a local virtual server. For instance:

    RESOLV::lookup @/Common/my_dns_virtual www.example.com

Impact:
RESOLV::lookup does not return the expected result;
tmm might crash. Traffic disrupted while tmm restarts.

Workaround:
In the RESOLV::lookup command, replace the name of the virtual server with its IP address, or the IP address of an external DNS server.

For instance, if /Common/my_dns_virtual has destination 192.0.2.53:53:

instead of this: RESOLV::lookup @/Common/my_dns_virtual
use this: RESOLV::lookup @192.0.2.53

Fixed Versions:
15.1.2, 16.0.1.1


916589-2 : QUIC drops 0RTT packets if CID length changes

Links to More Info: BT916589

Component: Local Traffic Manager

Symptoms:
QUIC sometimes rejects valid 0RTT packets.

Conditions:
-- QUIC enabled.
-- The length of the connection ID the client uses as the destination CID for the server does not match the length of the CID the server assigned.

Impact:
QUIC drops 0RTT packets. Lost 0RTT packets increase latency.

Workaround:
None.

Fix:
Fixed an issue with 0RTT packets when using QUIC.

Fixed Versions:
15.1.0.5, 16.0.1.1
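
The following is an added example (not BIG-IP code) of the connection-ID bookkeeping behind this entry. It builds and parses the version-independent QUIC long header of RFC 8999 and shows that a server must accept a 0-RTT packet whose Destination Connection ID is either the client's original DCID (used before the server's first reply, RFC 9000 section 7.2) or a CID the server itself issued, even when the two differ in length. The packet bytes are constructed here; the page does not state the internal cause of the bug, so the `reject_on_length_mismatch` switch is only an assumed model of the symptom.

```python
"""QUIC long-header connection-ID bookkeeping (added example, not BIG-IP code).

Builds and parses the invariant long header of RFC 8999 section 5.1 and shows
why 0-RTT acceptance must key on the CID value, not its length. All packets
below are constructed; `reject_on_length_mismatch` is an assumed model of the
symptom described on the page, not the actual BIG-IP code path."""
import struct

INITIAL, ZERO_RTT, HANDSHAKE, RETRY = 0, 1, 2, 3   # RFC 9000 section 17.2
QUIC_V1 = 0x00000001


def build_long_header(packet_type, dcid, scid, version=QUIC_V1):
    """First byte: header form 1, fixed bit 1, 2-bit long packet type."""
    first = 0xC0 | (packet_type << 4)
    return (bytes([first]) + struct.pack(">I", version)
            + bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid)


def parse_long_header(pkt):
    """Parse the version-independent fields; ValueError on a malformed packet."""
    if len(pkt) < 7 or not pkt[0] & 0x80:
        raise ValueError("not a QUIC long header")
    version = struct.unpack(">I", pkt[1:5])[0]
    dcid_len = pkt[5]
    dcid = pkt[6:6 + dcid_len]
    off = 6 + dcid_len
    if off >= len(pkt) or len(dcid) != dcid_len:
        raise ValueError("truncated DCID")
    scid_len = pkt[off]
    scid = pkt[off + 1:off + 1 + scid_len]
    if len(scid) != scid_len:
        raise ValueError("truncated SCID")
    return {"type": (pkt[0] >> 4) & 0x03, "version": version,
            "dcid": dcid, "scid": scid}


class ServerConnection:
    """Tracks the CIDs under which a server will accept a client's packets."""

    def __init__(self, client_initial):
        hdr = parse_long_header(client_initial)
        if hdr["type"] != INITIAL:
            raise ValueError("expected a client Initial")
        self.original_dcid = hdr["dcid"]   # client-chosen, typically 8 bytes
        self.issued_cids = set()           # server-chosen, any length 0..20

    def issue_cid(self, cid):
        """Record a CID the server advertised (e.g. as SCID of its Initial)."""
        self.issued_cids.add(cid)

    def accepts_zero_rtt(self, pkt, reject_on_length_mismatch=False):
        hdr = parse_long_header(pkt)
        if hdr["type"] != ZERO_RTT:
            return False
        if reject_on_length_mismatch and len(hdr["dcid"]) != len(self.original_dcid):
            return False   # assumed model of the reported drop; not correct behaviour
        # Correct: 0-RTT sent before the server's reply still carries the original
        # DCID; 0-RTT sent afterwards carries a server-issued CID. Both are valid.
        return hdr["dcid"] == self.original_dcid or hdr["dcid"] in self.issued_cids


if __name__ == "__main__":
    client_dcid, client_scid = bytes(range(8)), b"\x11" * 8
    srv = ServerConnection(build_long_header(INITIAL, client_dcid, client_scid))
    srv.issue_cid(b"\xaa\xbb\xcc\xdd")                 # server picks a 4-byte CID
    early = build_long_header(ZERO_RTT, client_dcid, client_scid)
    later = build_long_header(ZERO_RTT, b"\xaa\xbb\xcc\xdd", client_scid)
    for name, pkt in (("early 0-RTT", early), ("later 0-RTT", later)):
        print(name, "correct:", srv.accepts_zero_rtt(pkt),
              "length-check model:", srv.accepts_zero_rtt(pkt, True))
```

Running the block shows the later 0-RTT packet, addressed to the server's shorter CID, is accepted by the value-based check and refused by the length-based model.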


915981-3 : BIG-IP SCP hardening

Links to More Info: K38271531, BT915981


915957-1 : The wocplugin may get into a restart loop when AAM is provisioned

Links to More Info: BT915957

Component: Local Traffic Manager

Symptoms:
When AAM is provisioned, wocplugin resource allocation may fail, which can leave the plugin in a restart loop. This renders the AAM module nonfunctional.

Conditions:
Application Acceleration Manager (AAM) is provisioned.

Impact:
AAM is not functional.

Workaround:
None.

Fix:
The wocplugin is now correctly provisioned and runs without restarts.

Fixed Versions:
14.1.3, 15.1.2


915825-2 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.

Links to More Info: BT915825

Component: TMOS

Symptoms:
A configuration error occurs during upgrade because the Drafts folder associated with a custom partition remains in the configuration file after the partition has been deleted.

Configuration error: Can't associate folder (/User/Drafts) folder does not exist.

Conditions:
This occurs in the following scenario:

1. Create Partition.
2. Create Policy under that partition.
3. Delete Policy.
4. Delete Partition.
5. Upgrade.

Impact:
Upgrade fails when a Drafts folder remains under a custom partition folder whose partition has been deleted.

Workaround:
Manually remove the stale folders in the configuration file, or use a script to remove them.
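
As an added example (not F5 code) of the scripted workaround, the following removes folder stanzas whose parent folder no longer exists, which is what an orphaned /User/Drafts looks like after /User has been deleted. The `sys folder <path> { ... }` stanza layout and the sample configuration are assumptions constructed for this example; run it against a copy of the file and review what it removes before upgrading.

```python
"""Remove stale folder stanzas (e.g. /User/Drafts left behind by a deleted
partition) from a BIG-IP configuration file before an upgrade.

Added example, not F5 code. The `sys folder <path> { ... }` stanza layout and
the sample configuration below are assumptions constructed for this example."""
import re
import sys

FOLDER_RE = re.compile(r"^sys folder (\S+) \{")

# Constructed sample: /User was deleted but its Drafts folder survived.
SAMPLE_CONF = """\
sys folder / {
    device-group none
    traffic-group traffic-group-1
}
sys folder /Common {
    device-group none
    traffic-group traffic-group-1
}
sys folder /Common/Drafts {
    device-group none
    traffic-group traffic-group-1
}
sys folder /User/Drafts {
    device-group none
    traffic-group traffic-group-1
}
"""


def split_stanzas(text):
    """Split the file into top-level `... { ... }` blocks by brace depth.
    Lines outside any block (blank lines, comments) become blocks of their own."""
    stanzas, buf, depth = [], [], 0
    for line in text.splitlines(keepends=True):
        buf.append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0:
            stanzas.append("".join(buf))
            buf = []
    if buf:                       # unterminated block: keep it, never drop text
        stanzas.append("".join(buf))
    return stanzas


def folder_name(stanza):
    m = FOLDER_RE.match(stanza)
    return m.group(1) if m else None


def parent_of(path):
    """'/User/Drafts' -> '/User', '/Common' -> '/', '/' -> None."""
    if path == "/":
        return None
    return path.rsplit("/", 1)[0] or "/"


def remove_stale_folders(text):
    """Return (cleaned_text, removed_folder_paths). Repeats until no folder
    references a missing parent, so a whole orphaned subtree is removed."""
    stanzas = split_stanzas(text)
    removed = []
    while True:
        present = {folder_name(s) for s in stanzas if folder_name(s)}
        stale = [s for s in stanzas
                 if folder_name(s) and parent_of(folder_name(s)) is not None
                 and parent_of(folder_name(s)) not in present]
        if not stale:
            return "".join(stanzas), removed
        removed.extend(folder_name(s) for s in stale)
        stanzas = [s for s in stanzas if s not in stale]


if __name__ == "__main__":
    # Usage: python clean_folders.py /path/to/config.copy > cleaned.conf
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    cleaned, gone = remove_stale_folders(src)
    for path in gone:
        print("removed stale folder:", path, file=sys.stderr)
    sys.stdout.write(cleaned)
```

Only stanzas matching the `sys folder` pattern are ever removed; everything else, including unterminated blocks, is passed through unchanged so the script cannot silently drop unrelated configuration.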

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1


915773-1 : Restart of TMM after stale interface reference

Links to More Info: BT915773

Component: Local Traffic Manager

Symptoms:
An assert is reported in the logs:
panic: ../net/ifc.c:975: Assertion "ifc ref valid" failed.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
14.1.4.4, 15.1.4.1, 16.1.2


915713-2 : Support QUIC and HTTP3 draft-29

Links to More Info: BT915713

Component: Local Traffic Manager

Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-27 and draft-28. IETF has released draft-29.

Conditions:
The browser requests draft-29.

Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.

Workaround:
None.

Fix:
The BIG-IP system now supports draft-29 and draft-28, and has removed draft-27 support.

Fixed Versions:
15.1.1, 16.0.1.1


915689-1 : HTTP/2 dynamic header table may fail to identify indexed headers on the response side.

Links to More Info: BT915689

Component: Local Traffic Manager

Symptoms:
Some HTTP/2 response headers may be added to the dynamic header table even though the same header is already stored in the table. Instead of subsequent responses using the existing dynamic table index, these headers are repeatedly sent as literals with incremental indexing.

Conditions:
-- HTTP/2 clientside profile.
-- Concurrent HTTP/2 responses contain headers.

Impact:
Select HTTP/2 response headers may fail to use the dynamic header table index. These headers are incrementally indexed on subsequent responses instead of using the existing table index.

Workaround:
None.

Fix:
HTTP/2 response headers now properly use the dynamic header table index when possible.

Fixed Versions:
13.1.3.5, 14.1.3.1, 15.1.1, 16.0.1
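
To make the symptom concrete, the following added example (not BIG-IP code) is a minimal HPACK encoder in the sense of RFC 7541. It keeps a dynamic table and, for each response header, either emits a one-byte indexed representation when an identical entry is already in the table or a literal with incremental indexing that also inserts the entry. Huffman coding and the 61-entry static table are omitted (assumption); the `reuse_table=False` mode models the behaviour described above, where the encoder never finds the existing entry and keeps storing duplicates.

```python
"""Minimal HPACK (RFC 7541) encoder showing dynamic-table reuse.

Added example, not BIG-IP code. Huffman coding and the 61-entry static table
are omitted (assumption), so a hit or miss is decided by the dynamic table
alone; dynamic-table indices therefore start at 62 (RFC 7541 section 2.3.3).
`reuse_table=False` models the symptom described above: the encoder never finds
an existing entry, so it re-emits the header as a literal with incremental
indexing and stores a duplicate copy every time."""

STATIC_TABLE_SIZE = 61   # RFC 7541 Appendix A
ENTRY_OVERHEAD = 32      # RFC 7541 section 4.1: entry size = name + value + 32


def encode_int(value, prefix_bits, flags):
    """Integer representation with an N-bit prefix (RFC 7541 section 5.1)."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def encode_string(text):
    """String literal without Huffman coding (H bit 0), section 5.2."""
    data = text.encode("utf-8")
    return encode_int(len(data), 7, 0x00) + data


class HpackEncoder:
    def __init__(self, max_size=4096, reuse_table=True):
        self.max_size = max_size
        self.reuse_table = reuse_table
        self.table = []            # newest entry first (section 2.3.2)

    def size(self):
        return sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in self.table)

    def add(self, name, value):
        self.table.insert(0, (name, value))
        while self.size() > self.max_size:   # evict oldest entries (section 4.4)
            self.table.pop()

    def lookup(self, name, value):
        """Index of an exact (name, value) match in the dynamic table, or None."""
        if not self.reuse_table:
            return None
        for pos, entry in enumerate(self.table):
            if entry == (name, value):
                return STATIC_TABLE_SIZE + pos + 1
        return None

    def encode(self, headers):
        """Encode one header block; headers is a list of (name, value) pairs."""
        out = bytearray()
        for name, value in headers:
            idx = self.lookup(name, value)
            if idx is not None:
                out += encode_int(idx, 7, 0x80)   # indexed header field (6.1)
            else:
                # literal with incremental indexing, new name (6.2.1); the
                # name-only index optimisation is omitted for brevity
                out += encode_int(0, 6, 0x40)
                out += encode_string(name)
                out += encode_string(value)
                self.add(name, value)
        return bytes(out)


if __name__ == "__main__":
    response = [("content-type", "text/html"), ("server", "BIG-IP")]
    for reuse in (True, False):
        enc = HpackEncoder(reuse_table=reuse)
        sizes = [len(enc.encode(response)) for _ in range(3)]
        print(f"reuse_table={reuse}: block sizes {sizes}, table entries {len(enc.table)}")
```

With reuse the second and third header blocks shrink to two bytes and the table holds two entries; without it every block is re-sent in full and the table fills with duplicates, which is the wasted bandwidth and table space the fix removes.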


915605-6 : Image install fails if i