Supplemental Document : BIG-IP 16.1.4.3 Fixes and Known Issues

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 16.1.4

BIG-IP Analytics

  • 16.1.4

BIG-IP Link Controller

  • 16.1.4

BIG-IP LTM

  • 16.1.4

BIG-IP PEM

  • 16.1.4

BIG-IP AFM

  • 16.1.4

BIG-IP FPS

  • 16.1.4

BIG-IP DNS

  • 16.1.4

BIG-IP ASM

  • 16.1.4
Updated Date: 04/22/2024

BIG-IP Release Information

Version: 16.1.4.3
Build: 3.0

Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

The blue background highlights fixes


Cumulative fixes from BIG-IP v16.1.4.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v16.1.4 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.5 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.4 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.3 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v16.1.3 that are included in this release
Cumulative fixes from BIG-IP v16.1.2.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.2.1 that are included in this release
Cumulative fixes from BIG-IP v16.1.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.1 that are included in this release
Known Issues in BIG-IP v16.1.x

Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1366025-2 CVE-2023-44487 K000137106, BT1366025 A particular HTTP/2 sequence may cause high CPU utilization. 16.1.4.3, 15.1.10.4


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1495217-3 3-Major   TMUI hardening 16.1.4.3, 15.1.10.4
1492361-2 3-Major   TMUI Security Hardening 16.1.4.3, 15.1.10.4
1360917-4 4-Minor   TMUI hardening 16.1.4.3, 15.1.10.4



Cumulative fixes from BIG-IP v16.1.4.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1361169-2 CVE-2023-40534 K000133467, BT1361169 Connections may persist after processing HTTP/2 requests 17.1.1.1, 16.1.4.2
1117229-1 CVE-2022-26377 K26314875, BT1117229 CVE-2023-46747 and CVE-2022-26377: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp 17.1.1.1, 16.1.4.2, 15.1.10.3
1391357-1 CVE-2023-43125 K000136909, BT1391357 Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address 17.1.1.1, 16.1.4.2, 15.1.10.3
1381357-2 CVE-2023-46748 K000137365, BT1381357 CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability 17.1.1.1, 16.1.4.2, 15.1.10.3
1240121-1 CVE-2022-36760 K000132643, BT1240121 CVE-2023-46747 and CVE-2022-36760: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp 17.1.1.1, 16.1.4.2, 15.1.10.3


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1354253-2 3-Major K000137322, BT1354253 HTTP Request smuggling with redirect iRule 17.1.1.1, 16.1.4.2, 15.1.10.3


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1316277-2 3-Major K000137796, BT1316277 Large CRL files may only be partially uploaded 17.1.1, 16.1.4.2, 15.1.10.3



Cumulative fixes from BIG-IP v16.1.4.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1324745-2 CVE-2023-41373 K000135689, BT1324745 An undisclosed TMUI endpoint may allow unexpected behavior 17.1.0.3, 16.1.4.1, 15.1.10.2, 14.1.5.6


Functional Change Fixes

None



Cumulative fixes from BIG-IP v16.1.4 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1167897-6 CVE-2022-40674 K44454157, BT1167897 [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c 17.1.1, 16.1.4, 15.1.9
1121661-2 CVE-2023-40534 K000133467, BT1121661 TMM may core while processing HTTP/2 requests 17.1.0, 16.1.4
981917-4 CVE-2020-8286 K15402727 CVE-2020-8286 - cUrl Vulnerability 17.1.1, 16.1.4, 15.1.10
949857-7 CVE-2024-22389 K32544615, BT949857 Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync 17.1.1, 16.1.4, 15.1.9
884541-9 CVE-2023-40537 K29141800, BT884541 Improper handling of cookies on VIPRION platforms 17.1.0, 16.1.4, 15.1.9
1314301-2 CVE-2024-23805 K000137334, BT1314301 TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled 17.1.1, 16.1.4, 15.1.10
1295661-2 CVE-2023-38418 K000134746, BT1295661 BIG-IP Edge Client for macOS vulnerability CVE-2023-38418 17.1.1, 16.1.4
1289189-3 CVE-2024-24775 K000137333, BT1289189 In certain traffic patterns, TMM crash 17.1.1, 16.1.4, 15.1.10
1271349-3 CVE-2023-25690 K000133098, BT1271349 CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy 17.1.1, 16.1.4, 15.1.9
1238629-1 CVE-2024-21763 K000137521, BT1238629 TMM core when processing certain DNS traffic with bad actor (BA) enabled 17.1.1, 16.1.4, 15.1.10
1220629-3 CVE-2024-23314 K000137675, BT1220629 TMM may crash on response from certain backend traffic 17.1.1, 16.1.4, 15.1.9
1208529-4 CVE-2023-41085 K000132420, BT1208529 TMM crash when handling IPSEC traffic 17.1.0, 16.1.4, 15.1.9
1195489-2 CVE-2024-22093 K000137522, BT1195489 iControl REST input sanitization 17.1.1, 16.1.4, 15.1.9
1189465-3 CVE-2023-24461 K000132539, BT1189465 Edge Client allows connections to untrusted APM Virtual Servers 17.1.0.3, 16.1.4, 15.1.9
1189461-3 CVE-2023-36858 K000132563, BT1189461 BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-36858 17.1.1, 16.1.4
1183453-1 CVE-2022-31676 K87046687 Local privilege escalation vulnerability (CVE-2022-31676) 17.1.0, 16.1.4, 15.1.9
1167929-4 CVE-2022-40674 K44454157, BT1167929 CVE-2022-40674 - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c 17.1.1, 16.1.4, 15.1.9
1161733-4 CVE-2023-40542 K000134652, BT1161733 Enabling client-side TCP Verified Accept can cause excessive memory consumption 17.1.0, 16.1.4, 15.1.9
1153969-2 CVE-2024-23979 K000134516, BT1153969 Excessive resource consumption when processing LDAP and CRLDP auth traffic 17.1.1, 16.1.4, 15.1.9
1133013-3 CVE-2023-43746 K41072952, BT1133013 Appliance mode hardening 17.1.0, 16.1.4, 15.1.9
1126285-1 CVE-2024-21849 K000135873, BT1126285 TMM might crash with certain HTTP traffic 17.1.0, 16.1.4
1122441-5 CVE-2015-1283, CVE-2021-45960,CVE-2022-22825,CVE-2022-22826,CVE-2022-22827, CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-23515, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2021-46143 K19473898, BT1122441 Upgrading the libexpat library 17.1.0, 16.1.4, 15.1.9
1111097-6 CVE-2022-1271 K000130546, BT1111097 gzip arbitrary-file-write vulnerability CVE-2022-1271 17.1.0, 16.1.4, 15.1.9
1107293-7 CVE-2021-22555 K06524534, BT1107293 CVE-2021-22555: Linux kernel vulnerability 17.1.0, 16.1.4, 15.1.8
1102881-4 CVE-2021-25217 K08832573, BT1102881 dhclient/dhcpd vulnerability CVE-2021-25217 17.1.0, 16.1.4, 15.1.9
1098829-6 CVE-2022-23852,CVE-2022-25235,CVE-2022-25236,CVE-2022-23515,CVE-2022-22822,CVE-2022-22823,CVE-2022-22824 K19473898, BT1098829 Security vulnerabilities found in expat lib(used by iControlSoap) prior to version 2.4.8 17.1.0, 16.1.4, 15.1.9
1093813-2 CVE-2002-20001, CVE-2022-40735 K83120834, BT1093813 DH Key Agreement vulnerability in APM server side components 17.1.0, 16.1.4
1093253-8 CVE-2021-3999 K24207649 CVE-2021-3999 Glibc Vulnerability 17.1.0, 16.1.4, 15.1.9
1091601-9 CVE-2022-23218, CVE-2022-23219 K52308021, BT1091601 Glibc vulnerabilities CVE-2022-23218, CVE-2022-23219 17.1.0, 16.1.4, 15.1.9
1091453-6 CVE-2022-23308 K32760744, BT1091453 libxml2 vulnerability CVE-2022-23308 17.1.0, 16.1.4, 15.1.8
1089225-4 CVE-2021-4034 K46015513, BT1089225 Polkit pkexec vulnerability CVE-2021-4034 17.1.0, 16.1.4, 15.1.8
1077301-4 CVE-2021-23133 K67416037, BT1077301 CVE-2021-23133 kernel: Race condition in sctp_destroy_sock list_del 17.1.0, 16.1.4, 15.1.8
1075733-3 CVE-2018-14348 K26890535, BT1075733 Updated libcgroup library to fix CVE-2018-14348 17.1.0, 16.1.4, 15.1.9
1075689-3 CVE-2020-25692,CVE-2020-25709,CVE-2020-12243,CVE-2019-13565,CVE-2020-25710,CVE-2020-36222,CVE-2020-36226,CVE-2020-36228,CVE-2020-36227,CVE-2021-27212,CVE-2020-36223,CVE-2020-36221,CVE-2020-36225,CVE-2020-36224,CVE-2019-13057 K56241216, BT1075689 Multiple CVE fixes for OpenLDAP library 17.1.0, 16.1.4, 15.1.8
1075657-3 CVE-2020-12825 K01074825, BT1075657 CVE-2020-12825 - libcroco vulnerability 17.1.1, 16.1.4, 15.1.10
1070753-4 CVE-2020-27216
CVE-2021-28169
CVE-2021-34428
CVE-2018-12536
K33548065, BT1070753 CVE-2020-27216: Eclipse Jetty vulnerability 17.1.1, 16.1.4, 15.1.9
1061977-3 CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111 K31781390, BT1061977 Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111 17.1.1, 16.1.4, 15.1.10
1057393-3 CVE-2019-18197 K10812540, BT1057393 CVE-2019-18197 libxslt vulnerability: use after free in xsltCopyText 17.0.0, 16.1.4, 15.1.8
1051305-4 CVE-2021-34798 K72382141, BT1051305 CVE-2021-34798: A NULL pointer dereference in httpd via malformed requests 17.0.0, 16.1.4, 15.1.7
1043821-1 CVE-2023-42768 K26910459, BT1043821 Inconsistent user role handling across configuration UIs 17.1.0, 16.1.4, 15.1.9
972545-7 CVE-2024-23976 K91054692, BT972545 iApps LX does not follow best practices in appliance mode 17.1.1, 16.1.4, 15.1.9
966541-1 CVE-2023-43485 K06110200, BT966541 Improper data logged in plaintext 17.1.0, 16.1.4, 15.1.9
950605-6 CVE-2020-14145 K48050136, BT950605 Openssh insecure client negotiation CVE-2020-14145 17.1.0, 16.1.4, 15.1.9
905937-8 CVE-2023-41253 K98334513, BT905937 TSIG key value logged in plaintext in log 17.1.0, 16.1.4, 15.1.9
785197-5 CVE-2019-9075 K42059040, BT785197 binutils vulnerability CVE-2019-9075 17.1.0, 16.1.4, 15.1.9
651029-12 CVE-2023-45219 K20307245, BT651029 Sensitive information exposed during incremental sync 17.1.0, 16.1.4, 15.1.9
1238321-4 CVE-2022-4304 K000132943 OpenSSL Vulnerability CVE-2022-4304 17.1.0.1, 16.1.4, 15.1.10
1235813-9 CVE-2023-0215 K000132946, BT1235813 OpenSSL vulnerability CVE-2023-0215 17.1.0.1, 16.1.4, 15.1.10
1235801-4 CVE-2023-0286 K000132941, BT1235801 OpenSSL vulnerability CVE-2023-0286 17.1.1, 16.1.4, 15.1.10
1189457-3 CVE-2023-22372 K000132522, BT1189457 Hardening of client connection handling from Edge client. 16.1.4, 15.1.9
1123537-9 CVE-2022-28615 K40582331, BT1123537 CVE-2022-28615 (httpd): out-of-bounds read in ap_strcmp_match() 17.1.1, 16.1.4, 15.1.9
1121965-2 CVE-2022-28614 K58003591, BT1121965 CVE-2022-28614 (httpd): out-of-bounds read via ap_rwrite() 17.1.0, 16.1.4, 15.1.9
1099341-4 CVE-2018-25032 K21548854, BT1099341 CVE-2018-25032: A flaw found in zlib, when compressing (not decompressing!) certain inputs 17.1.1, 16.1.4, 15.1.9
1089921-6 CVE-2022-0359 K08827426, BT1089921 Vim vulnerability CVE-2022-0359 17.1.0, 16.1.4, 15.1.9
1089233-4 CVE-2022-0492 K54724312 CVE-2022-0492 Linux kernel vulnerability 17.1.0, 16.1.4, 15.1.9
1088445-7 CVE-2022-22720 K67090077, BT1088445 CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body 17.1.1, 16.1.4, 15.1.9
1070905-4 CVE-2017-7656 K21054458, BT1070905 CVE-2017-7656 jetty: HTTP request smuggling using the range header 17.1.1, 16.1.4, 15.1.9
1041577-4 CVE-2024-21782 K98606833, BT1041577 SCP file transfer system, completing fix for 994801 17.1.1, 16.1.4, 15.1.9
1021245-3 CVE-2019-20907 K78284681, BT1021245 CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive 17.1.0, 16.1.4, 15.1.9
1018997-1 CVE-2023-41964 K20850144, BT1018997 Improper logging of sensitive DB variables 17.1.0, 16.1.4, 15.1.9
1009157-1 CVE-2023-39447 K47756555, BT1009157 AGC hardening 16.1.4, 15.1.8
1296489-3 CVE-2024-23603 K000138047, BT1296489 ASM UI hardening 17.1.1, 16.1.4, 15.1.10
1057445-3 CVE-2019-13118 K96300145, BT1057445 CVE-2019-13118 libxslt vulnerability: uninitialized stack data 17.0.0, 16.1.4, 15.1.8
1057437-3 CVE-2019-13117 K96300145, BT1057437 CVE-2019-13117 libxslt vulnerability: uninitialized read in xsltNumberFormatInsertNumbers 17.0.0, 16.1.4, 15.1.8
1057149-3 CVE-2019-11068 K30444545, BT1057149 CVE-2019-11068 libxslt vulnerability: xsltCheckRead and xsltCheckWrite 17.0.0, 16.1.4, 15.1.8


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1088037-3 1-Blocking BT1088037 VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers 17.1.0, 16.1.4, 15.1.8
1053589-1 1-Blocking BT1053589 DDoS functionality cannot be configured at a Zone level 16.1.4, 15.1.8
1282181-1 3-Major   High CPU or increased translation errors following upgrade or restart when DAG distribution changes 16.1.4
1211513-2 3-Major BT1211513 HSB loopback validation feature 17.1.1, 16.1.4, 15.1.10
1144373-4 3-Major BT1144373 BIG-IP SFTP hardening 17.1.0, 16.1.4, 15.1.9
1040609-1 3-Major K21800102, BT1040609 RFC enforcement is bypassed when HTTP redirect irule is applied to the virtual server. 17.1.0, 16.1.4, 15.1.9


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1315193-1 1-Blocking   TMM Crash in certain condition when processing IPSec traffic 17.1.1, 16.1.4
1284969-1 1-Blocking BT1284969 Adding ssh-rsa key for passwordless authentication 17.1.0.1, 16.1.4
1224125-1 1-Blocking BT1224125 When you upgrade to 16.1.3.2 or 17.1, keys that are not approved in FIPS 140-3 are permitted to be used. 17.1.0, 16.1.4
1173441-3 1-Blocking BT1173441 The 'tmsh save sys config' call is being triggered when REST Authentication tokens (X-F5-Auth-Token) are deleted or expired 17.1.0, 16.1.4, 15.1.9
1161913-1 1-Blocking BT1161913 Upgrades from BIG-IP versions 15.1.8, 15.1.8.1, 15.1.8.2, or v15.1.9 to 16.1.1, 16.1.2, 16.1.3 (not 16.1.4) or 17.0.x (but not 17.1.x) fail, and leaves the device INOPERATIVE 16.1.4
1116845-4 1-Blocking BT1116845 Interfaces using the xnet driver are not assigned a MAC address 17.1.0, 16.1.4, 15.1.9
995849-1 2-Critical BT995849 Tmm crash SIGSEGV - rcs_getsalen() in lib/rc_net.c 17.0.0, 16.1.4, 15.1.9
994033-3 2-Critical BT994033 The daemon httpd_sam does not recover automatically when terminated 17.1.1, 16.1.4, 15.1.9
993481-1 2-Critical BT993481 Jumbo frame issue with DPDK eNIC 17.1.1, 16.1.4, 15.1.10
967905-5 2-Critical BT967905 Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1
950201-3 2-Critical BT950201 Tmm core on GCP 17.1.1, 16.1.4, 15.1.9
888765-2 2-Critical BT888765 After upgrading from 13.1.0 to 15.1.0.1 CGNAT is deprovisioned and tmm is restarted by reloaded config from text files 16.1.4
723109-2 2-Critical BT723109 FIPS HSM: SO login failing when trying to update firmware 17.1.1, 16.1.4, 15.1.10
1290889-4 2-Critical K000134792, BT1290889 TMM disconnects from processes such as mcpd causing TMM to restart 17.1.1, 16.1.4, 15.1.9
1256841-1 2-Critical BT1256841 AWS Metadata crawling fails due to incorrect cloud provider name set by cloud-init script 17.1.1, 16.1.4, 15.1.10
1232997-1 2-Critical BT1232997 IPSEC: The tmm process may exit with 'Invalid policy remote index' 16.1.4, 15.1.10
1225789-2 2-Critical BT1225789 The iHealth API is transitioning from SSODB to OKTA 17.1.1, 16.1.4, 15.1.9
1209709-4 2-Critical BT1209709 Memory leak in icrd_child when license is applied through BIG-IQ 17.1.1, 16.1.4, 15.1.9
1195377 2-Critical BT1195377 Getting Service Indicator log for disallowed RSA-1024 crypto algorithm 17.1.0, 16.1.4
1181613-1 2-Critical BT1181613 IPsec IKEv2: BIG-IP version 16.1.0 introduced RFC5996 non-compliance in IKE SA delete 17.1.0, 16.1.4
1178221-3 2-Critical BT1178221 In IPsec IKEv2, packet memory corruption after retransmitted ISAKMP with NAT 17.1.0, 16.1.4, 15.1.9
1144477-1 2-Critical BT1144477 IKE_SA_INIT uses src port 500 and dst port 4500 after IKE SA deleted 17.1.0, 16.1.4
1136429-4 2-Critical BT1136429 Closing of unrelated MCPD connection causes an errant reply to an in-progress transaction or request group 17.1.0, 16.1.4, 15.1.9
1134301-3 2-Critical BT1134301 IPsec interface mode may stop sending packets over tunnel after configuration update 17.1.0, 16.1.4, 15.1.9
1128629 2-Critical BT1128629 Neurond crash observed during live install through test script 17.1.0, 16.1.4, 15.1.9
1110893-4 2-Critical BT1110893 Some portions of the BIG-IP GUI do not work when accessed behind an HTTP proxy 17.1.0, 16.1.4, 15.1.9
1105901-2 2-Critical BT1105901 Tmm crash while doing high-speed logging 17.1.1, 16.1.4, 15.1.10
1095217-1 2-Critical BT1095217 Peer unit incorrectly shows the pool status as unknown after merging the configuration 17.1.0, 16.1.4, 15.1.9
1085805-2 2-Critical BT1085805 UCS restore with SSL Orchestrator deployed fails due to multiple iFiles and incorrect iFile reference. 17.1.0, 16.1.4
1085597-1 2-Critical BT1085597 IKEv1 IPsec peer cannot be created in config utility (web UI) 17.1.0, 16.1.4
1082941-2 2-Critical   System account hardening 17.1.0, 16.1.4, 15.1.9
1076909-4 2-Critical BT1076909 Syslog-ng truncates the hostname at the first period. 17.1.0, 16.1.4, 15.1.9
1075713-2 2-Critical   Multiple libtasn1 vulnuerabilities 17.1.1, 16.1.4
1075677-2 2-Critical   Multiple GnuTLS Mend findings 17.1.1, 16.1.4, 15.1.10
1035121-4 2-Critical BT1035121 Configsync syncs the node's monitor status 17.0.0, 16.1.4, 15.1.9
1023829-2 2-Critical BT1023829 Security->Policies in Virtual Server web page spins mcpd 100%, which later cores 17.0.0, 16.1.4, 15.1.9
998225-6 3-Major BT998225 TMM crash when disabling/re-enabling a blade that triggers a primary blade transition. 17.0.0, 16.1.4, 15.1.9
995097-1 3-Major BT995097 Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file. 17.0.0, 16.1.4, 15.1.10
992813-7 3-Major BT992813 The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations. 17.0.0, 16.1.4, 15.1.10
989501-2 3-Major BT989501 A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus 17.1.1, 16.1.4, 15.1.10
987301-3 3-Major BT987301 Software install on vCMP guest via block-device may fail with error 'reason unknown' 17.0.0, 16.1.4, 15.1.9
966949-6 3-Major BT966949 Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node 17.1.0, 16.1.4, 15.1.9
964125-6 3-Major BT964125 Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members. 17.1.1, 16.1.4, 15.1.10
936093-5 3-Major BT936093 Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline 17.1.1, 16.1.4, 15.1.9
930393-2 3-Major BT930393 IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration 17.1.0, 16.1.4, 15.1.10
925469-2 3-Major BT925469 SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo 17.1.0, 16.1.4, 15.1.9
921149-6 3-Major BT921149 After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy 17.1.0, 16.1.4, 15.1.9
906273-1 3-Major BT906273 MCPD crashes receiving a message from bcm56xxd 17.1.1, 16.1.4, 15.1.10
804529-1 3-Major BT804529 REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools 17.1.1, 16.1.4, 15.1.10
662301-8 3-Major BT662301 'Unlicensed objects' error message appears despite there being no unlicensed config 17.1.0, 16.1.4, 15.1.9
1238693-2 3-Major BT1238693 Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519 17.1.0.1, 16.1.4
1232521-2 3-Major   SCTP connection sticking on BIG-IP even after connection terminated 17.1.1, 16.1.4, 15.1.9
1166329-2 3-Major BT1166329 The mcpd process fails on secondary blades, if the predefined classification applications are updated. 17.1.0, 16.1.4
1160805-2 3-Major BT1160805 The scp-checkfp fail to cat scp.whitelist for remote admin 16.1.4, 15.1.9
1154933-4 3-Major   Improper permissions handling in REST SNMP endpoint 17.1.0, 16.1.4, 15.1.9
1153865-4 3-Major BT1153865 Restjavad OutOfMemoryError errors and restarts after upgrade 17.1.0, 16.1.4, 15.1.9
1146017-1 3-Major BT1146017 WebUI does not displays error when parent rewrite profile is not assigned to user defined rewrite profile 17.1.0, 16.1.4, 15.1.9
1136921-4 3-Major BT1136921 BGP might delay route updates after failover 17.1.1, 16.1.4, 15.1.10
1128169-1 3-Major BT1128169 TMM core when IPsec tunnel object is reconfigured 17.1.0, 16.1.4
1127169 3-Major BT1127169 The BIG-IP can reboot due to failure to initialize the OpenSSL FIPS RNG 17.1.0, 16.1.4
1126805-3 3-Major BT1126805 TMM CPU usage statistics may show a lower than expected value on Virtual Edition 17.1.0, 16.1.4, 15.1.9
1124209-3 3-Major BT1124209 Duplicate key objects when renewing certificate using pkcs12 bundle 17.1.1, 16.1.4, 15.1.9
1123885-2 3-Major BT1123885 A specific type of software installation may fail to carry forward the management port's default gateway. 17.1.0, 16.1.4, 15.1.9
1121517-2 3-Major BT1121517 Interrupts on Hyper-V are pinned on CPU 0 16.1.4, 15.1.10
1113961-1 3-Major K43391532, BT1113961 BIG-IP 16.1.3 VE with FIPS 140-3 May Fail to start in AWS-China 17.1.0, 16.1.4, 15.1.9
1112537-2 3-Major BT1112537 LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete. 17.1.1, 16.1.4, 15.1.10
1112109-4 3-Major K000134769, BT1112109 Unable to retrieve SCP files using WinSCP or relative path name 17.1.0, 16.1.4, 15.1.9
1111629-4 3-Major BT1111629 Messages with "Failed Read: User, referer" are logged in /var/log/httpd/httpd_errors 17.1.0, 16.1.4, 15.1.9
1111421-1 3-Major BT1111421 IPsec SA info cannot be viewed in TMSH or the web UI 17.1.0, 16.1.4
1106489-2 3-Major BT1106489 GRO/LRO is disabled in environments using the TMM raw socket "sock" driver. 16.1.4, 15.1.10
1102849-3 3-Major BT1102849 Less-privileged users (guest, operator, etc) are unable to run top level commands 17.1.0, 16.1.4, 15.1.9, 14.1.5.1
1101453-1 3-Major BT1101453 MCPD SIGABRT and core happened while deleting GTM pool member 17.1.0, 16.1.4, 15.1.9
1100409-4 3-Major BT1100409 Valid connections may fail while a virtual server is in SYN cookie mode. 17.1.0, 16.1.4, 15.1.9
1100321 3-Major BT1100321 MCPD memory leak 17.1.0, 16.1.4, 15.1.10
1100125-4 3-Major BT1100125 Per virtual SYN cookie may not be activated on all HSB modules 17.1.0, 16.1.4, 15.1.10
1091725-4 3-Major BT1091725 Memory leak in IPsec 17.1.0, 16.1.4, 15.1.9
1088429-4 3-Major BT1088429 Kernel slab memory leak 17.1.0, 16.1.4, 15.1.9
1086517-2 3-Major BT1086517 TMM may not properly exit hardware SYN cookie mode 17.1.0, 16.1.4, 15.1.6.1
1085837-2 3-Major BT1085837 Virtual server may not exit from hardware SYN cookie mode 17.1.0, 16.1.4, 15.1.6.1
1084781-6 3-Major   Resource Admin permission modification 17.1.0, 16.1.4, 15.1.9
1081649-2 3-Major BT1081649 Remove the "F5 iApps and Resources" link from the iApps->Package Management 17.1.0, 16.1.4, 15.1.9
1081641-4 3-Major BT1081641 Remove Hyperlink to Legal Statement from Login Page 17.1.0, 16.1.4, 15.1.10
1080297-1 3-Major BT1080297 ZebOS does not show 'log syslog' in the running configuration, or store it in the startup configuration 17.1.0, 16.1.4, 15.1.9
1077533-1 3-Major BT1077533 BIG-IP fails to restart services after mprov runs during boot. 17.1.1, 16.1.4, 15.1.10
1077405-2 3-Major BT1077405 Ephemeral pool members may not be created with autopopulate enabled. 17.1.0, 16.1.4, 15.1.9
1076785-2 3-Major BT1076785 Virtual server may not properly exit from hardware SYN Cookie mode 17.1.0, 16.1.4, 15.1.5.1
1069337-2 3-Major   CVE-2016-1841 - Use after free in xsltDocumentFunctionLoadDocument 17.1.0, 16.1.4, 15.1.9
1063237-4 3-Major BT1063237 Stats are incorrect when the management interface is not eth0 16.1.4, 15.1.9
1062953-1 3-Major BT1062953 Unable to save configuration via tmsh or the GUI. 17.0.0, 16.1.4
1053557-2 3-Major BT1053557 Support for Mellanox CX-6 17.1.0, 16.1.4, 15.1.9
1048709-2 3-Major BT1048709 FCS errors between the switch and HSB 17.1.0, 16.1.4, 15.1.8
1044089-3 3-Major BT1044089 ICMP echo requests to virtual address gets a response even when the virtual server is offline when updated from GUI. 17.1.1, 16.1.4, 15.1.10
1032821-7 3-Major BT1032821 Syslog: invalid level/facility from /usr/libexec/smart_parse.pl 17.0.0, 16.1.4, 15.1.9
1029105-1 3-Major BT1029105 Hardware SYN cookie mode state change logs bogus virtual server address 17.1.0, 16.1.4, 15.1.4
1001069-5 3-Major BT1001069 VE CPU usage higher after upgrade, given same throughput 17.1.0, 16.1.4, 15.1.9
964533-2 4-Minor BT964533 Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs. 17.1.1, 16.1.4, 15.1.10
939757-8 4-Minor BT939757 Deleting a virtual server might not trigger route injection update. 17.1.1, 16.1.4, 15.1.10
904661-4 4-Minor BT904661 Mellanox NIC speeds may be reported incorrectly on Virtual Edition 17.1.0, 16.1.4
889813-3 4-Minor BT889813 Show net bwc policy prints bytes-per-second instead of bits-per-second 17.0.0, 16.1.4, 15.1.10, 14.1.4.5
838405-4 4-Minor BT838405 Listener traffic-group may not be updated when spanning is in use 17.1.1, 16.1.4, 15.1.10
760496-4 4-Minor BT760496 Traffic processing interrupted by PF reset 17.1.0, 16.1.4, 15.1.9
674026-6 4-Minor BT674026 iSeries AOM web UI update fails to complete. 17.0.0, 16.1.4, 15.1.9
1256777-3 4-Minor BT1256777 In BGP, as-origination interval not persisting after restart when configured on a peer-group. 17.1.1, 16.1.4
1252537-3 4-Minor BT1252537 Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role 17.1.1, 16.1.4
1185257-4 4-Minor BT1185257 BGP confederations do not support 4-byte ASNs 17.1.1, 16.1.4, 15.1.10
1155733-1 4-Minor BT1155733 NULL bytes are clipped from the end of buffer 17.1.0, 16.1.4, 15.1.9
1117305-6 4-Minor BT1117305 The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials 17.1.1, 16.1.4, 15.1.9
1106353-4 4-Minor BT1106353 [Zebos] Expand zebos/bgp commands in a qkview 17.1.0, 16.1.4, 15.1.9
1090441-1 4-Minor BT1090441 IKEv2: Add algorithm info to SK_ logging 17.1.0, 16.1.4
1076897-4 4-Minor BT1076897 OSPF default-information originate command options not working properly 17.1.0, 16.1.4, 15.1.9
1076253-1 4-Minor BT1076253 IKE library memory leak 17.0.0, 16.1.4, 15.1.9
1062385-4 4-Minor BT1062385 BIG-IP has an incorrect limit on the number of monitored HA-group entries. 17.1.0, 16.1.4, 15.1.9
1057457-3 4-Minor   CVE-2015-9019: libxslt vulnerability: math.random() 17.0.0, 16.1.4, 15.1.8
1057449-3 4-Minor   CVE-2015-7995 libxslt vulnerability: Type confusion may cause DoS 17.0.0, 16.1.4, 15.1.8
1057441-3 4-Minor   An out-of-bounds access flawb in the libxslt component 17.0.0, 16.1.4, 15.1.8
1057433-3 4-Minor   Integer overflow in libxslt component 17.0.0, 16.1.4, 15.1.8


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1112349-4 1-Blocking BT1112349 FIPS Card Cannot Initialize 17.1.0, 16.1.4, 15.1.9
937649-4 2-Critical BT937649 Flow fwd broken with statemirror.verify enabled and source-port preserve strict 17.1.0, 16.1.4, 15.1.9
935193-4 2-Critical BT935193 With APM and AFM provisioned, single logout ( SLO ) fails 17.0.0, 16.1.4, 15.1.10
1282357-1 2-Critical BT1282357 Double HTTP::disable can lead to tmm core 17.1.1, 16.1.4, 15.1.10
1205501-2 2-Critical BT1205501 The iRule command SSL::profile can select server SSL profile with outdated configuration 17.1.1, 16.1.4, 15.1.9
1186249-2 2-Critical BT1186249 TMM crashes on reject rule 17.1.0, 16.1.4
1156697-3 2-Critical BT1156697 Translucent VLAN groups may pass some packets without changing the locally administered bit 17.1.0, 16.1.4, 15.1.9
1146377-2 2-Critical BT1146377 FastHTTP profiles do not insert HTTP headers triggered by iRules 17.1.1, 16.1.4, 15.1.9
1132405-4 2-Critical BT1132405 TMM does not process BFD echo pkts with src.addr == dst.addr 17.1.0, 16.1.4, 15.1.9
1126093 2-Critical BT1126093 DNSSEC Key creation failure with internal FIPS card. 17.1.1, 16.1.4
1110813-3 2-Critical BT1110813 Improve MPTCP retransmission handling while aborting 17.1.0, 16.1.4, 15.1.9
1099545-2 2-Critical BT1099545 Tmm may core when PEM virtual with a simple policy and iRule is being used 17.1.0, 16.1.4, 15.1.9
1075073-2 2-Critical BT1075073 TMM Crash observed with Websocket and MQTT profile enabled 17.0.0, 16.1.4, 15.1.9
1067669-1 2-Critical BT1067669 TCP/UDP virtual servers drop all incoming traffic. 17.0.0, 16.1.4, 15.1.9
1030185-5 2-Critical BT1030185 TMM may crash when looking up a persistence record using "persist lookup" iRule commands 17.0.0, 16.1.4, 15.1.9
1024241-1 2-Critical BT1024241 Empty TLS records from client to BIG-IP results in SSL session termination 17.1.1, 16.1.4, 15.1.9
985925-3 3-Major BT985925 Ipv6 Routing Header processing not compatible as per Segments Left value. 17.1.1, 16.1.4, 15.1.10
976525-5 3-Major BT976525 Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled 17.0.0, 16.1.4, 15.1.6.1, 14.1.5
956133-2 3-Major BT956133 MAC address might be displayed as 'none' after upgrading. 17.0.0, 16.1.4, 15.1.4, 14.1.4.4
948065-1 3-Major BT948065 DNS Responses egress with an incorrect source IP address. 17.0.0, 16.1.4, 15.1.9
921541-6 3-Major BT921541 When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker. 17.1.1, 16.1.4, 15.1.10
878641-3 3-Major BT878641 TLS1.3 certificate request message does not contain CAs 17.1.1, 16.1.4, 15.1.9
876569-2 3-Major BT876569 QAT compression codec produces gzip stream with CRC error 17.1.1, 16.1.4, 15.1.10
851121-6 3-Major BT851121 Database monitor DBDaemon debug logging not enabled consistently 17.1.1, 16.1.4, 15.1.10
842425-6 3-Major BT842425 Mirrored connections on standby are never removed in certain configurations 17.1.1, 16.1.4, 15.1.10
693473-8 3-Major BT693473 The iRulesLX RPC completion can cause invalid or premature TCL rule resumption 17.1.1, 16.1.4, 15.1.9
574762-4 3-Major BT574762 Forwarding flows leak when a routing update changes the egress vlan 17.0.0, 16.1.4, 15.1.9
1292793-3 3-Major BT1292793 FIX protocol late binding flows that are not PVA accelerated may fail 17.1.1, 16.1.4, 15.1.10
1291565-2 3-Major BT1291565 BIG-IP generates more multicast packets in multicast failover high availability (HA) setup 17.1.1, 16.1.4, 15.1.10
1284993-1 3-Major BT1284993 TLS extensions which are configured after session_ticket are not parsed from Client Hello messages 17.1.1, 16.1.4
1284589-2 3-Major BT1284589 HTTP CONNECT request from client is not successful with iRule HTTP::disable discard command 16.1.4
1281637-1 3-Major BT1281637 When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE 17.1.1, 16.1.4, 15.1.9
1269733-3 3-Major BT1269733 HTTP GET request with headers has incorrect flags causing timeout 17.1.1, 16.1.4, 15.1.10
1250085-3 3-Major BT1250085 BPDU is not processed with STP passthough mode enabled in BIG-IP 17.1.1, 16.1.4
1238413-3 3-Major BT1238413 The BIG-IP might fail to update ARL entry for a host in a VLAN-group 17.1.1, 16.1.4, 15.1.10
1229417-2 3-Major   BIG-IP iRulesLX: CVE-2020-7774 nodejs-y18n prototype pollution vulnerability 17.1.1, 16.1.4, 15.1.9
1229369-3 3-Major BT1229369 The fastl4 TOS mimic setting towards client may not function 17.1.1, 16.1.4, 15.1.10
1210469-3 3-Major BT1210469 TMM can crash when processing AXFR query for DNSX zone 17.1.1, 16.1.4, 15.1.9
1185133-2 3-Major BT1185133 ILX streaming plugins limited to MCP OIDs less than 10 million 17.1.0, 16.1.4, 15.1.9
1184153-2 3-Major BT1184153 TMM crashes when you use the rateshaper with packetfilter enabled 17.1.0, 16.1.4, 15.1.9
1159569-2 3-Major BT1159569 Persistence cache records may accumulate over time 17.1.0, 16.1.4, 15.1.9
1155393-2 3-Major BT1155393 Failure to remove chunk headers from chunked response with Rewrite/HTML profile and compression 17.1.0, 16.1.4, 15.1.9
1146241-2 3-Major BT1146241 FastL4 virtual server may egress packets with unexpected and erratic TTL values 17.1.0, 16.1.4, 15.1.9
1146037-1 3-Major BT1146037 Updating the firmware for a FIPS protected internal HSM due to SDK or driver upgrade 17.1.0, 16.1.4
1144117-3 3-Major BT1144117 "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands 17.1.1, 16.1.4, 15.1.9
1141845-4 3-Major BT1141845 RULE_INIT with a call that contains an extra colon character (:) will crash BIG-IP. 17.1.0, 16.1.4, 15.1.9
1135313-4 3-Major BT1135313 Pool member current connection counts are incremented and not decremented 17.1.0, 16.1.4, 15.1.9
1133881-2 3-Major BT1133881 Errors in attaching port lists to virtual server when TMC is used with same sources 17.1.0, 16.1.4, 15.1.9
1133625-2 3-Major BT1133625 The HTTP2 protocol is not working when SSL persistence and session ticket are enabled 17.1.0, 16.1.4, 15.1.9
1128721-2 3-Major BT1128721 L2 wire support on vCMP architecture platform 17.1.0, 16.1.4, 15.1.8
1126841-3 3-Major BT1126841 HTTP::enable can rarely cause cores 17.1.1, 16.1.4, 15.1.10
1126329-2 3-Major BT1126329 SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT 17.1.0, 16.1.4, 15.1.9
1123169-1 3-Major BT1123169 Error saving an iRule when calling a procedure from HTML_TAG_MATCHED event 17.1.0, 16.1.4, 15.1.9
1117609-2 3-Major BT1117609 VLAN guest tagging is not implemented for CX4 and CX5 on ESXi 17.1.1, 16.1.4, 15.1.10
1115041-1 3-Major BT1115041 BIG-IP does not forward the response received after GOAWAY, to the client. 17.1.0, 16.1.4, 15.1.9
1113181-2 3-Major BT1113181 Self-IP allows no traffic following a modification from "Allow Custom (Include Default)" to "Allow Custom". 16.1.4, 15.1.9
1112745-2 3-Major BT1112745 System CPU Usage detailed graph is not accessible on Cerebrus+ 17.1.0, 16.1.4, 15.1.7
1111473-4 3-Major BT1111473 The error Invalid monitor rule instance identifier occurs, and possible blade reboot loop after sync with FQDN nodes 17.1.0, 16.1.4, 15.1.9
1109953-4 3-Major BT1109953 TMM may crash if a data-group is used when an SSL Forward Proxy Bypass/Intercept list contains extremely long entry 17.1.0, 16.1.4, 15.1.9
1107565 3-Major BT1107565 SSL Persistence behavior change for TLS1.3 connection between v16.1.0 and v16.1.2.2 17.1.1, 16.1.4
1102429-2 3-Major BT1102429 iRule 'reject' command under 'FLOW_INIT' event does not send the reject packet out in some cases. 17.1.0, 16.1.4, 15.1.9
1101697-2 3-Major BT1101697 TLS1.3 connection failure with 0-RTT and Hello Retry Request (HRR). 17.1.0, 16.1.4, 15.1.7
1101181-2 3-Major BT1101181 HTTP request payload not forwarded by BIG-IP when serverside is HTTP/2 and HTTP MRF router is enabled on virtual server 17.1.0, 16.1.4, 15.1.9
1099229-4 3-Major BT1099229 SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present 17.1.0, 16.1.4, 15.1.9, 14.1.5.1
1096893-1 3-Major BT1096893 TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection 17.1.1, 16.1.4, 15.1.9
1091969-3 3-Major BT1091969 iRule 'virtual' command does not work for connections over virtual-wire. 16.1.4, 15.1.9
1088173-2 3-Major BT1088173 With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile 17.1.0, 16.1.4, 15.1.7
1080569-2 3-Major BT1080569 BIG-IP prematurely closes clientside HTTP1.1 connection when serverside is HTTP2 and HTTP MRF router is enabled on virtual server 17.1.0, 16.1.4, 15.1.9
1079769-1 3-Major BT1079769 Tmm utilizing the virtio driver might crash after modifying several IPv6 virtual servers 17.0.0, 16.1.4, 15.1.9
1077553-3 3-Major BT1077553 Traffic matches the wrong virtual server after modifying the port matching configuration 17.1.0, 16.1.4, 15.1.9
1076577-3 3-Major BT1076577 iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg' 17.1.0, 16.1.4, 15.1.7
1076573-3 3-Major BT1076573 MQTT profile addition is different in GUI and TMSH 17.0.0, 16.1.4, 15.1.9
1074505-1 3-Major BT1074505 Traffic classes are not attached to virtual server at TMM start 17.0.0, 16.1.4, 15.1.6.1, 14.1.5.1
1070389-4 3-Major   Tightening HTTP RFC enforcement 17.1.0, 16.1.4, 15.1.9
1068673-3 3-Major BT1068673 SSL forward Proxy triggers CLIENTSSL_DATA event on bypass. 17.1.0, 16.1.4, 15.1.9
1060021-1 3-Major BT1060021 Using OneConnect profile with RESOLVER::name_lookup iRule might result in core. 17.1.0, 16.1.4, 15.1.9
1053741-4 3-Major BT1053741 Bigd may exit and restart abnormally without logging a reason 17.1.0, 16.1.4, 15.1.8
1053173-1 3-Major BT1053173 Support for MQTT functionality over websockets. 17.0.0, 16.1.4
1043009 3-Major BT1043009 TMM dump capture for compression engine hang 17.1.0, 16.1.4, 15.1.9
1040017-5 3-Major BT1040017 Final ACK validation during flow accept might fail with hardware SYN Cookie 17.0.0, 16.1.4, 15.1.7
1012813-1 3-Major BT1012813 Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file" 17.1.1, 16.1.4
1000561-5 3-Major BT1000561 HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side 17.1.1, 16.1.4, 15.1.9
1000069-3 3-Major BT1000069 Virtual server does not create the listener 17.1.0, 16.1.4, 15.1.9
962177-6 4-Minor BT962177 Results of POLICY::names and POLICY::rules commands may be incorrect 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4, 13.1.4.1
960677-1 4-Minor BT960677 Improvement in handling accelerated TLS traffic 17.1.1, 16.1.4, 15.1.9
1281709-3 4-Minor BT1281709 Traffic-group ID may not be updated properly on a TMM listener 17.1.1, 16.1.4, 15.1.10
1240937-3 4-Minor BT1240937 The FastL4 TOS specify setting towards server may not function for IPv6 traffic 17.1.1, 16.1.4, 15.1.10
1211189-3 4-Minor BT1211189 Stale connections observed and handshake failures observed with errors 17.1.1, 16.1.4
1156105-2 4-Minor BT1156105 Proxy Exclusion List is not configurable if VLAN group and route-domain are in non default partition 17.1.0, 16.1.4, 15.1.9
1137717-2 4-Minor BT1137717 There are no dynconfd logs during early initialization 17.1.1, 16.1.4, 15.1.10
1133557-2 4-Minor BT1133557 Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name 17.1.1, 16.1.4, 15.1.10
1132765-4 4-Minor BT1132765 Virtual server matching might fail in rare cases when using virtual server chaining. 17.1.0, 16.1.4, 15.1.9
1128505-2 4-Minor BT1128505 HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy 17.1.1, 16.1.4
1122377-2 4-Minor BT1122377 If-Modified-Since always returns 304 response if there is no last-modified header in the server response 17.1.0, 16.1.4, 15.1.9
1111981-3 4-Minor BT1111981 Decrement in MQTT current connections even if the connection was never active 17.1.0, 16.1.4, 15.1.9
1103617-4 4-Minor BT1103617 'Reset on Timeout' setting might be ignored when fastl4 is used with another profile. 17.1.0, 16.1.4, 15.1.9
1101369-1 4-Minor BT1101369 MQTT connection stats are not updated properly 17.1.0, 16.1.4, 15.1.9
1037265-2 4-Minor K11453402, BT1037265 Improper handling of multiple cookies with the same name. 17.1.0, 16.1.4, 15.1.9
1034217-2 4-Minor BT1034217 Quic_update_rtt can leave ack_delay uninitialized. 17.0.0, 16.1.4, 15.1.9
1030533-1 4-Minor BT1030533 The BIG-IP system may reject valid HTTP responses from OCSP servers. 17.0.0, 16.1.4, 15.1.9
1027805-4 4-Minor BT1027805 DHCP flows crossing route-domain boundaries might fail. 17.0.0, 16.1.4, 15.1.9


Performance Fixes

ID Number Severity Links to More Info Description Fixed Versions
1127445-3 2-Critical BT1127445 Performance degradation after Bug ID 1019853 17.1.0, 16.1.4, 15.1.9


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1211341-4 1-Blocking BT1211341 Failed to delete custom monitor after dissociating from virtual server 17.1.0, 16.1.4, 15.1.10
1137485-2 2-Critical BT1137485 Gtmd produces excessive logging and may also crash (SIGSEGV) repeatedly 17.1.0, 16.1.4, 15.1.9
966461-7 3-Major BT966461 Tmm memory leak 17.1.0, 16.1.4, 15.1.9
935945-2 3-Major BT935945 GTM HTTP/HTTPS monitors cannot be modified via GUI 17.1.0, 16.1.4, 15.1.10
1230709-1 3-Major BT1230709 Remove unnecessary logging with nsec3_add_nonexist_proof 16.1.4, 15.1.10
1200929-2 3-Major BT1200929 GTM configuration objects larger than 16384 bytes can cause the GTM sync process to hang 17.1.0, 16.1.4, 15.1.10
1182353-3 3-Major BT1182353 DNS cache consumes more memory because of the accumulated mesh_states 17.1.1, 16.1.4, 15.1.9
1162081-6 3-Major   Upgrade the bind package to fix security vulnerabilities 17.1.0, 16.1.4, 15.1.9
1122497-4 3-Major BT1122497 Rapid response not functioning after configuration changes 17.1.0, 16.1.4, 15.1.9
1108237-2 3-Major BT1108237 Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM. 17.1.1, 16.1.4
1073677-1 3-Major BT1073677 Add a db variable to enable answering DNS requests before reqInitState Ready 17.1.0, 16.1.4, 15.1.10
1060145-1 3-Major BT1060145 Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2. 17.1.0, 16.1.4, 15.1.9
1048077 3-Major BT1048077 SELinux errors with gtmd when using internal FIPS card 17.1.0, 16.1.4
808913-1 4-Minor BT808913 Big3d cannot log the full XML buffer data 17.0.0, 16.1.4, 15.1.9
1025497-1 4-Minor BT1025497 BIG-IP may accept and forward invalid DNS responses 17.1.0, 16.1.4, 15.1.9


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1105341-2 0-Unspecified BT1105341 Decode_application_payload can break exponent notation in JSON 17.1.0, 16.1.4, 15.1.9
923821-1 2-Critical BT923821 Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack 17.1.1, 16.1.4, 15.1.9
884945-1 2-Critical BT884945 Latency reduce in case of empty parameters. 17.0.0, 16.1.4, 15.1.9
850141-2 2-Critical BT850141 Possible tmm core when using Dosl7/Bot Defense profile 17.1.1, 16.1.4, 15.1.9
791669-5 2-Critical BT791669 TMM might crash when Bot Defense is configured for multiple domains 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.2.3
1132697-3 2-Critical BT1132697 Use of proactive bot defense profile can trigger TMM crash 17.1.1, 16.1.4, 15.1.9
1113161-2 2-Critical BT1113161 After upgrade, Learning and Blocking Settings page is not loading because some policies are still pointing to deleted factory Negsig sets 17.1.0, 16.1.4, 15.1.9
1095185-2 2-Critical BT1095185 Failed Configuration Load on Secondary Slot After Device Group Sync 17.1.0, 16.1.4, 15.1.9
1040757-1 2-Critical BT1040757 A BD memory leak was fixed 17.0.0, 16.1.4
974985-6 3-Major BT974985 Dosl7/bot does not ignore non-http traffic even when disabled via iRule DOSL7::disable 17.0.0, 16.1.4, 15.1.9
956373-4 3-Major BT956373 ASM sync files not cleaned up immediately after processing 17.0.0, 16.1.4, 16.0.1.2, 15.1.3, 14.1.4.1
950917-4 3-Major BT950917 Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034 17.0.0, 16.1.4, 15.1.4, 14.1.4.2, 13.1.4.1
929077-4 3-Major BT929077 Bot Defense allow list does not apply when using default Route Domain and XFF header 17.0.0, 16.1.4, 16.0.1.1, 15.1.3, 14.1.4
928997-3 3-Major BT928997 Less XML memory allocated during ASM startup 17.1.1, 16.1.4, 15.1.9
903313-4 3-Major BT903313 OWASP page: File Types score in Broken Access Control category is always 0. 17.0.0, 16.1.4
890169-4 3-Major BT890169 URLs starting with double slashes might not be loaded when using a Bot Defense Profile. 17.1.1, 16.1.4, 15.1.10
1312057-1 3-Major   bd instability when using many remote loggers with Arcsight format 17.1.1, 16.1.4
1297089-3 3-Major BT1297089 Support Dynamic Parameter Extractions in declarative policy 17.1.1, 16.1.4
1296469-2 3-Major   ASM UI hardening 17.1.1, 16.1.4
1286101-1 3-Major BT1286101 JSON Schema validation failure with E notation number 17.1.1, 16.1.4, 15.1.10
1216297-1 3-Major BT1216297 TMM core occurs when using disabling ASM of request_send event 17.1.1, 16.1.4
1196537-1 3-Major BT1196537 BD process crashes when you use SMTP security profile 17.1.1, 16.1.4, 15.1.9
1195125 3-Major BT1195125 "Failed to allocate memory for nodes of size 0, no variables found in query" BD log message fix 16.1.4
1194173-2 3-Major BT1194173 BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value 17.1.1, 16.1.4, 15.1.9
1190365-3 3-Major BT1190365 OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly 17.1.1, 16.1.4, 15.1.10
1186437-1 3-Major BT1186437 Link to Server Technologies is not working 16.1.4
1186401-2 3-Major BT1186401 Using REST API to change policy signature settings changes all the signatures. 17.1.1, 16.1.4, 15.1.9
1186385-1 3-Major BT1186385 Link to 'Enforced Cookies' and 'SameSite Cookie Attribute Enforcement ' is opening the Policies List page 16.1.4
1184841-2 3-Major BT1184841 Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API 17.1.1, 16.1.4, 15.1.10
1173493-4 3-Major BT1173493 Bot signature staging timestamp corrupted after modifying the profile 17.1.1, 16.1.4, 15.1.10
1156889-3 3-Major BT1156889 TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions 17.1.1, 16.1.4, 15.1.9
1148009-2 3-Major BT1148009 Cannot sync an ASM logging profile on a local-only VIP 17.1.1, 16.1.4, 15.1.9
1144497-2 3-Major BT1144497 Base64 encoded metachars are not detected on HTTP headers 17.1.1, 16.1.4, 15.1.9
1141665-2 3-Major BT1141665 Significant slowness in policy creation following Threat Campaign LU installation 17.1.0, 16.1.4, 15.1.9
1137993-2 3-Major BT1137993 Violation is not triggered on specific configuration 17.1.1, 16.1.4, 15.1.9
1132981-2 3-Major BT1132981 Standby not persisting manually added session tracking records 17.1.1, 16.1.4, 15.1.9
1132741-2 3-Major BT1132741 Tmm core when html parser scans endless html tag of size more then 50MB 17.1.1, 16.1.4, 15.1.9
1128689-2 3-Major BT1128689 Performance improvement in signature engine 16.1.4, 15.1.9
1127809-2 3-Major BT1127809 Due to incorrect URI parsing, the system does not extract the expected domain name 17.1.0, 16.1.4, 15.1.9
1126409-3 3-Major BT1126409 BD process crash 17.1.0, 16.1.4, 15.1.9
1117245-2 3-Major BT1117245 Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file 17.1.1, 16.1.4, 15.1.10
1113881-2 3-Major BT1113881 Headers without a space after the colon, trigger an HTTP RFC violation 17.1.0, 16.1.4, 15.1.9
1112805-4 3-Major BT1112805 ip_address_intelligence field is not populated with value in ArcSight remote log when source IP is IPv4 17.1.0, 16.1.4, 15.1.9
1110281-2 3-Major BT1110281 Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable 17.1.1, 16.1.4, 15.1.9
1106937-3 3-Major BT1106937 ASM may skip signature matching 17.1.0, 16.1.4, 15.1.9
1102301-2 3-Major BT1102301 Content profiles created for types other than video and image allowing executable 17.1.0, 16.1.4
1100669-3 3-Major BT1100669 Brute force captcha loop 17.1.0, 16.1.4, 15.1.9
1100393-2 3-Major BT1100393 Multiple Referer header raise false positive evasion violation 17.1.0, 16.1.4
1099193-2 3-Major BT1099193 Incorrect configuration for "Auto detect" parameter is shown after switching from other data types 17.1.0, 16.1.4, 15.1.9
1098609-4 3-Major BT1098609 BD crash on specific scenario 17.1.1, 16.1.4, 15.1.9
1095041-2 3-Major BT1095041 ASM truncates cookies that contain a space in the name and TS cookie as part of cookie list. 17.1.0, 16.1.4, 15.1.10
1089853-2 3-Major BT1089853 "Virtual Server" or "Bot Defense Profile" links in Request Details are not working 17.1.0, 16.1.4
1089345-1 3-Major BT1089345 BD crash when mcp is down, usually on startups 17.1.0, 16.1.4
1085661-1 3-Major BT1085661 Standby system saves config and changes status after sync from peer 17.1.1, 16.1.4, 15.1.10
1084257-2 3-Major   New HTTP RFC Compliance check in headers 17.1.0, 17.0.0.1, 16.1.4, 15.1.7
1080613-1 3-Major BT1080613 LU configurations revert to default and installations roll back to genesis files 17.1.0, 16.1.4, 15.1.9
1078065-2 3-Major BT1078065 The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA. 17.1.1, 16.1.4, 15.1.9
1072165-2 3-Major BT1072165 Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format 17.1.0, 16.1.4, 15.1.9
1069729-3 3-Major BT1069729 TMM might crash after a configuration change. 17.1.1, 16.1.4, 15.1.9
1067589-3 3-Major BT1067589 Memory leak in nsyncd 17.1.0, 16.1.4, 15.1.9
1067557-2 3-Major BT1067557 Value masking under XML and JSON content profiles does not follow policy case sensitivity 17.1.1, 16.1.4, 15.1.9
1059513-1 3-Major BT1059513 Virtual servers may appear as detached from security policy when they are not. 17.1.1, 16.1.4, 15.1.10
1058597-5 3-Major BT1058597 Bd crash on first request after system recovery. 17.0.0, 16.1.4, 15.1.9
1048949-1 3-Major BT1048949 TMM xdata leak on websocket connection with asm policy without websocket profile 17.1.1, 16.1.4, 15.1.9
1029989-6 3-Major BT1029989 CORS : default port of origin header is set 80, even when the protocol in the header is https 16.1.4, 15.1.10
1023889-3 3-Major BT1023889 HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message 17.1.1, 16.1.4, 15.1.10
1017557-1 3-Major BT1017557 ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN 17.1.0, 16.1.4, 15.1.9
942617-2 4-Minor BT942617 Heading or tailing white spaces of variable are not trimmed in configuration utility System Variable 17.1.1, 16.1.4, 15.1.10
810917-1 4-Minor BT810917 OWASP Compliance score is shown for parent and child policies that are not applicable. 17.0.0, 16.1.4
1213333 4-Minor BT1213333 Check box to select all attack signatures does not work properly 16.1.4
1189865-2 4-Minor BT1189865 "Cookie not RFC-compliant" violation missing the "Description" in the event logs 17.1.1, 16.1.4, 15.1.9
1184929-1 4-Minor BT1184929 GUI link displays mixed values FULFILLED or Requirement Fulfilled and NOT FULFILLED or Requirement Not Fulfilled 16.1.4
1133997-3 4-Minor BT1133997 Duplicate user-defined Signature Set based on untagged signatures is created upon policy clone or import 17.1.1, 16.1.4
1132925-3 4-Minor BT1132925 Bot defense does not work with DNS Resolvers configured under non-zero route domains 17.1.0, 16.1.4, 15.1.9
1123153-3 4-Minor BT1123153 "Such URL does not exist in policy" error in the GUI 17.1.1, 16.1.4, 15.1.9
1113753-2 4-Minor BT1113753 Signatures might not be detected when using truncated multipart requests 17.1.1, 16.1.4, 15.1.10
1111793-2 4-Minor BT1111793 New HTTP RFC Compliance check for incorrect newline separators between request line and first header 17.1.0, 16.1.4, 15.1.7
1108657-3 4-Minor BT1108657 No notification about disabled "Virus detected" violation in case of enabling "Anti-Virus Protection" 17.1.0, 16.1.4
1099765-3 4-Minor BT1099765 Inconsistent behavior in violation detection with maximum parameter enforcement 17.1.1, 16.1.4, 15.1.10
1092965-2 4-Minor BT1092965 Disabled "Illegal Base64 value" violation is detect for staged base64 parameter with attack signature in value 17.1.0, 16.1.4, 15.1.9
1084857-2 4-Minor BT1084857 ASM::support_id iRule command does not display the 20th digit 17.1.1, 16.1.4, 15.1.10
1083513-1 4-Minor BT1083513 BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd 17.1.1, 16.1.4, 15.1.10
1076825-1 4-Minor BT1076825 "Live Update" configuration and list of update files reverts to default after upgrade to v16.1.x and v17.1.x from earlier releases. 17.1.1, 16.1.4
1026277-6 4-Minor BT1026277 Apply Policy can get ignored in auto-sync setup, while importing/replacing several existing policies with policies that have Policy Builder enabled 17.0.0, 16.1.4
1003765-2 4-Minor BT1003765 Authorization header signature triggered even when explicitly disabled 17.1.0, 16.1.4, 15.1.4.1
1113333-3 5-Cosmetic BT1113333 Change ArcSight Threat Campaign key names to be camelCase 17.1.0, 16.1.4, 15.1.9


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
932485-5 3-Major BT932485 Incorrect sum(hits_count) value in aggregate tables 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
1111189-2 3-Major BT1111189 Listing errors in tmsh and installation failures when the configuration includes an AVR scheduled-report. 17.1.0, 16.1.4


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
965837-4 2-Critical BT965837 When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection 17.0.0, 16.1.4, 15.1.9
1283645 2-Critical BT1283645 Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued 17.1.0.3, 16.1.4, 15.1.9, 14.1.5.6
1111149-2 2-Critical BT1111149 Nlad core observed due to ERR_func_error_string can return NULL 17.1.1, 16.1.4, 15.1.9
1110489-3 2-Critical BT1110489 TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event 17.1.1, 16.1.4, 15.1.9
1106757-3 2-Critical BT1106757 Horizon VDI clients are intermittently disconnected 17.1.0, 16.1.4, 15.1.9
1082581-2 2-Critical BT1082581 Apmd sees large memory growth due to CRLDP Cache handling 17.1.0, 16.1.4, 15.1.9, 14.1.5.3
1078829-1 2-Critical BT1078829 Login as current user fails in VMware 17.0.0, 16.1.4, 15.1.10
1065501-2 2-Critical BT1065501 [API Protection]Per request policy is getting timed out 17.0.0, 16.1.4, 15.1.9
1046633-1 2-Critical BT1046633 Rare tmm crash when sending packets to apmd fails 17.0.0, 16.1.4, 15.1.9
957453-1 3-Major BT957453 Javascript parser incompatible with ECMAScript 6/7+ javascript versions 17.1.0, 16.1.4, 15.1.9
956645-4 3-Major BT956645 Per-request policy execution may timeout. 17.0.0, 16.1.4, 15.1.9, 14.1.4.5
819645-1 3-Major BT819645 Reset Horizon View application does not work when accessing through F5 APM 17.1.0, 16.1.4, 15.1.9
796065-2 3-Major BT796065 PingAccess filter can accumulate connections increasing memory use. 16.1.4
752077-4 3-Major BT752077 Kerberos replay cache leaks file descriptors 17.0.0, 16.1.4, 15.1.9
490138-1 3-Major BT490138 Kerberos Auth might fail in case BIG-IP is configured with multiple AAA Kerberos Servers 17.1.0, 16.1.4, 15.1.9
1268521 3-Major BT1268521 SAML authentication with the VCS fails when launching the applications/remote desktops from the APM Webtop when multiple RD resources are assigned to the APM Webtop 17.1.1, 16.1.4, 15.1.10
1232977-3 3-Major BT1232977 TMM leaking memory in OAuth scope identifiers when parsing scope lists 17.1.1, 16.1.4
1208949-1 3-Major BT1208949 TMM cored with SIGSEGV at 'vpn_idle_timer_callback' 17.1.1, 16.1.4, 15.1.10
1205029 3-Major BT1205029 WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application 17.1.1, 16.1.4
1196401-2 3-Major BT1196401 Restarting TMM does not restart APM Daemon 17.1.0, 16.1.4, 15.1.9
1180365-2 3-Major BT1180365 APM Integration with Citrix Cloud Connector 17.1.1, 16.1.4, 15.1.10
1173669-1 3-Major BT1173669 Unable to reach backend server with Per Request policy and Per Session together 17.1.0, 16.1.4, 15.1.9
1167985-2 3-Major BT1167985 Network Access resource settings validation errors 17.1.1, 16.1.4
1166449-2 3-Major BT1166449 APM - NTLM authentication will stop working if any of DC FQDN is not resolvable in the configured DC list 17.1.0, 16.1.4, 15.1.9
1145361 3-Major BT1145361 When JWT is cached the error "JWT Expired and cannot be used" is observed 17.1.1, 16.1.4
1124109-2 3-Major   Add "typ":"JWT" to JOSE Header while generating JWT token from OAuth AS 17.1.0, 16.1.4, 15.1.10
1113661-1 3-Major BT1113661 When OAuth profile is attached to access policy, iRule event in VPE breaks the evaluation 17.1.0, 16.1.4
1111397-4 3-Major BT1111397 [APM][UI] Wizard should also allow same patterns as the direct GUI 17.1.1, 16.1.4, 15.1.9
1108109-4 3-Major BT1108109 APM policy sync fails when access policy contains customization images 17.1.0, 16.1.4, 15.1.9
1104409-1 3-Major BT1104409 Added Rewrite Control Lists builder to Admin UI 17.1.0, 16.1.4, 15.1.9
1101321-3 3-Major BT1101321 APM log files are flooded after a client connection fails. 17.1.0, 16.1.4, 15.1.9
1100549-3 3-Major BT1100549 "Resource Administrator" role cannot change ACL order 17.1.0, 16.1.4, 15.1.9
1099305-2 3-Major BT1099305 Nlad core observed due to ERR_func_error_string can return NULL 17.1.0, 16.1.4, 15.1.9
1089101-2 3-Major BT1089101 Apply Access Policy notification in UI after auto discovery 17.1.0, 16.1.4, 15.1.9
1075849-5 3-Major   APM client hardening 17.1.0, 16.1.4, 15.1.8.2
1070029-1 3-Major BT1070029 GSS-SPNEGO SASL mechanism issue with AD Query to Synology Directory Service 17.1.1, 16.1.4, 15.1.10
1067609-2 3-Major   Static keys were used while generating UUIDs under OAuth module 17.1.0, 16.1.4, 15.1.9
1064001-1 3-Major BT1064001 POST request to a virtual server with stream profile and a access policy is aborted. 17.0.0, 16.1.4, 15.1.9
1060477-1 3-Major BT1060477 iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]". 17.1.1, 16.1.4, 15.1.9
1050165 3-Major BT1050165 APM - users end up with SSO disabled for their session, admin intervention required to clear session 17.1.0, 16.1.4, 15.1.9
1046401-2 3-Major BT1046401 APM logs shows truncated OCSP URL path while performing OCSP Authentication. 17.1.1, 16.1.4, 15.1.10
1042505-1 3-Major BT1042505 Session variable "session.user.agent" does not get populated for edge clients 17.0.0, 16.1.4, 15.1.9
1039941-3 3-Major BT1039941 The webtop offers to download F5 VPN when it is already installed 17.1.1, 16.1.4, 15.1.10
1038753-4 3-Major K75431121, BT1038753 OAuth Bearer with SSO does not process headers as expected 17.1.0, 16.1.4, 15.1.9
1037877-3 3-Major BT1037877 OAuth Claim display order incorrect in VPE 17.1.0, 16.1.4, 15.1.9
1018877-2 3-Major BT1018877 Subsession variable values mixing between sessions 17.0.0, 16.1.4, 15.1.9
1013729-2 3-Major BT1013729 Changing User login password using VMware View Horizon client results in “HTTP error 500” 17.0.0, 16.1.4, 15.1.10
1010961-1 3-Major BT1010961 Redirect fails when accessing SAML Resource more than once in SAML IDP initiated Flow 17.1.0, 16.1.4
1010809-3 3-Major BT1010809 Connection is reset when sending a HTTP HEAD request to APM Virtual Server 17.1.0, 16.1.4, 15.1.9
1002413-2 3-Major BT1002413 Websso puts quotation marks around non-string claim type 'custom' values 17.0.0, 16.1.4
1000669-4 3-Major BT1000669 Tmm memory leak 'string cache' leading to SIGFPE 17.0.0, 16.1.4, 15.1.9
1252005 4-Minor BT1252005 VMware USB redirection does not work with DaaS 17.1.1, 16.1.4, 15.1.10
1224409 4-Minor BT1224409 Unable to set session variables of length >4080 using the -secure flag 17.1.1, 16.1.4, 15.1.10
1195385 4-Minor BT1195385 OAuth Scope Internal Validation fails upon multiple providers with same type 17.1.1, 16.1.4
1088389-2 4-Minor BT1088389 Admin to define the AD Query/LDAP Query page-size globally 17.1.0, 16.1.4, 15.1.9
1079441-2 4-Minor BT1079441 APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries 17.1.0, 16.1.4, 15.1.9
1050009-2 4-Minor BT1050009 Access encountered error:ERR_NOT_FOUND. File: <file name> messages in 'acs_cmp_acp_req_handler' function in APM logs 17.1.0, 16.1.4, 15.1.9
1041985-1 4-Minor BT1041985 TMM memory utilization increases after upgrade 17.1.1, 16.1.4, 15.1.9
1040829-4 4-Minor BT1040829 Errno=(Invalid cross-device link) after SCF merge 17.1.1, 16.1.4, 15.1.10
1028081-1 4-Minor BT1028081 [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page 17.1.1, 16.1.4, 15.1.9


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1269889-3 2-Critical BT1269889 LTM crashes are observed while running SIP traffic and pool members are offline 17.1.1, 16.1.4, 15.1.10
1239901-2 2-Critical BT1239901 LTM crashes while running SIP traffic 17.1.1, 16.1.4, 15.1.9
1141853-2 2-Critical BT1141853 SIP MRF ALG can lead to a TMM core 17.1.0, 16.1.4, 15.1.9
1291149-3 3-Major BT1291149 Cores with fail over and message routing 17.1.1, 16.1.4, 15.1.10
1287313-2 3-Major BT1287313 SIP response message with missing Reason-Phrase or with spaces are not accepted 17.1.1, 16.1.4, 15.1.10
1189513-4 3-Major BT1189513 SIP media flow pinholes are not created if SDP MIME multipart body part miss the content-length header 17.1.1, 16.1.4, 15.1.9
1167941-3 3-Major BT1167941 CGNAT SIP ALG INVITE loops between BIG-IP and Server 17.1.0, 16.1.4, 15.1.9
1038057-4 3-Major BT1038057 Unable to add a serverssl profile into a virtual server containing a FIX profile 17.1.1, 16.1.4, 15.1.9
1213469-1 4-Minor BT1213469 MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP is dropped 17.1.1, 16.1.4
1116941-1 4-Minor BT1116941 Need larger Content-Length value supported for SIP 17.1.0, 16.1.4, 15.1.9


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1317705-2 1-Blocking   TMM may restart on certain DNS traffic 17.1.1, 16.1.4
1013353-1 1-Blocking BT1013353 ICMP flood or ICMP/IP/IPv6 fragment vectors are not hardware mitigated when configured on VS 16.1.4
1292093 2-Critical BT1292093 Neuron based HW SYN cookie broken due to ZBDDOS feature porting to 16.1.x 16.1.4
1287425 2-Critical BT1287425 Observed crash while running sweep flood tests 16.1.4
1136917-1 2-Critical BT1136917 TMM crashed when dos-profile (with BDOS and White-list enabled) disassociated from Virtual Server. 17.1.0, 16.1.4
1106273-3 2-Critical BT1106273 "duplicate priming" assert in IPSECALG 17.1.1, 16.1.4, 15.1.9
1069809 2-Critical BT1069809 AFM rules with ipi-category src do not match traffic after failover. 16.1.4, 15.1.9
1048425-4 2-Critical BT1048425 Packet tester crashes TMM when vlan external source-checking is enabled 16.1.4
1040685-4 2-Critical BT1040685 Core file on blade slot2 after reboot (TMM SIGSEGV in pktclass_classifier) 17.0.0, 16.1.4, 15.1.10
1038549-1 2-Critical BT1038549 TMM core when BDoS is enabled for an extended time 16.1.4
997429-1 3-Major BT997429 When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled 17.1.0, 16.1.4, 15.1.9
993269-3 3-Major BT993269 DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option 17.0.0, 16.1.4, 15.1.9
952521-1 3-Major BT952521 Memory allocation error while creating an address list with a large range of IPv6 addresses 17.0.0, 16.1.4, 15.1.9
929913-3 3-Major BT929913 External DNS logging does not differentiate between: all src_IP, Per-SrcIP and Per-DstIP events 17.0.0, 16.1.4, 15.1.9
1287873 3-Major BT1287873 Hardware mitigation is not working for a few SIP vectors 16.1.4
1216573-1 3-Major BT1216573 AFM Learning Domain issue when trying with many valid domains 16.1.4
1209409-3 3-Major BT1209409 Address lists with thousands of addresses can cause MCPD to become unresponsive and use 100% CPU 16.1.4
1127117-1 3-Major BT1127117 High Memory consumption for NAT translations of NAPT/PBA End Point Independent modes 17.1.0, 16.1.4, 15.1.9
1124149-2 3-Major BT1124149 Increase the configuration for the PCCD Max Blob size from 4GB to 8GB 17.1.0, 16.1.4, 15.1.9
1121521-2 3-Major BT1121521 Libssh upgrade from v0.7.7 to v0.9.6 17.1.0, 16.1.4, 15.1.8
1112781 3-Major BT1112781 DNS query drops on Virtual Edition platform if the packet size is above 1500 for NAPTR record. 17.1.1, 16.1.4, 15.1.9
1078625 3-Major BT1078625 TMM crashes during DoS processing 17.1.1, 16.1.4
1070033-2 3-Major BT1070033 Virtual server may not fully enter hardware SYN Cookie mode. 17.0.0, 16.1.4, 14.1.4.6
1020061-3 3-Major BT1020061 Nested address lists can increase configuration load time 17.0.0, 16.1.4, 15.1.9
760355-4 4-Minor BT760355 Firewall rule to block ICMP/DHCP from 'required' to 'default' 16.1.4, 15.1.9, 15.0.1.1, 14.1.2.1
1215401-1 4-Minor BT1215401 Under Shared Objects, some country names are not available to select in the Address List 16.1.4, 15.1.9
1211021-4 4-Minor BT1211021 Enforcement does not happen for entries in new and modified IPI feed lists due to lock issues 17.1.0, 16.1.4, 15.1.10
1069265-3 4-Minor BT1069265 New connections or packets from the same source IP and source port can cause unnecessary port block allocations. 17.1.1, 16.1.4, 15.1.10
1003377-3 4-Minor BT1003377 Disabling DoS TCP SYN-ACK does not clear suspicious event count option 16.1.4, 15.1.9


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1159397-1 1-Blocking BT1159397 The high utilization of memory when blade turns offline results in core 17.1.0, 16.1.4, 15.1.9
1186925-4 2-Critical BT1186925 When FUA in CCA-i, PEM does not send CCR-u for other rating-groups 17.1.1, 16.1.4, 15.1.9
1095989-1 2-Critical BT1095989 PEM behaviour on receiving CCA with result code: 4012 and FUA on the Gy interface 17.1.0, 16.1.4
829653-1 3-Major BT829653 Memory leak due to session context not freed 17.0.0, 16.1.4
1259489-3 3-Major BT1259489 PEM subsystem memory leak is observed when using PEM::subscriber information 17.1.1, 16.1.4, 15.1.10
1238249-1 3-Major BT1238249 PEM Report Usage Flow log is inaccurate 17.1.1, 16.1.4, 15.1.10
1226121-2 3-Major BT1226121 TMM crashes when using PEM logging enabled on session 17.1.1, 16.1.4, 15.1.9
1207381-3 3-Major BT1207381 PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored 17.1.1, 16.1.4, 15.1.9
1190353-3 3-Major BT1190353 The wr_urldbd BrightCloud database downloading from a proxy server is not working 17.1.1, 16.1.4, 15.1.10
1174085-1 3-Major BT1174085 spmdb_session_hash_entry_delete releases the hash's reference 17.1.1, 16.1.4, 15.1.9
1174033-2 3-Major BT1174033 The UPDATE EVENT is triggered with faulty session_info and resulting in core 17.1.0, 16.1.4, 15.1.9
1108681-4 3-Major BT1108681 PEM queries with filters return error message when a blade is offline 17.1.0, 16.1.4, 15.1.9
1093357-4 3-Major BT1093357 PEM intra-session mirroring can lead to a crash 17.1.1, 16.1.4, 15.1.10
1089829-3 3-Major BT1089829 PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers 17.1.0, 16.1.4, 15.1.9
1020041-3 3-Major BT1020041 "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs 17.1.1, 16.1.4, 15.1.10


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
1016045-4 4-Minor BT1016045 OOPS logging may appear while active ftp if the port command forces a cmp_redirection and a quit follows. 16.1.4, 15.1.9


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1211297-3 2-Critical BT1211297 Handling DoS profiles created dynamically using iRule and L7Policy 17.1.1, 16.1.4, 15.1.9
1060057-2 3-Major BT1060057 Enable or Disable APM dynamically with Bados generates APM error 17.1.0, 16.1.4, 15.1.9


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
1161965-3 3-Major BT1161965 File descriptor(fd) and shared memory leak in wr_urldbd 17.1.0, 16.1.4, 15.1.9
974205-5 4-Minor BT974205 Unconstrained wr_urldbd size causing box to OOM 17.1.0, 16.1.4, 15.1.4, 14.1.4.4, 12.1.6
1168137-3 4-Minor BT1168137 PEM Classification Auto-Update for month is working as hourly 17.1.0, 16.1.4, 15.1.9
1167889 4-Minor BT1167889 PEM classification signature scheduled updates do not complete 17.1.0, 16.1.4, 15.1.9
1117297-1 4-Minor BT1117297 Wr_urldbd continuously crashes and restarts 17.1.0, 16.1.4, 15.1.9


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
954001-7 3-Major   REST File Upload hardening 17.1.1, 16.1.4, 15.1.10
1196477-3 3-Major BT1196477 Request timeout in restnoded 17.1.1, 16.1.4, 15.1.9
1049237-1 4-Minor BT1049237 Restjavad may fail to cleanup ucs file handles even with ID767613 fix 17.1.1, 16.1.4, 15.1.10


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
889605-2 3-Major BT889605 iApp with Bot profile is unavailable if application folder includes a subpath 17.1.0, 16.1.4, 15.1.9
1004697-3 3-Major BT1004697 Saving UCS files can fail if /var runs out of space 16.1.4, 15.1.10
1093933-3 4-Minor   CVE-2020-7774 nodejs-y18n prototype pollution vulnerability 17.1.1, 16.1.4, 15.1.9


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
1122205-1 3-Major BT1122205 The 'action' value changes when loading protocol-inspection profile config 17.1.1, 16.1.4, 15.1.10
1098837-1 4-Minor BT1098837 Configuration failure due to the DB validation exception happening in the ips_inspection_sig and ips_inspection_compl tables 17.1.0, 16.1.4, 15.1.9
1135073-3 5-Cosmetic BT1135073 IPS signature update webUI warning message "An active subscription is required to access certain inspections" is always enabled 17.1.0, 16.1.4, 15.1.9


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
1107549-2 2-Critical BT1107549 In-TMM TCP monitor memory leak 17.1.0, 16.1.4, 15.1.8
1110241-2 3-Major BT1110241 in-tmm http(s) monitor accumulates unchecked memory 17.1.0, 16.1.4, 15.1.9
1046917-4 3-Major BT1046917 In-TMM monitors do not work after TMM crashes 17.1.0, 16.1.4, 15.1.8


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
922737-1 2-Critical BT922737 TMM crashes with a sigsegv while passing traffic 17.1.0, 16.1.4, 15.1.10
1104037-2 2-Critical BT1104037 Tmm crash after changing "connection.vlankeyed" to disabled on system with L2 wire 17.1.0, 16.1.4, 15.1.10
1289365-1 3-Major BT1289365 The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode 17.1.1, 16.1.4, 15.1.10
1095145-3 4-Minor BT1095145 Virtual server responding with ICMP unreachable after using /Common/service 17.1.0, 16.1.4



Cumulative fixes from BIG-IP v16.1.3.5 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1285173-3 CVE-2023-38138 K000133474, BT1285173 Improper query string handling on undisclosed pages 17.1.0.2, 16.1.3.5, 15.1.9.1
1265425-2 CVE-2023-38423 K000134535, BT1265425 Improper query string handling on undisclosed pages 17.1.0.2, 16.1.3.5, 15.1.9.1
1185421-4 CVE-2023-38419 K000133472, BT1185421 iControl SOAP uncaught exception when handling certain payloads 17.1.0.2, 16.1.3.5, 15.1.9.1


Functional Change Fixes

None



Cumulative fixes from BIG-IP v16.1.3.4 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1223369-3 CVE-2024-23982 K000135946 Classification of certain UDP traffic may cause crash 17.1.1, 16.1.3.4, 15.1.10
1213305-3 CVE-2023-27378 K000132726, BT1213305 Improper query string handling on undisclosed pages 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4
1208989-3 CVE-2023-27378 K000132726, BT1208989 Improper value handling in DOS Profile properties page 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4
1208001-1 CVE-2023-22374 K000130415, BT1208001 iControl SOAP vulnerability CVE-2023-22374 17.1.1, 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4
1204961-4 CVE-2023-27378 K000132726, BT1204961 Improper query string handling on undisclosed pages 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4
1204793-4 CVE-2023-27378 K000132726, BT1204793 Improper query string handling on undisclosed pages 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4
1196033-2 CVE-2023-27378 K000132726, BT1196033 Improper value handling in DataSafe UI 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4
1106989-3 CVE-2023-29163 K20145107, BT1106989 Certain configuration settings may lead to memory accumulation 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4
1086293-4 CVE-2023-22358 K76964818, BT1086293 Untrusted search path vulnerability in APM Windows Client installer processes 17.1.0, 17.0.0.2, 16.1.3.4, 15.1.8.2, 14.1.5.4
1086289-4 CVE-2023-22358 K76964818, BT1086289 BIG-IP Edge Client for Windows vulnerability CVE-2023-22358 17.1.0, 17.0.0.2, 16.1.3.4, 15.1.8.2, 14.1.5.4
1207661-4 CVE-2023-28406 K000132768, BT1207661 Datasafe UI hardening 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4
1096373-2 CVE-2023-28742 K000132972, BT1096373 Unexpected parameter handling in BIG3d 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4


Functional Change Fixes

None



Cumulative fixes from BIG-IP v16.1.3.3 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
982785-2 CVE-2022-25946 K52322100 Guided Configuration hardening 17.0.0, 16.1.3.3, 15.1.8, 14.1.5.3
890917-8 CVE-2023-22323 K56412001, BT890917 Performance may be reduced while processing SSL traffic 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1143073-4 CVE-2022-41622 K94221585, BT1143073 iControl SOAP vulnerability CVE-2022-41622 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1107437-3 CVE-2023-22839 K37708118, BT1107437 TMM may crash when enable-rapid-response is enabled on a DNS profile 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1106161-2 CVE-2022-41800 K13325942, BT1106161 Securing iControlRest API for appliance mode 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1105389-4 CVE-2023-23552 K17542533, BT1105389 Incorrect HTTP request handling may lead to resource leak 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3
1093821-4 CVE-2023-22422 K43881487, BT1093821 TMM may behave unexpectedly while processing HTTP traffic 17.1.0, 17.0.0.2, 16.1.3.3
1085077-4 CVE-2023-22340 K34525368, BT1085077 TMM may crash while processing SIP-ALG traffic 17.0.0, 16.1.3.3, 15.1.8, 14.1.5.3
1083225-2 CVE-2023-22842 K08182564, BT1083225 TMM may crash while processing SIP traffic 17.0.0, 16.1.3.3, 15.1.8.1, 14.1.5.3
1062569-1 CVE-2023-22664 K56676554, BT1062569 HTTP/2 stream bottom filter leaks memory at teardown under certain conditions 17.1.0, 17.0.0.2, 16.1.3.3
1032553-5 CVE-2023-22281 K46048342, BT1032553 Core when virtual server with destination NATing receives multicast 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3
1112445-2 CVE-2023-22302 K58550078, BT1112445 Fix to avoid zombie node on the chain 17.1.0, 17.0.0.2, 16.1.3.3
1073005-2 CVE-2023-22326 K83284425, BT1073005 iControl REST use of the dig command does not follow security best practices 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1065917-2 CVE-2023-22418 K95503300, BT1065917 BIG-IP APM Virtual Server does not follow security best practices 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.7, 14.1.5.3


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1113385-4 3-Major BT1113385 Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1103369-2 3-Major BT1103369 DELETE of REST Auth token does not result in deletion of the pamcache token file on a multi-slot VIPRION chassis, vCMP guest, or VELOS tenant 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1134085-2 2-Critical BT1134085 Intermittent TMM core when iRule is configured with SSL persistence 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1122473-4 2-Critical BT1122473 TMM panic while initializing URL DB 17.1.0, 16.1.3.3, 15.1.9
1174873-3 3-Major BT1174873 Query string separators ? or / in MutiDomain or SAML use cases are incorrectly converted to "%3F" or "%2F" 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3



Cumulative fixes from BIG-IP v16.1.3.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
982777-9 CVE-2022-27230 K21317311, BT982777 APM hardening 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3
982769-12 CVE-2022-27806 K68647001, BT982769 Appliance mode hardening 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3
982753-2 CVE-2022-27806 K68647001, BT982753 Appliance mode hardening 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3
982745-5 CVE-2022-27806 K68647001, BT982745 Appliance mode hardening 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3
963625-3 CVE-2022-27806 K68647001, BT963625 Appliance mode hardening 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3
959153-3 CVE-2022-27806 K68647001, BT959153 Appliance mode hardening 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3
1106289-2 CVE-2022-41624 K43024307, BT1106289 TMM may leak memory when processing sideband connections. 17.1.0, 17.0.0.1, 16.1.3.2, 15.1.7, 14.1.5.2, 13.1.5.1
1068821 CVE-2022-41806 K00721320, BT1068821 TMM may crash when processing AFM NAT64 policy 16.1.3.2
1004881-5 CVE-2015-9251,CVE-2016-7103,CVE-2017-18214,CVE-2018-16487,CVE-2018-3721,CVE-2019-1010266,CVE-2019-10744,CVE-2019-10768,CVE-2019-10768,CVE-2019-11358,CVE-2020-11022,CVE-2020-11023,CVE-2020-28168,CVE-2020-28500,CVE-2020-7676,CVE-2020-7676,CVE-2020-8203,CVE-2021-23337 K12492858, BT1004881 Update angular, jquery, moment, axios, and lodash libraries in AGC 17.0.0, 16.1.3.2, 15.1.8


Functional Change Fixes

None


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1137037 2-Critical BT1137037 System boots into an inoperative state after installing engineering hotfix with FIPS 140-2/140-3 license in version 16.1.x 16.1.3.2



Cumulative fixes from BIG-IP v16.1.3.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
972517-7 CVE-2023-43746 K41072952, BT972517 Appliance mode hardening 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
1104493-1 CVE-2022-35272 K90024104, BT1104493 Client-side abort during server-side establishment may cause tmm to behave abnormally in HTTP MRF proxy 17.1.0, 17.0.0.1, 16.1.3.1
1093621-2 CVE-2022-41832 K10347453 Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1, 13.1.5.1
1085729-2 CVE-2022-41836 K47204506, BT1085729 bd may crash while processing specific request 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1076397-1 CVE-2022-35735 K13213418, BT1076397 TMSH hardening 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1073841-1 CVE-2022-34862 K66510514, BT1073841 URI normalization does not function as expected 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
1073357-2 CVE-2022-34862 K66510514, BT1073357 TMM may crash while processing HTTP traffic 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
1067505-4 CVE-2022-34651 K59197053, BT1067505 TMM may crash while processing TLS traffic with HTTP::respond 17.0.0, 16.1.3.1, 15.1.6.1
1066673-1 CVE-2022-35728 K55580033, BT1066673 BIG-IP Configuration Utility(TMUI) does not follow best practices for managing active sessions 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1024029-2 CVE-2022-35245 K58235223, BT1024029 TMM may crash when processing traffic with per-session APM Access Policy 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
919357-8 CVE-2022-41770 K22505850, BT919357 iControl REST hardening 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
881809-8 CVE-2022-41983 K31523465, BT881809 Client SSL and Server SSL profile hardening 17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1
740321-1 CVE-2022-34851 K50310001, BT740321 iControl SOAP API does not follow current best practices 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1084013-4 CVE-2022-36795 K52494562, BT1084013 TMM does not follow TCP best practices 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1081153-2 CVE-2022-41813 K93723284, BT1081153 TMM may crash while processing administrative requests 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
1073549-1 CVE-2022-35735 K13213418, BT1073549 TMSH hardening 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1055925-1 CVE-2022-34844 K34511555, BT1055925 TMM may crash while processing traffic on AWS 17.0.0, 16.1.3.1, 15.1.6.1
1043281-6 CVE-2021-3712 K19559038, BT1043281 OpenSSL vulnerability CVE-2021-3712 17.0.0, 16.1.3.1, 15.1.6.1
1006921-1 CVE-2022-33962 K80970653, BT1006921 iRules Hardening 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1063641-4 CVE-2022-33968 K23465404, BT1063641 NTLM library hardening 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1063637-4 CVE-2022-33968 K23465404, BT1063637 NTLM library hardening 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1036057-1 3-Major BT1036057 Add support for line folding in multipart parser. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1025261-3 3-Major BT1025261 Restjavad uses more resident memory in control plane after software upgrade 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1071621-1 4-Minor BT1071621 Increase the number of supported traffic selectors 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1120433-2 1-Blocking BT1120433 Removed gtmd and big3d daemon from the FIPS-compliant list 17.1.0, 16.1.3.1
989517-3 2-Critical BT989517 Acceleration section of virtual server page not available in DHD 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
957637-1 2-Critical BT957637 The pfmand daemon can crash when it starts. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
936501-1 2-Critical BT936501 Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled 17.1.0, 16.1.3.1, 15.1.9
759928-6 2-Critical BT759928 Engineering Hotfixes might not contain all required packages 17.0.0, 16.1.3.1, 15.1.7
1097193-2 2-Critical K000134769, BT1097193 Unable to SCP files using WinSCP or relative path name 17.1.0, 16.1.3.1, 15.1.9
1076921-1 2-Critical BT1076921 The Hostname in BootMarker logs and /var/log/ltm logs that sourced from TMM were getting truncated. 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1048853-1 2-Critical BT1048853 TMM memory leak of "IKE VBUF" 17.0.0, 16.1.3.1, 15.1.7
1041865-4 2-Critical K16392416, BT1041865 Correctable machine check errors [mce] should be suppressed 17.0.0, 16.1.3.1, 15.1.7
992121-4 3-Major BT992121 REST "/mgmt/tm/services" endpoint is not accessible 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
720610-4 3-Major BT720610 Automatic Update Check logs false 'Update Server unavailable' message on every run 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.2.7, 13.1.3
1123149 3-Major BT1123149 Sys-icheck fail for /etc/security/opasswd 17.1.0, 16.1.3.1
1120685 3-Major BT1120685 Unable to update the password in the CLI when password-memory is set to > 0 17.1.0, 16.1.3.1
1091345-2 3-Major BT1091345 The /root/.bash_history file is not carried forward by default during installations. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1087621-1 3-Major BT1087621 IKEv2: IPsec CREATE_CHILD_SA (IKE) fails due to bad ECP payload 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1048137-2 3-Major BT1048137 IPsec IKEv1 intermittent but consistent tunnel setup failures 17.0.0, 16.1.3.1, 15.1.9
1042737-4 3-Major BT1042737 BGP sending malformed update missing Tot-attr-len of '0. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1024661-3 3-Major BT1024661 SCTP forwarding flows based on VTAG for bigproto 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
756918-4 4-Minor BT756918 Engineering Hotfix ISOs may be nearly as large as full Release ISOs 17.0.0, 16.1.3.1, 15.1.7
1090569-1 4-Minor BT1090569 After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1080317-3 4-Minor BT1080317 Hostname is getting truncated on some logs that are sourced from TMM 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1067105-2 4-Minor BT1067105 Racoon logging shows incorrect SA length. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
944381-2 2-Critical BT944381 Dynamic CRL checking for client certificate is not working when TLS1.3 is used. 17.0.0, 16.1.3.1, 15.1.6.1
780857-4 2-Critical BT780857 HA failover network disruption when cluster management IP is not in the list of unicast addresses 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1113549-3 2-Critical BT1113549 System boots into an inoperative state after installing engineering hotfix with FIPS140-2/140-3 License 17.1.0, 16.1.3.1
1110205-2 2-Critical BT1110205 SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown 17.1.0, 16.1.3.1, 15.1.9
1087469-2 2-Critical BT1087469 iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate. 17.1.0, 16.1.3.1, 15.1.6.1
1087217-2 2-Critical BT1087217 TMM crash as part of the fix made for ID912209 17.1.0, 16.1.3.1
1086677-4 2-Critical BT1086677 TMM Crashes in xvprintf() because of NULL Flow Key 17.0.0, 16.1.3.1, 15.1.7
1080581-1 2-Critical BT1080581 Virtual server creation is not allowed to have TCP, UDP and HTTP together with Client or Server SSL Profiles. 17.0.0, 16.1.3.1, 15.1.5.1
1074517-1 2-Critical BT1074517 Tmm may core while adding/modifying traffic-class attached to a virtual server 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1073609-4 2-Critical BT1073609 Tmm may core while using reject iRule command in LB_SELECTED event. 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1020645 2-Critical BT1020645 When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered 17.1.0, 16.1.3.1, 15.1.4.1
999881-6 3-Major BT999881 Tcl command 'string first' not working if payload contains Unicode characters. 17.0.0, 16.1.3.1, 15.1.7
948985-3 3-Major BT948985 Workaround to address Nitrox 3 compression engine hang 17.0.0, 16.1.3.1, 15.1.6.1
922413-8 3-Major BT922413 Excessive memory consumption with ntlmconnpool configured 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
748886-4 3-Major BT748886 Virtual server stops passing traffic after modification 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1109833-1 3-Major BT1109833 HTTP2 monitors not sending request 17.1.0, 16.1.3.1
1091761-1 3-Major BT1091761 Mqtt_message memory leaks when iRules are used 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1082225-4 3-Major BT1082225 Tmm may core while Adding/modifying traffic-class attached to a virtual server. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1070789 3-Major BT1070789 SSL fwd proxy invalidating certificate even through bundle has valid CA 17.1.0, 16.1.3.1
1068445-1 3-Major BT1068445 TCP duplicate acks are observed in speed tests for larger requests 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1060989 3-Major BT1060989 Improper handling of HTTP::collect 17.1.0, 16.1.3.1
1053149-1 3-Major BT1053149 A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received. 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1043805-3 3-Major BT1043805 ICMP traffic over NAT does not work properly. 17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1
1036169-4 3-Major BT1036169 VCMPD rsync server max connection limit: guest "Exit flags for PID 17299: 0x500". 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1022453-4 3-Major BT1022453 IPv6 fragments are dropped when packet filtering is enabled. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1006157-3 3-Major BT1006157 FQDN nodes not repopulated immediately after 'load sys config' 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
987885-6 4-Minor BT987885 Half-open unclean SSL termination might not close the connection properly 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1104073-2 4-Minor BT1104073 Use of iRules command whereis with "isp" or "org" options may cause TCL object leak. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1077701-1 2-Critical BT1077701 GTM "require M from N" monitor rules do not report when the number of "up" responses change 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
984749-1 3-Major BT984749 Discrepancy between DNS cache statistics "Client Summary" and "Client Cache." 17.0.0, 16.1.3.1, 15.1.7
1091249-2 3-Major BT1091249 BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1078669-2 3-Major BT1078669 iRule command “RESOLVER::name_lookup” returns null for TCP resolver with TC (truncated) flag set. 17.0.0, 16.1.3.1, 15.1.7
1071301-1 3-Major BT1071301 GTM server does not get updated even when the virtual server status changes. 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1071233-1 3-Major BT1071233 GTM Pool Members may not be updated accurately when multiple identical database monitors are configured 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
950069-1 4-Minor BT950069 Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record" 17.0.0, 16.1.3.1, 15.1.6.1
1084673-2 4-Minor BT1084673 GTM Monitor "require M from N" status change log message does not print pool name 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1048685-4 2-Critical BT1048685 Rare TMM crash when using Bot Defense Challenge 17.0.0, 16.1.3.1, 15.1.7
1015881-4 2-Critical BT1015881 TMM might crash after configuration failure 17.1.0, 16.1.3.1, 15.1.7
886533-5 3-Major BT886533 Icap server connection adjustments 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1083913-2 3-Major BT1083913 Missing error check in ICAP handling 17.1.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1082461-2 3-Major BT1082461 The enforcer cores during a call to 'ASM::raise' from an active iRule 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1078765-1 3-Major BT1078765 Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1062493-1 3-Major BT1062493 BD crash close to it's startup 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1056957-1 3-Major BT1056957 An attack signature can be bypassed under some scenarios. 17.1.0, 17.0.0.1, 16.1.3.1
1036305-5 3-Major BT1036305 "Mandatory request body is missing" violation in staging but request is unexpectedly blocked 17.0.0, 16.1.3.1, 15.1.6.1
1030133-2 3-Major BT1030133 BD core on XML out of memory 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1014973-5 3-Major BT1014973 ASM changed cookie value. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
948241-4 4-Minor BT948241 Count Stateful anomalies based only on Device ID 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
947333-2 4-Minor BT947333 Irrelevant content profile diffs in Policy Diff 17.1.0, 17.0.0.1, 16.1.3.1
1079721 4-Minor BT1079721 OWASP 2017 A2 Category - Login enforcement link is broken 16.1.3.1
1073625-2 4-Minor BT1073625 Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1058297-2 4-Minor BT1058297 Policy history values for 'max Size Of Saved Versions' and for 'min Retained Files In Dir' is reset during upgrade 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1046317-2 4-Minor BT1046317 Violation details are not populated with staged URLs for some violation types 17.0.0, 16.1.3.1, 15.1.6.1
1040513-5 4-Minor BT1040513 The counter for "FTP commands" is always 0. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1014573-1 4-Minor BT1014573 Several large arrays/objects in JSON payload may core the enforcer 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1029689-2 5-Cosmetic BT1029689 Incosnsitent username "SYSTEM" in Audit Log 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
926341-5 3-Major BT926341 RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade 17.0.0, 16.1.3.1, 15.1.4, 14.1.4.4, 13.1.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
987341-1 2-Critical BT987341 BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers. 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
1071485-3 3-Major BT1071485 For IP based bypass, Response Analytics sends RST. 17.0.0, 16.1.3.1, 15.1.10
1063345-5 3-Major BT1063345 Urldbmgrd may crash while downloading the database. 17.0.0, 16.1.3.1, 15.1.9
1043217-1 3-Major BT1043217 NTLM frontend auth fails with the latest Microsoft RDP client on MacOS 14.0.1 platform 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1039725-1 3-Major BT1039725 Reverse proxy traffic fails when a per-request policy is attached to a virtual server. 17.0.0, 16.1.3.1, 15.1.9
1024437-6 3-Major BT1024437 Urldb index building fails to open index temp file 17.0.0, 16.1.3.1, 15.1.9
1022493-4 3-Major BT1022493 Slow file descriptor leak in urldbmgrd (sockets open over time) 17.0.0, 16.1.3.1, 15.1.10
1010597-1 3-Major BT1010597 Traffic disruption when virtual server is assigned to a non-default route domain 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
921441-4 3-Major BT921441 MR_INGRESS iRules that change diameter messages corrupt diam_msg 17.0.0, 16.1.3.1, 15.1.7
1103233-2 4-Minor BT1103233 Diameter in-tmm monitor is logging disconnect events unnecessarily 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
977153-3 3-Major BT977153 Packet with routing header IPv6 as next header in IP layer fails to be forwarded 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1091565-1 2-Critical BT1091565 Gy CCR AVP:Requested-Service-Unit is misformatted/NULL 17.1.0, 16.1.3.1, 15.1.9
1090649-3 3-Major BT1090649 PEM errors when configuring IPv6 flow filter via GUI 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1084993 3-Major BT1084993 [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
911585-5 4-Minor BT911585 PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
815901-2 4-Minor BT815901 Add rule to the disabled pem policy is not allowed 17.0.0, 16.1.3.1, 15.1.7


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
832133-7 3-Major BT832133 In-TMM monitors fail to match certain binary data in the response from the server 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
1050273-1 3-Major BT1050273 ERR_BOUNDS errors observed with HTTP service in SSL Orchestrator. 17.0.0, 16.1.3.1, 15.1.5



Cumulative fixes from BIG-IP v16.1.3 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
996233-1 CVE-2022-33947 K38893457, BT996233 Tomcat may crash while processing TMUI requests 17.0.0, 16.1.3, 15.1.6.1, 14.1.5
972489-7 CVE-2022-35243 K11010341, BT972489 BIG-IP Appliance Mode iControl hardening 17.0.0, 16.1.3, 15.1.5.1, 14.1.5
1079505-4 CVE-2022-33203 K52534925, BT1079505 TMM may consume excessive resources while processing SSL Orchestrator traffic 17.0.0, 16.1.3, 15.1.6.1, 14.1.5
1081201-1 CVE-2022-41694 K64829234, BT1081201 MCPD certification import hardening 17.0.0, 16.1.3, 15.1.6.1, 14.1.5


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1078821-1 2-Critical BT1078821 Upgrade tomcat with OpenJDK 1.7 32bit to OpenJDK 1.8 32bit 17.0.0, 16.1.3, 15.1.6.1, 14.1.5
1036285-1 3-Major BT1036285 Enforce password expiry after local user creation 17.0.0, 16.1.3


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
947905-4 1-Blocking BT947905 Upgrade from 13.1.4, 14.1.4, or 15.1.1 to 14.0.x, 15.0.x, 16.0.0 or 16.0.0.1 fails 16.1.3, 16.0.1
1101705-2 1-Blocking BT1101705 RSA-KEX ciphers list are removed from httpd configuration in FIPS mode since these are non-approved ciphers for FIPS 140-3 certification 17.1.0, 17.0.0.1, 16.1.3
1083977-1 1-Blocking BT1083977 MCPD crashes when changing HTTPD configuration, all secondary blades of clustered system remain offline 17.0.0, 16.1.3
943109-4 2-Critical BT943109 Mcpd crash when bulk deleting Bot Defense profiles 17.0.0, 16.1.3, 15.1.6.1, 14.1.5
940225-4 2-Critical BT940225 Not able to add more than 6 NICs on VE running in Azure 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
1108181-2 2-Critical BT1108181 iControl REST call with token fails with 401 Unauthorized 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
1079817-1 2-Critical BT1079817 Java null pointer exception when saving UCS with iAppsLX installed 17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1
950149 3-Major BT950149 Add configuration to ccmode for compliance with the Common Criteria STIP PPM. 17.0.0, 16.1.3
896941 3-Major BT896941 Common Criteria ccmode script updated 17.0.0, 16.1.3
886649-5 3-Major BT886649 Connections stall when dynamic BWC policy is changed via GUI and TMSH 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
724653-5 3-Major BT724653 In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync. 17.0.0, 16.1.3, 15.1.6.1, 14.1.5
1106325 3-Major BT1106325 Upgrade from BIG-IP 16.1.3 to BIG-IP 17.0 does not work when FIPS mode is enabled 16.1.3
1089849 3-Major BT1089849 NIST SP800-90B compliance 17.1.0, 17.0.0.1, 16.1.3
1064357-1 3-Major BT1064357 execute_post_install: EPSEC: Installation of EPSEC package failed 17.0.0, 16.1.3, 15.1.7
1061481-1 3-Major BT1061481 Denied strings were found in the /var/log/ folder after an update or reboot 17.1.0, 17.0.0.1, 16.1.3
1004833 3-Major BT1004833 NIST SP800-90B compliance 17.0.0, 16.1.3, 15.1.4, 14.1.4.2
1100609 4-Minor BT1100609 Length Mismatch in DNS/DHCP IPv6 address in logs and pcap 17.1.0, 16.1.3


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1071689-1 2-Critical BT1071689 SSL connection not immediately closed with HTTP2 connection and lingers until idle timeout 17.0.0, 16.1.3
987077-3 3-Major BT987077 TLS1.3 with client authentication handshake failure 17.0.0, 16.1.3, 15.1.5.1, 14.1.4.6
945357 3-Major BT945357 BIG-IP must be able to set CA=True when creating Certificate Signing Requests from TMSH. 17.0.0, 16.1.3
934697-5 3-Major BT934697 Route domain is not reachable (strict mode) 17.0.0, 16.1.3, 15.1.6.1, 14.1.5
1082505 3-Major BT1082505 TLS ciphersuites including RSA-KEX are non-approved ciphers for FIPS 140-3 certification 17.1.0, 17.0.0.1, 16.1.3
1063977-3 3-Major BT1063977 Tmsh load sys config merge fails with "basic_string::substr" for non-existing key. 17.1.0, 16.1.3
1071269 4-Minor BT1071269 SSL C3D enhancements introduced in BIG-IP version 16.1.3 will not be available in 17.0.0. 16.1.3


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1084173-1 3-Major BT1084173 Unable to specify "no caching desired" for ephemeral DNS resolvers (i.e. RESOLV::lookup). 17.0.0, 16.1.3, 15.1.6.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1070833-2 3-Major BT1070833 False positives on FileUpload parameters due to default signature scanning 17.1.0, 16.1.3, 15.1.6.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
849029-7 3-Major BT849029 No configurable setting for maximum entries in CRLDP cache 17.0.0, 16.1.3, 15.1.6.1, 14.1.4.4
1097821-2 3-Major BT1097821 Unable to create apm policy customization image using tmsh or VPE in the configuration utility command when source-path is specified 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5
1053309-1 3-Major BT1053309 Localdbmgr leaks memory while syncing data to sessiondb and mysql. 17.0.0, 16.1.3, 15.1.6.1, 14.1.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
945853-4 2-Critical BT945853 Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession 16.1.3, 15.1.3
990461-5 3-Major BT990461 Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade 17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4
1079637-1 3-Major BT1079637 Incorrect Neuron rule order 17.0.0, 16.1.3, 15.1.5.1
1012581-1 3-Major BT1012581 Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered 17.0.0, 16.1.3, 15.1.6.1, 14.1.5


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
1094177-4 1-Blocking BT1094177 Analytics iApp installation fails 17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1
1023721 3-Major BT1023721 iapp_restricted_key not available on fresh installation and overwrites the peer device's master key during config sync 17.0.0, 16.1.3
1004665 3-Major BT1004665 Secure iAppsLX Restricted Storage issues. 17.0.0, 16.1.3



Cumulative fixes from BIG-IP v16.1.2.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
965853-6 CVE-2022-28695 K08510472, BT965853 IM package file hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
964489-7 CVE-2022-28695 K08510472, BT964489 Protocol Inspection IM package hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1051561-7 CVE-2022-1388 K23605346, BT1051561 BIG-IP iControl REST vulnerability CVE-2022-1388 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
993981-3 CVE-2022-28705 K52340447, BT993981 TMM may crash when ePVA is enabled 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
982697-7 CVE-2022-26071 K41440465, BT982697 ICMP hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
951257-5 CVE-2022-26130 K82034427, BT951257 FTP active data channels are not established 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
946325-7 CVE-2022-28716 K25451853, BT946325 PEM subscriber GUI hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
830361-9 CVE-2012-6711 K05122252, BT830361 CVE-2012-6711 Bash Vulnerability 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1087201-6 CVE-2022-0778 K31323265, BT1087201 OpenSSL Vulnerability: CVE-2022-0778 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1078721-1 CVE-2022-27189 K16187341, BT1078721 TMM may consume excessive resources while processing ICAP traffic 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1078053-1 CVE-2022-28701 K99123750, BT1078053 TMM may consume excessive resources while processing STREAM traffic 17.0.0, 16.1.2.2
1071593-4 CVE-2022-32455 K16852653, BT1071593 TMM may crash while processing TLS traffic 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1069629-4 CVE-2022-32455 K16852653, BT1069629 TMM may crash while processing TLS traffic 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
1067993-4 CVE-2022-28714 K54460845, BT1067993 APM Windows Client installer hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1059185-1 CVE-2022-26415 K81952114, BT1059185 iControl REST Hardening 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1057801-6 CVE-2022-28707 K70300233, BT1057801 TMUI does not follow current best practices 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1056933-3 CVE-2022-26370 K51539421, BT1056933 TMM may crash while processing SIP traffic 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6
1055737-1 CVE-2022-35236 K79933541, BT1055737 TMM may consume excessive resources while processing HTTP/2 traffic 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1051797 CVE-2018-18281 K36462841, BT1051797 Linux kernel vulnerability: CVE-2018-18281 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1047053-3 CVE-2022-28691 K37155600, BT1047053 TMM may consume excessive resources while processing RTSP traffic 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5
1032513-3 CVE-2022-35240 K28405643, BT1032513 TMM may consume excessive resources while processing MRF traffic 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1002565-1 CVE-2021-23840 K24624116, BT1002565 OpenSSL vulnerability CVE-2021-23840 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
992073-2 CVE-2022-27181 K93543114, BT992073 APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
982757-3 CVE-2022-26835 K53197140 APM Access Guided Configuration hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
982341-7 CVE-2022-26835 K53197140, BT982341 iControl REST endpoint hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
915981-4 CVE-2022-26340 K38271531, BT915981 BIG-IP SCP hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
823877-7 CVE-2019-10098
CVE-2020-1927
K25126370, BT823877 CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
1071365-5 CVE-2022-29474 K59904248, BT1071365 iControl SOAP WSDL hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1066729-1 CVE-2022-28708 K85054496, BT1066729 TMM may crash while processing DNS traffic 17.0.0, 16.1.2.2, 15.1.5.1
1057809-6 CVE-2022-27659 K41877405, BT1057809 Saved dashboard hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1047089-2 CVE-2022-29491 K14229426, BT1047089 TMM may terminate while processing TLS/DTLS traffic 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6
1001937-1 CVE-2022-27634 K57555833, BT1001937 APM configuration hardening 17.0.0, 16.1.2.2, 15.1.5.1
1000021-7 CVE-2022-27182 K31856317, BT1000021 TMM may consume excessive resources while processing packet filters 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6
1020609-7 CVE-2022-23032 K30525503, BT1020609 BIG-IP APM Edge Client proxy vulnerability CVE-2022-23032 16.1.2.2
713754-3 CVE-2017-15715 K27757011 Apache vulnerability: CVE-2017-15715 16.1.2.2, 15.1.5.1, 14.1.4.5


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
435231 2-Critical K79342815, BT435231 Support RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral parameters 17.0.0, 16.1.2.2
1050537-1 2-Critical BT1050537 GTM pool member with none monitor will be part of load balancing decisions. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
882709-6 3-Major BT882709 Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors 17.0.0, 16.1.2.2, 15.1.6.1
874941-4 3-Major BT874941 HTTP authentication in the access policy times out after 60 seconds 16.1.2.2, 15.1.6.1, 14.1.5
669046-7 3-Major BT669046 Handling large replies to MCP audit_request messages 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1046669-1 3-Major BT1046669 The audit forwarders may prematurely time out waiting for TACACS responses 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1033837-1 4-Minor K23605346, BT1033837 REST authentication tokens persist on reboot 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1070009 1-Blocking BT1070009 iprepd, icr_eventd and tmipsecd restarts continuously after installing FIPS 140-3 license in BIG-IP cloud platform 17.0.0, 16.1.2.2
976669-5 2-Critical BT976669 FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade 17.0.0, 16.1.2.2, 16.1.0, 15.1.5.1, 14.1.4.6
935177-3 2-Critical BT935177 IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm 17.0.0, 16.1.2.2, 15.1.6.1
1059165-1 2-Critical BT1059165 Multiple virtual server pages fail to load. 17.0.0, 16.1.2.2
1048141-3 2-Critical BT1048141 Sorting pool members by 'Member' causes 'General database error' 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1047213-1 2-Critical BT1047213 VPN Client to Client communication fails when clients are connected to different TMMs. 17.0.0, 16.1.2.2
1007901-1 2-Critical BT1007901 Support for FIPS 140-3 Module identifier service. 17.0.0, 16.1.2.2
999125-1 3-Major BT999125 After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
992865-3 3-Major BT992865 Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances 17.1.0, 16.1.2.2, 15.1.4
988165-3 3-Major BT988165 VMware CPU reservation is now enforced. 17.0.0, 16.1.2.2, 15.1.5.1
984585-3 3-Major BT984585 IP Reputation option not shown in GUI. 17.0.0, 16.1.2.2, 15.1.5.1
963541-1 3-Major BT963541 Net-snmp5.8 crash 17.0.0, 16.1.2.2, 15.1.5.1
959985-3 3-Major BT959985 Update VMware hardware version templates for BIG-IP Virtual Edition (VE) from v10 to v13 in order to support VMs deployed in more versions of vSphere ESXi. 17.0.0, 16.1.2.2, 15.1.6.1
943669-4 3-Major BT943669 B4450 blade reboot 16.1.2.2, 15.1.2
943577-1 3-Major BT943577 Full sync failure for traffic-matching-criteria with port list under certain conditions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
912253-2 3-Major BT912253 Non-admin users cannot run show running-config or list sys 17.0.0, 16.1.2.2, 15.1.5.1
907549-6 3-Major BT907549 Memory leak in BWC::Measure 17.0.0, 16.1.2.2, 15.1.0.5, 14.1.5
901669-6 3-Major BT901669 Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
755976-9 3-Major BT755976 ZebOS might miss kernel routes after mcpd deamon restart 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1083537 3-Major BT1083537 FIPS 140-3 Certification 17.1.0, 17.0.0.1, 16.1.2.2
1076377-3 3-Major BT1076377 OSPF path calculation for IA and E routes is incorrect. 17.0.0, 16.1.2.2, 15.1.9
1074113-1 3-Major BT1074113 IPsec IKEv2: Selectors incorrectly marked up after disable ike-peer 17.0.0, 16.1.2.2
1071609-2 3-Major BT1071609 IPsec IKEv1: Log Key Exchange payload in racoon.log. 17.0.0, 16.1.2.2, 15.1.6.1
1066285-4 3-Major BT1066285 Master Key decrypt failure - decrypt failure. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1065585-1 3-Major BT1065585 System does not halt on on FIPS/entropy error threshold for BIG-IP Virtual Edition 17.0.0, 16.1.2.2
1064461-4 3-Major BT1064461 PIM-SM will not complete RP registration over tunnel interface when floating IP address is used. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1060625-1 3-Major BT1060625 Wrong INTERNAL_IP6_DNS length. 17.1.0, 17.0.0, 16.1.2.2
1060149-2 3-Major BT1060149 BIG-IP vCMP guest data-plane failure with turboflex-adc selected on the host. 17.0.0, 16.1.2.2, 15.1.5.1
1059853 3-Major BT1059853 Long loading configuration time after upgrade from 15.1.3.1 to 16.1.2. 17.0.0, 16.1.2.2
1056993-2 3-Major BT1056993 404 error is raised on GUI when clicking "App IQ." 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1056741-2 3-Major BT1056741 ECDSA certificates signed by RSA CA are not selected based by SNI. 17.0.0, 16.1.2.2, 15.1.5.1
1052893-4 3-Major BT1052893 Configuration option to delay reboot if dataplane becomes inoperable 17.1.1, 16.1.2.2
1048541-1 3-Major BT1048541 Certificate Order Manager: renew requests to the Comodo (now Sectigo) CA are unsuccessful. 17.0.0, 16.1.2.2, 15.1.5.1
1047169-1 3-Major BT1047169 GTM AAAA pool can be deleted from the configuration despite being in use by an iRule. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1022637-1 3-Major BT1022637 A partition other than /Common may fail to save the configuration to disk 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5
1020789-4 3-Major BT1020789 Cannot deploy a four-core vCMP guest if the remaining cores are in use. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5
1019357-2 3-Major BT1019357 Active fails to resend ipsec ikev2_message_id_sync if no response received 17.0.0, 16.1.2.2, 15.1.6.1
1008837-1 3-Major BT1008837 Control plane is sluggish when mcpd processes a query for virtual server and address statistics 17.0.0, 16.1.2.2, 15.1.4, 14.1.4.4
1008269-1 3-Major BT1008269 Error: out of stack space 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
976337-2 4-Minor BT976337 i40evf Requested 4 queues, but PF only gave us 16. 16.1.2.2, 15.1.5.1
742753-8 4-Minor BT742753 Accessing the BIG-IP system's WebUI via special proxy solutions may fail 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
528894-5 4-Minor BT528894 Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5
1072237-1 4-Minor BT1072237 Retrieval of policy action stats causes memory leak 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1067617-4 4-Minor BT1067617 BGP default route not advertised after mid-session OPEN. 17.0.0, 16.1.2.2, 15.1.6.1
1062333-6 4-Minor   Linux kernel vulnerability: CVE-2019-19523 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1061797-1 4-Minor BT1061797 Upgraded AWS CloudFormation Helper Scripts which now support IMDSv2 17.0.0, 16.1.2.2, 15.1.5.1
1058677-2 4-Minor BT1058677 Not all SCTP connections are mirrored on the standby device when auto-init is enabled. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1046693-4 4-Minor BT1046693 TMM with BFD confgured might crash under significant memory pressure 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1045549-4 4-Minor BT1045549 BFD sessions remain DOWN after graceful TMM restart 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1040821-4 4-Minor BT1040821 Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1034589-1 4-Minor BT1034589 No warning is given when a pool or trunk that was in use by an high availability (HA) Group is deleted from the configuration. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1034329-1 4-Minor BT1034329 SHA-512 checksums for BIG-IP Virtual Edition (VE) images available on downloads.f5.com 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1031425-3 4-Minor BT1031425 Provide a configuration flag to disable BGP peer-id check. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1030645-4 4-Minor BT1030645 BGP session resets during traffic-group failover 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1024621-4 4-Minor BT1024621 Re-establishing BFD session might take longer than expected. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1011217-5 4-Minor BT1011217 TurboFlex Profile setting reverts to turboflex-base after upgrade 17.0.0, 16.1.2.2, 15.1.6.1
1002809-4 4-Minor BT1002809 OSPF vertex-threshold should be at least 100 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
968929-2 2-Critical BT968929 TMM may crash when resetting a connection on an APM virtual server 17.0.0, 16.1.2.2
910213-7 2-Critical BT910213 LB::down iRule command is ineffective, and can lead to inconsistent pool member status 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1071449-4 2-Critical BT1071449 The statsd memory leak on platforms with license disabled processors. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1064617-1 2-Critical BT1064617 DBDaemon process may write to monitor log file indefinitely 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1059053-2 2-Critical BT1059053 Tmm crash when passing traffic over some configurations with L2 virtual wire 17.0.0, 16.1.2.2, 15.1.5.1
1047581-3 2-Critical BT1047581 Ramcache can crash when serving files from the hot cache 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
999901-1 3-Major K68816502, BT999901 Certain LTM policies may not execute correctly after a system reboot or TMM restart. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
993517-1 3-Major BT993517 Loading an upgraded config can result in a file object error in some cases 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
977761 3-Major BT977761 Connections are dropped if a certificate is revoked. 17.1.0, 16.1.2.2
967101-1 3-Major BT967101 When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
955617-8 3-Major BT955617 Cannot modify properties of a monitor that is already in use by a pool 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
953601-4 3-Major BT953601 HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
936441-7 3-Major BT936441 Nitrox5 SDK driver logging messages 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
912517-7 3-Major BT912517 Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
902377-4 3-Major BT902377 HTML profile forces re-chunk even though HTML::disable 17.0.0, 16.1.2.2, 15.1.5.1
883049-9 3-Major BT883049 Statsd can deadlock with rrdshim if an rrd file is invalid 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
803109-4 3-Major BT803109 Certain configuration may result in zombie forwarding flows 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
794385-6 3-Major BT794385 BGP sessions may be reset after CMP state change 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
672963-1 3-Major BT672963 MSSQL monitor fails against databases using non-native charset 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1083989-1 3-Major BT1083989 TMM may restart if abort arrives during MBLB iRule execution 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1073973-1 3-Major BT1073973 Gateway HTTP/2, response payload intermittently not forwarded to client. 17.0.0, 16.1.2.2
1072953-2 3-Major BT1072953 Memory leak in traffic management interface. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1071585-1 3-Major BT1071585 BIG-IP system does not respond to an arp from a SelfIP configured in virtual wire mode 17.0.0, 16.1.2.2
1068561-1 3-Major BT1068561 Can't create key on the second netHSM partition. 17.0.0, 16.1.2.2, 15.1.5.1
1068353-1 3-Major BT1068353 Unexpected event sequence may cause HTTP/2 flow stall during shutdown 16.1.2.2
1064157-1 3-Major BT1064157 Http_proxy_opaque_get should constrain search to local/spawn flows, not looped flows 17.0.0, 16.1.2.2, 15.1.6.1
1063453-1 3-Major BT1063453 FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1058469-1 3-Major BT1058469 Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1056401-4 3-Major BT1056401 Valid clients connecting under active syncookie mode might experience latency. 17.0.0, 16.1.2.2, 15.1.5.1
1055097-1 3-Major BT1055097 TCP proxy with ramcache and OneConnect can result in out-of-order events, which stalls the flow. 17.0.0, 16.1.2.2
1052929-4 3-Major BT1052929 MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1043357-4 3-Major BT1043357 SSL handshake may fail when using remote crypto client 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1043017-4 3-Major BT1043017 Virtual-wire with standard-virtual fragmentation 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6
1042913-2 3-Major BT1042913 Pkcs11d CPU utilization jumps to 100% 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1042509-1 3-Major BT1042509 On an HTTP2 gateway virtual server, TMM does not ever update the stream's window for a large POST request 17.0.0, 16.1.2.2
1029897-1 3-Major K63312282, BT1029897 Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1024841-2 3-Major BT1024841 SSL connection mirroring with ocsp connection failure on standby 17.0.0, 16.1.2.2, 15.1.5.1
1024225-3 3-Major BT1024225 BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1020549-1 3-Major BT1020549 Server-side connections stall with zero window with OneConnect profile 17.0.0, 16.1.2.2
1017721-5 3-Major BT1017721 WebSocket does not close cleanly when SSL enabled. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5.1
1017533-3 3-Major BT1017533 Using TMC might cause virtual server vlans-enabled configuration to be ignored 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6
1016449-3 3-Major BT1016449 After certain configuration tasks are performed, TMM may run with stale Self IP parameters. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1008501-1 3-Major BT1008501 TMM core 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1008009-3 3-Major BT1008009 SSL mirroring null hs during session sync state 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
1006781-2 3-Major BT1006781 Server SYN is sent on VLAN 0 when destination MAC is multicast 17.0.0, 16.1.2.2, 15.1.4.1
1004897-5 3-Major BT1004897 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.4
1004689-4 3-Major BT1004689 TMM might crash when pool routes with recursive nexthops and reselect option are used. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
838305-9 4-Minor BT838305 BIG-IP may create multiple connections for packets that should belong to a single flow. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
717806-8 4-Minor BT717806 In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1080341-4 4-Minor BT1080341 Changing an L2-forward virtual to any other virtual type might not update the configuration. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1075205-1 4-Minor BT1075205 Using TCP::close after HTTP::redirect/HTTP::respond causes HTTP response not to be delivered to the client. 17.0.0, 16.1.2.2
1064669-1 4-Minor BT1064669 Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
1026605-6 4-Minor BT1026605 When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1026005-1 4-Minor BT1026005 BIG-IP Virtual Edition (VE) does NOT preserve the order of NICs 5-10 defined in the VMware ESXi hypervisor and NSXT platforms. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
1016441-4 4-Minor   RFC Enforcement Hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1016049-6 4-Minor BT1016049 EDNS query with CSUBNET dropped by protocol inspection 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
968581-4 5-Cosmetic BT968581 TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1062513-4 2-Critical BT1062513 GUI returns 'no access' error message when modifying a GTM pool property. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1030881-1 2-Critical BT1030881 [GTM] Upgrade failure - 01070022:3: The monitor template min was not found. 17.0.0, 16.1.2.2
1027657-4 2-Critical BT1027657 Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
1011433-1 2-Critical BT1011433 TMM may crash under memory pressure when performing DNS resolution 17.0.0, 16.1.2.2, 15.1.6.1
1010617-1 2-Critical BT1010617 String operation against DNS resource records cause tmm memory corruption 17.0.0, 16.1.2.2, 15.1.5.1
876677-2 3-Major BT876677 When running the debug version of TMM, an assertion may be triggered due to an expired DNS lookup. 17.0.0, 16.1.2.2, 15.1.6.1
1076401-5 3-Major BT1076401 Memory leak in TMM (ldns) when exceeding dnssec.maxnsec3persec. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1064189-1 3-Major BT1064189 DoH proxy and server listeners from GUI with client-ssl profile and server-ssl profile set to None produces undefined warning 17.0.0, 16.1.2.2
1046785-1 3-Major BT1046785 Missing GTM probes when max synchronous probes are exceeded. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5, 13.1.5
1044425-1 3-Major K85021277, BT1044425 NSEC3 record improvements for NXDOMAIN 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1020337-2 3-Major BT1020337 DNS msg_ObjType can cause buffer overrun due to lack of NUL terminator 17.0.0, 16.1.2.2, 15.1.5.1
1018613-1 3-Major BT1018613 Modify wideip pools with replace-all-with results pools with same order 0 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1079909-1 2-Critical K82724554, BT1079909 The bd generates a core file 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5
1069501-1 2-Critical K22251611, BT1069501 ASM may not match certain signatures 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1069449-1 2-Critical K39002226, BT1069449 ASM attack signatures may not match cookies as expected 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1068237-1 2-Critical BT1068237 Some attack signatures added to policies are not used. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1000789-1 2-Critical BT1000789 ASM-related iRule keywords may not work as expected 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
965785-4 3-Major BT965785 Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
961509-5 3-Major BT961509 ASM blocks WebSocket frames with signature matched but Transparent policy 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
926845-7 3-Major BT926845 Inactive ASM policies are deleted upon upgrade 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
923221-8 3-Major BT923221 BD does not use all the CPU cores 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
818889-1 3-Major BT818889 False positive malformed json or xml violation. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1077281-2 3-Major BT1077281 Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages 17.1.0, 16.1.2.2, 15.1.6.1
1072197-1 3-Major K94142349, BT1072197 Issue with input normalization in WebSocket. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1070273-1 3-Major BT1070273 OWASP Dashboard does not calculate Disallow DTDs in XML content profile protection properly. 17.0.0, 16.1.2.2, 15.1.6.1
1069133-4 3-Major BT1069133 ASMConfig memory leak 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1067285-1 3-Major BT1067285 Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.' 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1066829-1 3-Major BT1066829 Memory leak for xml/json auto-detected parameter with signature patterns. 17.0.0, 16.1.2.2, 15.1.5.1
1061617-4 3-Major BT1061617 Some of the URL Attack signatures are not detected in the URL if "Handle Path Parameters" is configured "As Parameters". 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1060933-1 3-Major K49237345 Issue with input normalization. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1059621-2 3-Major BT1059621 IP Exceptions feature and SSRF feature do not work as expected if both the entries are configured with the same IP/IPs. 17.0.0, 16.1.2.2
1056365-1 3-Major BT1056365 Bot Defense injection does not follow best SOP practice. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1052173-1 3-Major BT1052173 For wildcard SSRF hosts "Matched Disallowed Address" field is wrong in the SSRF violation. 17.0.0, 16.1.2.2
1052169 3-Major BT1052169 Traffic is blocked on detection of an SSRF violation even though the URI parameter is in staging mode 16.1.2.2
1051213-1 3-Major BT1051213 Increase default value for violation 'Check maximum number of headers'. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1051209-1 3-Major K53593534, BT1051209 BD may not process certain HTTP payloads as expected 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1047389-4 3-Major BT1047389 Bot Defense challenge hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1043533-3 3-Major BT1043533 Unable to pick up the properties of the parameters from audit reports. 17.0.0, 16.1.2.2, 15.1.5.1
1043385-4 3-Major BT1043385 No Signature detected If Authorization header is missing padding. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1042605-1 3-Major BT1042605 ASM Critical Warnings during UCS load after upgrade to v15.1.0 or above 17.0.0, 16.1.2.2, 15.1.5.1
1041149-1 3-Major BT1041149 Staging of URL does not affect apply value signatures 17.0.0, 16.1.2.2, 15.1.5.1
1038733-4 3-Major BT1038733 Attack signature not detected for unsupported authorization types. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1037457-1 3-Major BT1037457 High CPU during specific dos mitigation 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1033017-1 3-Major BT1033017 Policy changes learning mode to automatic after upload and sync 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1030853-1 3-Major BT1030853 Route domain IP exception is being treated as trusted (for learning) after being deleted 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1028473-1 3-Major BT1028473 URL sent with trailing slash might not be matched in ASM policy 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1023993-4 3-Major BT1023993 Brute Force is not blocking requests, even when auth failure happens multiple times 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1021521-1 3-Major BT1021521 JSON Schema is not enforced if OpenAPI media-type is wild card. 17.0.0, 16.1.2.2
1019721-1 3-Major BT1019721 Wrong representation of JSON/XML validation files in template based (minimal) JSON policy export 17.0.0, 16.1.2.2
1012221-1 3-Major BT1012221 Message: childInheritanceStatus is not compatible with parentInheritanceStatus 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1011069-1 3-Major BT1011069 Group/User R/W permissions should be changed for .pid and .cfg files. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1008849-4 3-Major BT1008849 OWASP "A4 XML External Entities (XXE)" is not reflecting the XXE signatures configuration. 17.0.0, 16.1.2.2, 15.1.5.1
844045-4 4-Minor BT844045 ASM Response event logging for "Illegal response" violations. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1066377-1 4-Minor BT1066377 OpenAPI - Content profile is not consistent with wildcard configuration 17.0.0, 16.1.2.2
1050697-4 4-Minor BT1050697 Traffic learning page counts Disabled signatures when they are ready to be enforced 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1048445-1 4-Minor BT1048445 Accept Request button is clickable for unlearnable violation illegal host name 17.1.0, 16.1.2.2, 15.1.6.1
1039245-2 4-Minor BT1039245 Policy Properties screen does not load and display 17.0.0, 16.1.2.2
1038741-4 4-Minor BT1038741 NTLM type-1 message triggers "Unparsable request content" violation. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1036521-1 4-Minor BT1036521 TMM crash in certain cases 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1035361-4 4-Minor BT1035361 Illegal cross-origin after successful CAPTCHA 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.5
1034941-1 4-Minor BT1034941 Exporting and then re-importing "some" XML policy does not load the XML content-profile properly 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1021637-4 4-Minor BT1021637 In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs 17.1.0, 16.1.2.2, 15.1.6.1
1020717-4 4-Minor BT1020717 Policy versions cleanup process sometimes removes newer versions 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
1038913-4 3-Major BT1038913 The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
858005-1 3-Major BT858005 When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:" 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
423519-5 3-Major K74302282, BT423519 Bypass disabling the redirection controls configuration of APM RDP Resource. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1045229-1 3-Major BT1045229 APMD leaks Tcl_Objs as part of the fix made for ID 1002557 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
1044121-3 3-Major BT1044121 APM logon page is not rendered if db variable "ipv6.enabled" is set to false 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1029397-4 2-Critical BT1029397 Tmm may crash with SIP-ALG deployment in a particular race condition 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6
957905-1 3-Major BT957905 SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1082885-1 3-Major BT1082885 MR::message route virtual asserts when configuration changes during ongoing traffic 17.0.0, 16.1.2.2, 15.1.6, 14.1.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
964625-5 3-Major BT964625 Improper processing of firewall-rule metadata 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
959609-4 3-Major BT959609 Autodiscd daemon keeps crashing 17.0.0, 16.1.2.2, 15.1.6.1
929909-3 3-Major BT929909 TCP Packets are not dropped in IP Intelligence 17.0.0, 16.1.2.2, 15.1.5.1
1008265-1 3-Major K92306170, BT1008265 DoS Flood and Sweep vector states are disabled on an upgrade to BIG-IP software versions 14.x and beyond 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1072057-1 4-Minor BT1072057 "ANY" appears despite setting an IP address or host as the source in Security->Network Firewall->Policy. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1086897-1 2-Critical BT1086897 PEM subcriber lookup can fail for internet side/subscriber side new connections 17.0.0, 16.1.2.2


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
1028269-2 2-Critical BT1028269 Device using CGNAT + subscriber discovery license shows unknown for pem_subscriber-id. 17.0.0, 16.1.2.2, 15.1.5.1
1019613-5 2-Critical BT1019613 Unknown subscriber in PBA deployment may cause CPU spike 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1064217-1 3-Major BT1064217 Port bit not set correctly in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1038445-1 2-Critical BT1038445 During upgrade to 16.1, the previous FPS Engine live update remains active 17.0.0, 16.1.2.2
873617-1 3-Major BT873617 DataSafe is not available with AWAF license after BIG-IP startup or MCP restart. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1071181-2 3-Major BT1071181 Improving Signature Detection Accuracy 16.1.2.2, 15.1.6.1, 14.1.5
1060409-2 4-Minor BT1060409 Behavioral DoS enable checkbox is wrong. 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
1033829-3 2-Critical BT1033829 Unable to load Traffic Classification package 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
1052153-2 3-Major BT1052153 Signature downloads for traffic classification updates via proxy fail 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
1072733-4 2-Critical   Protocol Inspection IM package hardening 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1070677-1 3-Major BT1070677 Learning phase does not take traffic into account - dropping all. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
940261-1 4-Minor BT940261 Support IPS package downloads via HTTP proxy. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
944121-4 3-Major BT944121 Missing SNI information when using non-default domain https monitor running in TMM mode. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
854129-6 3-Major BT854129 SSL monitor continues to send previously configured server SSL configuration after removal 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
1050969-1 1-Blocking BT1050969 After running clear-rest-storage you are logged out of the UI with a message - Your login credentials no longer valid 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
969297 3-Major BT969297 Virtual IP configured on a system with SelfIP on vwire becomes unresponsive 16.1.2.2
1058401-1 3-Major BT1058401 SSL Bypass does not work for inbound traffic 17.0.0, 16.1.2.2
1048033-1 3-Major BT1048033 Server-speaks-first traffic might not work with SSL Orchestrator 17.0.0, 16.1.2.2
1047377-1 3-Major BT1047377 "Server-speak-first" traffic might not work with SSL Orchestrator 17.0.0, 16.1.2.2
1029869-1 3-Major BT1029869 Use of ha-sync script may cause gossip communications to fail 17.0.0, 16.1.2.2, 15.1.6.1
1029585-1 3-Major BT1029585 Use of ha-sync script may cause platforms in a sync-failover device group to fall out of sync 17.0.0, 16.1.2.2, 15.1.6.1



Cumulative fixes from BIG-IP v16.1.2.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1045101-4 CVE-2022-26890 K03442392, BT1045101 Bd may crash while processing ASM traffic 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6, 13.1.5
940185-7 CVE-2022-23023 K11742742, BT940185 icrd_child may consume excessive resources while processing REST requests 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
1065789-1 CVE-2023-24594 K000133132, BT1065789 TMM may send duplicated alerts while processing SSL connections 17.0.0, 16.1.2.1, 15.1.5
1063389-6 CVE-2015-5191 K84583382, BT1063389 open-vm-tools vulnerability: CVE-2015-5191 17.0.0, 16.1.2.1, 14.1.5


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1015133-5 3-Major BT1015133 Tail loss can cause TCP TLP to retransmit slowly. 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
749332-1 2-Critical BT749332 Client-SSL Object's description can be updated using CLI and with REST PATCH operation 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.4
996001-5 3-Major BT996001 AVR Inspection Dashboard 'Last Month' does not show all data points 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
994305-3 3-Major BT994305 The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5 17.0.0, 16.1.2.1, 15.1.5.1
968657-1 3-Major BT968657 Added support for IMDSv2 on AWS 17.0.0, 16.1.2.1, 15.1.5.1
1032949-1 3-Major BT1032949 Dynamic CRL configured with client authentication profile as "Request" causes connection termination without certificate. 17.0.0, 16.1.2.1, 15.1.5
1041765-2 4-Minor BT1041765 Racoon may crash in rare cases 17.0.0, 16.1.2.1, 15.1.10


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
999097-1 3-Major BT999097 SSL::profile may select profile with outdated configuration 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
910673-6 3-Major BT910673 Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM' 17.0.0, 16.1.2.1, 15.1.5.1
898929-6 3-Major BT898929 Tmm might crash when ASM, AVR, and pool connection queuing are in use 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
1038629-4 3-Major BT1038629 DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
1031609-1 3-Major BT1031609 Improve nethsm-thales-install.sh and nethsm-thales-rfs-install.sh to be compatible with Entrust Client v12.60.10 package. 17.0.0, 16.1.2.1, 15.1.5.1
1019609-1 3-Major BT1019609 No Error logging when BIG-IP device's IP address is not added in client list on netHSM. 17.0.0, 16.1.2.1, 15.1.5.1
1017513-5 3-Major BT1017513 Config sync fails with error Invalid monitor rule instance identifier or monitors are in a bad state such as checking 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5
1007749-2 3-Major BT1007749 URI TCL parse functions fail when there are interior segments with periods and semi-colons 17.0.0, 16.1.2.1, 15.1.5
1048433-1 4-Minor BT1048433 Improve Extract logic of thales-sync.sh to support VIPRION cluster to support 12.6.10 client installation. 16.1.2.1, 15.1.5.1
1024761-1 4-Minor BT1024761 HTTP adds Transfer-Encoding and terminating chunk to responses that cannot have a body 17.0.0, 16.1.2.1, 15.1.5
1005109-4 4-Minor BT1005109 TMM crashes when changing traffic-group on IPv6 link-local address 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
935249-3 3-Major BT935249 GTM virtual servers have the wrong status 17.0.0, 16.1.2.1, 15.1.5
1039553-1 3-Major BT1039553 Non-200 HTTP status codes fail to be matched by GTM HTTP(S) monitors 17.0.0, 16.1.2.1, 15.1.5
1021061-4 3-Major BT1021061 Config fails to load for large config on platform with Platform FIPS license enabled 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
993613-7 2-Critical BT993613 Device fails to request full sync 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
984593-1 3-Major BT984593 BD crash 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
921697-1 3-Major BT921697 Attack signature updates fail to install with Installation Error. 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.6
907025-5 3-Major BT907025 Live update error" 'Try to reload page' 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
885765-1 3-Major BT885765 ASMConfig Handler undergoes frequent restarts 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
830341-5 3-Major BT830341 False positives Mismatched message key on ASM TS cookie 17.0.0, 16.1.2.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
1043205-1 3-Major BT1043205 SSRF Violation should be shown as a Parameter Entity Reference. 16.1.2.1
1042069-1 3-Major   Some signatures are not matched under specific conditions. 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5, 13.1.5
1002385-1 4-Minor K67397230, BT1002385 Fixing issue with input normalization 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
1009093-2 2-Critical BT1009093 GUI widgets pages are not functioning correctly 17.0.0, 16.1.2.1, 15.1.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
969317-4 3-Major BT969317 "Restrict to Single Client IP" option is ignored for vmware VDI 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5
828761-5 3-Major BT828761 APM OAuth - Auth Server attached iRule works inconsistently 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
827393-5 3-Major BT827393 In rare cases tmm crash is observed when using APM as RDG proxy. 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5
738593-3 3-Major BT738593 Vmware Horizon session collaboration (shadow session) feature does not work through APM. 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
1007677-2 3-Major BT1007677 Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector' 17.0.0, 16.1.2.1, 15.1.4.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1039329-2 3-Major BT1039329 MRF per peer mode is not working in vCMP guest. 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
1025529-2 3-Major BT1025529 TMM generates core when iRule executes a nexthop command and SIP traffic is sent 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
956013-4 3-Major BT956013 System reports{{validation_errors}} 16.1.2.1, 15.1.5, 14.1.4.5


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1023437-1 3-Major   Buffer overflow during attack with large HTTP Headers 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
1055361-1 2-Critical BT1055361 Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a tmm crash. 17.0.0, 16.1.2.1, 15.1.5.1



Cumulative fixes from BIG-IP v16.1.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
991421-2 CVE-2022-23016 K91013510, BT991421 TMM may crash while processing TLS traffic 17.0.0, 16.1.2, 15.1.4.1
989701-8 CVE-2020-25212 K42355373, BT989701 CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
988549-10 CVE-2020-29573 K27238230, BT988549 CVE-2020-29573: glibc vulnerability 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
968893-3 CVE-2022-23014 K93526903, BT968893 TMM crash when processing APM traffic 17.0.0, 16.1.2, 15.1.4.1
940317-9 CVE-2020-13692 K23157312, BT940317 CVE-2020-13692: PostgreSQL JDBC Driver vulnerability 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
1037181-1 CVE-2022-23022 K96924184, BT1037181 TMM may crash while processing HTTP traffic 17.0.0, 16.1.2
1032405-1 CVE-2021-23037 K21435974, BT1032405 TMUI XSS vulnerability CVE-2021-23037 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1031269 CVE-2022-23020 K17514331, BT1031269 TMM may consume excessive resources when processing logging profiles 17.0.0, 16.1.2
1030689-1 CVE-2022-23019 K82793463, BT1030689 TMM may consume excessive resources while processing Diameter traffic 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
1029629-1 CVE-2022-28706 K03755971, BT1029629 TMM may crash while processing DNS lookups 17.0.0, 16.1.2, 15.1.5.1
1028669-7 CVE-2019-9948 K28622040, BT1028669 Python vulnerability: CVE-2019-9948 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1028573-6 CVE-2020-10878 K40508224, BT1028573 Perl vulnerability: CVE-2020-10878 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1028497-7 CVE-2019-15903 K05295469, BT1028497 libexpat vulnerability: CVE-2019-15903 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1021713-1 CVE-2022-41806 K00721320, BT1021713 TMM may crash when processing AFM NAT64 policy 17.0.0, 16.1.2, 15.1.5.1
1012365-4 CVE-2021-20305 K33101555, BT1012365 Nettle cryptography library vulnerability CVE-2021-20305 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1007489-7 CVE-2022-23018 K24358905, BT1007489 TMM may crash while handling specific HTTP requests 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
974341-6 CVE-2022-23026 K08402414, BT974341 REST API: File upload 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
973409-6 CVE-2020-1971 K42910051, BT973409 CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
941649-8 CVE-2021-23043 K63163637, BT941649 Local File Inclusion Vulnerability 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
803965-10 CVE-2018-20843 K51011533, BT803965 Expat Vulnerability: CVE-2018-20843 17.0.0, 16.1.2, 15.1.4, 14.1.4.5, 13.1.5
1035729-1 CVE-2022-23021 K57111075, BT1035729 TMM may crash while processing traffic http traffic 17.0.0, 16.1.2
1009725-1 CVE-2022-23030 K53442005, BT1009725 Excessive resource usage when ixlv drivers are enabled 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
985953-6 4-Minor BT985953 GRE Transparent Ethernet Bridging inner MAC overwrite 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1039049-2 1-Blocking BT1039049 Installing EHF on particular platforms fails with error "RPM transaction failure" 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
997313-2 2-Critical BT997313 Unable to create APM policies in a sync-only folder 17.0.0, 16.1.2, 15.1.4.1
1031357-2 2-Critical BT1031357 After reboot of standby and terminating peer, some IPsec traffic-selectors are still online 17.0.0, 16.1.2
1029949-2 2-Critical BT1029949 IPsec traffic selector state may show incorrect state on high availability (HA) standby device 17.0.0, 16.1.2
998221-1 3-Major BT998221 Accessing pool members from configuration utility is slow with large config 17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.3
946185-3 3-Major BT946185 Unable to view iApp component due to error 'An error has occurred while trying to process your request.' 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
922185-3 3-Major BT922185 LDAP referrals not supported for 'cert-ldap system-auth' 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
881085-4 3-Major BT881085 Intermittent auth failures with remote LDAP auth for BIG-IP managment 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1045421-1 3-Major K16107301, BT1045421 No Access error when performing various actions in the TMOS GUI 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1032737-2 3-Major BT1032737 IPsec: tmm SIGSEGV in getlocaladdr in ikev2_initiate 17.0.0, 16.1.2, 15.1.4.1
1032077-1 3-Major BT1032077 TACACS authentication fails with tac_author_read: short author body 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1028969-1 3-Major BT1028969 An unused traffic-selector can prevent an IKEv2 IPsec tunnel from working 17.0.0, 16.1.2
1026549-1 3-Major BT1026549 Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1022757-2 3-Major BT1022757 Tmm core due to corrupt list of ike-sa instances for a connection 17.0.0, 16.1.2, 15.1.9
1021773-1 3-Major BT1021773 Mcpd core. 17.0.0, 16.1.2, 15.1.7
1020377-1 3-Major BT1020377 Missing IKEv2 listeners can send IKE packets to the IKEv1 racoon daemon 17.0.0, 16.1.2
1015645-2 3-Major BT1015645 IPSec SA's missing after reboot 17.0.0, 16.1.2
1009949-4 3-Major BT1009949 High CPU usage when upgrading from previous version 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
1003257-6 3-Major BT1003257 ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
921365-2 4-Minor BT921365 IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby 17.0.0, 16.1.2, 15.1.4
1034617-1 4-Minor BT1034617 Login/Security Banner text not showing in console login. 17.0.0, 16.1.2
1030845-1 4-Minor BT1030845 Time change from TMSH not logged in /var/log/audit. 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1022417-1 4-Minor BT1022417 Ike stops with error ikev2_send_request: [WINDOW] full window 17.0.0, 16.1.2, 15.1.9


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1039041 1-Blocking BT1039041 Log Message: Clock advanced by <number> ticks 17.0.0, 16.1.2
1040361-1 2-Critical BT1040361 TMM crashes during its startup when TMC destination port list attached/deleted to virtual server. 17.0.0, 16.1.2, 15.1.5, 14.1.4.5
915773-7 3-Major BT915773 Restart of TMM after stale interface reference 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
1023365-2 3-Major BT1023365 SSL server response could be dropped on immediate client shutdown. 17.0.0, 16.1.2, 15.1.4.1
1021481-1 3-Major BT1021481 'http-tunnel' and 'socks-tunnel' (which are internal interfaces) should be hidden. 17.0.0, 16.1.2
1020957-1 3-Major BT1020957 HTTP response may be truncated by the BIG-IP system 17.0.0, 16.1.2
1018577-4 3-Major BT1018577 SASP monitor does not mark pool member with same IP Address but different Port from another pool member 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1016113-1 3-Major BT1016113 HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile. 17.0.0, 16.1.2, 15.1.4
1008017-2 3-Major BT1008017 Validation failure on Enforce TLS Requirements and TLS Renegotiation 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
895557-5 4-Minor BT895557 NTLM profile logs error when used with profiles that do redirect 17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.2
1031901-2 4-Minor BT1031901 In HTTP2 deployment, RST_STREAM sent to client if server in CLOSING state is picked 17.0.0, 16.1.2, 15.1.4.1
1018493-1 4-Minor BT1018493 Response code 304 from TMM Cache always closes TCP connection. 17.0.0, 16.1.2, 15.1.4, 14.1.4.5, 13.1.5
1002945-4 4-Minor BT1002945 Some connections are dropped on chained IPv6 to IPv4 virtual servers. 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1035853-1 2-Critical K41415626, BT1035853 Transparent DNS Cache can consume excessive resources. 17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5
1028773-1 2-Critical BT1028773 Support for DNS Over TLS 17.0.0, 16.1.2
1009037-1 2-Critical BT1009037 Tcl resume on invalid connection flow can cause tmm crash 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1021417-1 3-Major BT1021417 Modifying GTM pool members with replace-all-with results in pool members with order 0 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
912149-7 2-Critical BT912149 ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1019853-1 2-Critical K30911244, BT1019853 Some signatures are not matched under specific conditions 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1017153-4 2-Critical BT1017153 Asmlogd suddenly deletes all request log protobuf files and records from the database. 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1011065-1 2-Critical K39002226, BT1011065 Certain attack signatures may not match in multipart content 17.0.0, 16.1.2, 15.1.4.1
1011061-4 2-Critical K39002226, BT1011061 Certain attack signatures may not match in multipart content 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
947341-4 3-Major BT947341 MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files. 17.0.0, 16.1.2, 16.0.1.2, 15.1.3, 14.1.4.1
932133-1 3-Major BT932133 Payloads with large number of elements in XML take a lot of time to process 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
842013-1 3-Major BT842013 ASM Configuration is Lost on License Reactivation 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1042917-1 3-Major BT1042917 Using 'Full Export' of security policy should result with no diffs after importing it back to device. 17.0.0, 16.1.2
1028109-1 3-Major BT1028109 Detected attack signature is reported with the wrong context. 17.0.0, 16.1.2
1022269-1 3-Major BT1022269 False positive RFC compliant violation 17.0.0, 16.1.2, 15.1.4, 14.1.4.4, 13.1.5
1004069-4 3-Major BT1004069 Brute force attack is detected too soon 17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5
1004537-2 4-Minor BT1004537 Traffic Learning: Accept actions for multiple suggestions not localized 17.0.0, 16.1.2, 15.1.4


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
932137-7 3-Major BT932137 AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
922105-1 3-Major BT922105 Avrd core when connection to BIG-IQ data collection device is not available 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
1035133-4 3-Major BT1035133 Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
948113-1 4-Minor BT948113 User-defined report scheduling fails 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1020705-2 4-Minor BT1020705 tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead "attack_type_name 17.0.0, 16.1.2, 15.1.3.1, 14.1.4.4


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1027217-1 1-Blocking BT1027217 Script errors in Network Access window using browser. 17.0.0, 16.1.2, 15.1.4.1
1006893-4 2-Critical BT1006893 Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
993457-1 3-Major BT993457 TMM core with ACCESS::policy evaluate iRule 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1021485-3 3-Major BT1021485 VDI desktops and apps freeze with Vmware and Citrix intermittently 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1017233-2 3-Major BT1017233 APM uses wrong session key when iRule for ActiveSync is used resulting in passwords corruption 17.0.0, 16.1.2, 15.1.4.1
939877-3 4-Minor BT939877 OAuth refresh token not found 17.0.0, 16.1.2, 15.1.4, 14.1.4.4


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1007113-3 2-Critical BT1007113 Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1018285-2 4-Minor BT1018285 MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction 17.0.0, 16.1.2, 15.1.4.1
1003633-1 4-Minor BT1003633 There might be wrong memory handling when message routing feature is used 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1049229-1 2-Critical BT1049229 When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
1013629-4 3-Major BT1013629 URLCAT: Scan finds many Group/User Read/Write (666/664/662) files 17.0.0, 16.1.2, 15.1.9
686783-1 4-Minor BT686783 UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters. 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1032689 4-Minor BT1032689 UlrCat Custom db feedlist does not work for some URLs 16.1.2, 15.1.4.1, 14.1.4.5


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
929213-2 3-Major BT929213 iAppLX packages not rolled forward after BIG-IP upgrade 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
1038669-1 3-Major BT1038669 Antserver keeps restarting. 17.0.0, 16.1.2, 15.1.5
1032797-1 3-Major BT1032797 Tmm continuously cores when parsing custom category URLs 17.0.0, 16.1.2, 15.1.5



Cumulative fixes from BIG-IP v16.1.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
979877-9 CVE-2020-1971 K42910051, BT979877 CVE-2020-1971 OpenSSL: EDIPARTYNAME NULL pointer de-reference vulnerability description and available information 16.1.1, 15.1.4, 14.1.5.1
954425-4 CVE-2022-23031 K61112120, BT954425 Hardening of Live-Update 17.0.0, 16.1.1, 15.1.4, 14.1.4.4
797797-7 CVE-2019-11811 K01512680, BT797797 CVE-2019-11811 kernel: use-after-free in drivers 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.3
1013569-1 CVE-2022-31473 K34893234, BT1013569 Hardening of iApps processing 17.0.0, 16.1.1, 15.1.4
1008561-4 CVE-2022-23025 K44110411, BT1008561 In very rare condition, BIG-IP may crash when SIP ALG is deployed 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
911141-1 3-Major BT911141 GTP v1 APN is not decoded/encoded properly 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
974241-3 2-Critical BT974241 Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades 17.0.0, 16.1.1, 15.1.4
887117-4 3-Major BT887117 Invalid SessionDB messages are sent to Standby 17.0.0, 16.1.1, 15.1.4.1
1019829-2 3-Major BT1019829 Configsync.copyonswitch variable is not functioning on reboot 16.1.1
1018309-5 3-Major BT1018309 Loading config file with imish removes the last character 17.0.0, 16.1.1, 15.1.4.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1023341-1 1-Blocking   HSM hardening 17.0.0, 16.1.1, 15.1.5.1, 14.1.4.6, 13.1.5
995405-1 2-Critical BT995405 After upgrade, the copied SSL vhf/vht profile prevents traffic from passing 17.0.0, 16.1.3, 16.1.1
1040677 2-Critical BT1040677 BIG-IP D120 platform reports page allocation failures in N3FIPS driver 17.0.0, 16.1.1
980617-1 3-Major BT980617 SNAT iRule is not working with HTTP/2 and HTTP Router profiles 17.0.0, 16.1.1, 15.1.10
912945-3 4-Minor BT912945 A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed 17.0.0, 16.1.1, 15.1.4, 14.1.4.4


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1039069-1 1-Blocking BT1039069 Multiple issues affecting the RESOLV::lookup iRule command following the fix to ID1007049. 17.0.0, 16.1.1, 15.1.4
993489-1 3-Major BT993489 GTM daemon leaks memory when reading GTM link objects 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
996381-1 2-Critical K41503304, BT996381 ASM attack signature may not match as expected 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1
970329-1 2-Critical K70134152, BT970329 ASM hardening 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
965229-5 2-Critical BT965229 ASM Load hangs after upgrade 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
986937-3 3-Major BT986937 Cannot create child policy when the signature staging setting is not equal in template and parent policy 17.0.0, 16.1.1, 16.0.1.2, 15.1.4
981069-3 3-Major BT981069 Reset cause: "Internal error ( requested abort (payload release error))" 17.0.0, 16.1.1, 15.1.4
962589-4 3-Major BT962589 Full Sync Requests Caused By Failed Relayed Call to delete_suggestion 17.0.0, 16.1.1, 15.1.4, 14.1.4.4
951133-4 3-Major BT951133 Live Update does not work properly after upgrade 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4
920149-3 3-Major BT920149 Live Update default factory file for Server Technologies cannot be reinstalled 17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4
888289-8 3-Major BT888289 Add option to skip percent characters during normalization 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
1005105-3 3-Major BT1005105 Requests are missing on traffic event logging 17.0.0, 16.1.1, 15.1.4, 14.1.4.5
1000741-1 3-Major K67397230, BT1000741 Fixing issue with input normalization 17.0.0, 16.1.1, 15.1.4, 14.1.4.4
941625-3 4-Minor BT941625 BD sometimes encounters errors related to TS cookie building 17.0.0, 16.1.1, 15.1.4


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
924945-5 3-Major BT924945 Fail to detach HTTP profile from virtual server 17.0.0, 16.1.1, 16.0.1.2, 15.1.3
913085-6 3-Major BT913085 Avrd core when avrd process is stopped or restarted 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
909161-1 3-Major BT909161 A core file is generated upon avrd process restart or stop 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1024101-1 3-Major BT1024101 SWG as a Service license improvements 17.0.0, 16.1.3, 16.1.1
1022625-2 3-Major BT1022625 Profile type 'swg-transparent' should be selected on create page when 'create-new' is selected for SwgAsService in SSL Orchestrator 17.0.0, 16.1.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
993913-4 2-Critical BT993913 TMM SIGSEGV core in Message Routing Framework 17.0.0, 16.1.1, 15.1.4, 14.1.4.4
1012721-4 2-Critical BT1012721 Tmm may crash with SIP-ALG deployment in a particular race condition 17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4, 13.1.5
1007821-3 2-Critical BT1007821 SIP message routing may cause tmm crash 17.0.0, 16.1.1, 15.1.4
996113-2 3-Major BT996113 SIP messages with unbalanced escaped quotes in headers are dropped 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
805821-1 3-Major BT805821 GTP log message contains no useful information 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
919301-1 4-Minor BT919301 GTP::ie count does not work with -message option 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913413-1 4-Minor BT913413 'GTP::header extension count' iRule command returns 0 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913409-1 4-Minor BT913409 GTP::header extension command may abort connection due to unreasonable TCL error 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913393-1 5-Cosmetic BT913393 Tmsh help page for GTP iRule contains incorrect and missing information 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
992213-3 3-Major BT992213 Protocol Any displayed as HOPTOPT in AFM policy view 17.0.0, 16.1.1, 15.1.4, 14.1.4.2
1000405-1 3-Major BT1000405 VLAN/Tunnels not listed when creating a new rule via GUI 17.0.0, 16.1.1, 15.1.4


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
1018145 3-Major BT1018145 Firewall Manager user role is not allowed to configure/view protocol inspection profiles 16.1.1, 15.1.4

 

Cumulative fix details for BIG-IP v16.1.4.3 that are included in this release

999901-1 : Certain LTM policies may not execute correctly after a system reboot or TMM restart.

Links to More Info: K68816502, BT999901

Component: Local Traffic Manager

Symptoms:
After a system reboot or TMM restart, LTM policies referencing an external data-group may not execute correctly, regardless of a successful matching condition.

This can cause a wide range of issues, including misrouted traffic, unshaped traffic, the bypassing of ASM, or complete traffic failure (based on the policy actions).

Note that if a virtual server references multiple LTM policies, and only some of those policies reference an external data-group, all LTM policies attached to the virtual server will be affected.

Conditions:
-- LTM policy with an external data-group configured on a virtual server.
-- System reboot or TMM restart.

Impact:
LTM policies may be unable to execute the appropriate action on a successful matching condition, leading to a wide range of traffic-impacting consequences.

Workaround:
Remove and re-add the affected policy to the desired virtual-server. Alternatively, to fix a wider number of affected virtual servers in one go, reload the system configuration by executing 'tmsh load sys config'.

Fix:
TMM now loads LTM policies with external data-groups as expected.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


999881-6 : Tcl command 'string first' not working if payload contains Unicode characters.

Links to More Info: BT999881

Component: Local Traffic Manager

Symptoms:
Tcl command 'string first' returns an incorrect value when Unicode characters are present in the payload.

Conditions:
-- Tcl command 'string first' is used in iRules.
-- Payload contains Unicode characters.

Impact:
Traffic processing with iRules that contains the 'string first' command might not work as expected.

Workaround:
You can use any of the following workarounds:

-- Use iRuleLX.
-- Do not use Unicode characters in the payload.
-- Use a custom Tcl proc to iterate through the string using lindex

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7


999125-1 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.

Links to More Info: BT999125

Component: TMOS

Symptoms:
After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states.

Conditions:
-- One or more devices belonging to a sync-failover device-group undergo a management IP change.

Impact:
-- The affected units are unable to pass traffic, as they are either both Standby or Active (resulting in either no service availability or IP address conflicts in the network).

Workaround:
If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, in order to account for the eventuality this issue might occur.

Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command:

tmsh restart sys service sod

Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future.

Fix:
Redundant devices remain in the correct failover state following a management IP address change.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


999097-1 : SSL::profile may select profile with outdated configuration

Links to More Info: BT999097

Component: Local Traffic Manager

Symptoms:
Under some circumstances, an iRule-selected SSL profile may a send previously configured certificate to the peer.

Conditions:
iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made in the profile's cert-key-chain field.

Impact:
The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.

Workaround:
Avoid making changes to a profile that is actively being used by the iRule command.

Fix:
The system now makes sure that SSL profiles are properly reloaded after changes are made.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5


998225-6 : TMM crash when disabling/re-enabling a blade that triggers a primary blade transition.

Links to More Info: BT998225

Component: TMOS

Symptoms:
TMM crashes during the primary blade transition.

Conditions:
-- Using bidirectional forwarding detection.
-- Primary blade transition occurs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM no longer crashes on primary blade transition.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


998221-1 : Accessing pool members from configuration utility is slow with large config

Links to More Info: BT998221

Component: TMOS

Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.

Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.

Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second,

Managing pool members from configuration utility is very slow causing performance impact.

Workaround:
None

Fix:
Optimized the GUI query used for retrieving pool members data.

Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.3


997429-1 : When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled

Links to More Info: BT997429

Component: Advanced Firewall Manager

Symptoms:
Some DoS-related log messages may be missing

Conditions:
-- Static DDoS vector is configured with the same mitigation threshold and detection threshold setpoint.
-- The platform supports Hardware DDoS mitigation and hardware mitigation and hardware mitigation is not disabled.

Impact:
Applications dependent on log frequency may be impacted.

Workaround:
Configure the mitigation limit about 10% over the attack limit.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


997313-2 : Unable to create APM policies in a sync-only folder

Links to More Info: BT997313

Component: TMOS

Symptoms:
Unable to configure an APM policy in a sync-only folder, or the configuration fails to load after an upgrade, with an error message similar to:

-- err mcpd[mcpd_pid]: 01070734:3: Configuration error: Invalid Devicegroup Reference. The customization_group (/Common/sync-only/example_apm_customization) requires customization_source (/Common/standard) to be syncd to the same devices

Conditions:
-- Multiple BIG-IP devices configured in a sync-only device group, but different/non-overlapping failover device groups
-- APM policy being created in a folder or partition associated with sync-only device group.

Impact:
-- Unable to create the access policy.
-- The configuration fails to load and the device remains inoperative.

Workaround:
You can use either of the following strategies to prevent the issue:

--Do not create APM policies in a sync-only folder.

--Disable MCPD device-group reference validation for the sync-only folder, e.g.:
    tmsh modify sys folder /Common/sync-only no-ref-check true
    tmsh save sys config

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1


996381-1 : ASM attack signature may not match as expected

Links to More Info: K41503304, BT996381

Component: Application Security Manager

Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.

Conditions:
- Attack signature 200000128 enabled.

Impact:
Processed traffic may not match all expected attack signatures

Workaround:
N/A

Fix:
Attack signature 200000128 now matches as expected.

Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1


996233-1 : Tomcat may crash while processing TMUI requests

Links to More Info: K38893457, BT996233


996113-2 : SIP messages with unbalanced escaped quotes in headers are dropped

Links to More Info: BT996113

Component: Service Provider

Symptoms:
Dropped SIP messages.

Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote

Impact:
Certain SIP messages are not being passed via MRF.

Workaround:
None

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


996001-5 : AVR Inspection Dashboard 'Last Month' does not show all data points

Links to More Info: BT996001

Component: TMOS

Symptoms:
A daily-based report (report with resolution of one day in each data-point) can be provided to only request with up-to 30 days. A request with 31 days shows only 2 entries.

Conditions:
This occurs when generating a 'Last Month' report for a month that contains 31 days of data.

Impact:
AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points.

Workaround:
None

Fix:
Viewing a 'Last Month' graph now reports ~30 days worth of data, rather than a variable amount of data based on actual calendar periods.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5


995849-1 : Tmm crash SIGSEGV - rcs_getsalen() in lib/rc_net.c

Links to More Info: BT995849

Component: TMOS

Symptoms:
Tmm crashes while processing a large number of tunnels.

Conditions:
-- A large number of ipsec tunnels

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Memory allocation failures are handled.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


995405-1 : After upgrade, the copied SSL vhf/vht profile prevents traffic from passing

Links to More Info: BT995405

Component: Local Traffic Manager

Symptoms:
After an RPM upgrade, SSL Orchestrator traffic does not pass

Conditions:
Upgrading SSL Orchestrator via RPM

Impact:
Traffic will not pass.

Workaround:
Bigstart restart tmm

Fix:
Fixed an issue that was preventing from passing after an RPM upgrade.

Fixed Versions:
17.0.0, 16.1.3, 16.1.1


995097-1 : Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file.

Links to More Info: BT995097

Component: TMOS

Symptoms:
After reloading the configuration from a file, management-dhcp supersede options whose values contained a double quote character (") no longer contain the character.

For instance, after reloading the configuration, the following section:

# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
    supersede-options {
        domain-name {
            value { "example.com" }
        }
        domain-name-servers {
            value { 8.8.8.8 }
        }
        domain-search {
            value { "example.com" }
        }
    }
}

Becomes:

# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
    supersede-options {
        domain-name {
            value { example.com }
        }
        domain-name-servers {
            value { 8.8.8.8 }
        }
        domain-search {
            value { example.com }
        }
    }
}

This also affects the configuration file for the dhclient/dhclient6 daemons that the system automatically generates from the aforementioned config stanza.

Conditions:
This issue occurs when the following statements apply:
--- The values of management-dhcp supersede options contain double quote characters.
--- The configuration is reloaded from file.

The BIG-IP system reloads the configuration from file in the following cases:
-- When you issue the 'tmsh load sys config' command.
-- After an upgrade, as the mcpd binary database does not exist yet.
-- When troubleshooting requires removing the mcpd binary database and reloading the config from file.
-- When the system is relicensed.
-- When system provisioning changes.
-- When a UCS/SCF archive is restored.
-- When someone merges in config from file or terminal (but this is limited to the actual contents being merged in, not the entire configuration).

Impact:
The in-memory mcpd configuration relating to management-dhcp supersede options is incorrect.

The /etc/dhclient.conf file that is automatically generated contains incorrect syntax.

As a result of this, the dhclient/dhclient6 daemons fail to parse the file and run with an incomplete configuration.

Ultimately, the system does not behave as configured in regard to its management-dhcp configuration.

Workaround:
Reapply the desired management-dhcp supersede-options configuration using the tmsh utility.

For example, to restore the intended in-memory configuration shown under Symptoms, you would run within tmsh:

# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options none
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name-servers { value add { 8.8.8.8 } } }
# save sys config

On versions earlier than 15.0.0, you must also restart the dhclient/dhclient6 daemons by running:

bigstart restart dhclient dhclient6

Note that the workaround is not permanent and will be invalidated the next time the config is loaded from file again.

Fix:
The BIG-IP system user is no longer responsible for knowing which dhcp-options require quoting and which do not. This determination is now done internally by mcpd, which uses the correct syntax for each supersede-option when writing the /etc/dhclient.conf file. This means that, as the BIG-IP system user, you are not required to quote anything when manipulating management-dhcp supersede-options in tmsh.

For instance, you can enter the following command:

tmsh modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { one.example.com two.example.com } } }

And the system inserts the following instruction in the /etc/dhclient.conf file:

supersede domain-search "one.example.com", "two.example.com" ;

Fixed Versions:
17.0.0, 16.1.4, 15.1.10


994305-3 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5

Links to More Info: BT994305

Component: TMOS

Symptoms:
Features supported in newer versions of open-vm-tools are not available.

Conditions:
This issue may be seen when running in VMware environments.

Impact:
Features that require a later version of open-vm-tools are not available.

Workaround:
None.

Fix:
The version of open-vm-tools has been updated to 11.1.5.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1


994033-3 : The daemon httpd_sam does not recover automatically when terminated

Links to More Info: BT994033

Component: TMOS

Symptoms:
APM policy redirecting users to incorrect domain, the httpd_sam daemon not running.

Conditions:
Daemon httpd_sam stopped with the terminate command.

Impact:
APM policy performing incorrect redirects.

Workaround:
Restart the daemons httpd_apm and httpd_sam.

Fix:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


993981-3 : TMM may crash when ePVA is enabled

Links to More Info: K52340447, BT993981


993913-4 : TMM SIGSEGV core in Message Routing Framework

Links to More Info: BT993913

Component: Service Provider

Symptoms:
TMM crashes on SIGSEGV.

Conditions:
This can occur while passing traffic through the message routing framework.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4


993613-7 : Device fails to request full sync

Links to More Info: BT993613

Component: Application Security Manager

Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs

Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.

Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- Large number of asm_config_server processes increases host memory usage

Workaround:
Halting asm_config_server on the stuck device restores the working state and request a new sync.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5


993517-1 : Loading an upgraded config can result in a file object error in some cases

Links to More Info: BT993517

Component: Local Traffic Manager

Symptoms:
After an upgrade from a version prior to 13.1.0, when loading a configuration that has had an HTTPS monitor in it, if that configuration has not yet been saved, you may see errors like this in the LTM log:

-- 0107134a:3: File object by name (DEFAULT) is missing.

If you run 'tmsh load sys config verify' on this configuration, the system also posts the error on the screen.

Conditions:
-- Upgrading from a version prior to 13.1.0.
-- At least one HTTPS monitor that has the kEDH cipher in its cipherlist.
-- Upgrading to version 13.1.1.4 or later.
-- Loading the configuration (either automatically on startup, or manually).

Impact:
Other than the error message, there is no impact.

Workaround:
After the initial reboot, save the configuration.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


993489-1 : GTM daemon leaks memory when reading GTM link objects

Links to More Info: BT993489

Component: Global Traffic Manager (DNS)

Symptoms:
The gtmd process memory consumption is higher than expected.

Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.

Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.

Workaround:
None

Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5


993481-1 : Jumbo frame issue with DPDK eNIC

Links to More Info: BT993481

Component: TMOS

Symptoms:
TMM crashes

Conditions:
-- TMM is using DPDK driver with Cisco eNIC
-- TMM receives jumbo sized packet

Impact:
Traffic disrupted while TMM restarts.

Workaround:
- Use a different driver such as sock.
- Do not use or accept jumbo frames, use the following TMSH command to set the MTU to less than or equal to 1500:
tmsh modify net vlan external mtu 1500

Fix:
Skipped initialization of structures.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


993457-1 : TMM core with ACCESS::policy evaluate iRule

Links to More Info: BT993457

Component: Access Policy Manager

Symptoms:
TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release.

Conditions:
-- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered.
-- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes.

Impact:
This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM no longer crashes and generates a core file during the ACCESS::policy evaluate iRule under these conditions.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5


993269-3 : DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option

Links to More Info: BT993269

Component: Advanced Firewall Manager

Symptoms:
Using DoS timestamp cookies together with a FastL4 profile with the timestamp rewrite option enabled might lead to traffic failures.

DoS timestamp cookies might also lead to problems with traffic generated by the Linux host.

Conditions:
-- DoS timestamp cookies are enabled, and either of the following:

-- FastL4 profile with the timestamp rewrite option enabled.
-- Traffic originating from Linux host.

Impact:
Traffic is dropped due to incorrect timestamps.

Workaround:
Disable timestamp cookies on the affected VLAN.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


992865-3 : Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances

Links to More Info: BT992865

Component: TMOS

Symptoms:
On particular platforms, virtual servers do not correctly enter hardware SYN cookie mode. Software SYN cookie mode still functions correctly.

Conditions:
-- Virtual server under SYN flood attack.
-- One of the following platforms
  + BIG-IP i11000 series (C123)
  + BIG-IP i15000 series (D116)

Impact:
Software SYN cookies are enabled, this has a performance impact compared to the hardware mode.

Workaround:
None

Fix:
Virtual servers correctly enter hardware SYN cookie mode on all platforms.

Fixed Versions:
17.1.0, 16.1.2.2, 15.1.4


992813-7 : The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations.

Links to More Info: BT992813

Component: TMOS

Symptoms:
The mcpd daemon performs validation of the request-options and supersede-options a BIG-IP administrator specifies via the tmos.sys.management-dhcp endpoint in tmsh.

As the list of dhcp-options known to mcpd is outdated, it is possible you may be returned an error when attempting to configure valid request-options or supersede-options.

For example, you may be returned the following error when attempting to supersede the domain-search option:

01071627:3: Management Dhcp resource supersede-option - Invalid dhcp option: domain-search

Conditions:
You attempt to configure a dhcp-option unknown to mcpd as part of the request-options or supersede-options properties.

Note: A common dhcp-option of which mcpd has no knowledge is domain-search. You are unlikely to experience this issue unless you are requesting or superseding this particular dhcp-option.

Impact:
You are unable to instantiate the desired management-dhcp configuration.

Workaround:
None

Fix:
The list of dhcp-options known to mcpd has been updated.

Fixed Versions:
17.0.0, 16.1.4, 15.1.10


992213-3 : Protocol Any displayed as HOPTOPT in AFM policy view

Links to More Info: BT992213

Component: Advanced Firewall Manager

Symptoms:
The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI.

Conditions:
-- Create a rule and set protocol as 'any'.
-- Navigate to active rules.

Impact:
GUI shows an incorrect value.

Workaround:
None

Fix:
GUI Shows correct value for rule protocol option.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.2


992121-4 : REST "/mgmt/tm/services" endpoint is not accessible

Links to More Info: BT992121

Component: TMOS

Symptoms:
Accessing "/mgmt/tm/services" failed with a null exception and returned 400 response.

Conditions:
When accessing /mgmt/tm/services through REST API

Impact:
Unable to get services through REST API, BIG-IQ needs that call for monitoring.

Fix:
/mgmt/tm/services through REST API is accessible and return the services successfully.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1


992073-2 : APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS

Links to More Info: K93543114, BT992073


991421-2 : TMM may crash while processing TLS traffic

Links to More Info: K91013510, BT991421


990461-5 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade

Links to More Info: BT990461

Component: Advanced Firewall Manager

Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.

Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.

Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.

Workaround:
Manually update the SYN cookie threshold values after an upgrade.

Fixed Versions:
17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4


989701-8 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response

Links to More Info: K42355373, BT989701


989517-3 : Acceleration section of virtual server page not available in DHD

Links to More Info: BT989517

Component: TMOS

Symptoms:
Cannot use Advanced Menu to create a virtual server for HTTP/2 on systems with DHD licenses. This occurs because the Acceleration section is not available.

You can via TMSH then it works, but at as soon as you use the GUI to modify the virtual server, it loses the HTTP/2 configuration.

Conditions:
The Acceleration section is not visible in case 'DoS' is provisioned (available with the DHD license).

Impact:
1) You are unable to use the GUI to modify any parameters of the Acceleration table in the virtual server page.

2) Loss of configuration items if making changes via the GUI.

Workaround:
A virtual server with parameters present in the Acceleration table can still be created using TMSH. However, do not edit that virtual server in the GUI, or the Acceleration parameters will be lost.

Fix:
The Acceleration table is now visible, and there is no loss of configuration items if making changes via the GUI.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1


989501-2 : A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus

Links to More Info: BT989501

Component: TMOS

Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might fall or drop off of PCI bus, resulting in the BIG-IP system not being able to process traffic. If this happens, a daemon_heartbeat failsafe gets triggered instead of dataplane_inoperable_t action.

Conditions:
The conditions that lead to HSB to fall off of PCI bus are unknown at this time.

Impact:
The BIG-IP system unable to pass traffic and a failover is triggered.

Workaround:
Reboot the device or the blade to recover from the situation and monitor for re-occurrence. If it happens again, it could indicate potential underlying hardware issue.

Fix:
The dataplane_inoperable_t High Availability (HA) event should be triggered by overdog process (which monitors high availability (HA) table for failover action types of restart, restart-all, or reboot) and allow for system to be rebooted to recover.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


988549-10 : CVE-2020-29573: glibc vulnerability

Links to More Info: K27238230, BT988549


988165-3 : VMware CPU reservation is now enforced.

Links to More Info: BT988165

Component: TMOS

Symptoms:
CPU reservation is not enabled which can result in insufficient CPU resource for virtual edition guest.

Conditions:
BIG-IP Virtual Edition running in VMware.

Impact:
Performance may be lower than expected particularly if ESXi is over subscribed and traffic volume is high.

Workaround:
Manually enforce the 2GHz per core rule when provisioning VMware instances to ensure that your VMware hosts are not oversubscribed.

Fix:
The VMware CPU reservation of 2GHz per core is now automatically enabled in the OVF file. The CPU reservation can be up to 100 percent of the defined virtual machine hardware. For example, if the hypervisor has 2.0 GHz cores, and the VE is set to 4 cores, you will see 4 x 2.0 GHz reserved for 8GHz (or 8000 MHz).

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1


987885-6 : Half-open unclean SSL termination might not close the connection properly

Links to More Info: BT987885

Component: Local Traffic Manager

Symptoms:
Upon receiving TCP FIN from the client in the middle of the SSL Application Data, the BIG-IP system does not close the connection on either client- or server-side (i.e., it does not 'forward' the FIN on the server-side as it normally does) causing the connection to go stale until the timeout is reached.

Conditions:
-- TCP and SSL profiles configured on a virtual server.
-- Client terminates the connection in the middle of an SSL record.

Impact:
Connection termination does not happen. Connection remains in the connection table until idle timeout is reached.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1


987341-1 : BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers.

Links to More Info: BT987341

Component: Access Policy Manager

Symptoms:
BIG-IP discovers and updates JSON Web Keys (JWK) in OpenID Connect (OIDC) deployments using a Java Runtime Environment (JRE). The JRE in BIG-IP does not support strong TLS ciphers, so the discovery/update process can fail against OIDC providers that enforce strong encryption requirements.

Conditions:
Using an OpenID Connect provider that allows only strong TLS ciphers. and using an APM configuration that validates incoming JWTs against a dynamic JWK list in Internal Validation Mode.

Impact:
This might cause discovery to fail against certain OpenID Connect auth providers that enforce strong cipher requirements. It could lead to JWT validation failure as the JWK expire and cannot be updated by BIG-IP.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5


987301-3 : Software install on vCMP guest via block-device may fail with error 'reason unknown'

Links to More Info: BT987301

Component: TMOS

Symptoms:
When installing an engineering hotfix (EHF) on a vCMP guest via block-device, sometimes it fails with 'reason unknown'.

-- /var/log/liveinstall may contain an error similar to:

I/O error : Input/output error
/tmp/lind_util.voCQOs/BIGIP1610/install/fsinfo.xml:1: parser error : Document is empty

-- /var/log/kern.log may contain an error similar to:

Aug 14 14:15:54 bigip1 info kernel: attempt to access beyond end of device
Aug 14 14:15:54 bigip1 info kernel: sr0: rw=0, want=3560560, limit=312712

Conditions:
This might occur after multiple attempts to install an EHF on a vCMP guest via block-device:

 tmsh install sys software block-device-hotfix Hotfix-BIGIP-14.1.2.6.0.77.2-ENG.iso volume HD1.3

Impact:
Sometimes the EHF installation fails on the guest.

Workaround:
-- Retry the software installation.
-- If the software installation continues to fail, copy the ISO images into the vCMP guest, and use those to perform the installation.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


987077-3 : TLS1.3 with client authentication handshake failure

Links to More Info: BT987077

Component: Local Traffic Manager

Symptoms:
SSL handshakes fail, and TLS clients send 'Bad Record MAC' errors.

Conditions:
-- LTM authentication profile using OCSP and TLS1.3.
-- Client application data arrives during LTM client authentication iRule.

Impact:
-- A handshake failure occurs.
-- Client certificate authentication may pass without checking its validity via OCSP.

Workaround:
Use TLS1.2 or use TLS1.3 without the LTM authentication profile.

Fix:
Handshake completes if using TLS1.3 with client authentication and LTM auth profile.

Fixed Versions:
17.0.0, 16.1.3, 15.1.5.1, 14.1.4.6


986937-3 : Cannot create child policy when the signature staging setting is not equal in template and parent policy

Links to More Info: BT986937

Component: Application Security Manager

Symptoms:
When trying to create a child policy, you get an error:

FAILURE: "Could not update the Policy policy1. Inherited values may not be changed."

Conditions:
-- Parent policy created with signature staging disabled.
-- Creating a new child policy with that policy as a parent.

Impact:
You are unable to create the child policy and the system presents an error.

Workaround:
Create the policy without assigning it to the parent, and then assign it to the parent policy on the Inheritance Settings page.

Fix:
The error no longer occurs on child policy creation.

Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4


985953-6 : GRE Transparent Ethernet Bridging inner MAC overwrite

Links to More Info: BT985953

Component: TMOS

Symptoms:
Traffic not being collected by virtual server and therefore not being forwarded to the nodes.

Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.

Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.

Workaround:
None

Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.

Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:

tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config

This allows virtual servers on the BIG-IP system to process traffic.

Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.

To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:

tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config

This allows virtual servers on the BIG-IP system to process traffic.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


985925-3 : Ipv6 Routing Header processing not compatible as per Segments Left value.

Links to More Info: BT985925

Component: Local Traffic Manager

Symptoms:
Packet should forward the packet with the route header unmodified when Segments Left is 0 (zero). It performs as expected when Segments Left is non-zero by dropping the packet and sending an ICMP error.

Conditions:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.

Impact:
With Next Header field in IP header being Routing Header for IPv6, BIG-IP system fails to forward the ICMPv6 Echo Request packet to server, rather, it drops the packet.

Workaround:
None

Fix:
Now the ICMP packet is forwarded with both IPv6 extension headers present.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


984749-1 : Discrepancy between DNS cache statistics "Client Summary" and "Client Cache."

Links to More Info: BT984749

Component: Global Traffic Manager (DNS)

Symptoms:
"show ltm dns cache", shows difference between "Client Summary" and "Client Cache".

Conditions:
Create a resolver type DNS cache, attach to a DNS profile, and attach to a virtual server. Send queries to virtual server. Compare/review result of "show ltm dns cache."

Impact:
Client Cache Hit/Miss Statistics ratio affected.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7


984593-1 : BD crash

Links to More Info: BT984593

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5


984585-3 : IP Reputation option not shown in GUI.

Links to More Info: BT984585

Component: TMOS

Symptoms:
Cannot configure IP Reputation option from the GUI.

Conditions:
Configuring the LTM policy type 'IP Reputation' using the GUI, when the 'IP Intelligence' module is licensed in time-limited modules.

Impact:
The IP Reputation option is not shown in GUI configuration list. Cannot create LTM policies with IP Reputation.

Workaround:
Use tmsh to configure IP Reputation.

Fix:
The IP Reputation option is now shown in the GUI.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1


982785-2 : Guided Configuration hardening

Links to More Info: K52322100


982777-9 : APM hardening

Links to More Info: K21317311, BT982777


982769-12 : Appliance mode hardening

Links to More Info: K68647001, BT982769


982757-3 : APM Access Guided Configuration hardening

Links to More Info: K53197140


982753-2 : Appliance mode hardening

Links to More Info: K68647001, BT982753


982745-5 : Appliance mode hardening

Links to More Info: K68647001, BT982745


982697-7 : ICMP hardening

Links to More Info: K41440465, BT982697


982341-7 : iControl REST endpoint hardening

Links to More Info: K53197140, BT982341


981917-4 : CVE-2020-8286 - cUrl Vulnerability

Links to More Info: K15402727


981069-3 : Reset cause: "Internal error ( requested abort (payload release error))"

Links to More Info: BT981069

Component: Application Security Manager

Symptoms:
An unexpected RST occurs on inbound traffic. The RST cause shows "Internal error ( requested abort (payload release error))"

Conditions:
When all the following conditions are met:
- The system was upgraded to a version where ID910253 is fixed
- TS cookie coming from a previous version
- data guard in non blocking (masking)
- response that is not zipped and has a textual content type

Impact:
Traffic is affected.

Workaround:
Any of the following actions can resolve the issue:

1. Turn off data guard or change it to blocking.
2. Make the server reply with zipped responses (perhaps by adding the accept-encoding: gzip using an iRule).
3. Add an additional response related feature.
4. Use the following iRule in case there aren't cookie related enforcement:
when HTTP_REQUEST {
  set cookies [HTTP::cookie names]
  foreach aCookie $cookies {
    if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
      HTTP::cookie remove $aCookie
    }
  }
}

Fix:
Fixed an issue that was triggering resets on traffic.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4


980617-1 : SNAT iRule is not working with HTTP/2 and HTTP Router profiles

Links to More Info: BT980617

Component: Local Traffic Manager

Symptoms:
On HTTP/2 full-proxy virtual servers, the snatpool command in an iRule is accepted but the source address server-side is not changed.

Conditions:
1.) Basic HTTP profile and HTTP/2 profile is configured on BIG-IP systems
2.) iRule with snatpool <pool_name>, snat <IP> is configured

Impact:
Unable to use snatpool (and possibly snat) in iRule to control the server-side source address.

Workaround:
Configure SNAT under the virtual server configuration, rather than in an iRule.

Fixed Versions:
17.0.0, 16.1.1, 15.1.10


979877-9 : CVE-2020-1971 OpenSSL: EDIPARTYNAME NULL pointer de-reference vulnerability description and available information

Links to More Info: K42910051, BT979877


977761 : Connections are dropped if a certificate is revoked.

Links to More Info: BT977761

Component: Local Traffic Manager

Symptoms:
SSL handshake failures occur with the backend server revoked certificate in case of reverse proxy.

Conditions:
1. BIG-IP LTM configured as SSL reverse proxy.
2. revoked-cert-status-response-control set to ignore in the server ssl profile.
3. server certificate authentication set to "require" in the server ssl profile.

Impact:
Ssl handshake failures due to revoked server certificate

Workaround:
1. Set the server certificate authentication to ignore in the server ssl profile.

Fix:
Added checks to validate the certificate as well as the flags set (ignore/drop) for the revoked certificate.

Fixed Versions:
17.1.0, 16.1.2.2


977153-3 : Packet with routing header IPv6 as next header in IP layer fails to be forwarded

Links to More Info: BT977153

Component: Advanced Firewall Manager

Symptoms:
BIG-IP systems fail to follow RFC 5095, which specifies the traffic should be forwarded.

Conditions:
This symptom is found when the following conditions are met:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.

Impact:
This failure in forwarding ICMP error message prevents the BIG-IP AFM product from completing certification.

Workaround:
None.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


976669-5 : FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade

Links to More Info: BT976669

Component: TMOS

Symptoms:
After rebooting or replacing a secondary blade, the FIPS integrity check fails for other secondary blades and they fail to fully boot.

Conditions:
This can occur after rebooting or replacing a secondary blade.

Impact:
When the FIPS integrity checks fail the blades won't fully boot.

Workaround:
On the secondary blade reboot, the following critical files are deleted from other secondary blades which leads to FIPS integrity check failure:

/root/.ssh/authorized_keys
/root/.ssh/known_hosts

To mitigate, copy the missing files from the primary blade to the secondary blade.

From the primary blade, issue the following command towards the secondary blade(s).

rsync -avz -e ssh /root/.ssh/* root@<Secondary Blade>:/root/.ssh/

Fix:
Critical files are not deleted during secondary blade reboot.

Fixed Versions:
17.0.0, 16.1.2.2, 16.1.0, 15.1.5.1, 14.1.4.6


976525-5 : Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled

Links to More Info: BT976525

Component: Local Traffic Manager

Symptoms:
In BIG-IP v13.1.3.2 and later, there is new functionality to SNAT the traffic coming from the host system. When there are multiple routes to a destination address and transparent monitors are in use, tmm occasionally picks the wrong source IP for these connections.

Conditions:
-- The db variable snat.hosttraffic is enabled.
-- Gateway pool with multiple members.
-- Transparent monitors.

Impact:
The system chooses the wrong source IP address for the egress interface. That incorrect source IP address might cause traffic to return on the wrong VLAN.

Workaround:
Use either of the following workarounds:

-- Disable VLAN keyed connections: modify sys db connection.vlankeyed value disable

-- Upgrade to a version with a fix for ID 826905 (https://cdn.f5.com/product/bugtracker/ID826905.html) and disable snat.hosttraffic.

Fix:
Transparent monitors now have the correct source IP addresses when gateway pools are in use and snat.hosttraffic is enabled.

Fixed Versions:
17.0.0, 16.1.4, 15.1.6.1, 14.1.5


976337-2 : i40evf Requested 4 queues, but PF only gave us 16.

Links to More Info: BT976337

Component: TMOS

Symptoms:
During BIG-IP system boot, a message is logged:

i40evf 0000:05:00.0: Requested 4 queues, but PF only gave us 16.

Conditions:
-- BIG-IP Virtual Edition configured for SR-IOV
-- E810 virtual functions (VFs)

Impact:
A message is logged but it is benign and can be ignored.

Fixed Versions:
16.1.2.2, 15.1.5.1


974985-6 : Dosl7/bot does not ignore non-http traffic even when disabled via iRule DOSL7::disable

Links to More Info: BT974985

Component: Application Security Manager

Symptoms:
Non http traffic isn't forwarded to the backend server

Conditions:
- ASM provisioned
- DoS Application or Bot Defense profile assigned to a virtual server
- DOSL7::disable applied at when CLIENT_ACCEPTED {}

Impact:
Broken webapps with non-http traffic

Workaround:
Instead of using DOSL7::disable, redirect non-http traffic to non-http aware virtual server using the iRule command virtual <virtual_server_name>

Fix:
Fix DOSL7::disable command handler in the tmm code

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


974341-6 : REST API: File upload

Links to More Info: K08402414, BT974341


974241-3 : Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades

Links to More Info: BT974241

Component: TMOS

Symptoms:
Mcpd exists with error similar to:

01070734:3: Configuration error: Configuration from primary failed validation: 010713cf:3: Configuration group '/Common/test1_end_deny_ag' has invalid source '/Common/standard'

Conditions:
1. VIPRION or vCMP guest with multiple blades in a cluster
2. Create a access policy with modern customization enabled

Impact:
Mcpd restarts leading to failover.

Workaround:
Use standard customization and not modern customization.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4


974205-5 : Unconstrained wr_urldbd size causing box to OOM

Links to More Info: BT974205

Component: Traffic Classification Engine

Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.

Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.

Impact:
The device eventually runs out of memory (OOM condition).

Workaround:
Restart the wr_urldbd process:
 restart sys service wr_urldbd

Fix:
Constrained the cache with Least Recently Used-based caching to prevent this issue from occurring.

Added two sys DB variables:

-- wr_urldbd.cloud_cache.log.level

Value Range:
sys db wr_urldbd.cloud_cache.log.level {
    value "debug"
    default-value "none"
    value-range "debug none"
}

-- wr_urldbd.cloud_cache.limit

Value Range:
sys db wr_urldbd.cloud_cache.limit {
    value "5500000"
    default-value "5500000"
    value-range "integer min:5000000 max:10000000"
}

Note: Both these variables are introduced for debugging purpose.

Fixed Versions:
17.1.0, 16.1.4, 15.1.4, 14.1.4.4, 12.1.6


973409-6 : CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference

Links to More Info: K42910051, BT973409


972545-7 : iApps LX does not follow best practices in appliance mode

Links to More Info: K91054692, BT972545


972517-7 : Appliance mode hardening

Links to More Info: K41072952, BT972517


972489-7 : BIG-IP Appliance Mode iControl hardening

Links to More Info: K11010341, BT972489


970329-1 : ASM hardening

Links to More Info: K70134152, BT970329

Component: Application Security Manager

Symptoms:
Under certain conditions, ASM does not follow current best practices.

Conditions:
- ASM provisioned

Impact:
Attack detection is not triggered as expected

Workaround:
N/A

Fix:
Attack detection is now triggered as expected

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


969317-4 : "Restrict to Single Client IP" option is ignored for vmware VDI

Links to More Info: BT969317

Component: Access Policy Manager

Symptoms:
The Restrict to Single Client IP option in the Access Policy is not being honored for VMware VDI.

Conditions:
- Configure APM Webtop with vmware VDI.
- Set "Restrict to Single Client IP" option in Access Profile.
- Try to launch vmware desktop on one client. Copy the launch URI
- Try to launch vmware desktop from other client using the copied URI.

Impact:
A connection from the second client is allowed, but it should not be allowed.

Fix:
Restrict to Single Client IP is honored for VMware VDI for both PCOIP and Blast protocols.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5


969297 : Virtual IP configured on a system with SelfIP on vwire becomes unresponsive

Links to More Info: BT969297

Component: SSL Orchestrator

Symptoms:
Virtual IP ARP does not get resolved when a SelfIP is configured on a virtual-wire.

Conditions:
Issue happens when a SelfIP address is configured and a Virtual IP address is configured for a Virtual Server.

Impact:
The virtual server is unreachable.

Workaround:
None

Fix:
ARP forwarding to peer is decided based on whether Virtual IP and self-IP is configured or not.

Fixed Versions:
16.1.2.2


968929-2 : TMM may crash when resetting a connection on an APM virtual server

Links to More Info: BT968929

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
- HTTP profile without fallback host.
- iRules.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure fallback host to an HTTP profile that redirects the request to a specified location.

Fixed Versions:
17.0.0, 16.1.2.2


968893-3 : TMM crash when processing APM traffic

Links to More Info: K93526903, BT968893


968657-1 : Added support for IMDSv2 on AWS

Links to More Info: BT968657

Component: TMOS

Symptoms:
AWS added a token-based Instance MetaData Service API (IMDSv2). Prior versions of BIG-IP Virtual Edition supported only a request/response method (IMDSv1). When the AWS API is starting with IMDSv2, you will receive the following error message:

get_dossier call on the command line fails with:
        01170003:3: halGetDossier returned error (1): Dossier generation failed.

This latest version of BIG-IP Virtual Edition now supports instances started with IMDSv2.

Conditions:
AWS instances started with IMDSv2.

Impact:
BIG-IP Virtual Edition cannot license or re-license AWS instances started with IMDSv2 and other metadata-based functionality will not function.

Fix:
With the latest version of BIG-IP VE, you can now initialize "IMDSv2 only" instances in AWS and migrate your existing instances to "IMDSv2 only" using aws-cli commands. For details, consult documentation: https://clouddocs.f5.com/cloud/public/v1/shared/aws-ha-IAM.html#check-the-metadata-service-for-iam-role
 
IMDSv2 documentation from AWS: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1


968581-4 : TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description

Links to More Info: BT968581

Component: Local Traffic Manager

Symptoms:
The TMSH command "show /ltm profile ramcache" has a max-response option to output a number of records designated in this parameter. Due to calculation algorithm, the command may output less records than RAMCACHE stores or more records than the limit prescribes.

Conditions:
-- A virtual server is configured on BIG-IP.
-- A webacceleration profile with no web application is attached to the virtual server.
-- Traffic is sent over the virtual server with a number of unique cacheable documents that exceed a designated limit.

Impact:
Output of the command may not match to actual list of stored documents in RAMCACHE.

Fix:
Command "show /ltm /profile ramcache" respects a limit defined as "max-response" parameter.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5


967905-5 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash

Links to More Info: BT967905

Component: TMOS

Symptoms:
Tmm crashes.

Conditions:
-- static bwc
-- virtual to virtual chain

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the static bwc on a virtual chain.

Fix:
Fixed a tmm crash.

Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1


967101-1 : When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out.

Links to More Info: BT967101

Component: Local Traffic Manager

Symptoms:
Gratuitous ARP (GARP) messages are dropped at the time of sending GARP because the number of links up in the trunk is 0 (which returns "error 18" ... ERR_NOT_FOUND)

Conditions:
-- Two BIG-IP systems with switchless configuration, such as i2xxx and i4xxx.
-- Bring down and up the interfaces at the same time in the trunk.

Impact:
Neighboring device arp table is not updated about the BIG-IP interface status, because no gratuitous ARP message is sent out.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


966949-6 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node

Links to More Info: BT966949

Component: TMOS

Symptoms:
If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created.
If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected.

Conditions:
This may occur under the following conditions:
-- An FQDN template node is configured with "autopopulate enabled"
-- The configured DNS server resolves the FQDN name to multiple IP addresses
-- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230

This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node.

Impact:
Unused FQDN ephemeral nodes may remain in the active configuration.
-- Since is it not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, it is not possible for any FQDN ephemeral pool members to remain when the steps that lead to this issue occur.
-- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes.

Workaround:
It is possible to work around this issue by one of the following methods:
-- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI)
(Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.)
-- Restarting BIG-IP (for example, using the command "bigstart restart")

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


966541-1 : Improper data logged in plaintext

Links to More Info: K06110200, BT966541


966461-7 : Tmm memory leak

Links to More Info: BT966461

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm leaks memory for DNSSEC requests.

Conditions:
NetHSM is configured but disconnected.

or

Internal FIPS card is configured and tmm receives more DNSSEC requests than the FIPS card is capable of handling.

Impact:
Tmm memory utilization increases over time.

Workaround:
None

Fix:
A new DB variable dnssec.fipswaitingqueuecap is introduced to configure the capacity of the FIPS card.

You can throttle the incoming DNSSEC requests based on the count of outstanding DNSSEC requests in netHSM/Internal FIPS queue.

tmsh modify sys db dnssec.fipswaitingqueuecap value <value>
this value sets the capacity per tmm process.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


965853-6 : IM package file hardening

Links to More Info: K08510472, BT965853


965837-4 : When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection

Links to More Info: BT965837

Component: Access Policy Manager

Symptoms:
When BIG-IP is configured with a PingAccess profile and an SSL profile is associated with both the BIG-IP virtual server and a ping access configuration, an active connection to the virtual server may lead to a TMM crash.

Conditions:
-- SSL is configured on both the BIG-IP virtual server that contains the ping access profile and ping access configuration.
-- Active connection to the BIG-IP virtual server
-- Config sync is triggered or "tmsh load sys config" is triggered

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fix:
Fixed a TMM crash related to ping access.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


965785-4 : Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine

Links to More Info: BT965785

Component: Application Security Manager

Symptoms:
DCC.HSL_DATA_PROFILES table on standby machine stay empty after sync process. Error for DB insert failure into table DCC.HSL_DATA_PROFILES thrown in asm_config_server.log.

Conditions:
There is no specific condition, the problem occurs rarely.

Impact:
Sync process requires an additional ASM restart

Workaround:
Restart ASM after sync process finished

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


965229-5 : ASM Load hangs after upgrade

Links to More Info: BT965229

Component: Application Security Manager

Symptoms:
ASM upgrade hangs, and you see the following in
var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------

In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
 info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
 info tsconfig.pl[24675]: ASM initial configration script launched
 info tsconfig.pl[24675]: ASM initial configration script finished
 info asm_start[25365]: ASM config loaded
 err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------

Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade

Impact:
ASM post upgrade config load hangs and there are no logs or errors

Workaround:
None

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


964625-5 : Improper processing of firewall-rule metadata

Links to More Info: BT964625

Component: Advanced Firewall Manager

Symptoms:
The 'mcpd' process may suffer a failure and be restarted.

Conditions:
Adding very large firewall-policy rules, whether manually, or from config-sync, or from BIG-IQ.

Impact:
-- MCPD crashes, which disrupts both control-plane and data-plane processing while services restart.
-- Inability to configure firewall policy.

Workaround:
Reduce the number of firewall policy rules.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


964533-2 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.

Links to More Info: BT964533

Component: TMOS

Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.

Conditions:
If a session is deleted before all the session db callback events are handled, this error can occur while passing normal traffic.

Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.

There is no impact other than additional log entries.

Workaround:
None.

Fix:
Log level has been changed so this issue no longer occurs.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


964489-7 : Protocol Inspection IM package hardening

Links to More Info: K08510472, BT964489


964125-6 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.

Links to More Info: BT964125

Component: TMOS

Symptoms:
Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes.

There is more then one avenue where node statistics would be queried.

The BIG-IP Dashboard for LTM from the GUI is one example.

Conditions:
Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics.

Impact:
Mcpd restarted which will cause services to failover. Traffic and configuration disrupted while mcpd restarts.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


963625-3 : Appliance mode hardening

Links to More Info: K68647001, BT963625


963541-1 : Net-snmp5.8 crash

Links to More Info: BT963541

Component: TMOS

Symptoms:
Snmpd crashes.

Conditions:
This does not always occur, but it may occur after a subagent (bgpd) is disconnected.

Impact:
Snmpd crashes.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1


962589-4 : Full Sync Requests Caused By Failed Relayed Call to delete_suggestion

Links to More Info: BT962589

Component: Application Security Manager

Symptoms:
When using parent policies with learning enabled in an auto-sync device group, in some use cases deleting an ignored suggestion on a parent policy will cause a full sync to occur.
This can cause unexpected delays in configuration being synchronized between peers, and in the event of repeated instances in quick succession could fill the /var partition

Conditions:
1) Device Group with ASM and auto-sync enabled
2) Parent Policies with learning are in use.
3) Ignored Suggestions are deleted on the parent policy after they have 0 suggesting children left.

Impact:
ASM configuration requests a full sync which can cause unexpected slowness in config synchronization and may fill the /var partition if done multiple times in quick succession.
A full /var partition can lead to bd cores.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4


962177-6 : Results of POLICY::names and POLICY::rules commands may be incorrect

Links to More Info: BT962177

Component: Local Traffic Manager

Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules returns incorrect results.

Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.

Impact:
Traffic processing may not provide expected results.

Fix:
POLICY::names and POLICY::rules provide atomic results per transaction going over a same connection.

Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4, 13.1.4.1


961509-5 : ASM blocks WebSocket frames with signature matched but Transparent policy

Links to More Info: BT961509

Component: Application Security Manager

Symptoms:
WebSocket frames receive a close frame

Conditions:
-- ASM provisioned
-- ASM policy attached to a virtual server
-- WebSocket profile attached to a virtual server
-- ASM policy transparent mode enabled

Impact:
WebSocket frame blocked in transparent mode

Workaround:
Change signatures blocking settings to Learn = Yes, Alarm = Yes, Block = No

Fix:
WebSocket frame blocking condition now takes into account global transparent mode setting.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


960677-1 : Improvement in handling accelerated TLS traffic

Links to More Info: BT960677

Component: Local Traffic Manager

Symptoms:
Rare aborted TLS connections.

Conditions:
None

Impact:
Certain rare traffic patterns may cause TMM to abort some accelerated TLS connections.

Workaround:
None

Fix:
The aborted connections will no longer be aborted and will complete normally.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


959985-3 : Update VMware hardware version templates for BIG-IP Virtual Edition (VE) from v10 to v13 in order to support VMs deployed in more versions of vSphere ESXi.

Links to More Info: BT959985

Component: TMOS

Symptoms:
Virtual hardware version setting for BIG-IP VE VMware templates (virtualHW.version) are set to version 10 and must change to version 13, so more versions of vSphere ESXi (for example, ESXi v6.0 and later) can support deploying BIG-IP Virtual Edition.

Conditions:
Using BIG-IP Virtual Edition VMware hardware templates set to v10 running in most, later versions of VMware ESXi.

Impact:
BIG-IP Virtual Edition VMware hardware templates result in performance issues and deployment errors/failures.

Workaround:
None

Fix:
Changed the BIG-IP Virtual Edition VMware hardware template version setting (virtualHW.version) to 13 and deployed them successfully using later versions of VMware ESXi.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1


959609-4 : Autodiscd daemon keeps crashing

Links to More Info: BT959609

Component: Advanced Firewall Manager

Symptoms:
Autodiscd daemon keeps crashing.

Conditions:
Issue is happening when high speed logging and auto discovery configuration are configured and send the traffic.

Impact:
Auto discovery feature is not working as expected

Workaround:
None.

Fix:
Auto discovery feature now works as expected.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1


959153-3 : Appliance mode hardening

Links to More Info: K68647001, BT959153


957905-1 : SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP.

Links to More Info: BT957905

Component: Service Provider

Symptoms:
SIP Requests that don't contain a content_length header are accepted and forwarded by the BIG-IP to the server.

SIP Responses that don't contain a content_length header are accepted and forwarded to the client.

The sipmsg parser does not treats the content_length header as a required header as part of the SIP Request / Response.

Conditions:
SIP request / response without content_length header.

Impact:
RFC 6731 non compliance.

Workaround:
N/A

Fix:
BIG-IP now aborts the connection of any TCP SIP request / response that does not contain a content_length header.

content_length header is treated as optional for UDP and SCTP.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


957637-1 : The pfmand daemon can crash when it starts.

Links to More Info: BT957637

Component: TMOS

Symptoms:
The pfmand process crashes and writes out a core file during bootup (or if the process is manually restarted by an Administrator for any reason) on certain platforms.

The crash may happen more than once, until the process finally settles and is able to start correctly.

Conditions:
-- Platforms i4000/i2000/i4800/i2800/i4600/i2600/i850.

Impact:
Network connection lost while pfmand restarts.

Workaround:
None

Fix:
The issue causing the pfmand daemon to occasionally crash has been resolved.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1


957453-1 : Javascript parser incompatible with ECMAScript 6/7+ javascript versions

Links to More Info: BT957453

Component: Access Policy Manager

Symptoms:
A web application failed to function on the client side.

Conditions:
-- APM proxying a web application.
-- Web application uses ES6/7 or higher javascript.

Impact:
The web application failed to function.

Workaround:
None

Fix:
The fix is implemented in two steps:

STEP 1:
Initial implementation with bug ID 592353, added support for Javascript ECMA6/7+. Optional internal wrapping is added into client-side includes.

With this fix, a custom iRule workaround can be applied to fix a limited set of possible cases.
 
STEP 2:
With bug ID 957453, the implementation of the light rewriter on the server side is also completed.

No iRule workaround is required to support ES6/7+ javascript versions after the implementation of bug ID 957453.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


956645-4 : Per-request policy execution may timeout.

Links to More Info: BT956645

Component: Access Policy Manager

Symptoms:
When attempting to access a resource that requires subsession validation, the client may receive an HTTP 503 "Service Unavailable" response, and the logs indicate that per-request policy execution time has expired.

Conditions:
Multiple connections are accessing the same subsession, triggering subsession lock contention.

Impact:
Some clients will fail to connect to their destination.

Workaround:
Add criteria to the gating criteria to enable more fine-grained subroutines to reduce subsession contention. For example, add category, or application name, to the gating criteria. In the case of API protection, consider concatenating credentials with the resource hostname (plus port).

Increase the per-request policy execution timeout value, controlled by the variable tmm.access.prp_global_timeout, to a higher value.

Fix:
Subesssion lock contention wait time is reduced. Clients will not fail to connect due to subsession lock contention.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9, 14.1.4.5


956373-4 : ASM sync files not cleaned up immediately after processing

Links to More Info: BT956373

Component: Application Security Manager

Symptoms:
Some ASM sync files remain on disk after config sync finishes. They remain until periodic clean-up tasks activate

Conditions:
-- ASM provisioned
-- BIG-IP devices are in a sync group
-- Relatively small "/var" partition

Impact:
If the files are large it may lead to "lack of disk space" problem.

Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.3, 14.1.4.1


956133-2 : MAC address might be displayed as 'none' after upgrading.

Links to More Info: BT956133

Component: Local Traffic Manager

Symptoms:
The MAC Address of a BIG-IP Virtual Edition network interface is displayed as 'none' after upgrading.

Conditions:
1. The VLAN MTU is set to less than 1280 bytes on a BIG-IP network interface.
2. Upgrade BIG-IP to 14.1.0 or above from BIG-IP versions below 14.1.0.

Impact:
Traffic disrupted when the MAC address is set to 'none'.

Workaround:
N/A

Fix:
IPv6 link-local addresses are now created with MTU greater than 1280, so this issue is resolved.

Fixed Versions:
17.0.0, 16.1.4, 15.1.4, 14.1.4.4


956013-4 : System reports{{validation_errors}}

Links to More Info: BT956013

Component: Policy Enforcement Manager

Symptoms:
A {{validation_errors}} at Subscriber Management :: Control Plane Listeners and Data Plane Listeners with ipv6 addresses

Conditions:
Specifying an IPv6 address in the expression in Subscriber Management :: Control Plane Listeners and Policy Enforcement :: Data Plane Listeners.

Impact:
Cannot access the BIG-IP GUI through IPv6 address from any web browser. Admin/User cannot enter input through GUI.

Workaround:
None.

Fixed Versions:
16.1.2.1, 15.1.5, 14.1.4.5


955617-8 : Cannot modify properties of a monitor that is already in use by a pool

Links to More Info: BT955617

Component: Local Traffic Manager

Symptoms:
If the monitor is associated with a node or pool, then modifying monitor properties other than the destination address is displaying incorrect error. For example, modifying the receive string results in following error:

0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor

This error should only be generated if the destination address of an associated monitor is being modified, but this error message is generated when other parameters are modified.

Conditions:
-- Monitor with alias address field as default properties.
-- Pool containing a node or pool member.
-- Monitor is attached to the pool.

Impact:
Monitor properties cannot be modified if they are in use by a pool.

Workaround:
Remove the monitor, modify it, and then add it again.

Fix:
Monitor properties can be modified even when the monitor is attached to the node or pool, updated values reflect in the node or pool.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


954425-4 : Hardening of Live-Update

Links to More Info: K61112120, BT954425


954001-7 : REST File Upload hardening

Component: Device Management

Symptoms:
REST file upload does not follow best security practices.

Conditions:
N/A

Impact:
N/A

Workaround:
Only upload trusted files to the BIG-IP.

Fix:
REST file uploads now follow best security practices.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


953601-4 : HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions

Links to More Info: BT953601

Component: Local Traffic Manager

Symptoms:
HTTPS monitor marks pool member/nodes as down and they remain down until bigd is restarted or the monitor instance is removed and created again.

Conditions:
BIG-IP is configured with restrictive ciphers that are only compatible with TLS 1.2 (ECDH+AESGCM) but all of the TLS protocol versions are allowed. When HTTPS monitor TLS 1.0 handshake fails, due to incompatible ciphers with the server being monitored. It does not try TLS 1.2 version and marks pool members or nodes as down.

Impact:
HTTPS monitor shows pool members or nodes down when they are up.

Workaround:
Restart bigd or remove and add monitors.

Fix:
In case of handshake failure, BIG-IP will try TLS 1.2 version.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


952521-1 : Memory allocation error while creating an address list with a large range of IPv6 addresses

Links to More Info: BT952521

Component: Advanced Firewall Manager

Symptoms:
When trying to create a large IPv6 address-list IP range either via the GUI, tmsh, or from loading a previously saved config, MCPd will temporarily experience memory exhaustion and report an error "01070711:3: Caught runtime exception, std::bad_alloc"

Conditions:
When adding an IPv6 address range that contains a very large number of IPs. This does not affect IPv4.

Impact:
The IP address range cannot be entered. If upgrading from a non-affected version of TMOS where an IP range of this type has been saved to the config, a std::bad_alloc error will be printed when loading the config after upgrading.

Workaround:
Use CIDR notation or multiple, smaller IP ranges.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


951257-5 : FTP active data channels are not established

Links to More Info: K82034427, BT951257


951133-4 : Live Update does not work properly after upgrade

Links to More Info: BT951133

Component: Application Security Manager

Symptoms:
After upgrading BIG-IP version the Live Update "Check for Update" button does not respond.

Conditions:
Upgrading from a version that did not have Live Update to a new version which includes Live Update

Impact:
Live Update can't query for new updates.

Workaround:
Restart tomcat process:
> bigstart restart tomcat

Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4


950917-4 : Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034

Links to More Info: BT950917

Component: Application Security Manager

Symptoms:
Following Signature Update (-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:

01310027:2: subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )

Conditions:
Signature Update -SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.

Impact:
Apply policy fails.

Workaround:
You can use any of the following workarounds:

-- Install an older signature update -SignatureFile_20200917_175034

-- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.

-- Run the following SQL command to correct all affected policies on the device:
----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs INNER JOIN (select previous_enforced_rule_md5, policy_id, count(*) as mycount from PL_POLICY_NEGSIG_SIGNATURES where previous_enforced_rule_md5 != '' group by previous_enforced_rule_md5, policy_id having mycount > 1) as multi_sigs on policy_sigs.policy_id = multi_sigs.policy_id and policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5 SET policy_sigs.previous_enforced_rule_md5 = '', policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------

Fixed Versions:
17.0.0, 16.1.4, 15.1.4, 14.1.4.2, 13.1.4.1


950605-6 : Openssh insecure client negotiation CVE-2020-14145

Links to More Info: K48050136, BT950605


950201-3 : Tmm core on GCP

Links to More Info: BT950201

Component: TMOS

Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.

TMM panic with this message in a tmm log file:

panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.

Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following workarounds:

-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141

-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.


Note: Using either workaround has a performance impact.

Fix:
- Added error handling to prevent crashing when a bad packet gets received
- Added a new column 'invalid_header' into tmm/virtio_rx_stats table to track incidents

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


950149 : Add configuration to ccmode for compliance with the Common Criteria STIP PPM.

Links to More Info: BT950149

Component: TMOS

Symptoms:
To comply with configuration requirements for the Common Criteria STIP PPM, the ccmode script must be updated.

Conditions:
Required compliance with Common Criteria STIP PPM configuration.

Impact:
Without these updates, the BIG-IP will not be compliant with the Common Criteria STIP requirements.

Workaround:
Follow the instructions in the Common Criteria Guidance document.

Fix:
This fix added configuration elements for compliance to Common Criteria STIP PPM requirements.

Fixed Versions:
17.0.0, 16.1.3


950069-1 : Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record"

Links to More Info: BT950069

Component: Global Traffic Manager (DNS)

Symptoms:
When attempting to use zonerunner to edit a TXT record that contains a plus character, BIG-IP DNS presents the error message 'Resolver returned no such record'.

Conditions:
A TXT record exists with RDATA (the value of the TXT record) containing one or more + symbols

Impact:
Unable to edit the record.

Workaround:
Two workarounds available:

1. Use zonerunner to delete the record and then recreate it with the desired RDATA value

2. Manually edit the bind zone file (see K7032)

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1


949857-7 : Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync

Links to More Info: K32544615, BT949857


948985-3 : Workaround to address Nitrox 3 compression engine hang

Links to More Info: BT948985

Component: Local Traffic Manager

Symptoms:
Occasionally the Nitrox3 compression engine hangs.

In /var/log/ltm:
 
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.

Conditions:
The BIG-IP system uses Nitrox 3 hardware compression chips: 5xxx, 7xxx, 12250, and B2250.

You can check if your platform has nitrox3 by running the following command:

tmctl -w 200 compress -s provider

provider
--------
bzip2
lzo
nitrox3 <--------
zlib

Impact:
The Nitrox3 hardware compression system becomes unavailable, and the compression mode switches to software compression. This can lead to high CPU usage.

Workaround:
Disable HTTP compression or use software compression.

Fix:
Added db key compression.nitrox3.dispatchsize to control the request size.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1


948241-4 : Count Stateful anomalies based only on Device ID

Links to More Info: BT948241

Component: Application Security Manager

Symptoms:
Currently when Device ID is enabled, the BIG-IP system counts stateful anomalies on both IP and Device ID. When a client has a proxy (without XFF), and many requests arrive with the same IP, this can cause false positives

Conditions:
- Bot Defense profile is attached to a virtual server.
- Bot Defense profile has "Browser Verification" set to "Verify After Access" or "Device ID Mode" set to "Generate After Access".

Impact:
False positives may occur in case of a proxy without XFF

Workaround:
None

Fix:
Stateful anomalies are no longer counted on IP when Device ID is enabled

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


948113-1 : User-defined report scheduling fails

Links to More Info: BT948113

Component: Application Visibility and Reporting

Symptoms:
A scheduled report fails to be sent.

An error message with the following format may appear on /var/log/avr/monpd.log file (some parts of the error message were replaced with '.....' in here to leave only the common parts):
     DB|ERROR|....... Error (err-code 1054) executing SQL string :
.....
.....
.....
 Because : Unknown column ....... in 'order clause'

Conditions:
1. Using predefined-report in scheduled-report.
2. Predefined-report has more than one measure.
3. Sort-by value is different from the first measure on predefined-report

Impact:
Internal error for AVR report for ASM pre-defined.

Workaround:
First, remount /usr to read-write:
mount -o remount,rw /usr

Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line:
push(@measures,@{$base_request->{measures}}[0]);
to this:
push(@measures,@{$base_request->{sort_by}}[0]->{measure});

The above can be achieved with the following script-line (please first backup the Client.pm file and then verify it changed it correctly):
sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm

Lastly, remount /usr back to read-only:
mount -o remount,ro /usr

Fix:
Using 'sort-by' measure when building PDF (instead of the first value on measure-list)

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


948065-1 : DNS Responses egress with an incorrect source IP address.

Links to More Info: BT948065

Component: Local Traffic Manager

Symptoms:
DNS responses over a certain size egress the BIG-IP with an incorrect source IP address set.

Conditions:
Large responses of ~2460 bytes from local BIND

Impact:
The response to the client appears to be coming from the wrong source IP address, and the request fails.

Workaround:
Change 'max-udp-size' in BIND to a smaller value reduces the size of response, which stops the fragmentation.

Note: This workaround has limitations, as some records in 'Additional Section' are truncated.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


947905-4 : Upgrade from 13.1.4, 14.1.4, or 15.1.1 to 14.0.x, 15.0.x, 16.0.0 or 16.0.0.1 fails

Links to More Info: BT947905

Component: TMOS

Symptoms:
Loading configuration process fails after an upgrade from 13.1.4, 14.1.4, or 15.1.1 to release 14.0.0, 15.0.0, 16.0.0 or 16.0.0.1.

The system posts errors similar to the following:

-- info tmsh[xxxx]: cli schema (15.1.1) has been loaded from schema data files.
-- crit tmsh[xxxx]: 01420001:2: Can't load keyword definition (user-account.session_limit) : framework/SchemaCmd.cpp, line 825.
-- crit tmsh[xxxx]: 01420001:2: Can't load keyword definition (system-settings.ssh_max_session_limit) : framework/SchemaCmd.cpp, line 825
-- emerg load_config_files[xxxx]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Loading schema version: 15.1.1.
-- err mcpd[xxxx]: 01070422:3: Base configuration load failed.
-- Unexpected Error: "Can't load keyword definition (user-account.session_limit)".
-- Unexpected Error: "Can't load keyword definition (system-settings.ssh_max_session_limit)"
-- Syntax Error:(/config/bigip_user.conf at line: 10) "session-limit" unknown property

Conditions:
Upgrade from one of the following release:

-- v13.1.4 or later within the v13.1.x branch
-- v14.1.4 or later within the v14.1.x branch
-- v15.1.1 or later within the v15.1.x branch

to one of the following releases:

-- v14.0 through v14.1.3.1
-- v15.0 through v15.1.0.5
-- v16.0.0 and v16.0.0.1

Impact:
After upgrade, config does not load. The system hangs at the base configuration load failure status.

Workaround:
Although there is no workaround, you can avoid this issue by upgrading to the most recent maintenance or point release in v14.1.x, v15.1.x, or v16.x.

You can find a list of most current software releases in K5903: BIG-IP software support policy :: https://support.f5.com/csp/article/K5903

Fixed Versions:
16.1.3, 16.0.1


947341-4 : MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files.

Links to More Info: BT947341

Component: Application Security Manager

Symptoms:
1) var/lib/mysql/mysqld.err is filled with log entries that contain:
------------
  200824 11:04:43 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
  200824 11:18:46 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
  200824 11:35:58 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
------------

2) There are a lot of PRX.REQUEST_LOG partitions, in some cases up to 1024, many of which are empty.

Conditions:
ASM/AVR provisioned

Impact:
MySQL runs out of resources when opening the file
PRX.REQUEST_LOG and an error message states the file is corrupt.

Workaround:
1. If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
   https://support.f5.com/csp/article/K14956
   https://support.f5.com/csp/article/K42497314

2. To identify the empty partitions, look into:
   mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G"

3. For every partition that is empty, manually (or via shell script) execute this sql:
   mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "ALTER TABLE PRX.REQUEST_LOG DROP PARTITION <empty_partition_name>;"

   Note: <empty_partition_name> must be substituted with the partition name, for example p100001.


4. Increase 'open_files_limit' to '10000'.
--------------------------------

   In the /etc/my.cnf file:
   1. Change the value of the 'open_files_limit' parameter to 10000.
   2. Restart MySQL:
   bigstart restart mysql
--------------------------------

5. pkill asmlogd

Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.

Fix:
This release increases the default 'open_files_limit' to '10000'.

Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.3, 14.1.4.1


947333-2 : Irrelevant content profile diffs in Policy Diff

Links to More Info: BT947333

Component: Application Security Manager

Symptoms:
Defense attributes' grayed out values are shown in the policy diff even if "any" is selected

Conditions:
-- Import a policy
-- Perform a policy diff

Impact:
Policy diff showing irrelevant diffs

Workaround:
None

Fix:
Removed grayed out diffs from policy diff content profile section

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1


946325-7 : PEM subscriber GUI hardening

Links to More Info: K25451853, BT946325


946185-3 : Unable to view iApp component due to error 'An error has occurred while trying to process your request.'

Links to More Info: BT946185

Component: TMOS

Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:

An error has occurred while trying to process your request.

Conditions:
-- With or without Partitions configured.
-- Navigate to GUI iApps :: Application Services : Applications, to view a custom iApp.
-- More likely to occur after upgrade.

Impact:
Unable to view/modify iApps via GUI iApps :: Application Services : Applications screen.

Workaround:
To reconfigure the iApp, do the following:

1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List

2. Click the Application Link :: Reconfigure.

Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.

Fix:
Viewing Application Service components now reports no errors in the GUI under these conditions.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4


945853-4 : Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession

Links to More Info: BT945853

Component: Advanced Firewall Manager

Symptoms:
TMM crashes during a configuration change.

Conditions:
This occurs under the following conditions:

-- Create/modify/delete multiple virtual servers in quick succession.

-- Perform back-to-back config loads / UCS loads containing a large number of virtual server configurations.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes during a configuration change.

Fixed Versions:
16.1.3, 15.1.3


945357 : BIG-IP must be able to set CA=True when creating Certificate Signing Requests from TMSH.

Links to More Info: BT945357

Component: Local Traffic Manager

Symptoms:
A Certificate Signing Request (CSR) is generated on the BIG-IP device to be used to create a certificate. It is possible for the entity owning the just-created certificate to serve as a Certificate Authority (CA) and be able to issue certificates and private keys to other parties. However, that ability does not exist unless the certificate has the CA field set to True (by default it is set to False).

Conditions:
In the TMSH prompt on the Command Line Interface (CLI), an attempt is made to generate a Certificate Signing Request (CSR) to be used to eventually create a certificate and corresponding private key.

Impact:
Without this change, certificates and private keys generated on the BIG-IP device cannot be directly provided to certification authorities so they can be used to sign certificates they would issue to other parties.

Workaround:
This is a new facility, not provided before, and overcomes a limitation. Without this facility, existing users of the BIG-IP are not impacted at all. As such, there is no workaround applicable.

Fix:
This fix enables certificates and private keys generated on the BIG-IP device via CSR's to be directly provided to certification authorities for their use. Because the CA field is set to now True, this fix adds convenience for certification authorities.

Fixed Versions:
17.0.0, 16.1.3


944381-2 : Dynamic CRL checking for client certificate is not working when TLS1.3 is used.

Links to More Info: BT944381

Component: Local Traffic Manager

Symptoms:
In SSL reverse proxy, dynamic CRL checking for client certificate is not working when TLS 1.3 handshake is used.
The SSL handshake successfully completed even though the client certificate is revoked.

Conditions:
-- Dynamic CRL checking enabled on a client-ssl profile
-- The client-side SSL handshake uses TLS1.3.

Impact:
The handshake should fail but complete successfully

Fix:
The issue was due to Dynamic CRL revocation check has not been integrated to TLS 1.3.

After the Dynamic CRL checking is integrated to TLS 1.3, the TLS handshake will work as expected.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1


944121-4 : Missing SNI information when using non-default domain https monitor running in TMM mode.

Links to More Info: BT944121

Component: In-tmm monitors

Symptoms:
In-TMM https monitors do not send the SNI (Server Name Indication) information for non-default route domain pool members.

In-TMM monitors do not send any packet when TLS1.3 monitor is used.

Conditions:
-- SNI is configured in serverssl profile
-- serverssl profile is assigned to in-tmm https monitors
-- https monitors are monitoring pool members that are in a non-default route domain.

 - Another Condition :

TLS1.3 Monitor is used

Impact:
The TLS connection might fail in case of SNI

No SYN packet is sent in case of TLS1.3 monitor

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


943669-4 : B4450 blade reboot

Links to More Info: BT943669

Component: TMOS

Symptoms:
In a rare scenario, a B4450 blade suddenly reboots.

Conditions:
This occurs when there is heavy traffic load on VIPRION B4450 blades. The root cause is unknown. It happens extremely rarely.

Impact:
Traffic disrupted while the blade reboots.

Workaround:
None.

Fix:
The system now monitors the pause frames and reboots when needed.

Fixed Versions:
16.1.2.2, 15.1.2


943577-1 : Full sync failure for traffic-matching-criteria with port list under certain conditions

Links to More Info: BT943577

Component: TMOS

Symptoms:
Performing a full configuration sync with traffic-matching-criteria (TMC) under specific conditions fails with errors similar to:

err mcpd[6489]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[6489]: 01071488:3: Remote transaction for device group /Common/Failover to commit id 245 6869100131892804717 /Common/tmc-sync-2-bigip1.test 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..

Conditions:
This may occur on a full-load config sync (not an incremental sync)
On the device receiving the ConfigSync:
   - a traffic-matching-criteria is attached to a virtual server
   - the traffic-matching-criteria is using a port-list
On the device sourcing the ConfigSync:
   - the same traffic-matching-criteria is attached to the same virtual server
   - the original port-list is modified (e.g. a description is changed)
   - the TMC is changed to reference a _different_ port-list

Impact:
Unable to sync configurations.

Workaround:
Copy the "net port-list" and "ltm traffic-matching-criteria" objects from the source to target system, merge them with "tmsh load sys config merge", and then perform a force-full-load-push sync from source to target.

If the BIG-IP systems are using device groups with auto-sync enabled, disable auto-sync temporarily while performing this workaround.

1. On the source system (the system whose configuration you want to sync to peer), save the configuration and extract the ltm traffic-matching-criteria and port-lists:

tmsh save sys config

(shopt -s nullglob; echo "#"; echo "# $HOSTNAME"; echo "# generated $(date +"%F %T %z")"
    cat /config{/partitions/*,}/bigip{_base,}.conf |
    awk '
        BEGIN { p=0 }
        /^(ltm traffic-matching-criteria|net port-list) / { p=1 }
        /^}/ { if (p) { p=0; print } }
        { if (p) print; }
    ' ) > /var/tmp/portlists-and-tmcs.txt

2. Copy /var/tmp/portlists-and-tmcs.txt to the target system

3. On the target system, load that file:

    tmsh load sys config replace file /var/tmp/portlists-and-tmcs.txt

3a. If loading the config file on the target system fails with the same error message seen during a ConfigSync, follow the procedure in
K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.

   tmsh save sys config
   clsh touch /service/mcpd/forceload
   clsh reboot

4. On the source system, force a full-load sync to the device-group:

    tmsh run cm config-sync force-full-load-push to-group <name of sync-group>

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


943109-4 : Mcpd crash when bulk deleting Bot Defense profiles

Links to More Info: BT943109

Component: TMOS

Symptoms:
When bulk deleting a large number of Bot Defense profiles (around 450 profiles) using TMSH, mcpd could crash.

Conditions:
This can be encountered during bulk delete of Bot Defenese profiles via tmsh.

Impact:
Crash of mcpd causing failover.

Workaround:
Delete the Bot Defense profiles in smaller batches to avoid the possible crash.

Fix:
There is no longer a crash of mcpd when deleting a large number of Bot Defense in a bulk using TMSH.

Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5


942617-2 : Heading or tailing white spaces of variable are not trimmed in configuration utility System Variable

Links to More Info: BT942617

Component: Application Security Manager

Symptoms:
Bot Defense does not accept the system variables with heading or tailing white space.

Conditions:
Create a system variable with heading or tailing white space in,
Security ›› Options : Application Security : Advanced Configuration : System Variables

Impact:
The HttpOnly cookie attribute is configured, but does not appear in TSCookie.

Workaround:
Create the system variables even with whitspaces through CLI, it omits the blank space from system variable name.

Fix:
Trim() to delete the whitspaces.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


941649-8 : Local File Inclusion Vulnerability

Links to More Info: K63163637, BT941649


941625-3 : BD sometimes encounters errors related to TS cookie building

Links to More Info: BT941625

Component: Application Security Manager

Symptoms:
BD sometimes print errors related to TS cookie building when receiving ASM cookies with account_id:

-- BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040.

-- IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.

Conditions:
-- Cookie protection is enabled.
-- The BIG-IP software is upgraded from a version that was earlier than 15.1.x.

Impact:
The cookie is not built and an error is logged.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4


940317-9 : CVE-2020-13692: PostgreSQL JDBC Driver vulnerability

Links to More Info: K23157312, BT940317


940261-1 : Support IPS package downloads via HTTP proxy.

Links to More Info: BT940261

Component: Protocol Inspection

Symptoms:
IPS package download via HTTP proxy does not work.

2021-08-31 16:59:59,793 WARNING Download file failed. Retrying.
--
The error repeats continuously.

Conditions:
-- The global db key 'sys management-proxy-config' is configured
-- An IPS download is triggered

Impact:
The IPS IM package fails to download.

Workaround:
No workaround.

Fix:
IPS package downloads can now be successfully performed through an HTTP proxy.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


940225-4 : Not able to add more than 6 NICs on VE running in Azure

Links to More Info: BT940225

Component: TMOS

Symptoms:
Azure BIG-IP Virtual Edition (VE) with more than 6 NICs fails to boot.

Conditions:
-- Standard_DS4_v2 Azure instance type.
-- Mellanox ConnectX-3 ethernet controller.
-- A greater-than-2-NIC template is used, for example https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/standalone/n-nic/existing-stack/byol with "numberOfAdditionalNics" set.
-- Accelerated networking is enabled on two or more NICs.

Impact:
Not able to boot BIG-IP VM with 8 NICs, which should be supported for Standard_DS4_v2 instance type:
8 vCPU
28 GiB
8 Max NICs

Adding more NICs to the instance makes the device fail to boot.

Workaround:
None

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1


940185-7 : icrd_child may consume excessive resources while processing REST requests

Links to More Info: K11742742, BT940185


939877-3 : OAuth refresh token not found

Links to More Info: BT939877

Component: Access Policy Manager

Symptoms:
When an OAuth client sends a refresh token to renew the access token, BIG-IP reports an error:

err tmm[13354]: 01990004:3: /Common/my_OAuth_v1:Common: Request Refresh Token from Source ID ... failed. Error Code (id_not_found) Error Description (The refresh token is not found)

Conditions:
-- The refresh token expiration interval is longer than authcode and accesstoken.
-- The Authorization code table entry does not exist because of an internal clearing/purging operation.
-- tmm restarts or failover to standby thus losing refresh-token value from primarydb

Impact:
OAuth APM client end user fails to renew the access token even with a valid refresh token.

Workaround:
Clear/reset the Authorization code column value manually:

As a root user run below BIG-IP shell
(tmos)# list apm oauth db-instance
apm oauth db-instance oauthdb { db-name <db_name> description "Default OAuth DB." }

Copy the value corresponding to <db_name>.

Log into mysql from the bash prompt:
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw)

mysql> use <db_name>;

mysql> update master set auth_code = NULL where refresh_token='affected_refresh_token_id';

(Substitute the affected refresh token ID with affected_refresh_token_id in the previous command.)

Fix:
Do not report error if the Authorization code does not exist when a valid refresh-token/access-token exists.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4, 14.1.4.4


939757-8 : Deleting a virtual server might not trigger route injection update.

Links to More Info: BT939757

Component: TMOS

Symptoms:
When multiple virtual servers share the same virtual address, deleting a single virtual server might not trigger a route injection update.

Conditions:
-- Multiple virtual servers sharing the same destination address
-- One of the virtual servers is deleted

Impact:
The route remains in the routing table.

Workaround:
Disable and re-enable the virtual address after deleting a virtual server.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


937649-4 : Flow fwd broken with statemirror.verify enabled and source-port preserve strict

Links to More Info: BT937649

Component: Local Traffic Manager

Symptoms:
Flow forwarding does not work with statemirror.verify enabled and source-port is preserve strict. Depending on the number of tmms and the IP addresses/ports on the network, this causes return traffic to get dropped.

Traffic captures show packets leaving the BIG-IP system on one tmm and being returned on another. The return traffic that encounters the second tmm is dropped.

Conditions:
-- Mirroring is enabled.
-- High availability (HA) peer is connected.
-- The source-port setting is preserve-strict.
-- The statemirror.verify option is enabled.
-- There is more than one tmm.

Impact:
Server-side return traffic to the BIG-IP is dropped. This causes connection timeouts and resets.

Workaround:
-- Disable statemirror.verify, disable source-port preserve-strict, disable mirroring.

-- On BIG-IP Virtual Edition (VE), add the following to tmm_init.tcl on both units and restart tmm:
 ndal ignore_hw_dag yes

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


936501-1 : Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled

Links to More Info: BT936501

Component: TMOS

Symptoms:
When attempting to Export/Import a file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf via SCP, you receive an error dialog:

"file not allowed"

Conditions:
-- fips140 or common criteria mode enabled
-- Export/Import file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf

Impact:
Import/Export file using scp tool from/to the BIG-IP file path(s) /var/local/ucs or /var/local/scf not allowed when fips140 or cc mode enabled even if the file is encrypted.

Workaround:
None

Fixed Versions:
17.1.0, 16.1.3.1, 15.1.9


936441-7 : Nitrox5 SDK driver logging messages

Links to More Info: BT936441

Component: Local Traffic Manager

Symptoms:
The system kernel started spontaneously logging messages at an extremely high rate (~3000 per second):

Warning kernel: EMU(3)_INT: 0x0000000000000020
warning kernel: sum_sbe: 0
warning kernel: sum_dbe: 0
warning kernel: sum_wd: 0
warning kernel: sum_gi: 0
warning kernel: sum_ge: 0
warning kernel: sum_uc: 1

The above set of messages seems to be logged at about 2900-3000 times a second.

These messages continue after TMM fails its heartbeat and is killed. The system is rebooted by the host watchdog.

Conditions:
These messages are triggered by Nitrox5 driver when EMU microcode cache errors corrected by hardware.

Impact:
High rate of logging messages. The tmm heartbeat eventually fails, and tmm is restarted. Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5


936093-5 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline

Links to More Info: BT936093

Component: TMOS

Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.

Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.

Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.

Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:

/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr

This can be accomplished using a command such as:

truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


935945-2 : GTM HTTP/HTTPS monitors cannot be modified via GUI

Links to More Info: BT935945

Component: Global Traffic Manager (DNS)

Symptoms:
GUI reports an error when modifying DNS/GTM HTTP/HTTPS monitors:

01020036:3: The requested monitor parameter (/Common/http-default 2 RECV_STATUS_CODE=) was not found.

Conditions:
RECV_STATUS_CODE has never been set for the DNS/GTM HTTP/HTTPS monitors.

Impact:
Not able to make changes to DNS/GTM HTTP/HTTPS monitors through GUI.

Workaround:
If 'recv-status-code' has never been set, use tmsh instead.

Note: You can set 'recv-status-code' using tmsh, for example:

   tmsh modify gtm monitor http http-default recv-status-code 200

Fixed Versions:
17.1.0, 16.1.4, 15.1.10


935249-3 : GTM virtual servers have the wrong status

Links to More Info: BT935249

Component: Global Traffic Manager (DNS)

Symptoms:
GTM virtual servers have the wrong status (up when they should be down, or down when they should be up).

Conditions:
-- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching.

-- The status code (for example, 200) being searched for in the response appears elsewhere than in the first line (for example, in a following header).

Impact:
The system incorrectly matches the status code in a response line which is not the Status-Line. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions.

Workaround:
You can work around this issue by not performing HTTP status matching in your HTTP/HTTPS GTM monitors.

Fix:
The HTTP status code is now correctly searched only in the first line of the response.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5


935193-4 : With APM and AFM provisioned, single logout ( SLO ) fails

Links to More Info: BT935193

Component: Local Traffic Manager

Symptoms:
SAML Single log out (SLO) fails on BIG-IP platforms. The SAML module on the BIG-IP system reports following error messages:

-- SAML SSO: Error (12) Inflating SAML Single Logout Request
-- SAML SSO: Error (12) decoding SLO message
-- SAML SSO: Error (12) extracting SAML SLO message

Conditions:
Failures occur with Redirect SLO.

Impact:
SAML single logout does not work.

Workaround:
Use POST binding SLO requests.

Fixed Versions:
17.0.0, 16.1.4, 15.1.10


935177-3 : IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm

Links to More Info: BT935177

Component: TMOS

Symptoms:
TMM crashes when the maximum transmission unit (MTU) or 'Use PMTU' setting is changed while passing IPsec traffic.

Conditions:
-- IPsec tunnel configured and passing traffic.
-- The MTU or 'Use PMTU' setting for the IPsec tunnel (in interface mode) is changed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not change MTU or PMTU settings for the tunnel while it is passing traffic.

The settings can be changed while passing traffic, but TMM may crash very soon after the change. If the settings are changed and TMM does not crash soon after, then it will not spontaneously crash at some later point.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1


934697-5 : Route domain is not reachable (strict mode)

Links to More Info: BT934697

Component: Local Traffic Manager

Symptoms:
Network flows are reset and following errors are found in /var/log/ltm:

Route domain not reachable (strict mode).

Conditions:
This might occur in either one of the following scenarios:
Scenario 1
==========
-- LTM with iRules configured.
-- The iRule directs traffic to a node that is in a route domain.

or

Scenario 2
==========
-- LTM with an LTM policy configured.
-- The policy directs traffic to a node that is in a route domain.

Other
=====
Tunnel scenario's such as IPSec where client and encrypted traffic are in different route domains.

Impact:
Traffic is not sent to the node that is in a route domain.

The iRule 'node' method and/or LTM policy 'node' specification require a route_domain to be specified in order for the traffic to be sent to a node that is assigned to a route domain.

Workaround:
Specify the node along with Route Domain ID.

-- For iRules, change from this:
when HTTP_REQUEST {
 node 10.10.10.10 80
}

To this (assuming route domain 1):
when HTTP_REQUEST {
 node 10.10.10.10%1 80
}


-- For LTM policies, change from this:
actions {
    0 {
        forward
        select
        node 10.2.35.20
    }
}

To this (assuming route domain 1):
actions {
    0 {
        forward
        select
        node 10.2.35.20%1
    }
}

Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5


932485-5 : Incorrect sum(hits_count) value in aggregate tables

Links to More Info: BT932485

Component: Application Visibility and Reporting

Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.

Conditions:
-- Insert a very large amount of data (approximately 4.5 milliard or more) to one of AVR tables.
-- Review the value of the sum(hits_count) column.

Impact:
The system reports incorrect values in AVR tables when dealing with large numbers

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1


932137-7 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade

Links to More Info: BT932137

Component: Application Visibility and Reporting

Symptoms:
After upgrade, AFM statistics show non-relevant data.

Conditions:
BIG-IP system upgrade
-- Leftovers files remain in /shared/avr_afm partition from other versions.

Impact:
Non-relevant data are shown in AFM statistics.

Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5


932133-1 : Payloads with large number of elements in XML take a lot of time to process

Links to More Info: BT932133

Component: Application Security Manager

Symptoms:
ASM experiences high CPU and latency usage while processing a large XML request.

Conditions:
-- ASM provisioned
-- HTTP request with a large XML payload (several MB) is sent to the backend server which triggers the XML parser.

Impact:
High CPU and latency occurs while bd processes the payload. This may cause a bottleneck for different requests that arrive concurrently with the large XML payload request.

Workaround:
None

Fix:
This fix includes performance improvements for large XML payloads.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5


930393-2 : IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration

Links to More Info: BT930393

Component: TMOS

Symptoms:
-- IPsec tunnel does not start.
-- Remote IPsec networks unavailable.

Conditions:
-- Using IKEv1 and one of the following:
   + Performing an upgrade.
   + IPsec tunnel reconfiguration generally involving a change to, or addition of, a traffic-selector.

Impact:
IPsec tunnel is down permanently.

Workaround:
-- Reconfigure or delete and re-create the traffic selectors associated with the IPsec tunnel that does not start.

Special Notes:
-- This occurs rarely and does not happen spontaneously, without intentional changes (reconfiguration or upgrade).
-- A BIG-IP reboot or a restart of tmipsecd does not resolve this condition.
-- This symptom might also occur due to a genuine misconfiguration.
-- After major version upgrades, default ciphers can change, double-check the encryption and authentication ciphers for the tunnel.

Fixed Versions:
17.1.0, 16.1.4, 15.1.10


929913-3 : External DNS logging does not differentiate between: all src_IP, Per-SrcIP and Per-DstIP events

Links to More Info: BT929913

Component: Advanced Firewall Manager

Symptoms:
DNS logs on LTM side do not print the all src_IP, per-srcIP, etc.

Conditions:
-- DNS logging is enabled
-- A DNS flood is detected

Impact:
Some information related to DNS attack event is missing such as src_IP, Per-SrcIP and Per-DstIP events.

Fix:
DNS now logs all src_IP, Per-SrcIP and Per-DstIP events.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


929909-3 : TCP Packets are not dropped in IP Intelligence

Links to More Info: BT929909

Component: Advanced Firewall Manager

Symptoms:
When an IP address is added to IP Intelligence under Denial-Of_service Category at a global level, and a TCP flood with that IP address occurs, IP Intelligence does not drop those packets

Conditions:
TCP traffic on BIG-IP with IP Intelligence enabled and provisioned

Impact:
When adding an IP address to an IP Intelligence category, UDP traffic from that IP address is dropped, but TCP traffic is not dropped.

Fix:
When adding an IP address to an IP Intelligence category, both TCP and UDP traffic from that IP address is dropped.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1


929213-2 : iAppLX packages not rolled forward after BIG-IP upgrade

Links to More Info: BT929213

Component: Device Management

Symptoms:
Certain iAppLX packages are not rolled forward after a BIG-IP upgrade or restoring a UCS file generated from an affected system, and will be unavailable for use.

1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm

Conditions:
-> Installing any of the below iAppLX packages
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm

-> Performing an upgrade

-> Trying to access the LX packages from GUI by navigating to iApps -> Package Management LX

Impact:
After upgrading or restoring a UCS file generated from an affected system, the cloud-failover, service discovery, and telemetry iAppLX apps are not available for use, and will result in 404 error, while accessing them from GUI

Workaround:
The package needs to be uninstalled and installed again for use.

Steps:
-> From GUI, Navigate to iApps -> Package Management LX
-> select the package to uninstall and click on Uninstall
-> click on Import and provide the path of package to install again

Fix:
A new database key has been added, 'sys db iapplxrpm.timeout', which allows the RPM build timeout value to be increased.

sys db iapplxrpm.timeout {
    default-value "60"
    scf-config "true"
    value "60"
    value-range "integer min:30 max:600"
}

For example:

tmsh modify sys db iapplxrpm.timeout value 300

tmsh restart sys service restjavad

Increasing the db key and restarting restjavad should not be traffic impacting.

After increasing the timeout, the RPM build process that runs during a UCS save should be successful, and the resulting UCS should include the iAppsLX packages as expected.

Note: The maximum db key value of 600 may be needed in some cases.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4


929077-4 : Bot Defense allow list does not apply when using default Route Domain and XFF header

Links to More Info: BT929077

Component: Application Security Manager

Symptoms:
When configuring an IP address allow list in Bot Defense Profile, using a default Route Domain, and a request with an X-Forwarded-For header the request might not be added to the allow list.

Conditions:
-- Bot Defense Profile is attached to virtual server.
-- Bot Defense Profile has an IP address allow list configured.
-- Using default Route Domain.
-- Sending a request with X-Forwarded-For header.
-- Might require heavy traffic.

Impact:
Request from an IP address that is on the allow list is blocked.

Workaround:
Allow the IP address using an iRule.

Fix:
The system now sets the correct route domain, and IP addresses on the allow list are allowed.

Fixed Versions:
17.0.0, 16.1.4, 16.0.1.1, 15.1.3, 14.1.4


928997-3 : Less XML memory allocated during ASM startup

Links to More Info: BT928997

Component: Application Security Manager

Symptoms:
Smaller total_xml_memory is selected during ASM startup.

For example, platforms with 32GiB or more RAM should give ASM 1GiB of XML memory, but it gives 450MiB only. Platform with 16MiB should give ASM 450MiB but it gives 300MiB.

Conditions:
Platforms with 16GiB, 32GiB, or more RAM

Impact:
Less XML memory allocated

Workaround:
Use this ASM internal parameter to increase XML memory size.

additional_xml_memory_in_mb

For more details, refer to the https://support.f5.com/csp/article/K10803 article.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


926845-7 : Inactive ASM policies are deleted upon upgrade

Links to More Info: BT926845

Component: Application Security Manager

Symptoms:
Upon upgrade, active ASM policies are preserved, and inactive policies are deleted.

Conditions:
-- Configuration contains active and inactive ASM policies.
-- Upgrade the BIG-IP system to any later version.
-- You can check existing ASM policies in tmsh:
tmsh list asm policy

Impact:
Only the active ASM policies are preserved; the inactive policies are deleted.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


926341-5 : RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade

Links to More Info: BT926341

Component: Application Visibility and Reporting

Symptoms:
Unusually high AVR CPU utilization occurs following an upgrade.

Conditions:
-- BIG-IP software upgrade to v13.0.x or later.
-- Running AVR.

Impact:
AVR CPU utilization can be unusually high for an unusually long period of time.

Workaround:
After upgrade manually edit /etc/avr/avrd.cfg to decrease AVR CPU usage is high by increasing the time period of real-time statistics collection. In order to do so:
1. Change value of RtIntervalSecs in /etc/avr/avrd.cfg file to 30 or 60 seconds.
2. Restart the system by running the following command at the command prompt:
bigstart restart.

When changing RtIntervalSecs please take into consideration two important limitations:
-- Value of RtIntervalSecs cannot be less than 10.
-- Value of RtIntervalSecs must be 10 on BIG-IP devices that are registered on BIG-IQ DCD nodes.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.4, 14.1.4.4, 13.1.5


925469-2 : SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo

Links to More Info: BT925469

Component: TMOS

Symptoms:
When using the Certificate Order Manager to request new Multi-Domain certificate from the Sectigo Certificate Authority (CA), the request the BIG-IP sends is missing the field 'subjectAltName'.

Conditions:
-- Certificate Order Manager is configured to send requests to the Comodo/Sectigo CA.

-- Configure a new key with Subject Alternative Name (SAN).

Impact:
The BIG-IP system sends a request to the Sectigo CA that is missing the 'subjectAltName' field. That makes Certificate Order Manager not suitable for requesting Multi-Domain certificates.

Workaround:
There is no workaround other than not using Certificate Order Manager for Multi-Domain certificates.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


924945-5 : Fail to detach HTTP profile from virtual server

Links to More Info: BT924945

Component: Application Visibility and Reporting

Symptoms:
The virtual server might stay attached to the initial HTTP profile.

Conditions:
Attaching new HTTP profiles or just detaching an existing one.

Impact:
The virtual server stays attached to the former HTTP profile, meaning that the virtual server might be attached to a different HTTP profile than what the GUI displays. Configuration changes to the HTTP profile the GUI shows as attached are not reflected in the virtual server. For example, the new HTTP profile might enable XFF, but if the former attached profile does not enable it, the virtual server does not accept XFF.

Workaround:
Create new similar virtual server and attach it to the correct HTTP profile.

Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.3


923821-1 : Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack

Links to More Info: BT923821

Component: Application Security Manager

Symptoms:
When mitigated action is set to CSI followed by captcha for credential stuffing attack, captcha is not triggered even after successful CSI challenge.

Conditions:
1) Mitigated action is set to CSI followed by captcha for credential stuffing attack.
2) Credential stuffing attack occurs.
3) CSI challenge is success.

Impact:
Captcha is not triggered leading to less than configured mitigation action for credential stuffing attack.

Workaround:
None

Fix:
Captcha will now be triggered after successful CSI challenge.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


923221-8 : BD does not use all the CPU cores

Links to More Info: BT923221

Component: Application Security Manager

Symptoms:
Not all CPUs are utilized. The CPUs that are not loaded are those with ID greater than 31.

Conditions:
BIG-IP software is installed on a device with more than 32 cores.

Impact:
ASM does not use all of the available CPU cores.

Workaround:
Run the following commands from bash shell.

1. # mount -o remount,rw /usr

2. Modify the following file on the BIG-IP system:
   /usr/local/share/perl5/F5/ProcessHandler.pm
   
   Important: Make a backup of the file before editing.

3. Change this:
  ALL_CPUS_AFFINITY => '0xFFFFFFFF',

   To this:
  ALL_CPUS_AFFINITY => '0xFFFFFFFFFFFF',

4. # mount -o remount,ro /usr

5. Restart the asm process:
   # bigstart restart asm.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


922737-1 : TMM crashes with a sigsegv while passing traffic

Links to More Info: BT922737

Component: SSL Orchestrator

Symptoms:
TMM crashes with a sigsegv while passing traffic.

Conditions:
Virtual server with a Connector profile that redirects to an internal virtual server with service profile applied on the same BIG-IP system.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
None

Fixed Versions:
17.1.0, 16.1.4, 15.1.10


922413-8 : Excessive memory consumption with ntlmconnpool configured

Links to More Info: BT922413

Component: Local Traffic Manager

Symptoms:
OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client side connections. It holds HTTP authentication headers which is no longer necessary once a client is authenticated.

Conditions:
-- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles.
-- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections.

Impact:
The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing.

Workaround:
None.

Fix:
When an NTLM Conn Pool profile is attached to a virtual server, it no longer causes memory pressure on a large number connections with NTLM authentication.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


922185-3 : LDAP referrals not supported for 'cert-ldap system-auth'

Links to More Info: BT922185

Component: TMOS

Symptoms:
Admin users are unable to log in.

Conditions:
-- Remote LDAP auth enabled.
-- Administrative users are authenticated with the 'cert-ldap' source.
-- The admin user tries to log in.

Impact:
The cert-ldap authentication does not work, so login fails.

Workaround:
Manually edit the /etc/nslcd.conf and set the referrals to no.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5


922105-1 : Avrd core when connection to BIG-IQ data collection device is not available

Links to More Info: BT922105

Component: Application Visibility and Reporting

Symptoms:
When a BIG-IP system is configured to work with BIG-IQ but cannot connect due to network problems, avrd restarts itself every 10 minutes. During such restarts, a core is sometimes generated.

Conditions:
BIG-IP system is registered on BIG-IQ, but there is no network connectivity for any number of reasons.

Impact:
No impact since there is no network connectivity with BIG-IQ, and the data from the BIG-IP system cannot be sent anywhere.

Workaround:
Attempts to connect to BIG-IQ can be disabled manually by the following command:

tmsh modify analytics global-settings use-offbox disabled

Fix:
Avrd no longer cores when the connection to the BIG-IQ data collection device is not available.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5


921697-1 : Attack signature updates fail to install with Installation Error.

Links to More Info: BT921697

Component: Application Security Manager

Symptoms:
Installing a new Attack Signature Update (ASU) file on ASM/AWAF device that has large number of active policies can result in a failure due to memory exceptions. The following errors can be observed:

/var/log/ts/asm_config_server.log:
F5::ASMConfig::Handler::handle_error,,Code: 406 , Error message = Process size (232341504) has exceeded max size (200000000)

/var/log/asm
crit perl[19751]: 01310027:2: ASM subsystem error (apply_asm_attack_signatures ,F5::LiveUpdate::PayloadHandler::clean_fail): Fail load update files: TSocket: timed out reading 1024 bytes from n.n.n.n:9781

Conditions:
1. Adding and activating a large number of policies on a BIG-IP system configured with ASM/AWAF. It is not known exactly how many policies are required to encounter this, but it appears to be between 50 and 90 where this becomes a risk.

2. Installing a new ASU file

Impact:
The attack signature update fails.

Workaround:
Impact of workaround:
Performing this workaround requires restarting ASM, so it affects traffic processing briefly; therefore, it is recommended that you perform this during a maintenance window.

Increase 'max memory size' from the default ~200 MB (200000000) to 300 MB:

1. Take a backup of the original file.
# cp /etc/ts/tools/asm_config_server.cfg /var/tmp/asm_config_server.original.cfg

2. Add the following to the end of file /etc/ts/tools/asm_config_server.cfg:
# AsyncMaxMemorySize=314572800

3. Restart ASM.
# bigstart restart asm

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.6


921541-6 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.

Links to More Info: BT921541

Component: Local Traffic Manager

Symptoms:
The HTTP session initiated by curl hangs.

Conditions:
-- The problem occurs when the file to be compressed meets the following criteria:
-- The following platforms with Intel QAT are affected:
   + B4450N (A114)
   + i4000 (C115)
   + i10000 (C116/C127)
   + i7000 (C118)
   + i5000 (C119)
   + i11000 (C123)
   + i11000 (C124)
   + i15000 (D116)
-- File size to be compressed is less than compression.qat.dispatchsize.
-- File size to be compressed is one of specific numbers from this list: 65535, 32768, 16384, 8192, 4096.

Impact:
Connection hangs, times out, and resets.

Workaround:
Use software compression.

Fix:
The HTTP session hang no longer occurs.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


921441-4 : MR_INGRESS iRules that change diameter messages corrupt diam_msg

Links to More Info: BT921441

Component: Service Provider

Symptoms:
-- 'DIAMETER::host origin' command may not be set correctly.

There are errors in ltm/log:
err tmm[18562]: 014c0001:3: DIAMETER: hud_diam_handle error: Not found

Conditions:
-- Virtual server is configured with a diameter profile enabled with an ingress iRule, for example:

ltm rule Diameter - iRule {
  when MR_INGRESS {
    DIAMETER:: host origin "hostname.realm.example"
  }
}

-- Traffic arrives containing CER and ULR messages.

Impact:
Using the iRule to change the host origin corrupts the diameter message.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7


921365-2 : IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby

Links to More Info: BT921365

Component: TMOS

Symptoms:
IKE-SAs are deleted on standby BIG-IP systems after a failover.

Conditions:
-- High availability (HA) environment
-- Dead-peer detection (DPD) / liveness checks are enabled
-- An HA failover occurs

This is a timing issue and can occur intermittently during a normal failover.

Impact:
Some of the IKE-SAs are missing on the standby device. When a failover happens, IPsec traffic will be dropped for those missing SAs.

Workaround:
Set IKE DPD interval time to ZERO (i.e., disable).

Fix:
When the BIG-IP system is in standby mode, the system no longer retries sending IKE/IPSEC control messages, which prevents this issue from occurring.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4


921149-6 : After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy

Links to More Info: BT921149

Component: TMOS

Symptoms:
All Bandwidth Controller (BWC) stats are 0 (zero) even though traffic is passing.

Conditions:
-- A BWC policy is attached to a virtual server.
-- The virtual server with the attached BWC policy is modified.

Impact:
The system disassociates the BWC policy from the virtual server. Traffic is no longer throttled according to the policy rules.

Workaround:
To reattach the policy, detach the Bandwidth Controller policy from the virtual server, and then reapply it.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


920149-3 : Live Update default factory file for Server Technologies cannot be reinstalled

Links to More Info: BT920149

Component: Application Security Manager

Symptoms:
Live Update default factory file for Server Technologies cannot be reinstalled once it is no longer the currently installed update file.

Conditions:
This occurs:

-- Once another update file for Server Technologies has been installed (most likely, a newer file).
-- If the device has been upgraded from a prior release such that the currently installed Server Technologies file is from the previous release, and is not the default factory file for the current release.

Impact:
Live Update default factory file for Server Technologies cannot be reinstalled.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4


919357-8 : iControl REST hardening

Links to More Info: K22505850, BT919357


919301-1 : GTP::ie count does not work with -message option

Links to More Info: BT919301

Component: Service Provider

Symptoms:
The 'GTP::ie count' iRule command does not work with the -message option. The command fails with an error:

wrong # args: should be "-type <ie-path>"

Conditions:
Issue the 'GTP::ie count' command with -message command, for example:

GTP::ie count -message $m -type apn

Impact:
iRules fails and it could cause connection abort.

Workaround:
Swap order of argument by moving -message to the end, for example:

GTP::ie count -type apn -message $m

There is a warning message due to iRules validation, but the command works in runtime.

Fix:
'GTP::ie' count is now working with -message option.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


915981-4 : BIG-IP SCP hardening

Links to More Info: K38271531, BT915981


915773-7 : Restart of TMM after stale interface reference

Links to More Info: BT915773

Component: Local Traffic Manager

Symptoms:
An assert is reported in the logs:
panic: ../net/ifc.c:975: Assertion "ifc ref valid" failed.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4


913413-1 : 'GTP::header extension count' iRule command returns 0

Links to More Info: BT913413

Component: Service Provider

Symptoms:
The 'GTP::header extension count' iRule command always returns 0 (zero).

Conditions:
This is encountered when using 'GTP::header extension count' in an iRule.

Impact:
The command returns false information.

Workaround:
None

Fix:
'GTP::header extension count' command now returns number of header extension correctly.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


913409-1 : GTP::header extension command may abort connection due to unreasonable TCL error

Links to More Info: BT913409

Component: Service Provider

Symptoms:
When running "GTP::header extension" iRule command with some conditions, it may cause a TCL error and abort the connection.

Conditions:
Running "GTP::header extension" iRule command is used with some specific arguments and/or specific condition of GTP message

Impact:
TCL error log is shown and connection is aborted

Workaround:
None

Fix:
GTP::header extension command no longer abort connection due to unreasonable TCL error

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


913393-1 : Tmsh help page for GTP iRule contains incorrect and missing information

Links to More Info: BT913393

Component: Service Provider

Symptoms:
In the tmsh help page for the GTP iRule command, it contains incorrect and missing information for GTP::header and GTP::respond command.

Conditions:
When running "tmsh help ltm rule command GTP::header", information regarding GTP::header and GTP::respond iRule command may be incorrect or missing.

Impact:
User may not be able to use related iRule command properly.

Workaround:
None

Fix:
Tmsh help page for GTP iRule is updated

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


913085-6 : Avrd core when avrd process is stopped or restarted

Links to More Info: BT913085

Component: Application Visibility and Reporting

Symptoms:
When the avrd process is stopped or restarted, it fails with core before the exit. A core file with the name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in /shared/cores/ directory.

Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.

Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.

Workaround:
None.

Fix:
Avrd no longer cores when avrd process is stopped or restarted.

Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1


912945-3 : A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed

Links to More Info: BT912945

Component: Local Traffic Manager

Symptoms:
In a virtual configured with multiple client SSL profiles, the profile with ECDSA-signed cert is not selected even though its CN/SAN matching the SNI extension of ClientHello.

Conditions:
-- A virtual server with multiple client SSL profiles.
-- The SNI of,,lientHello does not match the 'server name' of any profile.
-- The cert in the profile is ECDSA-signed and its CN/SAN matches SNI extension of ClientHello.
-- That profile in is not selected.

Impact:
The incorrect client SSL profile is selected.

Workaround:
Configure the 'Server Name' option in the client SSL profile.

Fix:
Fixed an issue with client SSL profile selection.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4


912517-7 : Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured

Links to More Info: BT912517

Component: Local Traffic Manager

Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.

Conditions:
-- An LTM pool or pool members is configured to use an LTM database (MySQL, MSSQL, Oracle, or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.

Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.

Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).

Fix:
For BIG-IP versions prior to 17.0.0, a database monitor no longer marks pool member down if 'send' is configured but no 'receive' strings are configured.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


912253-2 : Non-admin users cannot run show running-config or list sys

Links to More Info: BT912253

Component: TMOS

Symptoms:
Lower-privileged users, for instance guests or operators, are unable to list the configuration in tmsh, and get an error:

Unexpected Error: Can't display all items, can't get object count from mcpd.

The list /sys or list /sys telemd commands trigger the following error:

01070823:3: Read Access Denied: user (oper) type (Telemd configuration).

Conditions:
User account with a role of guest, operator, or any role other than admin.

Impact:
You are unable to show the running config, or use list or list sys commands.

Workaround:
Logon with an account with admin access.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1


912149-7 : ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476'

Links to More Info: BT912149

Component: Application Security Manager

Symptoms:
The system exhibits various symptoms related to sync and control plane, and reports errors similar to the following:

/var/log/:

asm:
-- (asm_config_server.pl,F5::Cgc::Channel::send): Failed to send a message, error:15638476.

ts_debug.log:
-- |ZEROMQ|May 21 23:27:31.840|24813|25914|25914|epoll.cpp:0060|~epoll_t()|(zmq_assert) Assertion failed: load.get () == 0

Conditions:
-- Two devices in a sync-failover/sync-only device group.
-- Other conditions required to reproduce this issue are under investigation.

Note: The occurrences of the Cgc::Channel message in the /var/log/ and /var/log/ts/asm_config_server logs are the most reliable indicator of this issue.

Impact:
-- Config-sync does not work, resulting in a different configuration among the devices in a sync group.

-- Security log profile changes are not propagated to other devices.

-- Portions of the GUI hang, e.g.: Security module tab, and 'security' menu under virtual server.

-- Policies with learning enabled do not generate learning suggestions.

Workaround:
Restart asm_config_server on the units in the device group.

# pkill -f asm_config_server

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


911585-5 : PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval

Links to More Info: BT911585

Component: Policy Enforcement Manager

Symptoms:
PEM sessions go to a stale state and the Credit Control Request (CCRi) is not sent.

Conditions:
-- PEM is configured and passing normal PEM traffic.
-- Using BIG-IP Virtual Edition (VE)

Impact:
Session is not established.

Workaround:
None.

Fix:
Enhanced application to accept new sessions under problem conditions.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


911141-1 : GTP v1 APN is not decoded/encoded properly

Links to More Info: BT911141

Component: Service Provider

Symptoms:
GTP v1 APN element was decoded/encoded as octetstring and Only GTP v2 APN element is decoded/encoded as DNS encoding.

Conditions:
- GTP version 1.
- APN element.

Impact:
iRules become more complex when dealing with GTP v1 APN element, as it may need to convert between octetstring and dotted style domain name value after decoding or before encoding the data.

Workaround:
Use iRules to convert between octetstring and dotted style domain name values.

Fix:
GTP version 1 APN information element is now decoded/encoded as DNS encoding.

Behavior Change:
GTP v1 apn element is now decoded/encoded using DNS-like encoding. Previously, it was decoded/encoded as octetstring.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


910673-6 : Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM'

Links to More Info: BT910673

Component: Local Traffic Manager

Symptoms:
Thales installation script fails with error message.

ERROR: Could not reach Thales HSM "<ip>". Make sure the HSM IP address is correct and that the HSM is accessible to the BIG-IP.

Conditions:
This occurs when the ICMP ping is blocked between the BIG-IP system and netHSM.

Impact:
Thales/nCipher NetHSM client software installation fails.

Workaround:
Unblock ICMP ping between the BIG-IP system and netHSM.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1


910213-7 : LB::down iRule command is ineffective, and can lead to inconsistent pool member status

Links to More Info: BT910213

Component: Local Traffic Manager

Symptoms:
Use of the LB::down command in an iRule may not have the desired effect, or may result in pool members that are down for load balancing, but indicate up/available in the GUI and CLI.

Specifically, the pool member is marked down within the tmm instance executing the iRule, but the status change is not updated to mcpd, or to other tmm instances.

As a result, the message 'Pool /Common/mypool member /Common/1.1.1.1:80 monitor status iRule down' does not appear in the log, and the status of the pool member is not updated when viewed in the GUI or via 'tmsh show ltm pool xxxx members'.

Note: If [event info] is logged in the LB_FAILED event, it will indicate that the load balancing decision failed due to "connection limit"

Conditions:
Using the LB::down command in an iRule.

Impact:
Because mcpd believes the pool member to be up, it does not update tmm's status, so tmm continues to regard it as down indefinitely, or until a monitor state change occurs.

If the LB::down command is used on all members of a pool, the affected tmms cannot load balance to that pool, even though the GUI/tmsh indicate that the pool has available members.

Because pool member status is stored on per-tmm basis and incoming connections are distributed across tmms using a hash, this can lead to apparently inconsistent results, where some traffic (traffic hitting a particular tmm) is rejected with an RST cause of 'No pool member available'.

Workaround:
- Delete and recreate affected pool members
(or) Restart tmm
(or) Restart the BIG-IP.

There is no direct workaround, but the use of an inband monitor instead of the LB::down command may be effective. You must tune the inband monitor's settings to values consistent with the desired behavior.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


909161-1 : A core file is generated upon avrd process restart or stop

Links to More Info: BT909161

Component: Application Visibility and Reporting

Symptoms:
Sometime when avrd process is stopped or restarted, a core is generated.

Conditions:
Avrd process is stopped or restarted.

Impact:
Avrd creates a core file but there is no other negative impact to the system.

Workaround:
None

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


907549-6 : Memory leak in BWC::Measure

Links to More Info: BT907549

Component: TMOS

Symptoms:
Memory leak in BWC calculator.

Conditions:
When the HSL log publisher is attached to the BWC::Measure instance in the Bandwidth policy.

Impact:
A memory leak occurs.

Workaround:
None.

Fix:
Memory is not leaked.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.0.5, 14.1.5


907025-5 : Live update error" 'Try to reload page'

Links to More Info: BT907025

Component: Application Security Manager

Symptoms:
When trying to update Attack Signatures. the following error message is shown:

Could not communicate with system. Try to reload page.

Conditions:
Insufficient disk space to update the Attack Signature.

Impact:
Live Update unable to restore the database during startup. Device runs out of disk space, which leads to failure in writing live update hsqldb log file. The liveupdatedb.script file, which is based on the .log file, is truncated and missing necessary settings in order to initialize the live update database.

Workaround:
This following procedure restores the database to its default, initial state:

1. Remove the sigfile.tmp.* directories under /var/ts/var/tmp.

2. Delete the script:
delete /var/lib/hsqldb/live-update/liveupdatedb.script

3. Create a new script:
create new /var/lib/hsqldb/live-update/liveupdatedb.script.

4. Add the following lines to create the live update database schema and set the SA user as expected:

 CREATE SCHEMA PUBLIC AUTHORIZATION DBA
 CREATE MEMORY TABLE AVAILABILITY(ID VARCHAR(255) NOT NULL,ERRORMESSAGE VARCHAR(255),LASTCHECKDATETIME BIGINT,LASTCHECKUPDATEFILE VARCHAR(255),STATUS VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT AVAILABILITY_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE INSTALLSCHEDULE(ID VARCHAR(255) NOT NULL,APPLYATALLTIMES BOOLEAN,APPLYONALLDAYS BOOLEAN,APPLYONFRIDAYS BOOLEAN,APPLYONMONDAYS BOOLEAN,APPLYONSATURDAYS BOOLEAN,APPLYONSUNDAYS BOOLEAN,APPLYONTHURSDAYS BOOLEAN,APPLYONTUESDAYS BOOLEAN,APPLYONWEDNESDAYS BOOLEAN,ENDTIME VARCHAR(255),FREQUENCY VARCHAR(255),STARTTIME VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT INSTALLSCHEDULE_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE UPDATEFILE(ID VARCHAR(255) NOT NULL,CREATEDATETIME BIGINT,FILELOCATION VARCHAR(255),FILENAME VARCHAR(255),ISFILEAVAILABLE BOOLEAN,ISFILEMANUALLYUPLOADED BOOLEAN,ISGENESIS BOOLEAN,MD5 VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT UPDATEFILE_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE INSTALLATION(ID VARCHAR(255) NOT NULL,ADDEDENTITIESCOUNT INTEGER,DELETEDENTITIESCOUNT INTEGER,ERRORMESSAGE VARCHAR(255),LASTREADMEFILENAME VARCHAR(255),LASTUPDATEMICROS BIGINT,LOADDATETIME BIGINT,MODIFIEDENTITIESCOUNT INTEGER,README VARCHAR(500000),STATUS VARCHAR(255),"TYPE" VARCHAR(255),UPDATEFILE_ID_OID VARCHAR(255),CONSTRAINT INSTALLATION_PK PRIMARY KEY(ID),CONSTRAINT INSTALLATION_FK1 FOREIGN KEY(UPDATEFILE_ID_OID) REFERENCES UPDATEFILE(ID))
 CREATE INDEX INSTALLATION_N49 ON INSTALLATION(UPDATEFILE_ID_OID)
 CREATE MEMORY TABLE INSTALLATION_DELETEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_DELETEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_DELETEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_DELETEDENTITYLIST_N49 ON INSTALLATION_DELETEDENTITYLIST(ID_OID)
 CREATE MEMORY TABLE INSTALLATION_MODIFIEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_MODIFIEDENTITYLIST_N49 ON INSTALLATION_MODIFIEDENTITYLIST(ID_OID)
 CREATE MEMORY TABLE INSTALLATION_ADDEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_ADDEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_ADDEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_ADDEDENTITYLIST_N49 ON INSTALLATION_ADDEDENTITYLIST(ID_OID)
 CREATE USER SA PASSWORD ""
 GRANT DBA TO SA
 SET WRITE_DELAY 20
 SET SCHEMA PUBLIC

5. Restart the tomcat process:
bigstart restart tomcat

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5


906273-1 : MCPD crashes receiving a message from bcm56xxd

Links to More Info: BT906273

Component: TMOS

Symptoms:
Under rare circumstances, the Broadcom switch daemon bcm56xxd, can send more then one message at a time to MCPD.
This can cause MCPD to either fail immediately or have it hang and be terminated by sod 5 minutes later.

One of the messages being sent is in response to a link status change. The second message is a reply to a query, for instance a query for l2 forward statistics.

Conditions:
- BIG-IP with a Broadcom switch.
- Link status change is available.
- MCPD sends a query to bcm56xxd, that is, for l2 forward statistics.

Impact:
MCPD failure and restarts causing a failover.

Workaround:
None

Fix:
The Broadcom switch daemon bcm56xxd will not send more then one message to MCPD at a time.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


905937-8 : TSIG key value logged in plaintext in log

Links to More Info: K98334513, BT905937


904661-4 : Mellanox NIC speeds may be reported incorrectly on Virtual Edition

Links to More Info: BT904661

Component: TMOS

Symptoms:
Speeds for Mellanox NICs on BIG-IP Virtual Edition may be reported incorrectly. The behavior varies depending on what driver is in use:
- Speeds are always reported as 10G when the mlxvf5 driver is used, regardless of the actual speed of the interface.
- Speeds are reported as either 10G or 40G when the xnet driver is used. This is accurate unless the actual NIC speed is greater than 40G, in which is it will still be reported as 40G.

Conditions:
-- BIG-IP Virtual Edition
-- Using a Mellanox NIC with the mlxvf5 or xnet driver

Impact:
Possibly incorrect media speed reported. (Actual speed is correct, regardless of what is displayed.)

Fixed Versions:
17.1.0, 16.1.4


903313-4 : OWASP page: File Types score in Broken Access Control category is always 0.

Links to More Info: BT903313

Component: Application Security Manager

Symptoms:
Under Broken Access Control category, the contribution of Disallowed File Types seems to be 0 no matter what is the number of Disallowed File Types in policy. As a result, it is not possible to reach full compliance.

Conditions:
Security Policy is configured. Not Applicable for parent or child policy.

Impact:
For any OWASP configurable policy (i.e. not parent or child policy), the policy cannot reach the maximum score for Broken Access Control category

Fixed Versions:
17.0.0, 16.1.4


902377-4 : HTML profile forces re-chunk even though HTML::disable

Links to More Info: BT902377

Component: Local Traffic Manager

Symptoms:
HTML profile performs a re-chunk even though HTML::disable has been executed in the HTTP_RESPONSE event.

Conditions:
Using HTML::disable in an HTTP_RESPONSE event.

Impact:
The HTML profile still performs a re-chunk.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1


901669-6 : Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change.

Links to More Info: BT901669

Component: TMOS

Symptoms:
-- The 'tmsh show cm failover-status' command shows a status of 'Error' when the command is run on a peer of a device that underwent a management IP address change.

-- Should the sod_tg_conn_stat or sod_tg_msg_stat tmstat tables be inspected using the tmctl command, the tables show stale information in the entry_key column.

Note: Additionally, in certain cases, it is possible for failover functionality to be broken after the management IP address change, meaning devices remain stuck in an improper Active/Active or Standby/Standby state. This further aspect of the issue is tracked under ID999125. This ID tracks only the cosmetic defect.

Conditions:
-- Two or more devices in a sync-failover device-group.
-- The management IP address is changed on one of the devices.

The error appears under either of these conditions:
-- The 'tmsh show cm failover-status' is run on a peer of the device that underwent the management IP address change.
-- The sod_tg_conn_stat or sod_tg_msg_stat tmstat tables are inspected using the tmctl command.

Impact:
The 'tmsh show cm failover-status' command indicates an error.

Workaround:
You can work around this issue by running the following command on the peers of the device which underwent a management IP address change:

tmsh restart sys service sod

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


898929-6 : Tmm might crash when ASM, AVR, and pool connection queuing are in use

Links to More Info: BT898929

Component: Local Traffic Manager

Symptoms:
TMM crashes and generates a core file.

Conditions:
-- System is provisioned for at least ASM, AVR, and LTM.
-- An LTM pool is configured to use connection queuing.
-- The LTM pool is used on a virtual server with an analytics profile.

Impact:
Tmm might crash. Traffic disrupted while tmm restarts.

Workaround:
Disable connection queuing on the pool.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5


896941 : Common Criteria ccmode script updated

Links to More Info: BT896941

Component: TMOS

Symptoms:
Configuration of SSH must be done to support Common Criteria compliance. This is currently done by following instructions in the Common Criteria Guidance Document.

Conditions:
Common Criteria compliance configuration.

Impact:
This update automates the SSH configuration.

Workaround:
Continue to follow Common Criteria Guidance document instructions for SSH configuration.

Fix:
Added SSH configuration to meet Common Criteria requirements.

Fixed Versions:
17.0.0, 16.1.3


895557-5 : NTLM profile logs error when used with profiles that do redirect

Links to More Info: BT895557

Component: Local Traffic Manager

Symptoms:
As of BIG-IP version 14.1, HTTP iRule commands that inspect HTTP state after the commands HTTP::respond, HTTP::redirect, and HTTP::retry returns errors instead of returning corrupt data (https://support.f5.com/csp/article/K23237429).

When the NTLM profile is configured, it does the same through a built-in TCL rule where among several things, it tries to check if HTTP::cookie exists. If a profile like HTTP exists wherein a redirect/respond/retry is configured, it results in a TCL error informing the admin that they are accessing an invalid HTTP state.

Conditions:
-- NTLM profile is configured alongside HTTP profile
-- One of the redirect/respond/retry commands has been executed before the NTLM profile accesses the state of HTTP (for ex. HTTP::collect, HTTP::close, HTTP::cookie, etc.).

Impact:
Tcl error is seen in /var/log/ltm informing the admin that the iRule operation executed after HTTP::redirect/retry/respond is not supported.

For example -
TCL error: _plugin_rule_/Common/ntlm_default_iis <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::cookie exists [PROFILE::ntlm insert_cookie_name]"

Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.2


890917-8 : Performance may be reduced while processing SSL traffic

Links to More Info: K56412001, BT890917


890169-4 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.

Links to More Info: BT890169

Component: Application Security Manager

Symptoms:
When a URL starts with double slashes (i.e. "http://HOST//path"), and Bot Defense Profile decides to perform simple redirect, the request results with loading failure.

Conditions:
-- Bot Defense profile on blocking mode (or "Verification and Device-ID Challenges in Transparent Mode" is enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.

Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.

Workaround:
None.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


889813-3 : Show net bwc policy prints bytes-per-second instead of bits-per-second

Links to More Info: BT889813

Component: TMOS

Symptoms:
The 'tmsh show net bwc policy' is printing out bits-per-second in the value field, but the name field says 'bytesPerSec'.

Conditions:
Running the tmsh command:
tmsh show net bwc policy

Impact:
The stats are in bits-per-second, but the label says bytesPerSec. Although there is no functional impact, the incorrect label could cause confusion.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.4, 15.1.10, 14.1.4.5


889605-2 : iApp with Bot profile is unavailable if application folder includes a subpath

Links to More Info: BT889605

Component: iApp Technology

Symptoms:
iApp with Bot profile is unavailable if the application folder includes a subpath. If the subpath is not present then iApp with bot profile is available.

Conditions:
1) Create default "Bot Protection" or "Web Application Comprehensive Protection" with an enabled "Bot Defense" use case in WGC without a virtual server.
2) Go to "iApps >> Application Services: Applications" and refer to the created iApp.

Impact:
iApp cannot be loaded when tried to open through iApps >> Applications view in TMUI.

Workaround:
View the configuration created from Guided configuration as mentioned: iApps >> Application Services >> Applications LX menu

Fix:
Open the iApps >> Applications view in TMUI and load the iApp.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


888765-2 : After upgrading from 13.1.0 to 15.1.0.1 CGNAT is deprovisioned and tmm is restarted by reloaded config from text files

Links to More Info: BT888765

Component: TMOS

Symptoms:
After upgrading, CGNAT is de-provisioned and tmm is restarted after config load.

Conditions:
- CGNAT provisioned prior to upgrade
- Upgrade from 13.1.0 to 15.1.0.1 and reboot

Impact:
-- CGNAT is de-provisioned
-- Tmm restarts

Workaround:
After upgrading, re-provision CGNAT:

tmsh modify sys provision cgnat level <level>
tmsh save sys config

Fixed Versions:
16.1.4


888289-8 : Add option to skip percent characters during normalization

Links to More Info: BT888289

Component: Application Security Manager

Symptoms:
An attack signature is not detected.

Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.

Impact:
An attack goes undetected.

Workaround:
Turn on the bad unescape violation or the metacharacter violation.

Fix:
Added an internal parameter, normalization_remove_percents. Its default is 0 (zero), meaning that the previous behavior is maintained. When enabled, the normalization of the data before running the signature removes the percent characters (as it does to high ASCII and space characters).

Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1


887117-4 : Invalid SessionDB messages are sent to Standby

Links to More Info: BT887117

Component: TMOS

Symptoms:
SessionDB messages sent from Active to Standby are dropped due to inconsistencies detected in the message. You see logs in /var/log/ltm:

SessionDB ERROR: received invalid or corrupt HA message; dropped message.

Conditions:
-- High availability (HA) pair configuration.
-- SessionDB messages sent from Active to Standby.

Impact:
Standby drops these messages

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4.1


886649-5 : Connections stall when dynamic BWC policy is changed via GUI and TMSH

Links to More Info: BT886649

Component: TMOS

Symptoms:
Connections stall when dynamic BWC policy is changed via GUI and TMSH.

Conditions:
Issue is seen when you have a dynamic bandwidth control policy configured, and you make a change to the policy via the GUI and TMSH.

Impact:
Connection does not transfer data.

Workaround:
Restart TMM. Delete the relevant configuration, create a new configuration, and apply it.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1


886533-5 : Icap server connection adjustments

Links to More Info: BT886533

Component: Application Security Manager

Symptoms:
Request getting to the ICAP server takes a long time to process (several seconds), which makes the whole transaction slower than expected. When testing the connection to the ICAP server itself, you determine that it is fast.

Conditions:
This happens especially with large file uploads that are mixed with smaller file uploads. The smaller uploads are waiting for the bigger upload.

Impact:
Slow responses to specific requests.

Workaround:
None.

Fix:
This release provides greater responsiveness of the internal queue to the ICAP thread.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


885765-1 : ASMConfig Handler undergoes frequent restarts

Links to More Info: BT885765

Component: Application Security Manager

Symptoms:
Under some settings and load the RPC handler for the tsconfd process restarts frequently.

Conditions:
When processing a large number of configuration updates.

Impact:
The RPC handler for the tsconfd process restarts frequently, causing unnecessary churn and noisy logs

Workaround:
None

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5


884945-1 : Latency reduce in case of empty parameters.

Links to More Info: BT884945

Component: Application Security Manager

Symptoms:
Traffic load with many empty parameters may lead to increased latency.

Conditions:
Sending requests with many empty parameters

Impact:
Traffic load with many empty parameters may cause increased latency through the BIG-IP system.

Workaround:
None

Fix:
Ignore empty parameters

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


884541-9 : Improper handling of cookies on VIPRION platforms

Links to More Info: K29141800, BT884541


883049-9 : Statsd can deadlock with rrdshim if an rrd file is invalid

Links to More Info: BT883049

Component: Local Traffic Manager

Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs "tmsh show sys memory'.

You may see errors:

-- err statsd[5005]: 011b0600:3: Error ''/var/rrd/endpisession' is too small (should be 15923224 bytes)' during rrd_update for rrd file '/var/rrd/endpisession'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/endpisession'.

Conditions:
Truncation of a binary file in /var/rrd.

Impact:
Stats are no longer collected. Statsd and rrdshim deadlock.

Workaround:
Remove the truncated file and restart statsd:
bigstart restart statsd

Fix:
Now detecting and rectifying truncation of RRD files.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


882709-6 : Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors

Links to More Info: BT882709

Component: TMOS

Symptoms:
Traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor.

This may manifest as traffic failing after an upgrade from earlier (unaffected) software versions.

Note: This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored.

This is due to an interoperability issue between RedHat Enterprise Linux (RHEL) and Microsoft Hyper-V, which seems to affect RHEL v7.3 and RHEL v7.5.

Hyper-V on Windows Server 2016 and Windows Server 2012 do not seem to identify the version of the built-in LIS correctly on Centos 7.3 or Centos 7.5 (which are built on RHEL 7.3 and RHEL 7.5 respectively).

Although there is a statement of support by Microsoft for VLAN tagging on RHEL 7.3 and 7.5 when running on Hyper-V, that functionality does not appear to work at present: Supported CentOS and Red Hat Enterprise Linux virtual machines on Hyper-V :: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/Supported-CentOS-and-Red-Hat-Enterprise-Linux-virtual-machines-on-Hyper-V.

Conditions:
-- BIG-IP VE is deployed on a Hyper-V hypervisor.
-- VLAN configured in BIG-IP VE with tagged interfaces, e.g.:

    net vlan external {
        interfaces {
            1.1 {
                tagged
            }
        }
        tag 4000
    }

-- At present, VLAN tagging on the v14.x and v15.x releases does not work because those releases are running on CentOS 7.3 and 7.5 respectively, which both are affected by the MS/RHEL interoperability issue.

-- BIG-IP v12.x and v13.x use a different (older) CentOS version, so VLAN tagging works without issue on those releases.

Impact:
-- The system does not prevent you from configuring tagged VLANs, even though they do not pass traffic.

-- Although upgrades complete and you can reboot into the new boot location (or you can set up on Hyper-V from scratch), traffic does not pass (into the guest) across VLANs that are tagged.

Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to elect to postpone upgrading from a working, v12.x and v13.x release.

Workaround:
Essentially, there is no workaround in this release; you must reconfigure the virtual machine to use separate, untagged interfaces for each VLAN.

Note: Although this is technically a problem between Hyper-V and the built-in LIS on RHEL 7.3/7.5, this issue is being tracked internally in this bug.

Behavior Change:
In this release, traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor.

This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored.

Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to elect to postpone upgrading from a working, v12.x and v13.x release.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1


881809-8 : Client SSL and Server SSL profile hardening

Links to More Info: K31523465, BT881809


881085-4 : Intermittent auth failures with remote LDAP auth for BIG-IP managment

Links to More Info: BT881085

Component: TMOS

Symptoms:
There are intermittent auth failures when accessing the BIG-IP administration interfaces via SSH or the GUI.

Conditions:
-- Remote LDAP auth is configured.
-- An idle timeout RST is received on the LDAP connection before the configured auth LDAP idle-timeout expires. This RST might be generated by tmm (if the connection to the LDAP server is via a defined VLAN), some other intervening device on the network, or from the LDAP server itself (depending on its connection time limit).

Impact:
There might be intermittent remote-auth failures.

Workaround:
Set the auth ldap idle-timeout to a smaller value, for example, via tmsh:
modify auth ldap system-auth idle-timeout 299

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5


878641-3 : TLS1.3 certificate request message does not contain CAs

Links to More Info: BT878641

Component: Local Traffic Manager

Symptoms:
TLS1.3 certificate request message does not include CAs
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4

Conditions:
TLS1.3 and client authentication

Impact:
The Advertised Certificate Authorities option on Client SSL profiles does not function when TLS 1.3 is selected

Fix:
Certificate request message now may contain CAs

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


876677-2 : When running the debug version of TMM, an assertion may be triggered due to an expired DNS lookup.

Links to More Info: BT876677

Component: Global Traffic Manager (DNS)

Symptoms:
When running the debug version of TMM, if a particular DNS lookup takes more than 30 seconds, TMM may assert with a message in the /var/log/tmm file similar to the following example:

notice panic: ../modules/hudfilter/3dns/cache_resolver.c:2343: Assertion "standalone refcnt must be one" failed.

Conditions:
-- Using the debug TMM
-- Using the RESOLV::lookup iRule command
-- The DNS server targeted by the aforementioned command is running slowly or malfunctioning

Impact:
TMM crashes and, in redundant configurations, the unit fails over.

Workaround:
Do not use the debug TMM.

Fix:
The debug assert was removed and replaced by a debug log.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1


876569-2 : QAT compression codec produces gzip stream with CRC error

Links to More Info: BT876569

Component: Local Traffic Manager

Symptoms:
When an HTTP compression profile is enabled on BIG-IP platforms with Intel QuickAssist Technology (Intel QAT) compression accelerators, gzip errors are produced.

Conditions:
This occurs when the following conditions are met:

-- The following platforms with Intel QAT are affected:
   + 4450 blades
   + i4600/i4800
   + i10600/i10800
   + i7600/i7800
   + i5600/i5800
   + i11600/i11800
   + i11400/i11600/i11800
   + i15600/i15800

-- The compression.qat.dispatchsize variable is set to any of the following values:
   + 65535
   + 32768
   + 16384
   + 8192

-- The size of the file being compressed is a multiple of the compression.qat.dispatchsize value, for exampld:

   + 65355*32768
   + 8192*32768

Impact:
Clients cannot decompress the compressed file because there is an invalid gzip footer.

Workaround:
Disable hardware compression and use software compression.

Fix:
The system now handles gzip errors seen with QAT compression.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


874941-4 : HTTP authentication in the access policy times out after 60 seconds

Links to More Info: BT874941

Component: Access Policy Manager

Symptoms:
HTTP authentication in the access policy times out after 60 seconds, where previously, the timeout was 90 seconds.

Conditions:
Encountering the timeout of HTTP authentication in the access policy in this version of the software.

Impact:
HTTP authentication times out 30 seconds earlier than it did in previous versions. There is no way to configure this timeout value, so authentication fails for operations that require greater than 60 seconds to complete.

Workaround:
None.

Fix:
Added options to configure the HTTP connection and request timeouts in HTTP authentication.

1. A db key to configure Connection Timeout for HTTP Server configuration:

+[APM.HTTP.ConnectionTimeout]
+default=10
+type=integer
+min=0
+max=300
+realm=common
+scf_config=true
+display_name=APM.HTTP.ConnectionTimeout


2. A db key to configure Request Timeout for HTTP Server configuration:

+[APM.HTTP.RequestTimeout]
+default=60
+type=integer
+min=0
+max=600
+realm=common
+scf_config=true
+display_name=APM.HTTP.RequestTimeout

Behavior Change:
Added db variables APM.HTTP.ConnectionTimeout and APM.HTTP.RequestTimeout as options to configure the HTTP connection and request timeouts in HTTP authentication.

The APM.HTTP.ConnectionTimeout defaults to 10 seconds, and the APM.HTTP.RequestTimeout defaults to 60 seconds.

Note: These defaults are the same as the values in earlier releases, so there is no effective functional change in behavior.

Fixed Versions:
16.1.2.2, 15.1.6.1, 14.1.5


873617-1 : DataSafe is not available with AWAF license after BIG-IP startup or MCP restart.

Links to More Info: BT873617

Component: Fraud Protection Services

Symptoms:
DataSafe is not available with an AWAF license.

Conditions:
-- AWAF license
-- BIG-IP startup or MCP restart

Impact:
DataSafe is not available.

Workaround:
Reset to default license.antifraud.id variable.
tmsh modify sys db license.antifraud.id reset-to-default.

Fix:
Additional DataSafe license validation during MCP startup after license information is loaded.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


858005-1 : When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:"

Links to More Info: BT858005

Component: Access Policy Manager

Symptoms:
APM Access Policy evaluation failed.

Conditions:
When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces there is no configuration error but runtime evaluation results in failure with error message in /var/log/apm:
"Rule evaluation failed with error:"

Impact:
APM end user’s session cannot be established.

Workaround:
Using APM VPE remove all leading/trailing spaces from config of “IP Subnet Match” agent

Fix:
This issue is fixed by trimming spaces from IP Subnet Match agent config in VPE

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


854129-6 : SSL monitor continues to send previously configured server SSL configuration after removal

Links to More Info: BT854129

Component: In-tmm monitors

Symptoms:
After an SSL profile has been removed from a monitor, a monitor instance continues to use settings from the previously-configured server SSL profile, such as client certificate or ciphers or supported TLS versions.

Conditions:
-- In-TMM monitors enabled.
-- SSL monitor configured with a server SSL profile.
-- Setting the monitor's 'SSL Profile' parameter to 'none'.

Impact:
The previously configured settings, such as certificate or cipher, continue to be used for monitoring pool members, which may result in unexpected health check behavior/pool member status.

Workaround:
An administrator can avoid this issue by ensuring the monitor's 'SSL Profile' parameter specifies a profile (i.e., is not 'none').

Note: In some software versions, changing a monitor's SSL profile from one profile to a different profile may not take effect. For information about this behavior, see https://cdn.f5.com/product/bugtracker/ID912425.html

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


851121-6 : Database monitor DBDaemon debug logging not enabled consistently

Links to More Info: BT851121

Component: Local Traffic Manager

Symptoms:
Debug logging in the database monitor daemon (DBDaemon) for database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle) is enabled on a per-monitor basis.
When a ping is initiated for a particular monitor with debug logging enabled in the monitor configuration, debug logging in DBDaemon is enabled.
When a ping is initiated for a particular monitor with debug logging disabled in the monitor configuration, debug logging in DBDaemon is disabled.
When monitoring database pool members with a mix of monitors with debug logging enabled versus disabled, the result can be that debug logging in DBDaemon is enabled and disabled at times which do not correspond to all actions related to a specific database monitor, or pool members monitored by that monitor.
In addition, debug messages logging internal DBDaemon state related to the management of the full collection of monitored objects, active threads, and other may not be logged consistently.

Conditions:
-- Using multiple database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle).
-- Enabling debug logging on one or more database health monitors, but not all.

Debug logging for database health monitors is enabled by configuring the "debug" property of the monitor with a value of "yes".
Debug logging is disabled by configuring the "debug" property with a value of "no" (default).

# tmsh list ltm monitor mysql mysql_example debug
ltm monitor mysql mysql_example {
    debug yes
}

Impact:
Logging of database monitor activities by DBDaemon may be inconsistent and incomplete, impeding efforts to diagnose issues related to database health monitors.

Workaround:
When attempting to diagnose database health monitor issues with DBDaemon debug logging, enable debug logging for ALL database monitors currently in use.
Once diagnostic data collection is completed, disable debug logging for all database monitors currently configured/in use.

Fix:
DBDaemon debug logging can now be enabled globally to facilitate diagnosing database health monitor issues.
DBDaemon debug logging can be enabled globally by creating the following touch file:
-- /var/run/DBDaemon.debug
DBDaemon global debug logging can be disabled by removing or unlinking the above touch file.
Creating or removing the above touch file has immediate effect.
This mechanism enables/disables DBDaemon debug logging globally for all instances of DBDaemon which may be running under different route domains.

In addition, when debug logging is enabled for a specific database monitor (Microsoft SQL, MySQL, PostgreSQL, Oracle), DBDaemon accurately logs all events for that monitor. The per-monitor debug logging is enabled independent of the global DBDaemon debug logging status.

The timestamps in DBDaemon logs (/var/log/DBDaemon-*.log*) are now written using the local timezone configured for the BIG-IP system.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


850141-2 : Possible tmm core when using Dosl7/Bot Defense profile

Links to More Info: BT850141

Component: Application Security Manager

Symptoms:
Tmm crashes.

Conditions:
-- Dosl7/Bot defense profile is attached to a virtual server
-- A request is sent with a trusted bot signature and requires a rDNS.
-- An asynchronous iRule is attached to the virtual server

OR:
-- Device ID feature is enabled, and the current request requires a complex Device ID generation.
-- The connection is closed before the response arrives.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


849029-7 : No configurable setting for maximum entries in CRLDP cache

Links to More Info: BT849029

Component: Access Policy Manager

Symptoms:
There is no setting provided to configure maximum entries the in CRLDP cache.

Conditions:
In a configuration with tens of thousands of CRLDP and hundreds of thousands or millions of certificates, certain operations might encounter an internal limit, resulting in a number of revoked certificates.

Impact:
No settings exist. Cannot set maximum entries in CRLDP cache.

Workaround:
None.

Fix:
There is now a setting for configuring maximum entries in CRLDP cache.

Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.4.4


844045-4 : ASM Response event logging for "Illegal response" violations.

Links to More Info: BT844045

Component: Application Security Manager

Symptoms:
Response log is not available when the request is legal but returns an illegal response status code.
In ASM, logging profiles allow the logging of all blocked responses. The existing response logging allows either all requests or illegal requests only which does not contain response logging data.

Conditions:
-- Response logging is enabled
-- An illegal response occurs

Impact:
Response logging does not occur.

Workaround:
N/A

Fix:
When a response has ASM response violations and response logging is enabled only for when there was a violation, ASM includes the response in the log.

Added an internal variable:
disable_illegal_response_logging -- default value 0.

If the response logging is enabled in the GUI, only the response logs are captured.
If the variable disable_illegal_response_logging is set to 1, then response logging is disabled(even if enabled in GUI).

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


842425-6 : Mirrored connections on standby are never removed in certain configurations

Links to More Info: BT842425

Component: Local Traffic Manager

Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.

Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.

Impact:
Leaking connections on the standby system.

Workaround:
You can use either of the following workarounds:

-- Use auto-lasthop with mirrored connections.

-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


842013-1 : ASM Configuration is Lost on License Reactivation

Links to More Info: BT842013

Component: Application Security Manager

Symptoms:
After re-activating a BIG-IP license, if the configuration fails to load and reverts to a base config load, the ASM policy config contains 'default' or 'stub' policies, even after fixing the error that caused the configuration to fail to load.

Conditions:
1) A parsing error exists in the BIG-IP config such that 'tmsh load sys config verify' would fail
2) There is a license reactivation or the configuration is reloaded

Impact:
ASM policy configuration is lost and all policies are reverted to empty 'stubs'

Workaround:
In the case of license re-activation/before upgrade:

   Run the command "tmsh load sys config verify" prior to license activation on ASM units to be sure that the config will pass parsing and avoid the fallback to base configuration load.

   In a case of booting the system into the new version:

   Option 1:

      1. Using the steps in either K4423 or K8465, fix the issue that was preventing the config to load.
      2. Reload the config from the fixed UCS file using the command in K13132.

   Option 2:

      1. Roll back to the old version.
      2. Fix the issue that was preventing the config to load.
      3. Before activating the Boot Location of the new version at System >> Software Management : Boot Locations, make sure to set the option Install Configuration to Yes. see: K64400324

   Option 3: If one of the high availability (HA) units successfully upgraded, then use config-sync to push the working config to the failing unit.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


838405-4 : Listener traffic-group may not be updated when spanning is in use

Links to More Info: BT838405

Component: TMOS

Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.

Conditions:
Spanning is disabled or enabled on a virtual address.

Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.

Depending on the configuration, virtual server may or may not forward the traffic when expected.

Workaround:
Enable/Disable spanning together with changing a traffic-group (both options have to be changed simultaneously):

> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-2 spanning disabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


838305-9 : BIG-IP may create multiple connections for packets that should belong to a single flow.

Links to More Info: BT838305

Component: Local Traffic Manager

Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.

Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down.

Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


832133-7 : In-TMM monitors fail to match certain binary data in the response from the server

Links to More Info: BT832133

Component: In-tmm monitors

Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system marks them DOWN.

Conditions:
This issue occurs when all of the following conditions are met:

- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).

- One or more TCP or HTTP monitors specify a receive string using HEX encoding, in order to match binary data in the server's response.

- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.

Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.

Workaround:
Either one of the following workarounds can be used:

- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.

- Do not monitor the application through a binary response (if the application allows it).

Fix:
The monitor finds the recv string and shows the pool or member as available.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


830361-9 : CVE-2012-6711 Bash Vulnerability

Links to More Info: K05122252, BT830361


830341-5 : False positives Mismatched message key on ASM TS cookie

Links to More Info: BT830341

Component: Application Security Manager

Symptoms:
ASM system triggers false positives for ASM Cookie Hijacking violation with reason "Mismatched message key"

Conditions:
-- An HTTP request containing an old frame cookie with a different message key from the main ts cookie is rejected
-- The cookie is left intact

Impact:
All subsequent requests are rejected on ASM Cookie Hijacking violation

Workaround:
1. Disable "Learn Host Names" flag all policies. If the policy builder is on manual mode, they need to change it back to Auto mode, disable "Learn Host Names", then change to manual mode.

OR

2. Delete the mismatched cookie. This will cause the violations to stop occurring if the request comes from a legit endpoint

Fix:
In order to activate the changed functionality, set internal parameter ignore_cookies_msg_key to 1 and restart asm by executing following commands in CLI:
/usr/share/ts/bin/add_del_internal add ignore_cookies_msg_key 1
bigstart restart asm

Once enabled, ASM system does not trigger false positives.

Fixed Versions:
17.0.0, 16.1.2.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1


829653-1 : Memory leak due to session context not freed

Links to More Info: BT829653

Component: Policy Enforcement Manager

Symptoms:
Memory increases slowly

Conditions:
A PEM iRule times out

Impact:
Memory could be exhausted depending on the frequency of the command timeouts

Fixed Versions:
17.0.0, 16.1.4


828761-5 : APM OAuth - Auth Server attached iRule works inconsistently

Links to More Info: BT828761

Component: Access Policy Manager

Symptoms:
The iRule attached to the OAuth Resource Server (RS) is not triggered when the traffic hits the virtual server.

Conditions:
The issue occurs during a reboot of the BIG-IP device containing an OAuth server config and an attached iRule, or when the iRule is initially assigned to the OAuth Server.

Impact:
OAuth scope check agent fails with 'HTTP error 503': as the iRule attached to the RS virtual server is not triggered.

Workaround:
For existing OAuth servers with the iRule attached, modify the iRule, for example, adding a log. This makes the iRule trigger when it is initially attached or loaded.

Fix:
The iRule is triggered when a request comes to the OAuth RS virtual server.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5


827393-5 : In rare cases tmm crash is observed when using APM as RDG proxy.

Links to More Info: BT827393

Component: Access Policy Manager

Symptoms:
Tmm may crash when APM is configured as an RDG proxy to access Microsoft remote desktops and applications.

Conditions:
APM is used as RDG proxy

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Tmm does not crash when APM is configured as RDG proxy.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5


823877-7 : CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability

Links to More Info: K25126370, BT823877


819645-1 : Reset Horizon View application does not work when accessing through F5 APM

Links to More Info: BT819645

Component: Access Policy Manager

Symptoms:
You are unable to reset VMware applications from a Windows VM client, Android VM client or HTML5 client.

Conditions:
-- VMware Horizon Proxy configured via an iApp on APM
-- Access the VM applications via APM webtop through native client /HTML5 client for windows or access applications via native client on android

Impact:
Impaired reset option functionality

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


818889-1 : False positive malformed json or xml violation.

Links to More Info: BT818889

Component: Application Security Manager

Symptoms:
A false positive malformed XML or JSON violation occurs.

Conditions:
-- A stream profile is attached (or the http profile is set to rechunk on the request side).
-- A json/XML profile attached to the virtual.

Impact:
A false positive violation.

Workaround:
Modify the http profile to work in preserve mode for request chunking (this workaround is not possible in 16.1).

Fix:
N/A

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


815901-2 : Add rule to the disabled pem policy is not allowed

Links to More Info: BT815901

Component: Policy Enforcement Manager

Symptoms:
Adding rule to PEM policy is not allowed

Conditions:
A PEM policy is disabled

Impact:
You are unable to add rules to a PEM policy if it is disabled.

Fix:
Allow adding rules to disabled PEM policy

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7


810917-1 : OWASP Compliance score is shown for parent and child policies that are not applicable.

Links to More Info: BT810917

Component: Application Security Manager

Symptoms:
OWASP score for a parent policy or child policy is shown as 0.
The more accurate value should be 'N/A' since these policies are not configurable for OWASP.

Conditions:
Create either child policy or parent policy. On Security ›› Application Security : Security Policies : Policies List page you will see in the OWASP Compliance score the value 0, and when going to OWASP page configuration (Security ›› Overview : OWASP Compliance) the user will see a note that the policy is not configurable for OWASP.

Impact:
When looking on the policies list, the user may get the impression that the parent or child policies can be configured to comply with OWASP.

Workaround:
Ignore OWASP Compliance score for child and parent policies.

Fixed Versions:
17.0.0, 16.1.4


808913-1 : Big3d cannot log the full XML buffer data

Links to More Info: BT808913

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d cannot log the full XML buffer data:

-- notice big3d[12212]: 012b600d:5: Probe from ::ffff:11.11.1.21:45011: len 883/buffer = <vip>.

Conditions:
The gtm.debugprobelogging variable is enabled.

Impact:
Not able to debug big3d monitoring issues efficiently.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


805821-1 : GTP log message contains no useful information

Links to More Info: BT805821

Component: Service Provider

Symptoms:
GTP profile and GTP iRules provide no useful information in order to proceed with troubleshooting.

Conditions:
GTP profile or iRules fails to process message

Impact:
User lacks of information for troubleshooting

Workaround:
N/A

Fix:
GTP error log has been replaced with a more useful message. The new log message provides more intuitive information including the reason and, in some messages, location of data that causes the failure.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


804529-1 : REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools

Links to More Info: BT804529

Component: TMOS

Symptoms:
The GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats for a specific pool may fail with Error 404.

Conditions:
Pools that start with the letter 'm'. This is because those endpoints contain objects with incorrect selflinks.

For example:
- Query to the below pool that starts with the letter 'm' will work as it contains the right selflink.
       - Pool: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats"
       - selfLink: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats?ver=x.x.x.x"

- Query to the below pool that does not start with the letter 'm' may not work as it contains the wrong selflink.
       - Pool: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats"
       - selfLink: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats?ver=x.x.x.x"
         
In the above example, the word 'members' is displayed in selflink.

Impact:
Errors are observed with GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats.

Workaround:
The following workarounds are available:

1. Use /mgmt/tm/ltm/pool/members/stats without a specific pool, which does return the pool member stats for every pool.

2. For each pool member in /mgmt/tm/ltm/pool, issue a GET for:

/mgmt/tm/ltm/pool/<pool>/members/<member>/stats

Fix:
The REST endpoint /mgmt/tm/ltm/pool/members/stats/<specific pool> will have the working endpoints returned.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


803965-10 : Expat Vulnerability: CVE-2018-20843

Links to More Info: K51011533, BT803965


803109-4 : Certain configuration may result in zombie forwarding flows

Links to More Info: BT803109

Component: Local Traffic Manager

Symptoms:
OneConnect profile in conjunction with 'Source-port preserve-strict' or cmp-hash setting of 'dst-ip' or 'src-ip' on the server-side VLAN may result in zombie forwarding flows.

On the server-side the incoming traffic hits a different TMM from the one that handles the outgoing traffic.

Unexpected 'Inet port exhaustion' messages may be logged in the LTM log file.

Conditions:
-- OneConnect configured.

And one of the following:

-- Source-port is set to preserve-strict.
-- The cmp-hash setting on the server-side VLAN is set to 'dst-ip' or 'src-ip'.

Impact:
Zombie forwarding flows. Over time, the current allocation count grows and does not return to its prior level when traffic stops.

The current allocation can be checked with this command:
# tmctl memory_usage_stat name=connflow -s name,cur_allocs

Workaround:
You can use any of the following workarounds:

-- Remove the OneConnect profile from the Virtual Server.

-- Do not use 'source-port preserve-strict' setting on the Virtual Server.

-- Set the 'cmp-hash default' on the server-side VLAN if it is set to 'cmp-hash src-ip' or 'cmp-hash dst-ip'.

Note: After making this change, it may be necessary to run the command 'tmsh restart sys service tmm', which will clear the old flows but also impact traffic. Traffic interrupted while tmm restarts.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


797797-7 : CVE-2019-11811 kernel: use-after-free in drivers

Links to More Info: K01512680, BT797797


796065-2 : PingAccess filter can accumulate connections increasing memory use.

Links to More Info: BT796065

Component: Access Policy Manager

Symptoms:
Currently the maximum http header count value for ping access is 64. The connection to the backend is aborted if there are more than 64 headers.

Conditions:
1. Ping access is configured.
2. The HTTP header count is more than 64.

Impact:
Connection is aborted by the BIG-IP system users are unable to access the backend.

Workaround:
None

Fix:
Fixed an issue with the ping access filter.

Fixed Versions:
16.1.4


794385-6 : BGP sessions may be reset after CMP state change

Links to More Info: BT794385

Component: Local Traffic Manager

Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.

This happens in the following instances:
  - Blade reset.
  - Booting up or shutting down.
  - Running 'bigstart restart'.
  - Setting a blade state from/to primary/secondary.

During these events, there is a small chance that ingress ACK packet of previously established BGP connection is going to be disaggregated to the new processing group(TMMs) and selected TMM is ready to process traffic, but is not ready yet to process traffic for existing connection. In this case, connection isn't processed and reset instead.

Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BGP peering is configured.
-- CMP state change is occurred on one of the blades.
-- BGP ingress ACK packet is disaggregated to TMM, which either wrong TMM or not ready to process the packet of already established connection

Impact:
Affected BGP peering is reset and dynamic routes learnt by the configured protocol are withdrawn, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, unexpected routing decisions are from networks learnt by affected routing protocols when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
There is no workaround, but the issue was never seen with a configuration where CMP hash of affected VLAN is changed back to Default value.

Fix:
BGP session is no longer reset during CMP state change.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5


791669-5 : TMM might crash when Bot Defense is configured for multiple domains

Links to More Info: BT791669

Component: Application Security Manager

Symptoms:
TMM might crash and generate a core file when using a Bot Defense profile that is configured for multiple domains.

Conditions:
Bot Defense is configured with multiple 'Related Site Domains' and attached to a virtual server.

Impact:
TMM crash with core. Traffic disrupted while tmm restarts.

Workaround:
None,

Fix:
TMM no longer crashes when Bot Defense is configured for multiple domains.

Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.2.3


785197-5 : binutils vulnerability CVE-2019-9075

Links to More Info: K42059040, BT785197


780857-4 : HA failover network disruption when cluster management IP is not in the list of unicast addresses

Links to More Info: BT780857

Component: Local Traffic Manager

Symptoms:
If the cluster management IP address is not in the list of failover network unicast addresses, the blade management IP addresses in the unicast mesh will not be able to receive failover messages from peer devices.

Conditions:
-- VIPRION chassis or vCMP guest on a VIPRION chassis.
-- Per-blade management IP addresses listed in the failover network unicast mesh.
-- No cluster management IP address listed.

Impact:
The blade management IP addresses in the failover network unicast mesh stop functioning:

[root@VIP2200-R75-S5:/S1-green-P::Standby:In Sync] config # tmctl -w 200 -S sod_tg_conn_stat
entry_key local_failover_addr remote_device_name pkts_received transitions last_msg status
----------------------------- ------------------- ------------------------------ ------------- ----------- ---------- ------
10.200.75.8->10.10.10.1:1026 10.10.10.1:1026 VIP2200-R75-S8.sin.pslab.local 3249 3 1555399271 1
10.200.75.8->10.200.75.3:1026 10.200.75.3:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--
10.200.75.8->10.200.75.4:1026 10.200.75.4:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--

Workaround:
You can add an explicit management IP firewall rule to allow this traffic:

tmsh modify security firewall management-ip-rules rules add { accept_udp_1026 { place-before first ip-protocol udp destination { ports add { 1026 } } action accept } }

This will add a firewall policy so port 1026 is no longer locked down, and the blade management IP addresses in the unicast mesh should begin to function properly.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1


760496-4 : Traffic processing interrupted by PF reset

Links to More Info: BT760496

Component: TMOS

Symptoms:
CPU usage increases after PF reset. Traffic between client and server is interrupted.

Conditions:
-- E710 NICs are used.
-- Reset PF.

Impact:
The BIG-IP instance requires a restart after PF reset to resume traffic processing.

Workaround:
Restart the BIG-IP device.

Fix:
A TMSH db variable ve.ndal.exit_on_ue, is introduced to enable/disable device restart on PF reset. On restart, a new error message within /var/log/tmm is written. Error message: "Restarting TMM on unrecoverable error."

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


760355-4 : Firewall rule to block ICMP/DHCP from 'required' to 'default'

Links to More Info: BT760355

Component: Advanced Firewall Manager

Symptoms:
If a firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.

Conditions:
- Firewall is configured on the management port.
- Firewall is configured with an ICMP rule to block.
- Firewall is configured with an ICMP rule to allow.

Impact:
ICMP packets cannot be blocked with a firewall rule to drop on the management port. ICMP packets are allowed from the management port and will not increase the counter even if explicitly allowed by a rule.

Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions.

# /sbin/iptables -N id760355
# /sbin/iptables -I INPUT 1 -j id760355
# /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP

Fix:
ICMP firewall rule has been moved from the f5-required to f5-default.

Fixed Versions:
16.1.4, 15.1.9, 15.0.1.1, 14.1.2.1


759928-6 : Engineering Hotfixes might not contain all required packages

Links to More Info: BT759928

Component: TMOS

Symptoms:
An Engineering Hotfix might be missing certain required packages.

Conditions:
This can occur with certain Engineering Hotfixes.

Impact:
Some of the required packages may be missing.

Workaround:
None

Fix:
Engineering Hotfix ISOs now automatically include packages for targets that may be affected by code change in a specific target.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7


756918-4 : Engineering Hotfix ISOs may be nearly as large as full Release ISOs

Links to More Info: BT756918

Component: TMOS

Symptoms:
Engineering Hotfix ISO images might be unexpectedly large.

Conditions:
This might occur with certain Engineering Hotfix builds.

Impact:
Engineering Hotfixes are unnecessarily large.

Workaround:
None

Fix:
Engineering Hotfix ISO images are no longer created with a size that may occasionally exceed 2 GB, and no longer contain a complete set of packages replacing all packages installed by the original BIG-IP release upon which the Engineering Hotfix is based.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7


755976-9 : ZebOS might miss kernel routes after mcpd deamon restart

Links to More Info: BT755976

Component: TMOS

Symptoms:
After an mcpd daemon restart, sometimes (in ~30% of cases) ZebOS is missing some of kernel routes (virtual addresses).

One of the most common scenario is a device reboot.

Conditions:
-- Dynamic routing is configured.
-- Virtual address is created and Route Advertisement is configured:
imish -e 'sh ip route kernel'
-- mcpd daemon is restarted or device is rebooted.

Impact:
The kernel route (virtual address) is not added to the ZebOS routing table and cannot be advertised.

Workaround:
There are several workarounds; here are two:

-- Restart the tmrouted daemon:
bigstart restart tmrouted

-- Recreate the affected virtual address.

Fix:
The kernel route is now present in the ZebOS routing table after mcpd daemon restart.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


752077-4 : Kerberos replay cache leaks file descriptors

Links to More Info: BT752077

Component: Access Policy Manager

Symptoms:
APMD reports 'too many open files' error when reading HTTP requests:

-- err apmd[15293]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 113 Msg: epoll_create() failed [Too many open files].
-- err apmd[15293]: 01490000:3: ApmD.cpp func: "process_apd_request()" line: 1801 Msg: Error 3 reading/parsing response from socket 1498. strerror: Too many open files, queue size 0, time since accept

There are file descriptor dumps in /var/log/apm showing many deleted files with name krb5_RCXXXXXX:

-- err apmd[15293]: 01490264:3: 1492 (/shared/tmp/krb5_RCx8EN5y (deleted)) : cloexec, Fflags[0x8002], read-write
-- err apmd[15293]: 01490264:3: 1493 (/shared/tmp/krb5_RCnHclFz (deleted)) : cloexec, Fflags[0x8002], read-write
-- err apmd[15293]: 01490264:3: 1494 (/shared/tmp/krb5_RCKGW8ia (deleted)) : cloexec, Fflags[0x8002], read-write

Conditions:
This failure may happen if the access policy uses Kerberos authentication, Active Directory authentication, or Active Directory query. The conditions under which the Kerberos replay cache leaks is unknown.

Impact:
APM end users experience intermittent log on issues.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


749332-1 : Client-SSL Object's description can be updated using CLI and with REST PATCH operation

Links to More Info: BT749332

Component: TMOS

Symptoms:
REST PUT fails to update the object description when proxy-ca-cert and proxy-ca-key are not configured, and triggers an error:
SSL forward proxy RSA CA key is missing.

Conditions:
Issue is seen only with REST PUT operation, and when proxy-ca-cert and proxy-ca-key are not configured.

Impact:
REST PUT operation cannot be used to update/modify the description.

Workaround:
You can use either of the following:

-- You can use TMSH to update/modify the description, even if proxy-ca-cert and proxy-ca-key are not configured.

-- You can also use PATCH operation and send only the required field which need modification.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.4


748886-4 : Virtual server stops passing traffic after modification

Links to More Info: BT748886

Component: Local Traffic Manager

Symptoms:
A virtual server stops passing traffic after changes are made to it.

Conditions:
-- Virtual server is using a port-list or address-list
-- High availability (HA) environment with multiple traffic groups
-- A change is made to the virtual server

Impact:
Every time you make changes to the virtual server, the traffic-group for the virtual address is changed, and traffic goes down.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


742753-8 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail

Links to More Info: BT742753

Component: TMOS

Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.

Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:

- Remove the Referer header.

- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.

Impact:
Users cannot log on to the BIG-IP system's WebUI.

Workaround:
As a workaround, you can do any of the following things:

- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).

- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).

- Modify the proxy solution so that it inserts compatible Referer and Host headers.

Fix:
CSRF checks based on HTTP headers pre-logon have been improved.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


740321-1 : iControl SOAP API does not follow current best practices

Links to More Info: K50310001, BT740321


738593-3 : Vmware Horizon session collaboration (shadow session) feature does not work through APM.

Links to More Info: BT738593

Component: Access Policy Manager

Symptoms:
When the VMware virtual desktop interface (VDI) is configured, session collaboration or shadow session does not work.

Conditions:
-- VMware VDI configured and Desktop resource is accessed with native client only.
-- Launch resources and VMware Horizon Client will use Blast protocol to display VMware sessions.
-- Shadow session is enabled in desktop.

Impact:
Desktop's Shadow session resource icon is not showed on webtop of native client.

Workaround:
None

Fix:
Users should see Desktop's shadow session icon when resources are loaded on to webtop of native client.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5


724653-5 : In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync.

Links to More Info: BT724653

Component: TMOS

Symptoms:
In a device-group configuration, a BIG-IP administrator can add a non-synced object to a partition on one device, then delete that partition on a peer device, syncing the delete (this is assuming the partition is empty on the peer).

Although the config-sync operation will report as having completed successfully on both devices, and no errors will be visible in the /var/log/ltm file of either device, a number of issues can manifest at a later time.

For instance, assuming the non-synced object was a VLAN, listing all VLANs across all partitions will return the following error:

root@(bigip-ntr-d)(cfg-sync In Sync)(Active)(/)(tmos)# list net vlan recursive
01070712:3: Internal error, can't load folder or nested folder for: /test/my_vlan

And reloading the config will return the following error (as the partition has been deleted, including its flat config files):

root@(bigip-ntr-d)(cfg-sync In Sync)(Active)(/Common)(tmos)# load sys config
Loading system configuration...
  /defaults/asm_base.conf
  /defaults/config_base.conf
  /defaults/ipfix_ie_base.conf
  /defaults/ipfix_ie_f5base.conf
  /defaults/low_profile_base.conf
  /defaults/low_security_base.conf
  /defaults/policy_base.conf
  /defaults/wam_base.conf
  /defaults/analytics_base.conf
  /defaults/apm_base.conf
  /defaults/apm_saml_base.conf
  /defaults/app_template_base.conf
  /defaults/classification_base.conf
  /var/libdata/dpi/conf/classification_update.conf
  /defaults/urlcat_base.conf
  /defaults/daemon.conf
  /defaults/pem_base.conf
  /defaults/profile_base.conf
  /defaults/sandbox_base.conf
  /defaults/security_base.conf
  /defaults/urldb_base.conf
  /usr/share/monitors/base_monitors.conf
Loading configuration...
  /config/bigip_base.conf
  /config/bigip_user.conf
  /config/bigip.conf
01070523:3: No Vlan association for STP Interface Member 1.2.
Unexpected Error: Loading configuration process failed.

These are just examples, and the exact failures will depend on the type of non-synced object and its use within your configuration.

Conditions:
-- Two or more devices in a device-group configuration.
-- Using partitions that contain non-synced objects.
-- Deleting the partition on a device and syncing the changes to the other devices.

Impact:
The partition is deleted on the peer device, even though it still contains non-synced objects. A number of config issues can arise at a later time as a result of this.

Workaround:
In some cases, if you need to define non-synced objects, you can do so in partitions or folders that are associated with 'device-group none' and 'traffic-group none'. This would prevent the partition or folder from synchronizing to other devices in the first place.

Fix:
Validation has been added that will make a config-sync receiver reject the operation if this includes the deletion of a non-empty partition. In this case, the config-sync will fail and report an error message similar to the following example:

0107082a:3: All objects from local device and all HA peer devices must be removed from a partition (test) before the partition may be removed, type ID (467), text ID (60706)

Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5


723109-2 : FIPS HSM: SO login failing when trying to update firmware

Links to More Info: BT723109

Component: TMOS

Symptoms:
After FIPS device initialization when trying to update the FIPS firmware. It may fail on SO login.

Conditions:
When trying to update FIPS firmware.

Impact:
This will not be able to upgrade the FIPS firmware.

Workaround:
None

Fix:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


720610-4 : Automatic Update Check logs false 'Update Server unavailable' message on every run

Links to More Info: BT720610

Component: TMOS

Symptoms:
The Automatic Update Check operation erroneously logs a message indicating that the Update Server is unavailable on every run, successful or not.

Conditions:
The BIG-IP system is configured to run the Automatic Update Check feature.

Impact:
Misleading 'PHONEHOME: Update Server unavailable' messages in the log file, implying that the update server is not available.

Workaround:
None.

Fix:
The Automatic Update Check operation no longer logs false messages.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.2.7, 13.1.3


717806-8 : In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured

Links to More Info: BT717806

Component: Local Traffic Manager

Symptoms:
Load average peaks are observed when a high number of monitors (>= 200) are configured across 'n' bigd instances.

Conditions:
When a high number of monitors are configured across 'n' bigd instances. CPU load peaks appear and disappear periodically.

Impact:
No performance impact

Workaround:
None

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


713754-3 : Apache vulnerability: CVE-2017-15715

Links to More Info: K27757011


693473-8 : The iRulesLX RPC completion can cause invalid or premature TCL rule resumption

Links to More Info: BT693473

Component: Local Traffic Manager

Symptoms:
RPC completion will attempt to resume the RPC iRule execution when there is subsequent iRule activity on the flow - CLIENT/SERVER_CLOSED, for instance, which keeps the flow alive and blocks in an iRule event.

Conditions:
Blocking the iRule event When an RPC call is outstanding and the flow is aborted.

Impact:
It will cause the iRule event blocking when RPC call is outstanding and the flow is aborted

Workaround:
None

Fix:
Cancel ILX RPC TCL resumption if iRule event is aborted before resumption (reply or timeout) occurs.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


686783-1 : UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters.

Links to More Info: BT686783

Component: Traffic Classification Engine

Symptoms:
If a UrlCat custom database feed list has URLs containing a www prefix or capital letters, the URLs are not categorized when queried.

Conditions:
The UrlCat custom database feed list with URL containing www prefix or capital letters,

Impact:
Improper classification

Workaround:
Using an iRule can help classify the URL.

Fix:
Normalized the URL before putting in the custom database.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


674026-6 : iSeries AOM web UI update fails to complete.

Links to More Info: BT674026

Component: TMOS

Symptoms:
Upon upgrading a BIG-IP version, AOM web UI updates can sometimes fail.

Conditions:
This occurs when upgrading a BIG-IP system's software version on iSeries platforms.

Impact:
After booting to a new version, the AOM web UI update fails with an error message in /var/log/ltm similar to the following:

err bmcuiupdate[20824]: Failed updated AOM web UI with return code 2

Workaround:
At the bash prompt run:

/etc/lcdui/bmcuiupdate

This triggers another upgrade attempt, and the result is logged in /var/log/ltm. This should not be service-affecting.

Fix:
AOM web UI update failures are now automatically corrected.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


672963-1 : MSSQL monitor fails against databases using non-native charset

Links to More Info: BT672963

Component: Local Traffic Manager

Symptoms:
MSSQL monitor is fails against databases using non-native charset.

Conditions:
MSSQL monitor configured to monitor a database that is using non-native charset (ISO-8859-1).

Impact:
MSSQL monitoring always marks node / member down.

Workaround:
On BIG-IP v13.x and v14.0.x, you can work around this issue using the following steps:

1. Log in to the BIG-IP console into a bash prompt.

2. Run the following command:
mount -o remount,rw /usr; ln -s /usr/java-64/openjdk/lib/charsets.jar /usr/java/openjdk/lib/charsets.jar; mount -o remount,ro /usr

3. Restart bigd:
bigstart restart bigd

Fix:
MSSQL monitor can be used effectively against a database using a non-native charset.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


669046-7 : Handling large replies to MCP audit_request messages

Links to More Info: BT669046

Component: TMOS

Symptoms:
When receiving very large replies to MCP messages (e.g., when viewing audit logs from the GUI), MCP can run out of memory and produce a core file. This is due in part to the amount of data returned, and also due in part to memory handling.

In a production environment, fragmentation naturally occurs over the lifetime of MCP, thus increasing the odds of this happening. In addition, larger configurations cause more space to be consumed in MCPD and might more easily lead to the fragmentation, resulting in this issue.

Conditions:
Receiving very large replies to MCP messages (e.g., from audit_request messages, which occurs when you view audit logs from the GUI).

Memory usage is already high.

Impact:
Allocation of memory for viewing the audit logs fails. MCP can run out of memory and produce a core file.

Workaround:
Use tmsh/bash to view the audit logs instead of the GUI when audit logs are extremely large and memory usage is already high.

Fix:
Viewing audit logs in the GUI is now limited to 10,000 lines, so this issue no longer occurs.

Behavior Change:
The GUI is limited to viewing no more than 10,000 lines of the audit log.

You can use tmsh/bash to view audit logs larger than 10,000 lines.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


662301-8 : 'Unlicensed objects' error message appears despite there being no unlicensed config

Links to More Info: BT662301

Component: TMOS

Symptoms:
An error message appears in the GUI:
This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.

Examination of the configuration and license shows that there are no configuration errors or unlicensed configuration objects. The device is operational.

Conditions:
The BIG-IP system is licensed and the configuration loaded.

Impact:
Error message appears in the GUI stating that the device is not operational. However, the device is operational.

Workaround:
On an appliance, restart mcpd by running the following command:

    bigstart restart mcpd

On a VIPRION or vCMP guest running on a VIPRION, restart MCPD on all blades by running the following command:

    clsh bigstart restart mcpd

Note: This causes a system to go offline while services restart. Traffic disrupted while services restart.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


651029-12 : Sensitive information exposed during incremental sync

Links to More Info: K20307245, BT651029


574762-4 : Forwarding flows leak when a routing update changes the egress vlan

Links to More Info: BT574762

Component: Local Traffic Manager

Symptoms:
Forwarding flow doesn’t expire and leaks a connflow object.

Conditions:
Conditions to hit this are a route change on forwarded flows.

Impact:
Memory leak.

Workaround:
None

Fix:
Fixed a memory leak with forwarding flows.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


528894-5 : Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition

Links to More Info: BT528894

Component: TMOS

Symptoms:
Configuration stanzas that do not belong in the files of a non-Common partition appear there. These stanzas could include, for example, 'net trunk' or 'sys ha-group' objects.

Conditions:
-- The system includes partitions other than Common.

-- Configuration in a partition other than Common is modified.

-- A Config-Sync operation not involving an overwrite takes place (it is also possible to reproduce this issue on a standalone BIG-IP system by doing a save operation like the following: "tmsh save sys config partitions { Common other }").

Impact:
/config/partitions/<partition_name>/bigip_base.conf will contain extraneous config stanzas (such as the ones mentioned in Symptoms).

/config/bigip_base.conf will no longer contain config stanzas that belong there.

Note that the impact is mostly cosmetic. An affected device will still be able to correctly load its configuration even if some config stanzas appear in the wrong flat config file.

However, Administrators performing audits of the flat config files will be perplexed as to why some stanzas are moving back and forth between partitions.

Workaround:
If you wish to restore your flat config files to their proper state after the issue has already occurred, simply run "tmsh save sys config" on the affected device.

Alternatively, to prevent the issue in the first place, you can Config-Sync using the following command "tmsh run cm config-sync force-full-load-push to-group <device-group>".

Note that neither workaround is permanent and the issue will reoccur.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5


490138-1 : Kerberos Auth might fail in case BIG-IP is configured with multiple AAA Kerberos Servers

Links to More Info: BT490138

Component: Access Policy Manager

Symptoms:
In case BIG-IP is configured with multiple AAA Kerberos Server objects and those Kerberos Server uses different keytabs for different service account but for the same realm,
authentication may fail intermittently

Conditions:
- multiple AAA Kerberos Servers created
- AAA Kerberos servers are configured with different keytabs
- the keytabs are for different service accounts but for the same realm

Impact:
Kerberos authentication fails, user cannot log in

Workaround:
As a workaround, it is suggested to merge keytab files and use cumulative keytab file for all AAA Kerberos Servers

Administrator can merge keytab files with "ktutil" kerberos utility that is installed at BIG-IP.
1. run ktutil
2. load all the keytab files to merge using:
rkt <file>
3. you cal list currently loaded entries with "l"
4. after you load all required keytabs, save new keytab with
wkt <newfile>

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


435231 : Support RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral parameters

Links to More Info: K79342815, BT435231

Component: Local Traffic Manager

Symptoms:
RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) parameters are not supported.

Conditions:
This affects ciphersuites that use Diffie–Hellman Ephemeral (DHE) key exchange.

Impact:
Support for larger FFDHE groups will be chosen if offered by the client.

Note: You might notice an impact to performance as compared with the previously chosen DHE 1024.

Workaround:
None

Fix:
With the support for the FFDHE groups defined in RFC7919, the system now supports DHE2048, DHE3072, DHE4096 keys. The default DHE key size is 2048 bits. (In previous BIG-IP versions, the default was 1024 bits.)

You can configure this default value by enabling or disabling the DB variable tmm.ssl.dh1024. To do so, use the following TMSH command syntax:

 modify sys db tmm.ssl.dh1024 value enable/disable

To use FFDHE2048, FFDHE3072, FFDHE4096 keys, you define them in a cipher rule, and then use this rule in a cipher group before associating it with an SSL profile.

Note: If you use a cipher rule that does not define any of the FFDHE2048, FFDHE3072, or FFDHE4096 groups (e.g., f5-default), this feature is not enabled.

For more information, and for steps to define these rules, see K79342815: BIG-IP support for RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) :: https://support.f5.com/csp/article/K79342815.

Behavior Change:
RFC7919 Negotiated FFDHE parameters are now supported.

The FFDHE2048, FFDHE3072, FFDHE4096 keys are supported in this release. The default is DHE 2048 bits.

In previous versions, the default DHE key size was 1024 bits. If you want to continue to use DHE 1024 you can enable db var tmm.ssl.dh1024, by default it is disabled.

For more information, and for steps to use this feature, see K79342815: BIG-IP support for RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) :: https://support.f5.com/csp/article/K79342815.

Fixed Versions:
17.0.0, 16.1.2.2


423519-5 : Bypass disabling the redirection controls configuration of APM RDP Resource.

Links to More Info: K74302282, BT423519

Component: Access Policy Manager

Symptoms:
User can bypass RDP resource redirection restrictions between RDP remote machine and local machine.

Conditions:
1. Create RDP resource. Disable redirection parameter.
2. Launch the resource.
3. Launch RDP Client, enable redirection parameter.

Impact:
User can bypass RDP resource restrictions.

Workaround:
NA

Fix:
User is not allowed to perform any redirection controls of the RDP resource.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


1495217-3 : TMUI hardening

Component: TMOS

Symptoms:
In certain scenarios, TMUI does not follow best security practices.

Conditions:
N/A

Impact:
N/A

Workaround:
No workaround

Fix:
Best security practices are now applied.

Fixed Versions:
16.1.4.3, 15.1.10.4


1492361-2 : TMUI Security Hardening

Component: TMOS

Symptoms:
In certain scenarios, TMUI does not follow best practices when processing URLs.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
TMUI now behaves as expected.

Fixed Versions:
16.1.4.3, 15.1.10.4


1391357-1 : Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address

Links to More Info: K000136909, BT1391357


1381357-2 : CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability

Links to More Info: K000137365, BT1381357


1366025-2 : A particular HTTP/2 sequence may cause high CPU utilization.

Links to More Info: K000137106, BT1366025


1361169-2 : Connections may persist after processing HTTP/2 requests

Links to More Info: K000133467, BT1361169


1360917-4 : TMUI hardening

Component: TMOS

Symptoms:
In certain situations, TMUI does not follow best security practices.

Conditions:
When a domain or subdomain of the BIG-IP system is shared with another host.

Impact:
N/A

Workaround:
Avoid having the BIG-IP share upper-level domain names with untrusted hosts.

Fix:
Best security practices are now followed.

Fixed Versions:
16.1.4.3, 15.1.10.4


1354253-2 : HTTP Request smuggling with redirect iRule

Links to More Info: K000137322, BT1354253

Component: Local Traffic Manager

Symptoms:
See: https://my.f5.com/manage/s/article/K000137322

Conditions:
See: https://my.f5.com/manage/s/article/K000137322

Impact:
See: https://my.f5.com/manage/s/article/K000137322

Workaround:
See: https://my.f5.com/manage/s/article/K000137322

Fix:
See: https://my.f5.com/manage/s/article/K000137322

Behavior Change:
HTTP Parser of HTTP message header (for requests and responses) performs additional checks on value for Content-Length header, allowing values, matching BNF definition in RFC2616 (only digits), not causing integer overflow, allowed in multiple instances both in comma-separated lists and multiple Content-Length headers. An additional check introduced for Transfer-Encoding header to allow only RFC-compliant combinations for this header.

Fixed Versions:
17.1.1.1, 16.1.4.2, 15.1.10.3


1324745-2 : An undisclosed TMUI endpoint may allow unexpected behavior

Links to More Info: K000135689, BT1324745


1317705-2 : TMM may restart on certain DNS traffic

Component: Advanced Firewall Manager

Symptoms:
The TMM may restart and leave a core while processing certain DNS traffic when AFM is licensed and enabled.

Conditions:
The BIG-IP is licensed and provisioned for AFM.
There is a listener processing DNS traffic.

Impact:
The TMM crashes and leaves a core file.

Workaround:
NA

Fix:
DNS traffic is handled as expected.

Fixed Versions:
17.1.1, 16.1.4


1316277-2 : Large CRL files may only be partially uploaded

Links to More Info: K000137796, BT1316277

Component: TMOS

Symptoms:
When updating a large CRL file in BIG-IP using tmsh, the file may only be partially read due to internal memory allocation failure.

Please note that the size of the CRL file causing this issue varies across hardware types, network bandwidth and usage, and system resources.

Conditions:
1. Using tmsh, a large CRL file is updated to an existing CRL.
2. This large CRL file is attached to multiple profiles.
3. The system is under heavy load

Impact:
When a large CRL file is attached to a profile, an update may indicate success when only a partial upload has occurred. Connections to VIP with this profile may have unexpected results, such as a certificate not being blocked as expected.

Workaround:
A large CRL file can be divided into smaller chunks and loaded into multiple profiles.

Fix:
If an error occurs during CRL upload or update, the profiles containing this partial CRL file will be invalidated and further connections to the VIP will be terminated. An error will be logged to /var/log/ltm whenever a CRL file read operation fails due to memory allocation.

The log received will look like:

01260028:2: Profile <profile name> - cannot load <CRL file location> CRL file error: unable to load large CRL file - try chunking it to multiple files.

Fixed Versions:
17.1.1, 16.1.4.2, 15.1.10.3


1315193-1 : TMM Crash in certain condition when processing IPSec traffic

Component: TMOS

Symptoms:
Under certain conditions the TMM may crash and leave a core when processing IPSec traffic.

Conditions:
The Big-IP is processing IPSec traffic.

Impact:
The TMM restarts

Workaround:
N/A

Fix:
IPSec traffic is handled as expected.

Fixed Versions:
17.1.1, 16.1.4


1314301-2 : TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled

Links to More Info: K000137334, BT1314301


1312057-1 : bd instability when using many remote loggers with Arcsight format

Component: Application Security Manager

Symptoms:
When using multiple arcsight remote loggers for an ASM policy, certain requests may cause bd to restart and leave a core file.

Conditions:
ASM policy is attached to VS.
Multiple remote storage loggers, using arcsight format are attached to vs.
Certain traffic patterns.

Impact:
bd will restart and leave a core file.

Workaround:
None.

Fix:
bd processes traffic as expected.

Fixed Versions:
17.1.1, 16.1.4


1297089-3 : Support Dynamic Parameter Extractions in declarative policy

Links to More Info: BT1297089

Component: Application Security Manager

Symptoms:
When a policy is exported in JSON format, the dynamic parameter extractions configuration is not exported to the policy file and when it is imported back into the policy, the dynamic extraction configuration is lost.

Conditions:
Policy contains Dynamic parameter extraction and it is exported in JSON format.

Impact:
Dynamic extraction configuration is lost.

Workaround:
Export the policy in xml or binary format.

Fix:
Added support in JSON policy also to dynamic parameter extractions.

Fixed Versions:
17.1.1, 16.1.4


1296489-3 : ASM UI hardening

Links to More Info: K000138047, BT1296489


1296469-2 : ASM UI hardening

Component: Application Security Manager

Symptoms:
The ASM UI does not follow best security practices.

Conditions:
N/A

Impact:
N/A

Workaround:
NA

Fix:
The ASM UI now follows best security practices.

Fixed Versions:
17.1.1, 16.1.4


1295661-2 : BIG-IP Edge Client for macOS vulnerability CVE-2023-38418

Links to More Info: K000134746, BT1295661


1292793-3 : FIX protocol late binding flows that are not PVA accelerated may fail

Links to More Info: BT1292793

Component: Local Traffic Manager

Symptoms:
FastL4 connections with late binding enabled typically used for FIX protocol can stall or hang if they are evicted from PVA and not re-offloaded.

Conditions:
- Late binding enabled on a FastL4 flow. The flow is not accelerated, and if the flow recieves approximately 50 packets, then it will hang. Captures would show packets ingressing to the BIG-IP and not being forwarded to the peer.

Impact:
Connection may stall.

Workaround:
Disable late binding. If late binding cannot be disabled, then
 disable pva-flow-aging and pva-flow-evict to avoid the issue.

Fix:
FIX protocol flow works as expected.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1292093 : Neuron based HW SYN cookie broken due to ZBDDOS feature porting to 16.1.x

Links to More Info: BT1292093

Component: Advanced Firewall Manager

Symptoms:
In 16.1.x, Neuron based HW SYN cookie is broken.

Conditions:
-- Neuron-equipped hardware (BIG-IP iSeries)
-- Configure TCP Half Open at profile level.
-- Send Traffic.
-- Check HW SYN Cookies.

Impact:
This breaks the HW SYN cookie functionality

Workaround:
None

Fix:
Updates are implemented to return the correct parameters and HW SYN Cookie is working fine

Fixed Versions:
16.1.4


1291565-2 : BIG-IP generates more multicast packets in multicast failover high availability (HA) setup

Links to More Info: BT1291565

Component: Local Traffic Manager

Symptoms:
BIG-IP generates additional high availability (HA) multicast packets when the device name is changed.

Running the following commands shows the duplicate multicast entries on mgmt:mgmt interface on /var/log/sodlog file
# /usr/bin/cmd_sod get info

Conditions:
-- BIG-IPs configured with Multicast failover .
-- The self-device name is changed.

Impact:
BIG-IP multiplies the number of multicast packets when the device name is changed.

Workaround:
Restarting the sod would remove the duplicate multicast entries.
#bigstart restart sod

Fix:
Cleanup the multicast entries populated on old device name when the name is updated.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1291149-3 : Cores with fail over and message routing

Links to More Info: BT1291149

Component: Service Provider

Symptoms:
Seg faults for an active unit in an high availability (HA) pair when it goes to standby.

Conditions:
- Generic message routing is in use.
- high availability (HA) pairs
- This issue is observed when generic messages are in flight when fail over happens but there is some evidence that it can happen without fail over.

Impact:
This is a memory corruption issue, the effects are unpredictable and may not become visible for some time, but in testing seg faults leading to a core were observed in the device going to standby within 10-25s of the device failing over. This happened roughly for about 50% of the time but the effect will be sensitive to memory layout and other environmental perturbations.

Workaround:
None

Fix:
The MR message store iteration is fixed, no corruption or cores observed.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1290889-4 : TMM disconnects from processes such as mcpd causing TMM to restart

Links to More Info: K000134792, BT1290889

Component: TMOS

Symptoms:
When tunnels are in use on the BIG-IP, TMM may lose its connection to MCPD and exit and restart. At the time of the restart, a log message similar to the following will be seen in /var/log/ltm:

crit tmm6[19243]: 01010020:2: MCP Connection expired, exiting

When this occurs, in a default configuration, no core file is generated.

TMM may also disconnect unexpectedly from other services (i.e. tmrouted).

TMM may also suddenly fail to match traffic for existing virtual server connections against a connection flow. This could result in traffic stalling and timing out.

Conditions:
-- An IPsec, GRE or IPIP tunnel is in use.

Impact:
-- Traffic disrupted while tmm restarts.
-- Sudden poor performance

Workaround:
Do not use tunnels.

Fix:
TMM will not unexpectedly reset connections when tunnels are in use.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1289365-1 : The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode

Links to More Info: BT1289365

Component: SSL Orchestrator

Symptoms:
The Proxy Select agent in the per-request policy does not select the pool or upstream proxy in explicit proxy mode. This prevents SSL Orchestrator or BIG-IP from forwarding the egress data to the upstream proxy.

Conditions:
- Proxy Select agent is used in the per-request policy.
- Proxy Select agent is set to explicit proxy mode.
- Flow is set to be bypassed using per-req policy agents such as IP Based SSL Bypass Set or dynamic bypass based on SSL profiles.

Impact:
SSL Orchestrator or BIG-IP does not forward any egress data to the upstream proxy.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1289189-3 : In certain traffic patterns, TMM crash

Links to More Info: K000137333, BT1289189


1287873 : Hardware mitigation is not working for a few SIP vectors

Links to More Info: BT1287873

Component: Advanced Firewall Manager

Symptoms:
Hardware mitigation not happening as int_drops are not incrementing
bd_stats are incrementing but SPVA stat bd_hit is not incrementing

Conditions:
Configure SIP vectors with the threshold levels in any Hardware platform and send the related traffic

Impact:
Hardware mitigation will not happen for SIP Vectors

Workaround:
NA

Fix:
Neuron rules had been written in the neuron chip for these vectors so that stats were counting correctly

Fixed Versions:
16.1.4


1287425 : Observed crash while running sweep flood tests

Links to More Info: BT1287425

Component: Advanced Firewall Manager

Symptoms:
While testing sweep flood tests, the TMM crashes.

Conditions:
The sweep flood test case was failing.

Impact:
TMM crash

Workaround:
None

Fix:
Fixed the issue where no crash is observed while testing the sweep flood tests.

Fixed Versions:
16.1.4


1287313-2 : SIP response message with missing Reason-Phrase or with spaces are not accepted

Links to More Info: BT1287313

Component: Service Provider

Symptoms:
BIG-IP drops SIP response messages that are missing the Reason-Phrase.

Conditions:
A SIP response message in this format
SIP/2.0 424 \r\n
are dropped
If the message has a reason text
 Status-Line = SIP-Version SP Status-Code SP Reason-Phrase CRLF
Like this
SIP/2.0 404 Not Found\r\n
then it would not be dropped

Impact:
Connectivity issue.

Workaround:
None

Fix:
BIG-IP now accepts SIP response with Status-line missing a reason text.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1286101-1 : JSON Schema validation failure with E notation number

Links to More Info: BT1286101

Component: Application Security Manager

Symptoms:
An unexpected JSON Schema validation failure is seen with E notation number.

Conditions:
The E notation is without a dot.

For example, the following trigger this issue:

- 0E-8
- 0e-8

But, the following do not trigger this issue:

- 0.0E-8
- 0.0e-8

The problematic E notation number is used in object value, and the object is under an array, and the object is not the last member of the array.

Impact:
False positive.

Workaround:
Use E notation with a dot or disable schema validation violation.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1285173-3 : Improper query string handling on undisclosed pages

Links to More Info: K000133474, BT1285173


1284993-1 : TLS extensions which are configured after session_ticket are not parsed from Client Hello messages

Links to More Info: BT1284993

Component: Local Traffic Manager

Symptoms:
When the client Hello message contains session_ticket extension, it was observed that the extensions which are configured after the session ticket extension were not processed and all the extensions are being ignored.

Conditions:
Configure SSL extensions along with session_ticket extension.

Impact:
A few requests are not forwarded correctly, for example, in scenario where server_name extension is configured after session_ticket but due to the current issue, [SSL::extensions exists -type 0] is returning 0 even though the server_name extension is present in Client Hello.

Workaround:
Configure all the required extensions before the session_ticket extension.

Fix:
TLS extensions which are configured after session_ticket are not parsed from Client Hello messages. Changes have been made in such a way that ext_sz variable which holds the size of all the extns configured in client Hello message is not limited to SSL_SZ_SESSIONID which is 32 bytes.

Fixed Versions:
17.1.1, 16.1.4


1284969-1 : Adding ssh-rsa key for passwordless authentication

Links to More Info: BT1284969

Component: TMOS

Symptoms:
In FIPS 140-3, SSHD does not support the ssh-rsa key for passwordless authentication.

Conditions:
The system must be in FIPS 140-3 mode.

Impact:
SSHD does not support the ssh-rsa key for passwordless authentication.

Workaround:
None

Fix:
SSHD should support the ssh-rsa key for passwordless authentication.

Fixed Versions:
17.1.0.1, 16.1.4


1284589-2 : HTTP CONNECT request from client is not successful with iRule HTTP::disable discard command

Links to More Info: BT1284589

Component: Local Traffic Manager

Symptoms:
When you use HTTP::disable discard command, proxy connect/ connection to server is not established.

Conditions:
-> Basic HTTP VS
-> iRule
when HTTP_REQUEST {
HTTP::disable discard
node <ip port>
}

Impact:
HTTP CONNECT requests from clients hangs.

Workaround:
Use HTTP::disable command

Fixed Versions:
16.1.4


1283645 : Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued

Links to More Info: BT1283645

Component: Access Policy Manager

Symptoms:
The WebView based End Point Inspection does not work in Mac Edge Client.

Conditions:
When using Edge Client on MacOS "Ventura" 13.3 Beta2 and later.

Impact:
Affected MacOS Edge client is unable to proceed with establishing the VPN connection.

Workaround:
Use the browser-based VPN. Note that there are some limitations if you are using your VPN in the AutoConnect mode and in the Blocked mode; it means the system cannot access the external network until you are disconnected.

The issue is not fixed in the BIG-IP versions 14.1.5.5, 16.1.3.5, and 17.1.0.2 releases. Refer to the KB article K000134990 for recommended actions.

Fix:
The issue is fixed by invoking the EPI helper application instead of the inspection host plugin in Mac Edge Client running on 13.3 and newer.

For more details on the deployment of the fix, refer to the K000133476 article.

For more details regarding the issue, refer to the K000132932 article.

Fixed Versions:
17.1.0.3, 16.1.4, 15.1.9, 14.1.5.6


1282357-1 : Double HTTP::disable can lead to tmm core

Links to More Info: BT1282357

Component: Local Traffic Manager

Symptoms:
Calling the HTTP::disable command more than once in an irule can result in the tmm process crashing.

Conditions:
->Basic http configuration
-> iRule
when CLIENT_ACCEPTED {
    set collects 0
    TCP::collect
}
when CLIENT_DATA {
    if { $collects eq 1 } {
        HTTP::disable
        HTTP::disable
    }
    TCP::release
    TCP::collect
    incr collects
}
when HTTP_REQUEST {
    log local0. "Request"
    }
when HTTP_DISABLED {
    log local0. "Disabled"
}

Impact:
BIG-IP may crash during an HTTP CONNECT request from a client.

Workaround:
Avoid calling HTTP::disable more than once per connflow

Fix:
Treat disable via iRule as a NOP when a disable is in progress

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1282181-1 : High CPU or increased translation errors following upgrade or restart when DAG distribution changes

Component: TMOS

Symptoms:
Dagv2 tables are randomized and may change when a tmm is restarted. This can result in a change of traffic distribution, which in some cases may lead to traffic disruption.

The specific condition when this option was introduced is using a CGNAT pool that is not large enough.

Other ways of encountering include increased translation failed errors following an upgrade or restart or blade replacement.

Conditions:
- tmm is restarted (or chassis rebooted)

Impact:
- dag distribution changes which may cause a traffic disruption.

Workaround:
You can restart tmm until the distribution is good, which can be checked using tools like cmp_dest.

Fix:
Added a DB variable to control dagv2 behavior.
A tmm restart is required after locking the new dag tables.

Behavior Change:
A new DB variable is available that allows you to lock the current dagv2 tables:

tmsh modify sys db dag.dagv2.pgs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_pgs -s table)
tmsh modify sys db dag.dagv2.hsbs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_hsbs -s table)
tmsh modify sys db dag.dagv2.mirror.pgs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_mirror_pgs -s table)
tmsh modify sys db dag.dagv2.mirror.hsbs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_mirror_hsbs -s table)

It's important to store both normal and mirroring tables because of internal dag workings.
The change also requires cmp state to be the same as defined in tables - this is important in case a blade is lost etc.

This also works on SP DAG in LSN NAPT deployments

Fixed Versions:
16.1.4


1281709-3 : Traffic-group ID may not be updated properly on a TMM listener

Links to More Info: BT1281709

Component: Local Traffic Manager

Symptoms:
A few virtual servers may belong to incorrect traffic-group after a full sync or when mcp transaction is performed.

Conditions:
- The BIG-IP High Availability (HA) is configured with full load on sync.
- Traffic-group is changed on a virtual-address belonging to multiple virtuals.
- Sync happens, leaving the device receiving a sync in an incorrect state.

OR

An MCP transaction that is updating a virtual-address along with a profile change on a virtual-server is executed.

Impact:
Listeners may not belong to a correct traffic group and the the traffic is not forwarded.

Workaround:
Use an incremental sync. Do not use MCP transactions.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1281637-1 : When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE

Links to More Info: BT1281637

Component: Local Traffic Manager

Symptoms:
A RST_STREAM is observed from BIG-IP to server after receiving response from server.

Conditions:
- HTTP/2 full proxy configuration.
- Server to send a DATA_FRAME with END_STREAM flag with a delay.

Impact:
Once the server gets around to process the RST_STREAM, it stops accepting new requests on that connection.

Workaround:
None

Fix:
The message HUDEVT_RESPONSE_DONE is delayed until the HTTP completes EV_BODY_COMPLETE action.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1271349-3 : CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy

Links to More Info: K000133098, BT1271349


1269889-3 : LTM crashes are observed while running SIP traffic and pool members are offline

Links to More Info: BT1269889

Component: Service Provider

Symptoms:
Crash may occur while processing HTTP traffic that involves persist record and the use of pick_host, following is an example:
set dest_host [MR::message pick_host peer

Conditions:
- When all pool members are offline or there are no pool members in the pool.

Impact:
TMM is inoperative while reloading after crash.

Workaround:
Avoid use of the following pick_host, particularly the use of carp:

MR::message pick_host peer <peer-object-name> [carp <carp-key>]

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1269733-3 : HTTP GET request with headers has incorrect flags causing timeout

Links to More Info: BT1269733

Component: Local Traffic Manager

Symptoms:
The 504 Gateway Timeout pool member responses are generated from a Microsoft webserver handling HTTP/2 requests.

The tcpdump shows that the HTTP/2 stream sends the request without an appropriate End Stream flag on the Headers packet.

Conditions:
The server has to provide settings with max-frame-size small enough to force BIG-IP to split the headers across multiple HTTP/2 frames, otherwise this issue does not occur.

Impact:
The HTTP GET request causing timeout.

Workaround:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1268521 : SAML authentication with the VCS fails when launching the applications/remote desktops from the APM Webtop when multiple RD resources are assigned to the APM Webtop

Links to More Info: BT1268521

Component: Access Policy Manager

Symptoms:
User fails to authenticate when VMware VDI with SAML authentication is used with multiple RD resources assigned to Webtop.

Conditions:
1. Webtop is used to connect to a remote desktop.
2. Multiple VCS servers are used.
3. SAML authentication is configured in remote desktop SSO configuration.

Impact:
Remote desktop is not opened.

Workaround:
None

Fix:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1265425-2 : Improper query string handling on undisclosed pages

Links to More Info: K000134535, BT1265425


1259489-3 : PEM subsystem memory leak is observed when using PEM::subscriber information

Links to More Info: BT1259489

Component: Policy Enforcement Manager

Symptoms:
TMM may show a higher memory allocation in the PEM category observed in the memory_usage_stat table.

Conditions:
- PEM is provisioned.

- PEM iRules are used that access PEM::session or PEM::subscriber information.

Impact:
TMM can have excessive memory consumption.

Workaround:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1256841-1 : AWS Metadata crawling fails due to incorrect cloud provider name set by cloud-init script

Links to More Info: BT1256841

Component: TMOS

Symptoms:
On the customer’s BIG-IP instances, the cloud-init script fails to render the cloud provider’s name correctly. And so, cloud_name=unknown is set.

Conditions:
Deploy BIG-IP VE on AWS in autoscaling group (1-NIC deployments) using Terraform.

Impact:
Whenever the cloud provider is not set to AWS, the DataSourceEc2.py cloud-init script, which is supposed to set up minimal network config with an ephemeral interface including fetching DHCP lease info, fails to do what it is supposed to and as a result metadata service is unreachable

Workaround:
The Identify_aws function is responsible to set the cloud name as AWS. The existing function fails when the network is not up. The customer had faced a similar issue. I have modified the function to check for UUID and serial. As these are available during boot-up itself, we are not dependent on network status.

Fix:
Cloud-init now renders the cloud provider name (AWS) successfully. It does not depend on the network status anymore. Thus, AWS metadata crawling goes through smoothly.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1256777-3 : In BGP, as-origination interval not persisting after restart when configured on a peer-group.

Links to More Info: BT1256777

Component: TMOS

Symptoms:
When as-origination interval is configured on a peer-group the setting might not survive a process restart or configuration reload.

Conditions:
- When as-origination interval is configured on a peer-group.

Impact:
The as-origination interval resets to default (15s) after a process restart or configuration reload.

Workaround:
None

Fixed Versions:
17.1.1, 16.1.4


1252537-3 : Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role

Links to More Info: BT1252537

Component: TMOS

Symptoms:
The Resource Admin role has reboot and shutdown options are available in GUI but unavailable in TMSH.

Conditions:
- Resource Admin accessing reboot and shutdown options in TMSH.

Impact:
Limited availability, forces Resource Admin to use GUI.

Workaround:
Resource admin can still use GUI to initiate a reboot or shutdown.

Fix:
Resource Administrator can now initiate a reboot and shutdown using both the GUI or TMSH.

Fixed Versions:
17.1.1, 16.1.4


1252005 : VMware USB redirection does not work with DaaS

Links to More Info: BT1252005

Component: Access Policy Manager

Symptoms:
User is unable to access a USB device connected to the client machine in remote desktop using an APM VDI and VMware DaaS setup.
Note: This works as expected if a VCS server is used.

Conditions:
1. VMware DaaS setup is used
2. APM VDI desktop resource is accessed from native client or desktop

Impact:
USB device is not available.

Workaround:
None.

Fix:
USB device should be available

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1250085-3 : BPDU is not processed with STP passthough mode enabled in BIG-IP

Links to More Info: BT1250085

Component: Local Traffic Manager

Symptoms:
- Connected interfaces under a VLAN.
- Bridge Protocol Data Unit (BPDU) is not transmitted through BIG-IP which is in passthrough mode.
- Can see DST MAC STP (Mac: 01:80:c2:00:00:00) IN packets and missing OUT packets in TCP dump.
- No packet drop for DST MAC PVST (MAC:01:00:0C:CC:CC:CD) and VTP (MAC:01:00:0C:CC:CC:CC).
  tshark -nnr < .pcap >

Conditions:
- Platforms C117, C115, C112, and C113

Impact:
BPDU packets will not pass through other devices if BIG-IP is in the middle of the topology with passthrough mode enabled.

Workaround:
None

Fix:
STP passthrough mode now works as expected on C117, C115, C112, and C113 platforms

Fixed Versions:
17.1.1, 16.1.4


1240937-3 : The FastL4 TOS specify setting towards server may not function for IPv6 traffic

Links to More Info: BT1240937

Component: Local Traffic Manager

Symptoms:
The ip-tos-to-server setting in a FastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a serverside flow. There are three special values mimic, pass-through, and specify.

The "specify" setting causes the TMM to set the egress TOS to the specific value configured from GUI for that connflow.

The IPv6 serverside egress TOS is not set to the expected "specify" value. No issue is observed with IPv4 connflow.

Conditions:
- FastL4 profile with ip-tos-to-client set to "specify" with value.
-Connflow is IPv6.

Impact:
The IPv6 serverside egress TOS is not set to the expected value.

Workaround:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1240121-1 : CVE-2023-46747 and CVE-2022-36760: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp

Links to More Info: K000132643, BT1240121


1239901-2 : LTM crashes while running SIP traffic

Links to More Info: BT1239901

Component: Service Provider

Symptoms:
LTM crashes are observed while running SIP traffic.

Conditions:
Crash may occur while processing HTTP traffic that involves persist record and the use of pick_host, following is an example:
set dest_host [MR::message pick_host peer

Impact:
TMM is inoperative while reloading after crash.

Workaround:
Avoid use of the following pick_host, particularly the use of carp:

MR::message pick_host peer <peer-object-name> [carp <carp-key>]

Fix:
TMM does not crash while running SIP traffic.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1238693-2 : Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519

Links to More Info: BT1238693

Component: TMOS

Symptoms:
In FIPS 140-3 mode, SSHD does not support rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms, it supports ed25519 which is not FIPS approved.

Conditions:
System must be in FIPS 140-3 mode.

Impact:
SSHD does not support rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms, it supports ed25519 which is not FIPS approved.

Workaround:
None

Fix:
SSHD should support rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and must reject ED25519.

Fixed Versions:
17.1.0.1, 16.1.4


1238629-1 : TMM core when processing certain DNS traffic with bad actor (BA) enabled

Links to More Info: K000137521, BT1238629


1238413-3 : The BIG-IP might fail to update ARL entry for a host in a VLAN-group

Links to More Info: BT1238413

Component: Local Traffic Manager

Symptoms:
ARP requests through a transparent or translucent VLAN-group might fail.

The command "tmsh show net arp" displays the VLAN as the VLAN-group rather than a child VLAN. This symptom might be intermittent.

Conditions:
- A transparent or translucent VLAN-group is configured.

- ARP requests passing through the VLAN-group.

- Higher gaps (approximately 9 hours) in layer 2 traffic seen by the BIG-IP from the target of the ARP request.

Impact:
ARP resolution failure.

Workaround:
Create a monitor on the BIG-IP to monitor the target of the ARP resolution. This will ensure that layer 2 traffic is seen by the BIG-IP from that host, keeping the ARL entries current.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1238321-4 : OpenSSL Vulnerability CVE-2022-4304

Links to More Info: K000132943


1238249-1 : PEM Report Usage Flow log is inaccurate

Links to More Info: BT1238249

Component: Policy Enforcement Manager

Symptoms:
PEM Report Usage Flow log for Flow-duration-seconds and Flow-duration-milli-seconds sometimes report incorrectly.

Conditions:
- HSL logging is configured.

Impact:
The statistics for flow duration report longer than the actual, this can result in showing incorrect data and can impact the policy behaviour.

Workaround:
None

Fix:
Updated the flow duration calculation for Flow-duration-seconds and Flow-duration-milli-seconds.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1235813-9 : OpenSSL vulnerability CVE-2023-0215

Links to More Info: K000132946, BT1235813


1235801-4 : OpenSSL vulnerability CVE-2023-0286

Links to More Info: K000132941, BT1235801


1232997-1 : IPSEC: The tmm process may exit with 'Invalid policy remote index'

Links to More Info: BT1232997

Component: TMOS

Symptoms:
The tmm process restarts after logging the following message to /var/log/tmm*:

notice panic: iked/isakmp.c:2338: Assertion "Invalid policy remote index" failed.

Conditions:
May occur during an SA deletion or an update of IPsec configuration.

Impact:
Unexpected high availability (HA) failover, or interruption to traffic processing on a standalone unit, while the tmm process restarts.

Workaround:
None

Fix:
When the remote index is null, the system gracefully fails the init packet creation. Continuous traffic to the BIG-IP system retriggers the tunnel, and the IPsec config will be updated by then.

Fixed Versions:
16.1.4, 15.1.10


1232977-3 : TMM leaking memory in OAuth scope identifiers when parsing scope lists

Links to More Info: BT1232977

Component: Access Policy Manager

Symptoms:
It is observed that oauth_parse_scope fails to increment the index then storing discrete scope identifiers into the output array. Thus all scope identifiers are stored in element 0 and all but the last element parsed are leaked.

Conditions:
OAuth functionality, scope comparisons happen if a scope is provided in request.

Impact:
Failure of High Availability (HA) due to memory issues in TMM over time.

Workaround:
None

Fix:
Increment the index so that all scope identifiers are stored and parsed without any leaks.

Fixed Versions:
17.1.1, 16.1.4


1232521-2 : SCTP connection sticking on BIG-IP even after connection terminated

Component: TMOS

Symptoms:
After an SCTP client has terminated, the BIG-IP still shows the connection when issuing "show sys conn protocol sctp"

Conditions:
Under certain conditions, an SCTP client connection may still exist even if the client has sent a SHUTDOWN request.

Impact:
Memory resources will be consumed as these type of lingering connections accumulate

Fix:
SCTP connections are properly internally closed when required.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1230709-1 : Remove unnecessary logging with nsec3_add_nonexist_proof

Links to More Info: BT1230709

Component: Global Traffic Manager (DNS)

Symptoms:
For few DNSSEC queries to non-existent domains, NSEC3 records will be missing.
Following log message is included:

nsec3_add_nonexist_proof: to_prove returns NULL with qname

Conditions:
Receives DNSSEC request to a non-existent query.

Impact:
Missing NSEC3 records.

Workaround:
None

Fixed Versions:
16.1.4, 15.1.10


1229417-2 : BIG-IP iRulesLX: CVE-2020-7774 nodejs-y18n prototype pollution vulnerability

Component: Local Traffic Manager

Symptoms:
A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality.
It may cause denial of service and data integrity when untrusted input via locale.

Conditions:
Denial of service or in rare circumstances, impact to data integrity or confidentiality

Impact:
When node inspector gets untrusted input passed to y18n, it may affect data confidentiality and system availability.

Workaround:
NA

Fix:
The library has been patched to address the issue.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1229369-3 : The fastl4 TOS mimic setting towards client may not function

Links to More Info: BT1229369

Component: Local Traffic Manager

Symptoms:
The ip-tos-to-client setting in a fastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a clientside flow. There are two special values - 'mimic' and 'pass-through'.

The mimic setting causes tmm to set the egress TOS to the value seen on the last ingress packet for that connflow.

In affected versions of BIG-IP, this is not set correctly, and behaves like pass-through (uses the TOS value seen arriving on the serverside flow)

Conditions:
FastL4 profile with ip-tos-to-client set to "mimic" (shown as the value 65534 in tmsh)

Impact:
The clientside egress TOS is not set to the expected value

Workaround:
Use an irule to set IP::tos to the desired value. Note that processing every packet with an irule will incur a performance penalty.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1226121-2 : TMM crashes when using PEM logging enabled on session

Links to More Info: BT1226121

Component: Policy Enforcement Manager

Symptoms:
TMM may crash when using PEM logging.

Conditions:
When a sessions has PEM logging enabled on it:
pem global-settings subscriber-activity-log

Impact:
TMM crashes and restarts, losing all prior connection.

Workaround:
Disabling PEM logging on sessions will avoid the issue.

Fix:
PEM session logging can be used as expected.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1225789-2 : The iHealth API is transitioning from SSODB to OKTA

Links to More Info: BT1225789

Component: TMOS

Symptoms:
The iHealth is switching to OKTA from using SSODB for authentication. The ihealth-api.f5.com and api.f5.com are replaced by ihealth2-api.f5.com and identity.account.f5.com.

Conditions:
- Authentication

Impact:
Qkview file will not be uploaded to iHealth automatically.

Workaround:
Qkview file must be uploaded manually to iHealth.

Fix:
Qkview file will be uploaded to iHealth automatically once Client ID and Client Secret are configured.
TMSH interface will still display ihealth user/password rather than client ID/ Client Secret. For more details, see article K000130498.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1224409 : Unable to set session variables of length >4080 using the -secure flag

Links to More Info: BT1224409

Component: Access Policy Manager

Symptoms:
Secure Session Variables are limited to 4k length in the access filter, unable to set variables of length >4080 using the "ACCESS::session data set -secure". On trial an error "Operation not supported" gets raised in LTM.

Conditions:
The limit imposed on the maximum URI in CL1416175 in 2015 restricts setting secure session variables greater than 4K in size.

Impact:
Customers have the requirement of setting variables more than 6K in length, but due to internal limits imposed on the session variables they are unable to capture them in the session.

Workaround:
None

Fix:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1224125-1 : When you upgrade to 16.1.3.2 or 17.1, keys that are not approved in FIPS 140-3 are permitted to be used.

Links to More Info: BT1224125

Component: TMOS

Symptoms:
As part of the upgrade from older versions to 16.1.3.2 and 17.1, the use of non-approved keys as per FIPS 140-3 standards is permitted for RSA keys with a length of 1024 and 512 bits, as well as for EC521, DSA, and SM2 keys.
It should be noted that the creation of new keys is not permitted.

Conditions:
The FIPS 140-3 non-approved ciphers, that is, RSA keys with a length of 1024 and 512 bits, EC521, DSA and SM2 keys are only permitted in the following cases:
1) When upgrading from the older versions to FIPS 140-3 supported versions (16.1.3.2 and 17.1)
2) Importing UCS from the older versions to FIPS 140-3 supported versions (16.1.3.2 and 17.1)

Impact:
Non-Approved keys could exist in the configuration after the BigIP version upgrade and UCS installation on a FIPS 140-3 approved system.

Workaround:
When upgrading or installing UCS, ensure that you do not use any non-approved ciphers (as per FIPS 140-3) in the configuration.

Fix:
Added a warning message in /var/log/ltm when non-approved keys are imported during upgrade or UCS installation

Sample log:
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b5004e:4: /Common/TEST_KEY_SI_2.key: FIPS 140-3 mode does not support the use of key sizes 512 and 1024.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b5004e:4: /Common/TEST_KEY_SI_23.key: FIPS 140-3 mode does not support the use of key sizes 512 and 1024.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b50050:4: /Common/TEST_KEY_TYPE_DSA2.key: FIPS 140-3 mode does not support the use of private and public keys of type DSA and SM2.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b50050:4: /Common/TEST_KEY_TYPE_DSA.key: FIPS 140-3 mode does not support the use of private and public keys of type DSA and SM2.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b50052:4: /Common/TEST_KEY_curve3.key: FIPS 140-3 mode does not support EC curve secp521r1.

Fixed Versions:
17.1.0, 16.1.4


1223369-3 : Classification of certain UDP traffic may cause crash

Links to More Info: K000135946


1220629-3 : TMM may crash on response from certain backend traffic

Links to More Info: K000137675, BT1220629


1216573-1 : AFM Learning Domain issue when trying with many valid domains

Links to More Info: BT1216573

Component: Advanced Firewall Manager

Symptoms:
Trying with too many valid domains and not all these domains have entries created in the NXDOMAIN table when they are trying to do learning.

Conditions:
The NXDOMAIN vector is enabled be it at the device level, virtual server level, or at both levels.

Impact:
We will not be able to honor the legitimate DNS A query when we have an NXDOMAIN attack detected.

Workaround:
None

Fixed Versions:
16.1.4


1216297-1 : TMM core occurs when using disabling ASM of request_send event

Links to More Info: BT1216297

Component: Application Security Manager

Symptoms:
When adding an iRule to disable ASM on request_send event, the TMM core occurs.

Conditions:
ASM is provisioned and attached to policy.
Add iRule that disables ASM and HTTP on HTTP_REQUEST_SEND event.

Impact:
TMM cores, system is down.

Workaround:
Remove the iRule, or disable ASM for all events of the URL.

Fixed Versions:
17.1.1, 16.1.4


1215401-1 : Under Shared Objects, some country names are not available to select in the Address List

Links to More Info: BT1215401

Component: Advanced Firewall Manager

Symptoms:
Users can create a shared object list to define countries to block traffic from. On searching a name, a list will be shown from which the user can choose and add it to the address list.

There is a limit of only 8 entries in the drop-down menu to choose from.

Some countries are not shown in this list due to the ordering of entries returned from the database.

Conditions:
DOS is enabled

Impact:
As some countries are not available to select, they cannot be included in the Address List to block traffic.

Workaround:
Instead of the country (which is not available to select), all the regions within the country can be added to the block list. This is very cumbersome and error-prone as the list of regions should be known that are configurable in BIG IP.

Fix:
The database query is modified such that the list of countries is ordered first followed by a list of countries with regions.

Fixed Versions:
16.1.4, 15.1.9


1213469-1 : MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP is dropped

Links to More Info: BT1213469

Component: Service Provider

Symptoms:
BIG-IP does not translate the SDP or via headers IP with listener IP for an outbound call which causes it to drop the 200 OK response.

Conditions:
In SIP ALG, the INVITE request contains an FQDN Route header.

Impact:
Media pinholes are not created for INVITE.

Workaround:
In the SIP_REQUEST event, a specific Route header could be removed and Insert it again in the SIP_REQUEST_SEND event before sending the request out. For example,

when SIP_REQUEST {
    set pd_route_hdr_count [SIP::header count Route]
    set pd_route_unset 0
    set pd_route [SIP::header Route]

    if {[SIP::method] == "INVITE" && ($pd_route_hdr_count equals 1) && $pd_route contains "sip:someclient.site.net;lr" } then {
SIP::header remove "Route"
set pd_route_unset 1
    }
}

when SIP_REQUEST_SEND {

if {[SIP::method] == "INVITE" && ($pd_route_unset == 1)} {
SIP::header insert "Route" $pd_route
    }
}

Fix:
In SIP ALG, if the Route header is FQDN in INVITE, then it should allow it to pass without any modification.

Fixed Versions:
17.1.1, 16.1.4


1213333 : Check box to select all attack signatures does not work properly

Links to More Info: BT1213333

Component: Application Security Manager

Symptoms:
The check box to select all attack signatures does not select all attack signatures correctly

Conditions:
After creating ASM policy navigate to attack-signatures section :
Security ›› Application Security : Security Policies : Policies List ›› phpauction
Click on the check box

Impact:
Attack signatures are not selected properly

Workaround:
None

Fix:
Check box selects all attack signatures correctly

Fixed Versions:
16.1.4


1213305-3 : Improper query string handling on undisclosed pages

Links to More Info: K000132726, BT1213305


1211513-2 : HSB loopback validation feature

Links to More Info: BT1211513

Component: TMOS

Symptoms:
Send validation loopback packets to the HSB on the BIG-IP platforms.

Conditions:
This issue occurs while running a BIG-IP hardware platform with HSB.

Impact:
There is no impact. This is a new diagnostic feature.

Workaround:
None

Fix:
Loopback validation now occurs on hardware platforms equipped with HSB.

Behavior Change:
A new diagnostic feature + failsafe periodically sends validation loopback packets to the HSB on BIG-IP platforms that have this hardware component. This feature adds 2 new db variables that can be altered with tmsh modify sys db:

tmm.hsb.loopbackValidation:
This is enabled by default. Setting to disabled will cause loopback validation packets to stop being sent.

tmm.hsb.loopbackvalidationErrthreshold:
Set to 0 by default. If this value is set to 0, BIG-IP will only log corruption detection without taking any action. If set to a value greater than 0, an HSB nic_failsafe will be triggered when the number of detected corrupt loopback packets reaches this value. (An HSB reset typically dumps some diagnostic information in /var/log/tmm and reboots the system).

If a validation loopback packet is found to be corrupted, one or more messages like the following will appear in /var/log/tmm:

notice HSB loopback corruption at offset 46. tx: 0x4f, rx: 0x50, len: 2043

These logs are rate-limited to 129 logs per 24-hour period. If tmm.hsb.loopbackvalidationErrthreshold is set to a value greater than 0 and the number of corrupt packets reaches this value, the following log message will also appear:

notice Reached threshold count for corrupted HSB loopback packets

This log message will then be typically followed by a reboot.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1211341-4 : Failed to delete custom monitor after dissociating from virtual server

Links to More Info: BT1211341

Component: Global Traffic Manager (DNS)

Symptoms:
When dissociated from virtual server, unable to delete custom monitor.

Conditions:
- Dissociate the custom monitor from virtual server
- Delete the custom monitor

Impact:
Unable to delete custom monitor.

Workaround:
None

Fix:
The custom monitor can be deleted after dissociating from virtual server.

Fixed Versions:
17.1.0, 16.1.4, 15.1.10


1211297-3 : Handling DoS profiles created dynamically using iRule and L7Policy

Links to More Info: BT1211297

Component: Anomaly Detection Services

Symptoms:
Persistent connections with HTTP requests that may switch according to dynamic change of DoS policy (using iRule or L7Policy) can cause a TMM crash.

Conditions:
A request arrives to BIG-IP and is waiting to be served (it is delayed using iRule), however, if the DoS profile is unbound during that time from the virtual server and a dynamic DoS profile change decision is made, it could potentially cause the request to be incorrectly associated with a context that has already been freed.

Impact:
In few scenarios, when DoS policy is changed during connection lifetime, TMM might crash.

Workaround:
None

Fix:
No TMM crash due to persistent connections.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1211189-3 : Stale connections observed and handshake failures observed with errors

Links to More Info: BT1211189

Component: Local Traffic Manager

Symptoms:
SSL handshake fails.
Invalid or expired certificates are being used in the handshake.

Conditions:
- When the certificates in BIG-IP are expired and being renewed remotely.
- When the clientssl or serverssl profiles are dynamically being attached to a virtual server through iRule.

Impact:
SSL handshake fails.
Vitual server (SSL Profiles) use old or expired certificates.

Workaround:
Restart the TMM or BIG-IP to resolve the issue temporarily (until next expiry time of the certificates).

Fix:
None

Fixed Versions:
17.1.1, 16.1.4


1211021-4 : Enforcement does not happen for entries in new and modified IPI feed lists due to lock issues

Links to More Info: BT1211021

Component: Advanced Firewall Manager

Symptoms:
Entries added or updated in IP Intelligence (IPI) feed lists are not enforced. This occurs when threads in Dynamic White or Black Daemon (DWBLD) module are in deadlock.

Conditions:
- IPI license is enabled.
- Feed lists and policies are configured.

Impact:
Enforcement of entries in new and updated IPI feed lists does not happen.

Workaround:
Run the command "bigstart restart dwbld" to resolve the issue.

Check for "Empty items" message in /var/log/dwbld.log. If same message is seen for more than 100 times continuously, threads are in lock state and we can recover by restarting DWBLD module.

Fix:
The function "set_curl_state" was returning without unlocking mutex in a condition.
The mutex is now unlocked appropriately and prevents locking up of DWBLD threads.

Fixed Versions:
17.1.0, 16.1.4, 15.1.10


1210469-3 : TMM can crash when processing AXFR query for DNSX zone

Links to More Info: BT1210469

Component: Local Traffic Manager

Symptoms:
TMM crash with SIGABRT and multiple log messages with "Clock advanced by" messages.

Conditions:
Client querying AXFR to a virtual server or wideip listener that has DNSX enabled in the DNS profile and has a large amount of DNSX zones with a large amount of resource records.

Impact:
TMM cores and runs slow with "Clock advanced by" messages.

Workaround:
Disable zone transfer for the DNS profile associated with the virtual server.

Fix:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1209709-4 : Memory leak in icrd_child when license is applied through BIG-IQ

Links to More Info: BT1209709

Component: TMOS

Symptoms:
The memory use for icrd_child may slowly increase, eventually leading to an OOM condition.

Conditions:
License applied through BIG-IQ.

Impact:
Higher than normal control-plane memory usage, possible OOM related crash.

Workaround:
Periodically kill the icrd_child processes. The restjavad will restart them automatically.

Fix:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1209409-3 : Address lists with thousands of addresses can cause MCPD to become unresponsive and use 100% CPU

Links to More Info: BT1209409

Component: Advanced Firewall Manager

Symptoms:
If there are thousands of addresses in an address list, validation of the addresses can take extended time. While MCPD is validating the addresses it will use nearly 100% of the CPU. Also, during this time, other daemon might timeout their connection with MCPD and/or restart.

Conditions:
- Thousands of addresses in an address list.

Impact:
- Longer load /sys configuration time including on upgrade.

- Longer configuration sync time, where full configuration sync is more prone to cause this issue.

- Modifications using the webUI consume longer time and might timeout.

Depending on how long MCPD spends validating the addresses, other daemons, including TMM, might timeout their connection to MCPD and/or restart.

Workaround:
None

Fix:
The time it takes mcpd to validate an addresses list that contains nested address lists is greatly reduced.

Fixed Versions:
16.1.4


1208989-3 : Improper value handling in DOS Profile properties page

Links to More Info: K000132726, BT1208989


1208949-1 : TMM cored with SIGSEGV at 'vpn_idle_timer_callback'

Links to More Info: BT1208949

Component: Access Policy Manager

Symptoms:
TMM cores.

Conditions:
Network Access is in use.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None

Fix:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1208529-4 : TMM crash when handling IPSEC traffic

Links to More Info: K000132420, BT1208529


1208001-1 : iControl SOAP vulnerability CVE-2023-22374

Links to More Info: K000130415, BT1208001


1207661-4 : Datasafe UI hardening

Links to More Info: K000132768, BT1207661


1207381-3 : PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored

Links to More Info: BT1207381

Component: Policy Enforcement Manager

Symptoms:
From the following example, a PEM policy rule flow filter
 matches the traffic from any source address and any port, to any destination address and port 81 (the port number is an example):

Source Address    Source Port     VLAN     Destination Address      Destination Port
0.0.0.0/0         0               ANY      0.0.0.0/0                81

When the rule is updated through the GUI or CLI to match traffic from any source address and any port, to any destination address and any port:

Source Address    Source Port     VLAN     Destination Address      Destination Port
0.0.0.0/0         0               ANY      0.0.0.0/0                0

The updated rule is correctly saved into the configuration as shown by the GUI and the CLI, but the new flow filter does not filter the traffic as expected.

The actual flow filter being applied is still the one from the previous version of the policy rule (destination port 81 in the example).

Conditions:
An existing PEM policy rule flow filter that is updated through GUI or CLI selecting Source Port '0' ('any') and/or destination port '0' ('any').

Impact:
The updated flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule.

Workaround:
- Restart TMM to make the updated flow filter effective.

or

- Remove the flow filter altogether instead of replacing it with a filter like '0.0.0.0/0:0 --> 0.0.0.0/0:0' .
The intended result is the same: the rule will catch all traffic.

or

- Create a new additional rule with port number 0 and place in higher precedence (under the same policy).
    - For example, rule with precedence 10 allow flow for port 80 (instead of modifying this rule) and
    - Create a new rule with precedence 9 to allow flow for port "0" and delete the old rule.

Fix:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1205501-2 : The iRule command SSL::profile can select server SSL profile with outdated configuration

Links to More Info: BT1205501

Component: Local Traffic Manager

Symptoms:
Under few circumstances, an iRule selected server SSL profile can send previously configured certificate to the peer.

Conditions:
The iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made to the profile.

Impact:
The TLS handshake may use an outdated certificate that does not match the current configuration, potentially leading to handshake failures.

Workaround:
Terminate all traffic running on the virtual servers that are using the iRule command for the update to take effect.

or

Do not make changes to a profile that is actively being used by the iRule command.

Fix:
The server SSL profiles will now reloaded successfully after changes are made.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1205029 : WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application

Links to More Info: BT1205029

Component: Access Policy Manager

Symptoms:
In some cases of WEBSSO same token is sent to different sessions in the backend.

Conditions:
WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application

Impact:
Situations where JWTs (via WEBSSO / OAuth Bearer profile) are being sent downstream for requests which belong to a different user. The problem seems to be related to when these requests share the same client IP address. This is a big problem when clients are using NAT themselves to mask different users/sessions behind the same IP address.

Fix:
When sessions are different we are clearing the cache tokens so that new tokens are generated for different sessions.

Fixed Versions:
17.1.1, 16.1.4


1204961-4 : Improper query string handling on undisclosed pages

Links to More Info: K000132726, BT1204961


1204793-4 : Improper query string handling on undisclosed pages

Links to More Info: K000132726, BT1204793


1200929-2 : GTM configuration objects larger than 16384 bytes can cause the GTM sync process to hang

Links to More Info: BT1200929

Component: Global Traffic Manager (DNS)

Symptoms:
If GTM objects larger than 16384 bytes are created, then the GTM sync process will not complete. In addition, the gtm_add process (which requests a GTM sync for all objects) will not complete.

Following is the symptom for gtm_add:
After "Retrieving remote GTM configuration...", the process will pause for 300 seconds (5 minutes), and then exit, with a message "Syncer failed to retrieve configuration".

For a normal GTM sync, where gtm_add is not being used, the symptom is that the synchronisation of configuration changes is not working.

Conditions:
The presence of any MCPD object in the GTM configuration (/config/bigip_gtm.conf) which is larger than 16384 bytes, for example a large GTM rule.

Note: The GTM iRules are distinct from LTM iRules. Only GTM objects, such as GTM rules (applied to wideIPs) are relevant to this issue.

Impact:
Unable to complete GTM sync, unable to add a new GTM into the sync group.

Workaround:
Reduce the size of the problematic object to lower than 16384 bytes. For example, if the issue is with a GTM iRule, then try removing comments, blank lines, or unnecessary log statements that do not affect the functionality of the rule.

Fix:
None

Fixed Versions:
17.1.0, 16.1.4, 15.1.10


1196537-1 : BD process crashes when you use SMTP security profile

Links to More Info: BT1196537

Component: Application Security Manager

Symptoms:
The BD process may crash when an SMTP security profile is attached to a virtual server, and the SMTP request is sent to the same virtual server.

Conditions:
- SMTP security profile is attached to VS
- SMTP request is sent to VS

Impact:
Intermittent BD crash

Workaround:
N/A

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1196477-3 : Request timeout in restnoded

Links to More Info: BT1196477

Component: Device Management

Symptoms:
The below exception can be observed in restnoded log

Request timeout., stack=Error: [RestOperationNetworkHandler] request timeout.
At ClientRequest. <anonymous> (/usr/share/rest/node/src/infrastructure/restOperationNetworkHandler.js:195:19)

Conditions:
When BIG-IP is loaded with a heavy configuration.

Impact:
SSL Orchestrator deployment will not be successful.

Workaround:
1. mount -o remount,rw /usr
2. In getDefaultTimeout : function() at /usr/share/rest/node/src/infrastructure/restHelper.js

replace 60000 with required required timeout.
3. bigstart restart restnoded
4. mount -o remount /usr

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1196401-2 : Restarting TMM does not restart APM Daemon

Links to More Info: BT1196401

Component: Access Policy Manager

Symptoms:
Due to asynchronous nature of TMM threads and APM plugin channel threads, a core can trigger when TMM exited and APM Daemon (APMD) is still available with earlier TMM plugin handlers.

Conditions:
When TMM restarts and APM still has old TMPLUGIN handle (which will become invalid eventually).

Impact:
Might observe APMD core.

Workaround:
Restart APM, when TMM is restarted.

Fix:
Updated TMM bigstart scripts to restart APMD and related tm_plugin services.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1196033-2 : Improper value handling in DataSafe UI

Links to More Info: K000132726, BT1196033


1195489-2 : iControl REST input sanitization

Links to More Info: K000137522, BT1195489


1195385 : OAuth Scope Internal Validation fails upon multiple providers with same type

Links to More Info: BT1195385

Component: Access Policy Manager

Symptoms:
The Claim Validation in OAuth Scope Fails when two Azure providers with different tenant ID are provided in the JWT provider list such that, the non-expected provider comes first and expected one comes later. Once failure is logged OAuth flow is redirected to Deny Page.

Conditions:
When the list of providers are sent to TMM for Signature Validation the invalid provider is sent back as response indicating that it has passed the signature validation for the access_token that has been acquired in previous steps.

There are chances where Azure as AS might be using same key ID (kid) for different tenants, so in such cases even the invalid provider passes the signature validation.

In general practice, Claim Validation Comes after Signature Validation, when the invalid provider is sent back from TMM it fails Claim Validation in APMD.

Impact:
The policy rule displays the deny page.

Workaround:
None

Fixed Versions:
17.1.1, 16.1.4


1195377 : Getting Service Indicator log for disallowed RSA-1024 crypto algorithm

Links to More Info: BT1195377

Component: TMOS

Symptoms:
Displaying disallowed algorithm as approved. It must not display approved log for disallowed algorithms when FIPS license is installed on the platform.

Conditions:
- FIPS license is installed on the platform.
- Creating a bit key.

Impact:
Creating keys for approved algorithms only

Workaround:
Change log statements or do not create a key for disallowed algorithms.

Fix:
Approved log for disallowed algorithms is not displayed.

Fixed Versions:
17.1.0, 16.1.4


1195125 : "Failed to allocate memory for nodes of size 0, no variables found in query" BD log message fix

Links to More Info: BT1195125

Component: Application Security Manager

Symptoms:
A GraphQL query without variables in its query will cause the error message to be reported in BD logs, even though it's not an error.

Conditions:
A request with GraphQL query without variables.

Impact:
Error prints in the enforcer logs.

Fix:
No error reports are detected in the BD logs.

Fixed Versions:
16.1.4


1194173-2 : BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value

Links to More Info: BT1194173

Component: Application Security Manager

Symptoms:
Attack signature check is not run on normalised parameter value.

Conditions:
- A parameter with location configured as a cookie is present
  in the parameters list.
- Request contains the explicit parameter with URL encoded
  base64 padding value.

Impact:
- Attack signature not detected.

Workaround:
None

Fix:
The attack signature check runs on normalised parameter value.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1190365-3 : OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly

Links to More Info: BT1190365

Component: Application Security Manager

Symptoms:
The method used by ASM enforcer to serialize an OpenAPI object configured with "style:form", "explode:true", and "type:object" is not functioning as expected.

Conditions:
Repeated occurrences of parameter names in the query string with "type:object/explode:true/style:form" configured OpenAPI file.

Impact:
The violation "JSON data does not comply with JSON schema" is raised due to the repeated parameters from the query string with "array" configuration.

Workaround:
None

Fix:
The enforcer serializes the OpenAPI object correctly, no violation reported.
Note: In case of single occurrence of a parameter name in query string, it will be handled as a primitive (non-array) type.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1190353-3 : The wr_urldbd BrightCloud database downloading from a proxy server is not working

Links to More Info: BT1190353

Component: Policy Enforcement Manager

Symptoms:
Downloading BrightCloud database is not working with the proxy.

Conditions:
BrightCloud database download through Proxy management.

Impact:
URL categorization disruption as database not getting downloaded.

Workaround:
None

Fix:
Added the proxy settings in wr_urldbd BrightCloud database.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1189865-2 : "Cookie not RFC-compliant" violation missing the "Description" in the event logs

Links to More Info: BT1189865

Component: Application Security Manager

Symptoms:
When a request is blocked due to "Cookie not RFC-compliant' violation, the description field in the request log details is shown as "N/A" instead of having the description (for example "Invalid equal sign preceding cookie name" or "Invalid space in cookie name").

Conditions:
The violation is blocked due to "Cookie not RFC-compliant" violation and we are looking at the request log details.

Impact:
The description is empty and we can't know what is the problem with the request.

Fix:
After the fix, the description is shown in the request log details in the description field

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1189513-4 : SIP media flow pinholes are not created if SDP MIME multipart body part miss the content-length header

Links to More Info: BT1189513

Component: Service Provider

Symptoms:
The SIP MRF failed to extract the SDP data and not created media flow pinholes, if SDP Multipurpose Internet Mail Extensions (MIME) multipart body is not generated with content-length header.

Conditions:
An INVITE message contained a MIME multipart payload and body parts miss content-length header.

Impact:
Media flow pinholes are not created.

Workaround:
None

Fix:
The SIP MRF extracts the SDP information and media flow pinholes are created on the BIG-IP even when the SDP MIME body part does not have a content-length header.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1189465-3 : Edge Client allows connections to untrusted APM Virtual Servers

Links to More Info: K000132539, BT1189465


1189461-3 : BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-36858

Links to More Info: K000132563, BT1189461


1189457-3 : Hardening of client connection handling from Edge client.

Links to More Info: K000132522, BT1189457


1186925-4 : When FUA in CCA-i, PEM does not send CCR-u for other rating-groups

Links to More Info: BT1186925

Component: Policy Enforcement Manager

Symptoms:
When Final Unit Action (FUA) in CCA-i, the traffic is immediately blocked for that rating-group.
But, PEM does not send CCR-u for other rating-groups any more, which causes all other rating-groups traffic to pass through.
If FUA in CCA-u, everything works as expected.

Conditions:
When FUA received in in CCA-i.

Impact:
PEM receives FUA redirect first and ignores further requests.

Workaround:
Use iRule to remove FUA in CCA-i.

Fix:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1186437-1 : Link to Server Technologies is not working

Links to More Info: BT1186437

Component: Application Security Manager

Symptoms:
Link to configure Server technologies under category ' A6 Security Misconfiguration' of OWASP Top 10 dashboard says "The requested URL was not found on this server."

Conditions:
Click on category A6 - Server Technologies link

Impact:
Configuring Server technologies is not linking to the expected page

Workaround:
None

Fix:
Linked the correct page to Server Technologies; the policy configuration page

Fixed Versions:
16.1.4


1186401-2 : Using REST API to change policy signature settings changes all the signatures.

Links to More Info: BT1186401

Component: Application Security Manager

Symptoms:
When you use iControl REST to modify the signatures associated with a policy, the modifications are applied to all the signatures.

Conditions:
-- Create a policy named 'test'

-- Associate a signature set like "SQL Injection Signatures" to the policy
  For example, remove the "Generic Detection Signatures (High/Medium Accuracy)" set

-- Look at the low-risk signatures associated with the policy
 Commmand:
     curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' | jq . | head


-- Turn off staging for these signatures:
  Commands:
      curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": false }' -X PATCH | jq . | head
      curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": true }' -X PATCH | jq . | head

-- The "totalItems" shows that 187 signatures were changed

Impact:
The user was unable to leverage the REST API to make the desired changes to the ASM signature policy.

Workaround:
Add 'inPolicy eq true' to the filter
  Command :
      curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low+and+inPolicy+eq+true' -d '{ "performStaging": false }' -X PATCH | jq . | head

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1186385-1 : Link to 'Enforced Cookies' and 'SameSite Cookie Attribute Enforcement ' is opening the Policies List page

Links to More Info: BT1186385

Component: Application Security Manager

Symptoms:
The wrong page is linked to 'Enforced Cookies' and 'SameSite Cookie Attribute Enforcement'.

Conditions:
Clicking on Enforced Cookies or SameSite Cookie Attribute Enforcement

Impact:
You are taken to the Policies List page.

Workaround:
None

Fix:
Updated the correct links for both the entities

Fixed Versions:
16.1.4


1186249-2 : TMM crashes on reject rule

Links to More Info: BT1186249

Component: Local Traffic Manager

Symptoms:
The TMM crashes when the configuration has a rule that contains a reject in an HTTP_RESPONSE.

Conditions:
The crash happens when this rule is processed after a client has disconnected.

Impact:
TMM crashes every time this condition occurs.

Workaround:
If possible, avoid the use of reject or use HTTP::disable before the reject.

Fix:
Reject can be used without a crash.

Fixed Versions:
17.1.0, 16.1.4


1185421-4 : iControl SOAP uncaught exception when handling certain payloads

Links to More Info: K000133472, BT1185421


1185257-4 : BGP confederations do not support 4-byte ASNs

Links to More Info: BT1185257

Component: TMOS

Symptoms:
The BGP confederations do not support 4-byte AS numbers. Only 2-byte ASNs are supported.

Conditions:
Using BGP confederations.

Impact:
Unable to configure 4-byte AS number under BGP confederation.

Workaround:
None

Fix:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1185133-2 : ILX streaming plugins limited to MCP OIDs less than 10 million

Links to More Info: BT1185133

Component: Local Traffic Manager

Symptoms:
When trying to get started with iRules LX, every script attempted results in the following error:
"Sep 16 11:16:26 pid[6958] streaming tm_register failed"

Conditions:
MCP configuration (MCP OID's) should go beyond 10 million.

Impact:
Unable to run iRules LX streaming plugins.

Workaround:
The below command forces MCPD to load the configuration from the text file with an empty database, thus the OID counter is reset to 0.

bigstart stop
rm -f /var/db/mcpdb*
bigstart start

Fix:
The TMSTAT segment names are limited to 31 characters (not including terminating NUL). With 23 characters used by the constant portion, 8 characters are left for both OID and CPU. The CPU will be 1 or 2 characters, leaving 6 or 7 characters for the OID. When exceeded, the tmstat_create fails.
tmplugin_nodejsplugin_1000000_0 err 0
tmplugin_nodejsplugin_10000000_0 err -1

Change the plugin class from "nodejsplugin" to "nodejs" or similar, to allow 6 more digits of OID space (allowing to 10 trillion).

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1184929-1 : GUI link displays mixed values FULFILLED or Requirement Fulfilled and NOT FULFILLED or Requirement Not Fulfilled

Links to More Info: BT1184929

Component: Application Security Manager

Symptoms:
Mismatch of configuration seen on OWASP dashboard. GUI link displays mixed values FULFILLED or Requirement Fulfilled and NOT FULFILLED or Requirement Not Fulfilled

Conditions:
Entity details in OWASP compliance dashboard.

Impact:
GUI link displays inconsistent values for entity details.

Workaround:
None

Fix:
Values are updated to FULFILLED and NOT FULFILLED to maintain consitency.

Fixed Versions:
16.1.4


1184841-2 : Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API

Links to More Info: BT1184841

Component: Application Security Manager

Symptoms:
Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API.

Conditions:
- ASM-Sync enabled
- Auto-Sync enabled
- Updating URL through REST API

Impact:
Configuration will be de-synced.

Workaround:
Use TMUI to update configuration.

Fix:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1184153-2 : TMM crashes when you use the rateshaper with packetfilter enabled

Links to More Info: BT1184153

Component: Local Traffic Manager

Symptoms:
Tmm might crash when you use the packet-filter with the packetfilter.established option enabled, and when rate-class is applied via packet-filter rule.

Conditions:
- packet-filter with packetfilter.established option enabled.
  AND
- rate-class is applied via packet-filter rule.

Impact:
TMM crash/failover.

Workaround:
Do not apply rate-class via packetfilter or disable the packetfilter.established option.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1183453-1 : Local privilege escalation vulnerability (CVE-2022-31676)

Links to More Info: K87046687


1182353-3 : DNS cache consumes more memory because of the accumulated mesh_states

Links to More Info: BT1182353

Component: Global Traffic Manager (DNS)

Symptoms:
DNS cache consumes more memory and the mesh_states are accumulated quickly.

Conditions:
Mixed queries with rd flag set and cd flag set/unset.

Impact:
TMM runs out of memory.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1181613-1 : IPsec IKEv2: BIG-IP version 16.1.0 introduced RFC5996 non-compliance in IKE SA delete

Links to More Info: BT1181613

Component: TMOS

Symptoms:
After the deletion of an IKE SA, the child IPsec SAs will not be deleted.

Conditions:
-- IKEv2 IPsec tunnels
-- Tunnels use Route Domains.
-- An IPsec SA is deleted.

Impact:
The BIG-IP believes it still has valid IPsec SAs to use, while the remote peer does not. In this case, if the BIG-IP is normally the initiator, the tunnel will be unusable until the lifetime expires on the existing IPsec SAs.

Fix:
IPsec SAs are now deleted after the related IKE SA is deleted.

Fixed Versions:
17.1.0, 16.1.4


1180365-2 : APM Integration with Citrix Cloud Connector

Links to More Info: BT1180365

Component: Access Policy Manager

Symptoms:
* Configure Citrix cloud connector instead of Citrix Delivery controller to publish apps and desktops from the cloud configured using DaaS.
* Apps/Desktop will not be published.

Conditions:
* When Citrix cloud connector is used to publish apps instead of Citrix Delivery controller, once the user clicks on the App/Desktop, the cloud connector sends an empty response.
* Hence user will not be able to publish any apps/ Desktop.

Impact:
Users will not be able to publish any Apps/Desktops in webtop which are published through Citrix Cloud Connector.

Fix:
After integration of APM with Citrix Cloud Connector, the user is able to publish Apps/Desktops which are published through Citrix Cloud Connector.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1178221-3 : In IPsec IKEv2, packet memory corruption after retransmitted ISAKMP with NAT

Links to More Info: BT1178221

Component: TMOS

Symptoms:
When the retransmit happens, and other side is not reachable, the BIG-IP logs the "err packet length does not match field of ikev2 header" and then "ERR dropping unordered message".

Conditions:
Tunnel is established between Initiatior and Responder.
Responder is able to send DPD request. but not able to receive response.

Impact:
Wrong information logged.
DPD response packet corruption.

Workaround:
None

Fix:
Logs will display correct message.
Packet will not corrupt.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1174873-3 : Query string separators ? or / in MutiDomain or SAML use cases are incorrectly converted to "%3F" or "%2F"

Links to More Info: BT1174873

Component: Access Policy Manager

Symptoms:
In muti-domain Single Sign-On (SSO) or SAML Auth, the location header query string separator is converted from "?" to "%3F" or / to "%2F"

Conditions:
- Create an access policy with a redirect to login page.

Impact:
MultiDomain Auth or SAML Auth will fail

Workaround:
None

Fix:
A function that was used to normalize URLs was corrected.

Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3


1174085-1 : spmdb_session_hash_entry_delete releases the hash's reference

Links to More Info: BT1174085

Component: Policy Enforcement Manager

Symptoms:
multiple references accessing and trying to modify the same entry

Conditions:
when failover from active to stand by while stalling the connection

Impact:
Illegal access of the memory.

Workaround:
NA

Fix:
delete the entry for every reference

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1174033-2 : The UPDATE EVENT is triggered with faulty session_info and resulting in core

Links to More Info: BT1174033

Component: Policy Enforcement Manager

Symptoms:
The UPDATE EVENT requires a proper initialization of the session_info which in turn is used to set the tcl pcb's cmdctx. With properly defined cmdctx, the sess_data is populated successfully. But, without proper initialization of the session_info makes the cmdctx to carry incorrect vaules, thus resulting in a core when populating the sess_data.

Conditions:
Enable the Global UPDATE-EVENT option and make sure you log
some session attributes as part of the UPDATE EVENT.

Impact:
Results in a core.

Workaround:
None

Fix:
Triggering UPDATE EVENT is not causing any core.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1173669-1 : Unable to reach backend server with Per Request policy and Per Session together

Links to More Info: BT1173669

Component: Access Policy Manager

Symptoms:
It is observed that backend pool is not reachable.

Conditions:
The OAuth case with Per Request policy and Per Session together.

Impact:
Backend Pool is not reachable.

Workaround:
None

Fix:
Variables pushed with server configuration into per request flow are accessed with last rather than the server configuration.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1173493-4 : Bot signature staging timestamp corrupted after modifying the profile

Links to More Info: BT1173493

Component: Application Security Manager

Symptoms:
Bot signature timestamp is not accurate.

Conditions:
Have a bot signature "A" in staging, record the timestamp.
Using webUI, set another bot signature "B" to be in staging and click Save.
The time stamp on "A" is updated and shows the year 1970 in webUI.

Impact:
Can not verify from when the signature was in staging.

Workaround:
Use TMSH, instead of webUI, to update the profile.

Fix:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1173441-3 : The 'tmsh save sys config' call is being triggered when REST Authentication tokens (X-F5-Auth-Token) are deleted or expired

Links to More Info: BT1173441

Component: TMOS

Symptoms:
The 'tmsh save sys config' call is being triggered when REST authentication tokens (X-F5-Auth-Token) are deleted or expired.

Conditions:
The REST authentication tokens (X-F5-Auth-Token) are deleted or expired.

Impact:
There is no functional impact. However, in the BIG-IPs where there is huge configuration, a 'tmsh save sys config' call takes a lot of time and thus impacts the performance.

Workaround:
None

Fix:
The REST authentication tokens (X-F5-Auth-Token) are deleted or expired without triggering the 'tmsh save sys config' call as the call is unnecessary.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1168137-3 : PEM Classification Auto-Update for month is working as hourly

Links to More Info: BT1168137

Component: Traffic Classification Engine

Symptoms:
After configuring PEM classification signature auto-update as monthly, but it runs on hourly.

If the update schedule is set to daily or weekly, then the latest IM package is downloaded based on the set update schedule. But, when it is set to monthly, it is working on hourly.

Conditions:
Automatic updates for classification signatures is configured and enabled, and update schedule should be set to monthly.

Impact:
Classification update is not working on monthly basis.

Workaround:
None

Fix:
None

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1167985-2 : Network Access resource settings validation errors

Links to More Info: BT1167985

Component: Access Policy Manager

Symptoms:
When trying to add "0.0.0.0/1" under the IPV4 LAN Address Space and in a Network Access resource, the UI would throw such error:
"Invalid IP or Hostname"
 
When trying to add DNS Exclude Address Space starting with an underscore (such as "_ldap._tcp.dc._msdcs.test.lan"), the UI would throw such error:
01b7005b:3: APM Network Access (/Common/test) DNS name (_ldap._tcp.dc._msdcs.test.lan) is not a valid domain name

Conditions:
Use a Network Access resource in split tunneling mode.
Add "0.0.0.0/1" under the IPV4 LAN Address Space
Add DNS Exclude Address Space starting with an underscore

Impact:
Administrators could not correctly configure some network access resource settings.

Fixed Versions:
17.1.1, 16.1.4


1167941-3 : CGNAT SIP ALG INVITE loops between BIG-IP and Server

Links to More Info: BT1167941

Component: Service Provider

Symptoms:
On an inbound call on the ephemeral listener, if the INVITE message TO header is not registered, and From header is registered, then INVITE is sent out on the ephemeral listener which might cause a loop issue, if the server sends back the INVITE to BIG-IP again.

Conditions:
It occurs with inbound calls.

Impact:
It could lead to performance issue if the loop continues.

Workaround:
Step 1 or 2 can be used as a workaround based on the use case.
1)If the From and To headers are the same, 400 bad response is given.
Also, the packets are dropped in case the destination address is not translated.

ltm rule sip_in_rule {

    when SIP_REQUEST_SEND {
        if {[SIP::method] == "INVITE" && [IP::addr [IP::remote_addr] equals $localAddr]} {
            SIP::discard
        }
    }

    when SIP_REQUEST {
        set localAddr [IP::local_addr]
        set from [substr [SIP::header from] 0 ";"]
        set to [substr [SIP::header to] 0 ";"]
        if {[SIP::method] == "INVITE" && $from equals $to} {
            SIP::respond 400 "Bad Request"
        }
}

(tmos)# modify ltm virtual vs_alg_sip_private { rules { sip_in_rule } }


2)below Irule would drop all inbound calls.

ltm rule sip_drop_rule {
   when MR_INGRESS {
        if { [MR::transport] contains "_$" } {
            MR::message drop
        }
    }
(tmos)# modify ltm virtual vs_alg_sip_private { rules { sip_drop_rule } }

Fix:
BIG-IP will drop the messages in the following cases.
a)If From and To headers are the same in the sip INVITE message.
b)If the SIP INVITE message To header is not registered and From is registered.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1167929-4 : CVE-2022-40674 - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c

Links to More Info: K44454157, BT1167929


1167897-6 : [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c

Links to More Info: K44454157, BT1167897


1167889 : PEM classification signature scheduled updates do not complete

Links to More Info: BT1167889

Component: Traffic Classification Engine

Symptoms:
After configuring PEM classification signature updates to run at an defined interval, the updates may not actually occur.

Via tmsh:

   ltm classification auto-update settings { }

via GUI:

   Traffic Intelligence -> Applications -> Signature Update -> Automatic Update Settings


In the /var/log/ltm log, the following message may be seen

mcpd[xxxx]: 01070827:3: User login disallowed: User (guest) is not an administrator, does not have a UID of zero, and has not been assigned a role on a partition.

Conditions:
Automatic updates for classification signatures is configured and enabled.

Impact:
The classification updates do not occur.

Workaround:
Run the classification update manually.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1166449-2 : APM - NTLM authentication will stop working if any of DC FQDN is not resolvable in the configured DC list

Links to More Info: BT1166449

Component: Access Policy Manager

Symptoms:
NTLM authentication will stop working.

Conditions:
If any of the DC FQDN is not resolvable in the configured NTLM Auth Config DC list during below scenarios:
- Create/Modify NTLM Auth Configuration
- Restart ECA/NTLM service
- Restart, Power cycle or after upgrade
- Active/Stand by switch over.

Impact:
NTLM authentications targeted towards this NTLM Auth Config will start to fail.

Workaround:
User need to remove the non-resolvable DC FQDN from the NTLM Auth configuration's DC list.

Fix:
Fix will be provided to try FQDN resolution for all entries in the NTLM Auth configuration's DC list, NTLM Auth will proceed if at least one of the DC is resolvable and reachable.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1166329-2 : The mcpd process fails on secondary blades, if the predefined classification applications are updated.

Links to More Info: BT1166329

Component: TMOS

Symptoms:
If a user installs and deploys a classification update (classification-update-*.im) the predefined classification applications are changed to "user modified".

This change causes the mcpd process to fail and restart on secondary blades during startup.

Conditions:
- Multi-slot VIPRION or vcmp guest
- PEM provisioned
- Classification applications updated either with tmsh load sys config merge or by using the Signature Update option in the Traffic Intelligence tab from the GUI or tmsh

Impact:
No impact

Workaround:
None

Fixed Versions:
17.1.0, 16.1.4


1162081-6 : Upgrade the bind package to fix security vulnerabilities

Component: Global Traffic Manager (DNS)

Symptoms:
Upgrade the bind package to fix the following security vulnerabilities:

- CVE-2022-2795
- CVE-2022-2881
- CVE-2022-3080
- CVE-2022-38177
- CVE-2022-38178

Conditions:
Upgrade the bind package to fix the following security vulnerabilities:

- CVE-2022-2795
- CVE-2022-2881
- CVE-2022-3080
- CVE-2022-38177
- CVE-2022-38178

Impact:
Upgrade the bind package to fix the following security vulnerabilities:

- CVE-2022-2795
- CVE-2022-2881
- CVE-2022-3080
- CVE-2022-38177
- CVE-2022-38178

Workaround:
None

Fix:
Upgraded the bind package to 9.16.33.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1161965-3 : File descriptor(fd) and shared memory leak in wr_urldbd

Links to More Info: BT1161965

Component: Traffic Classification Engine

Symptoms:
When updating the customdb, fd and shared memory leaks were observed in wr_urldbd.

Conditions:
The issue happens when a urldb feed list is modified multiple times in a loop.

Impact:
Updating customdb will not work.

Workaround:
No

Fix:
Handled the updating of the customdb more efficiently to prevent any fd or shared memory leaks.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1161913-1 : Upgrades from BIG-IP versions 15.1.8, 15.1.8.1, 15.1.8.2, or v15.1.9 to 16.1.1, 16.1.2, 16.1.3 (not 16.1.4) or 17.0.x (but not 17.1.x) fail, and leaves the device INOPERATIVE

Links to More Info: BT1161913

Component: TMOS

Symptoms:
The loading configuration process fails after an upgrade from 15.1.8, 15.1.8.1, 15.1.8.2, or v15.1.9 to any 16.x (prior to 16.1.4), or to any 17.0.x release. Upgrades to 16.1.4 or 17.1.x are not affected.

The system posts errors similar to the following:

-- crit tmsh[16188]: 01420001:2: Can't load keyword definition (vlan.dag_adjustment) : framework/SchemaCmd.cpp, line 825
-- crit tmsh[25644]: 01420001:2: Can't load keyword definition (vlan.nti) : framework/SchemaCmd.cpp, line 825
-- Can't find matched schema tag for association's attribute fw_zone_log_profile.pzname during loading cli version syntax: 15.1.8
-- Can't find matched schema tag for association's attribute fw_protected_zone.pzname during loading cli version syntax: 15.1.8
-- Unexpected Error: "Can't load keyword definition (vlan.dag_adjustment)"
-- fatal: (Can't load keyword definition (vlan.nti)) (framework/SchemaCmd.cpp, line 825), exiting...
-- emerg load_config_files[16186]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Loading schema version: 15.1.8
-- err mcpd[10702]: 01070422:3: Base configuration load failed.

Conditions:
The issue occurs when an upgrade happens from one of the following releases:
-- BIG-IP version 15.1.8 or later in the v15.1.x branch.

to any of the following releases:

-- BIG-IP version 16.0 through v16.1.3.4
-- BIG-IP version 17.0 through v17.0.0.2

Impact:
After the upgrade, the configuration does not load. The system hangs at the base configuration load failure status and leaves the system inoperative.

Workaround:
It is not possible to avoid running into a config load failure when attempting the upgrade or restoring a UCS archive from v15.1.8 or v15.1.8.1 or v15.1.8.2 or v15.1.9 on one of the listed versions. However, as long as the system is not using the zone-based DDoS AFM functionality, it is possible to load the configuration after the upgrade via the manual workaround shown below. If upgrading to 16.1.4 or a later version there is no need to use this workaround, and it should not be used.

1. While the system is inoperative, log into the system as root or an administrative user and launch bash.

2. Copy and paste the following series of commands and run them in bash

### BEGIN COMMANDS
(shopt -s nullglob; sed -E -i.workaround.bak -e '/dag-adjustment /d' /config/bigip_base.conf /config/partitions/*/bigip_base.conf)
(shopt -s nullglob; sed -E -i -e '/^KEYWORD dag-adjustment/d' -e '/^KEYWORD nti/d' /var/libdata/tmsh/syntax/15.1.{8,9,10}*/auto_schema_data_net_cli.dat)

for dir in /var/libdata/tmsh/syntax/15.1.{8,9,10}*; do
    [ -d "$dir" ] || continue
    /bin/mv "$dir"/auto_schema_data_security_cli.dat{,.workaround.bak}
    awk '
        /^<REF_CMD fw-protected-zone / { refcmd=1; depth=1; next }
        /^<CMD fw-protected-zone/ { cmd=1; depth=1; next }
        /^<ASSOCIATION.*fw-protected-zone/ { depth=depth+1; next }
        /^>/ {
            if (refcmd || cmd) {
                if (!--depth) {
                    refcmd = 0;
                    cmd = 0;
                }
                next;
            }
        }
        /.?/ {
            if (refcmd || cmd) next
            print
        }' < "$dir"/auto_schema_data_security_cli.dat.workaround.bak > "$dir"/auto_schema_data_security_cli.dat
    /bin/rm "$dir"/auto_schema_data_security_cli.dat.workaround.bak
done
### END COMMANDS

3. Load the configuration again:

   tmsh load sys config

4. If the config loads successfully, save it once:

   tmsh save sys config

Fix:
None

Fixed Versions:
16.1.4


1161733-4 : Enabling client-side TCP Verified Accept can cause excessive memory consumption

Links to More Info: K000134652, BT1161733


1160805-2 : The scp-checkfp fail to cat scp.whitelist for remote admin

Links to More Info: BT1160805

Component: TMOS

Symptoms:
Attempt SCP file to BIG-IP:
/shared/images
root user success
remote admin user fails, following is an example:
sinkhole3:~$ scp test.iso apiuser@10.201.69.106:/shared/images
Password:
cat: /co: No such file or directory
cat: fig/ssh/scp.whitelist: No such file or directory
"/shared/images/test.iso": path not allowed

Conditions:
-- Running BIG-IP version with fix for ID 1097193.
-- Create remote admin user.
-- Use SCP command to transfer a file to remote admin user path.

Impact:
SCP command is not working for the remote admin users.

Workaround:
None

Fix:
Issue is with the Internal Field Separation (IFS) environment variable from /bin/scp-checkfp file. Following is an example for IFS:

IFS=$"\n" -->
This means, it expects a string character.

It should expect a character value to read the paths from the SCP files.

IFS=$'\n' -->
This means, it expects a character.

Fixed Versions:
16.1.4, 15.1.9


1159569-2 : Persistence cache records may accumulate over time

Links to More Info: BT1159569

Component: Local Traffic Manager

Symptoms:
The persistence cache records accumulate over time if the expiration process does not work reliably. The 'persist' memory type grows over time when multiple TMMs are sharing the records.

Conditions:
- Non-cookie, persistence configured.
- Multi TMM box
- Traffic that activates persistence is occurring.

Impact:
Memory pressure eventually impacts servicing of traffic in multiple ways. Aggressive mode sweeper runs and terminates active connections. TMM may restart. Traffic is disrupted while TMM restarts.

Workaround:
None

Fix:
Persistence records are now reliably expired at the appropriate time.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1159397-1 : The high utilization of memory when blade turns offline results in core

Links to More Info: BT1159397

Component: Policy Enforcement Manager

Symptoms:
The TMM memory utilization continue to increase after a blade turns offline.

Conditions:
Blade turns offline.

Impact:
The TMM memory utilization will finally cause out-of-memory errors or cores and TMM processes will restart. The service will be interrupted.

Workaround:
None

Fix:
Error code ERR_MEM will be handled successfully.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1156889-3 : TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions

Links to More Info: BT1156889

Component: Application Security Manager

Symptoms:
When using bot-defense profile with a browser verification and performing redirect actions, there is a memory leak in TMM.

Conditions:
- The bot-defense profile with "Verify After Access" or "Verify Before Access" browser verification is configured.
- Surfing using a browser, during grace period (5 Minutes after config change) to a non-qualified URL, or configuring "Validate Upon Request" in "Cross Domain Requests" configuration, and configuring A and B as "Related Site Domains".
- Surfing using a browser from Domain A to Domain B.

Impact:
Degraded performance, potential eventual out-of-memory.

Workaround:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1156697-3 : Translucent VLAN groups may pass some packets without changing the locally administered bit

Links to More Info: BT1156697

Component: Local Traffic Manager

Symptoms:
Translucent VLAN groups may pass some packets without changing the locally administered bit.

Conditions:
The destination mac address of the ingress packet does not match the nexthop.

Impact:
Connections may fail, packet captures show the packets being egressed the VLAN group with the locally administered bit set.

Workaround:
None

Fix:
None

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1156105-2 : Proxy Exclusion List is not configurable if VLAN group and route-domain are in non default partition

Links to More Info: BT1156105

Component: Local Traffic Manager

Symptoms:
Unable to add IP apart from /Common to Proxy Exclusion List.

Conditions:
- Route-Domain is created with default-route-domain in same partition.

#tmsh create auth partition part5
#tmsh create net route-domain /part5/rd5 id 5
#tmsh modify auth partition part5 default-route-domain 5

Impact:
The following command fails:
tmsh modify net vlan-group /part5/RD5-VLAN-GRP proxy-excludes add { 10.10.20.196 }

Workaround:
- The following command is used to create route-domain in /Commom:
   #tmsh create net route-domain /part5/rd5 id 5
   Modify this command as following:
   #tmsh create net route-domain rd5 id 5

- Manually edit the bigip.conf file in partitions and add IP address manually, and then reload the config.

Fix:
IP can be added to Proxy Exclusion List.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1155733-1 : NULL bytes are clipped from the end of buffer

Links to More Info: BT1155733

Component: TMOS

Symptoms:
In logs the key length is less then the actual key length.

Conditions:
- Establish IPSec tunnel.
- Check the logs.

Impact:
Incomplete information in the logs.

Workaround:
None

Fix:
Printing all bytes in the buffer irrespective of NULL bytes.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1155393-2 : Failure to remove chunk headers from chunked response with Rewrite/HTML profile and compression

Links to More Info: BT1155393

Component: Local Traffic Manager

Symptoms:
The BIG-IP fails to remove chunk headers when compressing a chunked response from a pool member.

The chunk headers are compressed and delivered to the client as part of the payload.

Conditions:
-- Version with the fix for ID902377
-- Rewrite/HTML profile
-- Compression profile
-- Chunked response from pool member (With "Transfer-Encoding: Chunked" header)
-- HTTP response eligible for compression

Impact:
Chunk header and terminating 0 length chunk are compressed and delivered to the client as part of the payload, resulting in broken application functionality.

Workaround:
One of the following:

- Change HTTP response-chunking to either 'unchunk' or 'rechunk' in the HTTP profile for the virtual server.
- Remove the compression profile.
- Modify the compression profile to ensure the response in question is no longer eligible for compression.

Fix:
None

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1154933-4 : Improper permissions handling in REST SNMP endpoint

Component: TMOS

Symptoms:
Certain requests to the REST SNMP endpoint improperly handle user permissions.

Conditions:
Not specified

Impact:
Security best practices are not followed

Workaround:
Only allow trusted users to have access to the REST interface.

Fix:
User permissions work as expected.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1153969-2 : Excessive resource consumption when processing LDAP and CRLDP auth traffic

Links to More Info: K000134516, BT1153969


1153865-4 : Restjavad OutOfMemoryError errors and restarts after upgrade

Links to More Info: BT1153865

Component: TMOS

Symptoms:
After upgrade to an affected version, restjavad restarts intermittently or frequently, and/or may use high CPU.

The restjavad logs, /var/log/restjavad.X.log, may report the following errors:
 java.lang.OutOfMemoryError: Java heap space

restjavad may instead, or as well, run many full garbage collection cycles one after another, causing high CPU. This will be shown by frequent logs with [FullGC] in /var/log/restjavad-gc.log.X.current

Conditions:
- Update to affected version: 14.1.5.1-, 15.1.7-15.1.8.2, 16.1.3.1-16.1.3.5, 17.0.0.1-17.0.0.2
- Value of sys db restjavad.useextramb is true.
- Value of sys db provision.restjavad.extramb is 192 or lower than previous restjavad heap size.
- Use of REST API calls that need a lot of memory. Heavy users of REST API, such as SSL Orchestrator, may be very affected.

Impact:
May have problems in the GUI with certain pages or tabs, such as network map with very large config or SSL Orchestrator or iLX related tabs.

Other services that use REST API, internal and external to BIG-IP, may be impacted with low performance or service instability

Workaround:
Before upgrade to an affected version - if you set sys db restjavad.useextramb to value false before install of new version you will have more restjavad memory, the default 384MB, after upgrade.

  tmsh modify sys db restjavad.useextramb value false

If you restart restjavad you can see if that value works before upgrade. If you don't restart then it will come into effect after reboot.

If that no longer has issues after update then leave that setting at false. Otherwise set back to true (no restart) and increase provision.restjavad.extramb as in After upgrade section below.

After upgrade:
Set sys db provision.restjavad.extramb to an appropriate value and restart restjavad.

Run the following command:

  tmsh modify sys db provision.restjavad.extramb value X
  bigstart restart restjavad

Iterate as necessary.

The value of X is derived by using one of the following formulae:

- When updating from versions before 14.1.4 and 15.1.3, to affected versions, a value that preserves the maximum previous restjavad heap size is:
  192MB + 80% of MIN(provision.extramb|2500)
the minimum possible heap size was:
  192MB + 20% of MIN(provision.extramb|2500)
The actual restjavad heap size would be between those extremes. SSL Orchestrator systems would typically need the maximum.

- When updating from 14.1.4-14.1.5, from 15.1.3-15.1.6.1 or from 16.0.x to affected versions:
  384MB + 80% of MIN(provision.extramb|2500)

- When updating from 16.1.0-16.1.3 or from 17.0.0.0 to affected versions:
  384MB + 90% of MIN(provision.extramb|4000)

Fix:
After upgrade, the system now sets the default value for provision.restjavad.extramb variable to 384MB. This sets the maximum heap size to 384MB. For values of provision.restjavad.extramb of 384 and lower the starting heap size is set at 96MB. For values above 384MB the starting heap size is set to the same value as maximum heap size.

When upgrading from a version that has provision.restjavad.extramb and it is explicitly set to a value*, rather than just takes default value, that value will be preserved and take affect in the new version. This will happen even if restjavad.useextramb had been set to false.


Where sys db restjavad.useextramb was set to value true in the previously used version, and provision.restjavad.extramb doesn't already exist, the value for provision.restjavad.extramb is based on a calculation of the maximum restjavad heap size that could have been used.

Usually this maintains the same or very similar restjavad heap size as used previously with more ability to fine tune it. The default size works in a wider range of settings.

When upgrading from a version that had a smaller starting heap size than maximum heap size, so before 14.1.4 or 15.1.3, and restjavad.useextramb set to true, it's possible that restjavad will use more memory than required. That's because for values above the default size of 384MB for provision.restjavad.extramb starting heap size is set the same as maximum heap size to lower performance issues when large memory sizes are required. You can lower restjavad memory use by lowering the value of provision.restjavad.extramb and restarting it if needed.


Note: This fix also removes the db variable restjavad.useextramb as it is no longer needed.

*Note: The command 'tmsh list sys db X' will return the value for DB key where set, or the default value for X otherwise. printdb can be used to display both value and default.

eg
   printdb -n provision.restjavad.extramb
Name: Provision.Restjavad.extraMB

    Realm: common
    Type: integer
    Default: 384
    Value: 600
    SCF_Config: true
    Min: 192
    Max: 8192

shows a default of 384 and an explicitly set value of 600 that would override the default. Where the value hadn't been set the 'Value:' line will not be present.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1148009-2 : Cannot sync an ASM logging profile on a local-only VIP

Links to More Info: BT1148009

Component: Application Security Manager

Symptoms:
If an ASM profile, such as a logging profile is applied to a virtual that is local-only, then the state changes to "Changes Pending" but configuration sync breaks.

Conditions:
- ASM provisioned
- high availability (HA) pair
- ASM profile, such as a logging profile is applied to a virtual that is local-only.

Impact:
The state changes to "Changes Pending" but configuration sync breaks.

Workaround:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1146377-2 : FastHTTP profiles do not insert HTTP headers triggered by iRules

Links to More Info: BT1146377

Component: Local Traffic Manager

Symptoms:
Virtual servers configured with the FastHTTP profile will not insert HTTP headers even when triggered by iRules.

Conditions:
A virtual server configured with FastHTTP, and an iRule that would insert an HTTP header.

Impact:
The expected headers will not be inserted on packets sent to servers.

Workaround:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1146241-2 : FastL4 virtual server may egress packets with unexpected and erratic TTL values

Links to More Info: BT1146241

Component: Local Traffic Manager

Symptoms:
A FastL4 virtual server may egress (either towards the client or the server) IP packets with unexpected and erratic TTL values. The same also applies to IPv6, where the TTL field is known as Hop Limit.

Conditions:
- The BIG-IP system is a Virtual Edition (VE).

- The Large Receive Offload (LRO) is enabled on the system (which it is by default), and is operating in software mode. You can determine whether LRO is enabled on the system by inspecting the tm.tcplargereceiveoffload DB key, and you can determine whether LRO is operating in software mode by trying to query the tcp_lro tmstat table (tmctl -d blade tcp_lro). If the table exists, LRO will be operating in software mode.

- The FastL4 profile is configured to decrement the TTL (this is the default mode).

- The virtual server uses mismatched IP versions on each side of the proxy (for example, an IPv6 client and an IPv4 server).

Impact:
Depending on the actual TTL values that will be sent out on the wire (which can be random and anything within the allowed range for the field) traffic can be dropped by routers on the way to the packet's destination.

This will happen if there are more routers (hops) on the way to the packet's destination than the value specified in the TTL field.

Ultimately, this will lead to retransmissions and possibly application failures.

Workaround:
You can work around this issue by doing either of the following things:

- Disable LRO on the BIG-IP system by setting DB key tm.tcplargereceiveoffload to disable.

- Use a TTL mode for the FastL4 profile other than decrement (for example, use proxy or set).

Fix:
The TTL decrement mode now works as expected under the conditions specified above.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1146037-1 : Updating the firmware for a FIPS protected internal HSM due to SDK or driver upgrade

Links to More Info: BT1146037

Component: Local Traffic Manager

Symptoms:
In this release, FIPS HSM SDK and Driver version upgraded to 1.1-6.

Conditions:
This applies to all BIG-IP FIPS platforms, except for BIG-IP 5250F, 7200F, 10200F, 11000F, and 11050F.

Impact:
Without manual firmware upgrade, FIPS HSM may have a not recommended firmware version, which may lead to unpredictable behavior.

Workaround:
None

Fix:
The FIPS device firmware need to be manually upgraded to version 1.1-5. For more information, refer to the article https://support.f5.com/csp/article/K26061560.

Fixed Versions:
17.1.0, 16.1.4


1146017-1 : WebUI does not displays error when parent rewrite profile is not assigned to user defined rewrite profile

Links to More Info: BT1146017

Component: TMOS

Symptoms:
WebUI does not show error when parent profile is empty.

Conditions:
1) Navigate to Access > Connectivity/VPN > Portal Access > Rewrite.
2) Enter the details, do not assign any parent rewrite profile.
3) Click Create.

Impact:
No webUI error is seen as parent profile is not assigned to user defined rewrite profile.

Workaround:
Enter details in the parent profile field and click Create.

Fix:
WebUI error is displayed when the parent profile filed is empty and clicked on Create button.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1145361 : When JWT is cached the error "JWT Expired and cannot be used" is observed

Links to More Info: BT1145361

Component: Access Policy Manager

Symptoms:
When JWT is cached, then the error "JWT Expired and cannot be used" is observed.

Conditions:
WebSSO is used with bearer option to generate JWT tokens.

Impact:
No impact.

Workaround:
None

Fix:
Removed the lee way default configured static value internally.
Proper fix would be to provide a leeway configuration option.

Fixed Versions:
17.1.1, 16.1.4


1144497-2 : Base64 encoded metachars are not detected on HTTP headers

Links to More Info: BT1144497

Component: Application Security Manager

Symptoms:
Base64 encoded illegal metachars are not detected.

Conditions:
No specific condition.

Impact:
False negative, illegal characters are not detected and request not blocked.

Workaround:
None

Fix:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1144477-1 : IKE_SA_INIT uses src port 500 and dst port 4500 after IKE SA deleted

Links to More Info: BT1144477

Component: TMOS

Symptoms:
The new IPsec tunnel IKE INIT exchange source port is 500, and the destination port is 4500, but the destination port should be 500.

Conditions:
This issue is observed after deleting IKE SA from tmsh.

Impact:
Interoperability issue, tunnel will not get established with other devices.

Workaround:
None

Fix:
Default configuration was overwritten after tunnel establishment, added valid conditions before overwriting the configuration.

Fixed Versions:
17.1.0, 16.1.4


1144373-4 : BIG-IP SFTP hardening

Links to More Info: BT1144373

Component: TMOS

Symptoms:
Under certain conditions SFTP does not follow current best practices.

Conditions:
- Authenticated high-privilege user
- SFTP file transfer

Impact:
BIG-IP does not follow current best practices for filesystem protection.

Workaround:
None

Fix:
All filesystem protections now follow best practices.

Behavior Change:
When you are using SFTP to transfer the files from BIG-IP to remote-machine and vice versa,
1. filename should have absolute file paths.
2. un-encrypted files cannot be transferred when fips/cc-mode is enabled.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1144117-3 : "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands

Links to More Info: BT1144117

Component: Local Traffic Manager

Symptoms:
The "More data required" TCL error may occur and the connection may be terminated prematurely when using the 'HTTP::payload' or 'HTTP::payload length' commands.

Conditions:
Using the 'HTTP::payload' or 'HTTP::payload length' TCL commands.

Impact:
Some HTTP transactions might fail.

Workaround:
Do not use the 'HTTP::payload' or 'HTTP::payload length' TCL commands.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1143073-4 : iControl SOAP vulnerability CVE-2022-41622

Links to More Info: K94221585, BT1143073


1141853-2 : SIP MRF ALG can lead to a TMM core

Links to More Info: BT1141853

Component: Service Provider

Symptoms:
SIP MRF ALG can lead to a TMM core

Conditions:
SIP MRF ALG in use

Impact:
TMM core

Workaround:
None

Fix:
TMM does not core anymore when SIP MRF ALG is in use.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1141845-4 : RULE_INIT with a call that contains an extra colon character (:) will crash BIG-IP.

Links to More Info: BT1141845

Component: Local Traffic Manager

Symptoms:
If a RULE_INIT contains an extra colon character (:)
when RULE_INIT {
    catch { call sv::hsl:open "/Common/publisher-syslog_server_pool" }
}
It will crash instead of reporting the error.
In this example, the extra : before 'open' is an error. Instead of logging the error, it crashes the process.

Conditions:
RULE_INIT contains more than 2 colon characters (:) on a rule.

Impact:
The tmm process crashes.

Workaround:
Avoid creating a RULE_INIT containing a third colon character(:).

Fix:
Correctly log an error instead of trying to process it.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1141665-2 : Significant slowness in policy creation following Threat Campaign LU installation

Links to More Info: BT1141665

Component: Application Security Manager

Symptoms:
Significant and consistent slowness in policy creation in Layered Policies suites in BVT (asmdp).

Conditions:
Slowness was triggered by installing a Threat Campaign LU.

Impact:
Slow policy creation when we have Threat Campaign LU.

Workaround:
None

Fix:
Optimized policy creation following Threat Campaign LU installation.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1137993-2 : Violation is not triggered on specific configuration

Links to More Info: BT1137993

Component: Application Security Manager

Symptoms:
The HTTP compliance violation is not triggered for the unparsable requests due to a specific scenario.

Conditions:
A microservice is configured in the security policy.

Impact:
Specific violation is not triggered. A possible false negative.

Workaround:
It is possible to do an irule workaround that checks the length of the URL and issues a custom violation.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1137717-2 : There are no dynconfd logs during early initialization

Links to More Info: BT1137717

Component: Local Traffic Manager

Symptoms:
Regardless of the log level set, the initial dynconfd log entries are not displayed.
Setting the dynconfd log level (through DB variable or /service/dynconfd/debug touch file) will not catch the early logging during startup.

Conditions:
This occurs when using FQDN nodes or pool members on affected BIG-IP versions.

Impact:
Missing some informational logging from dynconfd during startup.

Workaround:
None

Fix:
The dynconfd logs are now logged at default (info) level during initial startup of the dynconfd process.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1137485-2 : Gtmd produces excessive logging and may also crash (SIGSEGV) repeatedly

Links to More Info: BT1137485

Component: Global Traffic Manager (DNS)

Symptoms:
1. --An excessive number log lines are seen in /var/log/gtm, which indicate a state change even though a state change has not occurred (eg, blue --> blue, green --> green), for example:

/var/log/gtm:

   alert gtmd[13612]: 011a6006:1: SNMP_TRAP: virtual server ltm1 (ip:port=192.168.0.1:0) (Server /Common/vs1) state change blue --> blue ()

2. If, on affected version, the GTM configuration contains virtual servers with a depends-on clause, the gtmd process can exit abnormally ("crash") and produce a gtmd core file. The process restarts immediately automatically, but may then exit and restart again every few seconds or minutes, and continues to do this indefinitely.

In /var/log/user.log, many messages similar to the following may be seen

   notice logger[26789]: Started writing core file: /var/core/gtmd.bld0.0.6.core.gz for PID 26739
   notice logger[26800]: Finished writing 35032053 bytes for core file: /var/core/gtmd.bld0.0.6.core.gz for PID 26739

Conditions:
- For the excessive logging issue: A GTM server object exists with one or more virtual servers configured under it

 - For the gtmd crashing issue: One or more GTM server object's virtual-servers has a depends-on clause referring to another virtual-server.

Impact:
- Flood of SNMP trap logs are seen
- gtmd process exits abnormally, bringing down iquery connection and potentially impacting GTM monitoring

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1137037 : System boots into an inoperative state after installing engineering hotfix with FIPS 140-2/140-3 license in version 16.1.x

Links to More Info: BT1137037

Component: Local Traffic Manager

Symptoms:
The BIG-IP persistently starts in an inoperative state after installing an engineering hotfix with a console error similar to the following:

- FIPS or Common Criteria power-up self-test failure.
- This system has been placed in an error state.
- To recover return to the grub menu and select another volume or reinstall the system.
- On many devices pressing the escape key followed by the key will bring up a menu which allows the system to be restarted.

Power-up self-test failures: <number>

Unmounting file systems
System halting.

Conditions:
- First boot after installing an engineering hotfix.
- FIPS 140-2 or FIPS 140-3 license.
- Running BIG-IP version 16.1.x releases or later, for example 16.1.3.1.

Impact:
Unable to boot the BIG-IP system into an operational state after applying an engineering hotfix, and required to boot to a known good volume. For more information about FIPS mode preventing system boot, see https://support.f5.com/csp/article/K52534643

Workaround:
None

Fix:
The BIG-IP system successfully boots after installing an Engineering hotfix on a system with a FIPS 140-2 or FIPS 140-3 license.

Fixed Versions:
16.1.3.2


1136921-4 : BGP might delay route updates after failover

Links to More Info: BT1136921

Component: TMOS

Symptoms:
The BGP might delay route updates after failover.

Conditions:
- The BGP configured on an High Availability (HA) pair of BIG-IP devices.
- The BGP redistributing kernel routes.
- Failover occurs.

Impact:
New active unit might delay route advertisement up to 15 sec.
New standby unit might delay route withdrawal up to 15 sec.

Workaround:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1136917-1 : TMM crashed when dos-profile (with BDOS and White-list enabled) disassociated from Virtual Server.

Links to More Info: BT1136917

Component: Advanced Firewall Manager

Symptoms:
This happens only if the specific sequence of events occur. The reason for TMM crash is accessing a Dangling Pointer memory.

Conditions:
This issue only happens if the following sequence of events occur:
1) Attach dos-profile to a Virtual Server (VS) (The dos-profile should be enabled with White-list and BDOS).
2) There should be active connections on the VS.
3) Disable BDOS from the dos-profile while it is still attached to the VS.
4) Detach the dos-profile from the VS.
5) While processing the incoming traffic, TMM will crash.

Impact:
TMM Cores.

Workaround:
This only happens if the sequence mentioned in Conditions are followed.

Modify the profile and add to the virtual server to avoid TMM crash.

Fix:
The Dangling pointer will not be available when the actual memory is freed.

Fixed Versions:
17.1.0, 16.1.4


1136429-4 : Closing of unrelated MCPD connection causes an errant reply to an in-progress transaction or request group

Links to More Info: BT1136429

Component: TMOS

Symptoms:
MCPD can send an unexpected (another request group) result response message to a current processing request group in the middle of a transaction

Conditions:
While MCPD processing multiple request groups.

Impact:
MCPD closes the connection of the current request group and
subscriber of that particular request group never get requested data.

Workaround:
Restart the subscriber daemon.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1135313-4 : Pool member current connection counts are incremented and not decremented

Links to More Info: BT1135313

Component: Local Traffic Manager

Symptoms:
With a certain configuration the connection counts on a gateway pool may increment and not be decremented.

Conditions:
- A gateway pool with more than one member.
- Autolasthop disabled.
- A pool monitor with a TCP monitor where the pool member responds to the TCP handshake with data. Common services that do this are SSH, SMTP, and FTP.

Impact:
The connection counts are inflated.

Workaround:
- Configure autolasthop.
- Configure a receive string on the TCP monitor.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1135073-3 : IPS signature update webUI warning message "An active subscription is required to access certain inspections" is always enabled

Links to More Info: BT1135073

Component: Protocol Inspection

Symptoms:
Following warning message is displayed on BIG-IP webUI in Security ›› Protocol Security: Inspection Updates:

"An active subscription is required to access certain inspections"

Conditions:
If the BIG-IP has AFM and IPS subscription license, then this warning message on webUI should not be displayed.

Impact:
There is no impact if AFM and IPS subscription license are installed on BIG-IP. All the IPS signatures and compliances will work as usual.

Workaround:
None

Fix:
Based on the IPS full subscription flag in the license the warning message is displayed. Earlier, it was verified on the wrong feature flag.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1134301-3 : IPsec interface mode may stop sending packets over tunnel after configuration update

Links to More Info: BT1134301

Component: TMOS

Symptoms:
An interface mode IPsec policy handles traffic through a route-domain to send over the IPsec tunnel. When the traffic-selector is updated, the static default route for the route-domain no longer works. Even if the tunnel is functional, traffic is not sent over it.

Conditions:
- IPsec tunnel with ipsec-policy in interface mode.
- The sys db ipsec.if.checkpolicy is disabled (by default it is enabled).
- Static routes pointing to the IPsec interface.
- Tunnel configuration updated.

Other unknown conditions could trigger the behavior, but updating the tunnel configuration is a confirmed condition.

Impact:
The tunnel is functional but the BIG-IP does not send packets into it. No ESP packets related to that tunnel will be seen leaving the BIG-IP.

Workaround:
There are two similar workaround options for when the issue is observed:

Option 1: Delete the route to the remote network that points to the IPsec interface and create the route again.

Option 2: Alternatively, leave the existing route in place and create a similar specific route that points to the same IPsec interface. The issue should be immediately resolved and so the new route can be immediately deleted.

Fix:
Traffic can pass over the IPsec tunnel after a configuration update.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1134085-2 : Intermittent TMM core when iRule is configured with SSL persistence

Links to More Info: BT1134085

Component: Local Traffic Manager

Symptoms:
The TMM core file is observed.

Conditions:
Under certain conditions, the TMM core file is observed with iRule and SSL persistence.

Impact:
TMM core file is observed.

Workaround:
Perform either of the following tasks:

- Disable SSL persistence
- Disable iRule

Fix:
Added fix to handle cases which can lead to the TMM core file generation.

Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1


1133997-3 : Duplicate user-defined Signature Set based on untagged signatures is created upon policy clone or import

Links to More Info: BT1133997

Component: Application Security Manager

Symptoms:
A duplicate user-defined Signature Set is created upon policy import or cloning when the Set has a filter using untagged signatures.

Conditions:
A policy using a user-defined Signature Set with a filter using untagged signatures is exported.

Impact:
A duplicate user-defined Signature Set is created upon policy import or cloning.

Workaround:
Modify the policy to use the original Signature Set, and then delete the duplicated Signature Set.

Fixed Versions:
17.1.1, 16.1.4


1133881-2 : Errors in attaching port lists to virtual server when TMC is used with same sources

Links to More Info: BT1133881

Component: Local Traffic Manager

Symptoms:
When creating a virtual server that has identical traffic matching criteria with another virtual server, but uses a source address defined same as configured in TMC object, and when we try to attach the port-list it fails, with an error similar to the following:

01b90011:3: Virtual Server /Common/vs2-443's Traffic Matching Criteria /Common/vs2-443_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs1-443 destination address, source address, service port.

Conditions:
- Port lists are used.
- The first virtual server uses a wildcard source, for example, 0.0.0.0/0.
- The second virtual server uses an identical destination, protocol, and port, with the same source address configured in TMC object.

Impact:
Inability to utilize 'port lists' to configure the virtual server.

Workaround:
None

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1133625-2 : The HTTP2 protocol is not working when SSL persistence and session ticket are enabled

Links to More Info: BT1133625

Component: Local Traffic Manager

Symptoms:
Connection gets dropped when SSL persistence is enabled with session ticket and HTTP2 protocol.

Conditions:
When SSL persistence is enabled with session ticket and HTTP2 protocol.

Impact:
Connection will get dropped.

Workaround:
-- Disable SSL persistence OR
-- Disable session ticket.

Fix:
Provided fix to handle this defect.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1133557-2 : Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name

Links to More Info: BT1133557

Component: Local Traffic Manager

Symptoms:
When the BIG-IP (dynconfd process) is querying a DNS server, dynconfd log messages do not identify which server it is sending the request to. When more than one DNS server is used and there is a problem communicating with one of them, it might be difficult for system admin to identify the problematic DNS server.

Conditions:
This occurs when using FQDN nodes or pool members on affected BIG-IP versions.

Impact:
There are no show commands or log displaying which DNS is currently being used to resolve LTM node using FQDN. Problems with communications between the BIG-IP and DNS server(s) may be more difficult to diagnose without this information.

Workaround:
You can confirm which DNS server is being queried by monitoring DNS query traffic between the BIG-IP and DNS server(s).

Fix:
The DNS server being queried to resolve LTM node FQDN names is now logged by default in the /var/log/dynconfd.log file.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1133013-3 : Appliance mode hardening

Links to More Info: K41072952, BT1133013


1132981-2 : Standby not persisting manually added session tracking records

Links to More Info: BT1132981

Component: Application Security Manager

Symptoms:
The Session tracking records, with Infinite Block-All period, have an expiration time on the Standby unit after sync.

Conditions:
ASM provisioned
Session Tracking enabled
session tracking records, with Infinite Block-All period, are added

Impact:
Infinite Session Tracking records being removed from standby ASMs.

Workaround:
Use auto-sync DG (instead of manual sync).

After changing the configuration on UI at Security->Application Security: Sessions and Logins: Session Tracking.

You must "Apply Policy" and wait for the DG status to become In-Sync before adding new data-points on UI at Security->Reporting: Application: Session Tracking Status.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1132925-3 : Bot defense does not work with DNS Resolvers configured under non-zero route domains

Links to More Info: BT1132925

Component: Application Security Manager

Symptoms:
When a DNS Resolver is configured under a non-zero route domain, the bot defense does not use the DNS resolver to perform DNS queries, resulting in some bots not being detected.

Conditions:
DNS Resolver is configured under non-zero route domain.

Impact:
Some bots are not detected by bot defense mechanism.

Workaround:
Configure DNS Resolver under route domain 0.

Fix:
Enhanced bot defense to use resolvers from any corresponding route domain. However, bot defense does not support route domain modification of DNS resolvers. Resolvers must be deleted and created again in the correct route domain.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1132765-4 : Virtual server matching might fail in rare cases when using virtual server chaining.

Links to More Info: BT1132765

Component: Local Traffic Manager

Symptoms:
When using virtual server chaining (for example iRule 'virtual' command sending traffic to another virtual server explicitly), a small percentage of packets might be dropped.

Conditions:
- Virtual server chaining.
- virtual servers have the vlan_enabled feature configured.
- DatagramLB or idle-timeout = 0 configured on protocol profile.
- High packet rate of incoming traffic.

Impact:
Some packets fail to match a virtual server and get dropped.

Workaround:
- Remove vlan_enabled feature
- OR remove datagramLB/set idle-timoeut > 0 on protocol profile.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1132741-2 : Tmm core when html parser scans endless html tag of size more then 50MB

Links to More Info: BT1132741

Component: Application Security Manager

Symptoms:
Tmm core, clock advanced by X ticks printed

Conditions:
- Dos Application or Bot defense profile assigned to a virtual server
- Single Page Application or Validate After access.
- 50MB response with huge html tag length.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Exclude html parser for url in question.
tmsh modify sys db dosl7.parse_html_excluded_urls value <url>

Fix:
Break from html parser early stage for long html tags

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1132697-3 : Use of proactive bot defense profile can trigger TMM crash

Links to More Info: BT1132697

Component: Application Security Manager

Symptoms:
TMM crash is triggered.

Conditions:
This causes under a rare traffic environment, and while using a proactive bot defense profile.

Impact:
The TMM goes offline temporarily or failover. Traffic disruption can occur.

Workaround:
Remove all proactive bot defense profiles from virtuals.

Fix:
TMM no longer crashes in the scenario.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1132405-4 : TMM does not process BFD echo pkts with src.addr == dst.addr

Links to More Info: BT1132405

Component: Local Traffic Manager

Symptoms:
TMM does not process BFD echo pkts with src.addr == dst.addr.

Conditions:
- TMM does not process BFD echo pkts with src.addr == dst.addr.

Impact:
TMM does not process BFD echo pkts with src.addr == dst.addr.

Workaround:
None

Fix:
TMM now processes BFD echo pkts with src.addr == dst.addr.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1128721-2 : L2 wire support on vCMP architecture platform

Links to More Info: BT1128721

Component: Local Traffic Manager

Symptoms:
L2 wire works on BIG-IP, virtual-wire on vCMP architecture platform will be based on Network Tenant Interface (NTI) objects.
Tenant related data path and control plane changes.

Conditions:
- vCMP architecture based on NTI.
- F5OS is completely responsible to create/modify/delete NTI objects and synchronizing it to the tenants.

Impact:
The virtual-wire is one of the most important features used under operating in L2 domain. This mode of operation involves very little changes to topology and configuration and thereby can easily plug in a BIG-IP device with virtual-wire configuration.

Workaround:
None

Fix:
Tenant (data/control) plane changes for virtual-wire support on vCMP architecture.

Fixed Versions:
17.1.0, 16.1.4, 15.1.8


1128689-2 : Performance improvement in signature engine

Links to More Info: BT1128689

Component: Application Security Manager

Symptoms:
The signature engine in BD uses more CPU cycles than it actually needs to complete the task.

Conditions:
ASM provisioned and in use

Impact:
Slower system performance
High CPU utilization with BD

Workaround:
For header-based signatures that appear on the top in ACY_PERF, the header exclusions can be added only on explicit headers. This should decrease the CPU usage.

Fix:
Some modifications are done to the signature engine to improve performance.

Fixed Versions:
16.1.4, 15.1.9


1128629 : Neurond crash observed during live install through test script

Links to More Info: BT1128629

Component: TMOS

Symptoms:
Neurond core is observed during live install followed by FPGA firmware upgrade through the test script.

Conditions:
Live install through the test script

Impact:
No functional impact

Workaround:
None

Fix:
N/A

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1128505-2 : HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy

Links to More Info: BT1128505

Component: Local Traffic Manager

Symptoms:
The ORBIT framework added HUDEVT_ACCEPTED handling through hud_orbit_accepted_handling. This allows ORBIT to move releasing HUDEVT_ACCEPTED from the filter to ORBIT, HTTP adopted this new feature.

When HTTP is disabled, HUDEVT_ACCEPTED handling is explicitly disabled by HTTP when going into passthru, subsequent enabling of HTTP does not restore this handling. If this sequence happens prior to the first HTTP request, then HUDEVT_ACCEPTED is released prematurely up the chain, thus the server-side connection may be established before the first request is processed. Attempts to manipulate the LB criteria at that point may fail due to the criteria being locked, this may result in the connection being RST with an "Address in use" reset cause.

Conditions:
-- HTTP Virtual server
-- HTTP::disable is called from CLIENT_ACCEPTED and the subsequently re-enabled before the first request arrives at HTTP in CLIENTSSL_HANDSHAKE

Impact:
Connection is reset with "Address in use" reset cause.

Workaround:
None

Fix:
N/A

Fixed Versions:
17.1.1, 16.1.4


1128169-1 : TMM core when IPsec tunnel object is reconfigured

Links to More Info: BT1128169

Component: TMOS

Symptoms:
TMM may core when a "tunnel tunnels" object related to an IPsec interface is reconfigured.

For example, a command that changes the IP address of the object may lead to a core:

# tmsh modify net tunnels tunnel my-ipsec-tunnel remote-address 1.2.3.4

Conditions:
-- IPsec IKEv1 or IKEv2.
-- Tunnel is in "interface" mode.
-- Tunnel object is reconfigured while the tunnel is up.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure the tunnel is down before reconfiguring it.
-- Set the IKE-Peer config state to disabled.
-- Delete an established IKE SA and IPsec SA related to that peer.

For example:

  # tmsh modify net ipsec ike-peer <Name> state disabled
  # tmsh delete net ipsec ike-sa peer-ip <IP>
  # tmsh delete net ipsec ipsec-sa dst-addr <IP>

"Name" is the specific name given to the ike-peer config object.
"IP" is the address configured to use for the remote peer.

Then make the desired changes and enable the IKE-Peer.

  # tmsh modify net ipsec ike-peer <name> state enabled

Fixed Versions:
17.1.0, 16.1.4


1127809-2 : Due to incorrect URI parsing, the system does not extract the expected domain name

Links to More Info: BT1127809

Component: Application Security Manager

Symptoms:
The system will fail to send webhook requests to the server.

Conditions:
Add webhook to the policy and execute Apply policy on BIG-IP.

Impact:
Webhook requests will fail

Fix:
After the fix, BIG-IP will send webhook requests to the server.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1127445-3 : Performance degradation after Bug ID 1019853

Links to More Info: BT1127445

Component: Performance

Symptoms:
Performance degradation is observed with BD in TPS in the versions that have the fix for Bug ID 1019853.

Conditions:
Versions that have the fix for Bug ID 1019853.

Impact:
Lower TPS performance with BD.

Workaround:
None

Fix:
The part of the change for Bug ID 1019853 has been reverted while still addressing the problem reported in ID1019853.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1127169 : The BIG-IP can reboot due to failure to initialize the OpenSSL FIPS RNG

Links to More Info: BT1127169

Component: TMOS

Symptoms:
There is a possibility that BIG-IP can reboot due to failure to initialize the OpenSSL FIPS RNG.

Conditions:
- BIG-IP versions 16.1.3 and above.
- FIPS 140-3 license is installed on BIG-IP or it is a FullBoxFIPS device.
- Establish multiple SSL/TLS connections.

Impact:
The BIG-IP device reboots randomly.

Workaround:
None

Fix:
Updated serialization to use RDTSC instruction to read CPU time stamp in jitterentropy-lib to generate random numbers.

Fixed Versions:
17.1.0, 16.1.4


1127117-1 : High Memory consumption for NAT translations of NAPT/PBA End Point Independent modes

Links to More Info: BT1127117

Component: Advanced Firewall Manager

Symptoms:
Memory consumption increases with the number of connections.

Conditions:
1. Configure LSN Pool in CGNAT with Persistence mode with Address and Port.

OR

1. Configure AFM NAT source Translations with DPAT and PBA with End Point Independent Mode

Impact:
Memory keeps increasing and eventually might reach 100% utilization.

Sample Comparison table below:

Connection_Count: 30M
Memory_Usage_on_14.x_Version: ~3GB
Memory_usage_on_15+_Version: ~30GB

Workaround:
-- Increase the available RAM if possible
OR
-- Reduce the connection timeout interval
OR
-- Try using other options like Address Pooling Paired Mode in PBA

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1126841-3 : HTTP::enable can rarely cause cores

Links to More Info: BT1126841

Component: Local Traffic Manager

Symptoms:
The TMM crashes with seg fault.

Conditions:
- SSL profile used.
- The iRule that uses HTTP::enable.

Impact:
The TMM restarts causing traffic interruption.

Workaround:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1126805-3 : TMM CPU usage statistics may show a lower than expected value on Virtual Edition

Links to More Info: BT1126805

Component: TMOS

Symptoms:
The self-reported CPU statistics of TMM may show a usage value that is lower than the expected number. Some TMM threads may show lower CPU usage than others even if the threads are processing the same amount of traffic. When this issue occurs, a high number of idle polls are observed in the tmm_stat table for the affected TMM.

Conditions:
Virtual Edition

Impact:
TMM CPU stats may not be accurate.

Fix:
The cpu stats are now accurate.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1126409-3 : BD process crash

Links to More Info: BT1126409

Component: Application Security Manager

Symptoms:
BD process restarts with a core file.

Conditions:
Unknown

Impact:
The unit goes offline for a short period of time.

Workaround:
None

Fix:
A sanity check has been added in order to avoid possible crash.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1126329-2 : SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT

Links to More Info: BT1126329

Component: Local Traffic Manager

Symptoms:
SSL Orchestrator sends a TLS client hello instead of the expected HTTP CONNECT, leading to a failure in the client environment after an upgrade.

Conditions:
SSL Orchestrator in explicit proxy mode with proxy chaining enabled

Impact:
The exit proxy gives an HTTP 5xx error in response to the unexpected TLS Client Hello.

Workaround:
None

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1126285-1 : TMM might crash with certain HTTP traffic

Links to More Info: K000135873, BT1126285


1126093 : DNSSEC Key creation failure with internal FIPS card.

Links to More Info: BT1126093

Component: Local Traffic Manager

Symptoms:
You are unable to create dnssec keys that use the internal FIPS HSM.

When this issue happens the following error messages appear in /var/log/gtm

Jul 20 04:37:47 localhost failed to read password encryption key from the file /shared/fips/nfbe0/pek.key_1, error 40000229
Jul 20 04:37:47 localhost.localdomain err gtmd[28729]: 011a0312:3: Failed to initiate session with FIPS card.
Jul 20 04:37:47 localhost.localdomain err gtmd[28729]: 011a0309:3: Failed to create new DNSSEC Key Generation /Common/abcd:1 due to HSM error.

Conditions:
-- Internal FIPS card present.
-- Clean installation from an installation ISO file.
-- DNSSKEY creation using internal FIPS card.

Impact:
DNSSEC deployments with internal FIPS HSMs are impacted.

Workaround:
Change the /shared/fips directory permissions.
Ex: chmod 700 /shared/fips

Fixed Versions:
17.1.1, 16.1.4


1124209-3 : Duplicate key objects when renewing certificate using pkcs12 bundle

Links to More Info: BT1124209

Component: TMOS

Symptoms:
Duplicate key objects are getting created while renewing the certificate using the pkcs12 bundle command.

Conditions:
When the certificate and key pair is present at the device and the pkcs12 command is executed to renew it.

Impact:
1) If the certificate and key pair is attached to the profile then certificate renewal is failing.

2) Duplicate key objects are getting created.

Workaround:
Delete the existing cert and key pair, and then execute the pkcs12 bundle command.

Fix:
Added the fix which has the capability to pass cert-name and key-name with the PKCS12 bundle command.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1124149-2 : Increase the configuration for the PCCD Max Blob size from 4GB to 8GB

Links to More Info: BT1124149

Component: Advanced Firewall Manager

Symptoms:
There was a limit of 4GB for the firewall rules prior to this change being checked in. The user could configure a blob size of 4GB only.

Conditions:
PCCD rules provisioning with an AFM license.

Impact:
Provisioning firewall rules. The PCCD blob size was restricted to 4GB.

Workaround:
None

Fix:
With these changes, the user will now be able to provision FW rules with a blob size of 8G.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1124109-2 : Add "typ":"JWT" to JOSE Header while generating JWT token from OAuth AS

Component: Access Policy Manager

Symptoms:
The "typ":"JWT" is missing in the JWT header.

Conditions:
The JWT token is generated from OAuth Authorization Server (AS).

Impact:
The "typ":"JWT" is missing.

Workaround:
None

Fix:
The "typ":"JWT" is added in the header, it is available whenever JWT token is generated from OAuth AS.

Fixed Versions:
17.1.0, 16.1.4, 15.1.10


1123885-2 : A specific type of software installation may fail to carry forward the management port's default gateway.

Links to More Info: BT1123885

Component: TMOS

Symptoms:
After performing a specific type of software installation, the unit returns on-line without the management port's default gateway.

Conditions:
-- A software installation that does not carry forward the entirety of the BIG-IP system's configuration is performed. For example, this is achieved by running "image2disk --format=volumes <...>", or by using the live-install subsystem after disabling the liveinstall.saveconfig and liveinstall.moveconfig db keys. This type of installation, however, does carry forward the management port's configuration (IP address, subnet mask, and default gateway).

-- In addition to the default gateway, the management port is configured with additional static routes (for example, to a log server, dns server, etc.).

-- When mcpd is queried for the management routes, the default gateway is not the first entry in mcpd's reply (this is something outside of your control that entirely depends on the name of the objects and how the config was loaded).

Impact:
On Virtual Edition systems, this issue coupled with the removal of autolasthop from the management port means you will not be able to connect to the BIG-IP system's management port from non-directly connected clients after the installation.

On all systems, this issue means the BIG-IP system will not be able to initiate connections to non-directly connected systems over the management port after the installation.

Note: If the system is configured for dual-stack (IPv4 and IPv6) this issue can affect either (or both) stack.

Workaround:
After the issue has occurred, you can connect to the affected BIG-IP system by means of serial console or video console and apply the default gateway again.

If you are trying to prevent this issue, you can remove all management routes except the default one before performing this type of installation.

Fix:
The issue has been corrected; this specific type of software installation now correctly carries forward the management port's default gateway.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1123537-9 : CVE-2022-28615 (httpd): out-of-bounds read in ap_strcmp_match()

Links to More Info: K40582331, BT1123537


1123169-1 : Error saving an iRule when calling a procedure from HTML_TAG_MATCHED event

Links to More Info: BT1123169

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system tries to save an iRule that calls a procedure from HTML_TAG_MATCHED event, an error occurs.

Conditions:
-- configure an iRule with event HTML_TAG_MATCHED
-- The event calls a procedure

Impact:
A TCL error is thrown: Rule checker ::tclCheck::checkScript did not complete: can't read "BIGIP::ltmEventCategoryHierarchy(CLIENTSIDE)": no such element in array

Workaround:
None

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1123153-3 : "Such URL does not exist in policy" error in the GUI

Links to More Info: BT1123153

Component: Application Security Manager

Symptoms:
Unable to create a parameter under Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs ›› URL Parameters

Conditions:
When the policy setting "Differentiate between HTTP/WS and HTTPS/WSS URLs" is set to "Disabled".

Impact:
User is unable to create a Parameter with a URL.

Workaround:
N/A

Fix:
Resolved non-existent URL error during Parameter creation.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1123149 : Sys-icheck fail for /etc/security/opasswd

Links to More Info: BT1123149

Component: TMOS

Symptoms:
In common criteria mode, when password-memory is set to > 0 and create the user and login from CLI causes the system integrity check to failed

An error message may be logged "ERROR: S.5...... c /etc/security/opasswd (no backup)"

Conditions:
--- common criteria mode enabled
--- password-memory set to > 0 in password-policy configuration
--- create a new user and login first time using CLI
--- run sys-icheck

Impact:
System integrity check failure when common criteria mode is enabled

Workaround:
None

Fixed Versions:
17.1.0, 16.1.3.1


1122497-4 : Rapid response not functioning after configuration changes

Links to More Info: BT1122497

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Rapid Response is not functioning and stats are not present and/or not changing as requests are being sent to the virtual server.

Conditions:
- DNS Rapid Response is set on the virtual.
- Rapid response is toggled off and back on in the DNS profile.

Impact:
DNS rapid response remains disabled.

Workaround:
Restarting services will allow rapid-response to begin functioning again.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1122473-4 : TMM panic while initializing URL DB

Links to More Info: BT1122473

Component: Access Policy Manager

Symptoms:
TMM panic because of a race condition which prevents the TMM from accessing files related to the URL database.

Conditions:
While the BIG-IP system is rebooting, if an infrequent timing delay occurs, one or more files related to the URL database may be created in the wrong order of sequence.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None. Repeated attempts at rebooting may eventually succeed.

Fixed Versions:
17.1.0, 16.1.3.3, 15.1.9


1122441-5 : Upgrading the libexpat library

Links to More Info: K19473898, BT1122441


1122377-2 : If-Modified-Since always returns 304 response if there is no last-modified header in the server response

Links to More Info: BT1122377

Component: Local Traffic Manager

Symptoms:
Requests sent with an If-Modified-Since header always return a 304 Not Modified response

Conditions:
The Last Modified header is not included in the origin server response headers.

Impact:
When the Last Modified header is not present in the response, its default value i.e., Thu, 01 Jan 1970 00:00:00 GMT, is used and 304 Not Modified is sent to the client.

Workaround:
Add the Last-Modified header to the response headers using iRule

when HTTP_RESPONSE priority 1 {
  set time [clock format [clock seconds] -gmt 1 -format "%a, %d %b %Y %H:%M:%S %Z"]
  HTTP::header insert Last-Modified $time
  log local0.debug "Inserting Last-Modified header as $time"
}

Fix:
Use date header value when Last-Modified is not present in Response headers

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1122205-1 : The 'action' value changes when loading protocol-inspection profile config

Links to More Info: BT1122205

Component: Protocol Inspection

Symptoms:
The "action" values for signatures and compliances in Protocol Inspection profiles change when a new config or UCS file is loaded.

Conditions:
Use case 1:

a) Create a protocol-inspection profile.
  GUI: Security  ›› Protocol Security : Inspection Profiles
  -> Click "Add" >> "New"
    1. Fill in the Profile Name field (pi_diameter in my example).
    2. Services: pick "DIAMETER".
    3. In the table for SYSTEM CHECKS, tick the checkboxes of all the items.
    4. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".
    5. In the table of signatures and compliances for DIAMETER, tick the checkboxes of all the items.
    6. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".
    7. Click "Commit Changes to System".

b) Check the current config via tmsh. Confirm there is no line with "action".
  # tmsh list security protocol-inspection profile pi_diameter

c) Copy the result of the command in step b.

d). Delete the profile.
  # tmsh delete security protocol-inspection profile pi_diameter

e). Load the config.
  # tmsh
  (tmos) # load sys config from-terminal merge
  (tmos) # save sys config
  Paste the pi_diameter profile config copied in step c. CTRL-D (maybe twice) to submit the change.

f) Check the config via tmsh. The action value has changed.
  (tmos) # list security protocol-inspection profile pi_diameter

Use case 2:

a) Configure protocol-inspection profiles for http, diameter, and gtp. Set all "accept" including signatures and compliances.
b) tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase.
c) tmsh load sys config default.
d) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf.

Use case 3: Restore configuration by loading UCS/SCF after RMA.

Use case 4: Perform mcpd forceload for some purpose.

Use case 5: Change VM memory size or number of core on hypervisor.

Use case 6: System upgrade

Impact:
Some of the signatures and compliance action values are changed

Following commands output lists affected signatures and compliances.

## Signatures ##

tmsh list sec protocol-inspection signature all-properties | egrep "protocol-inspection|^\s*action" | awk '{ if($2 == "drop" || $2 == "reject") { print prev"\n"$0 } } { prev = $0 }'

## Compliances ##

tmsh list sec protocol-inspection compliance all-properties | egrep "protocol-inspection|^\s*action" | awk '{ if($2 == "drop" || $2 == "reject") { print prev"\n"$0 } } { prev = $0 }'

Workaround:
Workaround for use case 1:
Follow the work-around mention below when you want to load the ips profile configuration from the terminal.
 
a) Create a protocol-inspection profile.
  GUI: Security ›› Protocol Security: Inspection Profiles
  -> Click "Add" >> "New" >> ips_testing

b) Check the current config via tmsh.
  # tmsh list security protocol-inspection profile ips_testing all-properties
 
c) Copy the result of the command in step b.
 
d) Delete the profile.
  # tmsh delete security protocol-inspection profile ips_testing
 
e) Load the config.
  # tmsh
  (tmos) # load sys config from-terminal merge
  (tmos) # save sys config
 
  Paste the pi_diameter profile config copied in step c. CTRL-D (maybe twice) to submit the change.
 
f) Check the config via tmsh using all-properties
  (tmos) # list security protocol-inspection profile ips_testing all-properties
 
Workaround for use case 2:
 
a) Configure protocol-inspection profiles for http, diameter, and gtp. Set all "accept" including signatures and compliances.
b) tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase
c) tmsh load sys config default
d) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
e) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf

Workaround for use case 3:

a) Load the ucs/scf config file twice.
   tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf

Workaround for use case 4, 5, 6:
 
a) Before performing any of the operations of Use case 4, 5, 6, save the config.
   tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase
 
b) Once the operation in use cases are done then perform the load operation.
   tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf

Fix:
After fixing the issue, the action value will not be changed for signatures and compliances.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1121965-2 : CVE-2022-28614 (httpd): out-of-bounds read via ap_rwrite()

Links to More Info: K58003591, BT1121965


1121661-2 : TMM may core while processing HTTP/2 requests

Links to More Info: K000133467, BT1121661


1121521-2 : Libssh upgrade from v0.7.7 to v0.9.6

Links to More Info: BT1121521

Component: Advanced Firewall Manager

Symptoms:
For Detailed Information :
https://www.libssh.org/ and https://www.libssh.org/features/

Conditions:
For Detailed Information :
https://www.libssh.org/ and https://www.libssh.org/features/

Impact:
For Detailed Information :
https://www.libssh.org/ and https://www.libssh.org/features/

Workaround:
NA

Fix:
For Detailed Information :
https://www.libssh.org/ and https://www.libssh.org/features/

Fixed Versions:
17.1.0, 16.1.4, 15.1.8


1121517-2 : Interrupts on Hyper-V are pinned on CPU 0

Links to More Info: BT1121517

Component: TMOS

Symptoms:
CPU 0 utilization is much higher relative to other CPUs due to high amount of softirq.

Conditions:
BIG-IP is deployed on a Hyper-V platform.

Impact:
Performance is degraded.

Fix:
Interrupts are balanced across all CPUs.

Fixed Versions:
16.1.4, 15.1.10


1120685 : Unable to update the password in the CLI when password-memory is set to > 0

Links to More Info: BT1120685

Component: TMOS

Symptoms:
A BIG-IP system with password-memory enabled will fail to update the user password in the first login using the CLI

Conditions:
Password-memory set to > 0 in password-policy configuration

Impact:
Not able to update the user password in the first login using the CLI.

Workaround:
Create the user using the GUI and log in from the GUI.

Fixed Versions:
17.1.0, 16.1.3.1


1120433-2 : Removed gtmd and big3d daemon from the FIPS-compliant list

Links to More Info: BT1120433

Component: TMOS

Symptoms:
The gtmd is not able to establish a secure connection to big3d due to failure in handshake because no common ciphers were found between big3d and gtmd in FIPS mode.

Conditions:
-- BIG-IP versions 16.1.2.2 and above
-- FIPS 140-3 license is installed on the BIG-IP or its a FullBoxFIPS device.
-- Connections are established between big3d and gtmd in FIPS mode.

Impact:
SSL handshakes fail between big3d and gtmd because no common ciphers are present.

Workaround:
None

Fix:
Gtmd and big3d can now communicate when FIPS mode is enabled.

Fixed Versions:
17.1.0, 16.1.3.1


1117609-2 : VLAN guest tagging is not implemented for CX4 and CX5 on ESXi

Links to More Info: BT1117609

Component: Local Traffic Manager

Symptoms:
Tagged VLAN traffic is not received by the BIG-IP Virtual Edition (VE).

Conditions:
Mellanox CX4 or CX5 with SR-IOV on VMware ESXi.

Impact:
Host-side tagging is required.

Workaround:
If only one VLAN is required, use host-side tagging and set the VLAN to "untagged" in the BIG-IP guest.

If multiple VLANs are required, use the "sock" driver instead. Edit the /config/tmm_init.tcl file and restart the Virtual Edition (VE) instance. Network traffic is disrupted while the system restarts.

echo "device driver vendor_dev 15b3:1016 sock" >> /config/tmm_init.tcl

CPU utilization may increase as a result of switching to the sock driver.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1117305-6 : The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials

Links to More Info: BT1117305

Component: TMOS

Symptoms:
The /api returns 401 when incorrect Basic Authorization credentials are supplied.
The /api returns 404 when correct Basic Authorization credentials are supplied.

Conditions:
Irrespective of the DB variable "httpd.basic_auth" value set to enable or disable.

Impact:
There is no functional impact, but all other non-existent URIs return a 302 redirect response to the TMUI login page irrespective of correct or incorrect Basic Authorization credentials, /api should also be invariably exhibiting the same behavior.

Workaround:
None

Fix:
The /api like any other non-existent URI now returns a 302 redirect response to the TMUI login page irrespective of correct or incorrect Basic Authorization credentials.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


1117297-1 : Wr_urldbd continuously crashes and restarts

Links to More Info: BT1117297

Component: Traffic Classification Engine

Symptoms:
Malloc failed while wr_urldb is started

Conditions:
Intermittently reproduced when rebooting to a new version or after restarting wr_urldbd

Impact:
Wr_urldbd crashes.

Workaround:
- Stop the wr_urldbd to stabilize(#bigstart stop wr_urldbd)
-- Update the customdb(i.e. delete or add custom urls) on the backend server
-- Start wr_urldbd to download and load the new DB(#bigstart start wr_urldbd)

Fix:
After the fix, malloc is properly done and no crash

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


1117245-2 : Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file

Links to More Info: BT1117245

Component: Application Security Manager

Symptoms:
You only see this message in /var/log/tomcat/liveupdate.log file. No other log messages are written, causing troubleshooting capability with LiveUpdate.

liveupdate.script file is corrupted, live update repository initialized with default schema


This error is emitted during tomcat startup.

/var/log/tomcat/catalina.out
java.io.FileNotFoundException: /usr/share/tomcat/logs/liveupdate.log (Permission denied)

Conditions:
You are running on a version which has a bug fix for ID907025. For more information see https://cdn.f5.com/product/bugtracker/ID907025.html

Impact:
Losing troubleshooting capability with LiveUpdate

Workaround:
chown tomcat:tomcat /var/log/tomcat/liveupdate.log
bigstart restart tomcat

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


1117229-1 : CVE-2023-46747 and CVE-2022-26377: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp

Links to More Info: K26314875, BT1117229


1116941-1 : Need larger Content-Length value supported for SIP

Links to More Info: