Applies To:
Show VersionsBIG-IP APM
- 16.1.4
BIG-IP Analytics
- 16.1.4
BIG-IP Link Controller
- 16.1.4
BIG-IP LTM
- 16.1.4
BIG-IP PEM
- 16.1.4
BIG-IP AFM
- 16.1.4
BIG-IP FPS
- 16.1.4
BIG-IP DNS
- 16.1.4
BIG-IP ASM
- 16.1.4
BIG-IP Release Information
Version: 16.1.4.3
Build: 3.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
The blue background highlights fixes |
Cumulative fixes from BIG-IP v16.1.4.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v16.1.4 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.5 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.4 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.3 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v16.1.3 that are included in this release
Cumulative fixes from BIG-IP v16.1.2.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.2.1 that are included in this release
Cumulative fixes from BIG-IP v16.1.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.1 that are included in this release
Known Issues in BIG-IP v16.1.x
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1366025-2 | CVE-2023-44487 | K000137106, BT1366025 | A particular HTTP/2 sequence may cause high CPU utilization. | 16.1.4.3, 15.1.10.4 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1495217-3 | 3-Major | TMUI hardening | 16.1.4.3, 15.1.10.4 | |
1492361-2 | 3-Major | TMUI Security Hardening | 16.1.4.3, 15.1.10.4 | |
1360917-4 | 4-Minor | TMUI hardening | 16.1.4.3, 15.1.10.4 |
Cumulative fixes from BIG-IP v16.1.4.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1361169-2 | CVE-2023-40534 | K000133467, BT1361169 | Connections may persist after processing HTTP/2 requests | 17.1.1.1, 16.1.4.2 |
1117229-1 | CVE-2022-26377 | K26314875, BT1117229 | CVE-2023-46747 and CVE-2022-26377: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1391357-1 | CVE-2023-43125 | K000136909, BT1391357 | Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1381357-2 | CVE-2023-46748 | K000137365, BT1381357 | CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1240121-1 | CVE-2022-36760 | K000132643, BT1240121 | CVE-2023-46747 and CVE-2022-36760: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1354253-2 | 3-Major | K000137322, BT1354253 | HTTP Request smuggling with redirect iRule | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1316277-2 | 3-Major | K000137796, BT1316277 | Large CRL files may only be partially uploaded | 17.1.1, 16.1.4.2, 15.1.10.3 |
Cumulative fixes from BIG-IP v16.1.4.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1324745-2 | CVE-2023-41373 | K000135689, BT1324745 | An undisclosed TMUI endpoint may allow unexpected behavior | 17.1.0.3, 16.1.4.1, 15.1.10.2, 14.1.5.6 |
Functional Change Fixes
None
Cumulative fixes from BIG-IP v16.1.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1167897-6 | CVE-2022-40674 | K44454157, BT1167897 | [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c | 17.1.1, 16.1.4, 15.1.9 |
1121661-2 | CVE-2023-40534 | K000133467, BT1121661 | TMM may core while processing HTTP/2 requests | 17.1.0, 16.1.4 |
981917-4 | CVE-2020-8286 | K15402727 | CVE-2020-8286 - cUrl Vulnerability | 17.1.1, 16.1.4, 15.1.10 |
949857-7 | CVE-2024-22389 | K32544615, BT949857 | Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync | 17.1.1, 16.1.4, 15.1.9 |
884541-9 | CVE-2023-40537 | K29141800, BT884541 | Improper handling of cookies on VIPRION platforms | 17.1.0, 16.1.4, 15.1.9 |
1314301-2 | CVE-2024-23805 | K000137334, BT1314301 | TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled | 17.1.1, 16.1.4, 15.1.10 |
1295661-2 | CVE-2023-38418 | K000134746, BT1295661 | BIG-IP Edge Client for macOS vulnerability CVE-2023-38418 | 17.1.1, 16.1.4 |
1289189-3 | CVE-2024-24775 | K000137333, BT1289189 | In certain traffic patterns, TMM crash | 17.1.1, 16.1.4, 15.1.10 |
1271349-3 | CVE-2023-25690 | K000133098, BT1271349 | CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy | 17.1.1, 16.1.4, 15.1.9 |
1238629-1 | CVE-2024-21763 | K000137521, BT1238629 | TMM core when processing certain DNS traffic with bad actor (BA) enabled | 17.1.1, 16.1.4, 15.1.10 |
1220629-3 | CVE-2024-23314 | K000137675, BT1220629 | TMM may crash on response from certain backend traffic | 17.1.1, 16.1.4, 15.1.9 |
1208529-4 | CVE-2023-41085 | K000132420, BT1208529 | TMM crash when handling IPSEC traffic | 17.1.0, 16.1.4, 15.1.9 |
1195489-2 | CVE-2024-22093 | K000137522, BT1195489 | iControl REST input sanitization | 17.1.1, 16.1.4, 15.1.9 |
1189465-3 | CVE-2023-24461 | K000132539, BT1189465 | Edge Client allows connections to untrusted APM Virtual Servers | 17.1.0.3, 16.1.4, 15.1.9 |
1189461-3 | CVE-2023-36858 | K000132563, BT1189461 | BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-36858 | 17.1.1, 16.1.4 |
1183453-1 | CVE-2022-31676 | K87046687 | Local privilege escalation vulnerability (CVE-2022-31676) | 17.1.0, 16.1.4, 15.1.9 |
1167929-4 | CVE-2022-40674 | K44454157, BT1167929 | CVE-2022-40674 - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c | 17.1.1, 16.1.4, 15.1.9 |
1161733-4 | CVE-2023-40542 | K000134652, BT1161733 | Enabling client-side TCP Verified Accept can cause excessive memory consumption | 17.1.0, 16.1.4, 15.1.9 |
1153969-2 | CVE-2024-23979 | K000134516, BT1153969 | Excessive resource consumption when processing LDAP and CRLDP auth traffic | 17.1.1, 16.1.4, 15.1.9 |
1133013-3 | CVE-2023-43746 | K41072952, BT1133013 | Appliance mode hardening | 17.1.0, 16.1.4, 15.1.9 |
1126285-1 | CVE-2024-21849 | K000135873, BT1126285 | TMM might crash with certain HTTP traffic | 17.1.0, 16.1.4 |
1122441-5 | CVE-2015-1283, CVE-2021-45960,CVE-2022-22825,CVE-2022-22826,CVE-2022-22827, CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-23515, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2021-46143 | K19473898, BT1122441 | Upgrading the libexpat library | 17.1.0, 16.1.4, 15.1.9 |
1111097-6 | CVE-2022-1271 | K000130546, BT1111097 | gzip arbitrary-file-write vulnerability CVE-2022-1271 | 17.1.0, 16.1.4, 15.1.9 |
1107293-7 | CVE-2021-22555 | K06524534, BT1107293 | CVE-2021-22555: Linux kernel vulnerability | 17.1.0, 16.1.4, 15.1.8 |
1102881-4 | CVE-2021-25217 | K08832573, BT1102881 | dhclient/dhcpd vulnerability CVE-2021-25217 | 17.1.0, 16.1.4, 15.1.9 |
1098829-6 | CVE-2022-23852,CVE-2022-25235,CVE-2022-25236,CVE-2022-23515,CVE-2022-22822,CVE-2022-22823,CVE-2022-22824 | K19473898, BT1098829 | Security vulnerabilities found in expat lib(used by iControlSoap) prior to version 2.4.8 | 17.1.0, 16.1.4, 15.1.9 |
1093813-2 | CVE-2002-20001, CVE-2022-40735 | K83120834, BT1093813 | DH Key Agreement vulnerability in APM server side components | 17.1.0, 16.1.4 |
1093253-8 | CVE-2021-3999 | K24207649 | CVE-2021-3999 Glibc Vulnerability | 17.1.0, 16.1.4, 15.1.9 |
1091601-9 | CVE-2022-23218, CVE-2022-23219 | K52308021, BT1091601 | Glibc vulnerabilities CVE-2022-23218, CVE-2022-23219 | 17.1.0, 16.1.4, 15.1.9 |
1091453-6 | CVE-2022-23308 | K32760744, BT1091453 | libxml2 vulnerability CVE-2022-23308 | 17.1.0, 16.1.4, 15.1.8 |
1089225-4 | CVE-2021-4034 | K46015513, BT1089225 | Polkit pkexec vulnerability CVE-2021-4034 | 17.1.0, 16.1.4, 15.1.8 |
1077301-4 | CVE-2021-23133 | K67416037, BT1077301 | CVE-2021-23133 kernel: Race condition in sctp_destroy_sock list_del | 17.1.0, 16.1.4, 15.1.8 |
1075733-3 | CVE-2018-14348 | K26890535, BT1075733 | Updated libcgroup library to fix CVE-2018-14348 | 17.1.0, 16.1.4, 15.1.9 |
1075689-3 | CVE-2020-25692,CVE-2020-25709,CVE-2020-12243,CVE-2019-13565,CVE-2020-25710,CVE-2020-36222,CVE-2020-36226,CVE-2020-36228,CVE-2020-36227,CVE-2021-27212,CVE-2020-36223,CVE-2020-36221,CVE-2020-36225,CVE-2020-36224,CVE-2019-13057 | K56241216, BT1075689 | Multiple CVE fixes for OpenLDAP library | 17.1.0, 16.1.4, 15.1.8 |
1075657-3 | CVE-2020-12825 | K01074825, BT1075657 | CVE-2020-12825 - libcroco vulnerability | 17.1.1, 16.1.4, 15.1.10 |
1070753-4 | CVE-2020-27216 CVE-2021-28169 CVE-2021-34428 CVE-2018-12536 |
K33548065, BT1070753 | CVE-2020-27216: Eclipse Jetty vulnerability | 17.1.1, 16.1.4, 15.1.9 |
1061977-3 | CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111 | K31781390, BT1061977 | Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111 | 17.1.1, 16.1.4, 15.1.10 |
1057393-3 | CVE-2019-18197 | K10812540, BT1057393 | CVE-2019-18197 libxslt vulnerability: use after free in xsltCopyText | 17.0.0, 16.1.4, 15.1.8 |
1051305-4 | CVE-2021-34798 | K72382141, BT1051305 | CVE-2021-34798: A NULL pointer dereference in httpd via malformed requests | 17.0.0, 16.1.4, 15.1.7 |
1043821-1 | CVE-2023-42768 | K26910459, BT1043821 | Inconsistent user role handling across configuration UIs | 17.1.0, 16.1.4, 15.1.9 |
972545-7 | CVE-2024-23976 | K91054692, BT972545 | iApps LX does not follow best practices in appliance mode | 17.1.1, 16.1.4, 15.1.9 |
966541-1 | CVE-2023-43485 | K06110200, BT966541 | Improper data logged in plaintext | 17.1.0, 16.1.4, 15.1.9 |
950605-6 | CVE-2020-14145 | K48050136, BT950605 | Openssh insecure client negotiation CVE-2020-14145 | 17.1.0, 16.1.4, 15.1.9 |
905937-8 | CVE-2023-41253 | K98334513, BT905937 | TSIG key value logged in plaintext in log | 17.1.0, 16.1.4, 15.1.9 |
785197-5 | CVE-2019-9075 | K42059040, BT785197 | binutils vulnerability CVE-2019-9075 | 17.1.0, 16.1.4, 15.1.9 |
651029-12 | CVE-2023-45219 | K20307245, BT651029 | Sensitive information exposed during incremental sync | 17.1.0, 16.1.4, 15.1.9 |
1238321-4 | CVE-2022-4304 | K000132943 | OpenSSL Vulnerability CVE-2022-4304 | 17.1.0.1, 16.1.4, 15.1.10 |
1235813-9 | CVE-2023-0215 | K000132946, BT1235813 | OpenSSL vulnerability CVE-2023-0215 | 17.1.0.1, 16.1.4, 15.1.10 |
1235801-4 | CVE-2023-0286 | K000132941, BT1235801 | OpenSSL vulnerability CVE-2023-0286 | 17.1.1, 16.1.4, 15.1.10 |
1189457-3 | CVE-2023-22372 | K000132522, BT1189457 | Hardening of client connection handling from Edge client. | 16.1.4, 15.1.9 |
1123537-9 | CVE-2022-28615 | K40582331, BT1123537 | CVE-2022-28615 (httpd): out-of-bounds read in ap_strcmp_match() | 17.1.1, 16.1.4, 15.1.9 |
1121965-2 | CVE-2022-28614 | K58003591, BT1121965 | CVE-2022-28614 (httpd): out-of-bounds read via ap_rwrite() | 17.1.0, 16.1.4, 15.1.9 |
1099341-4 | CVE-2018-25032 | K21548854, BT1099341 | CVE-2018-25032: A flaw found in zlib, when compressing (not decompressing!) certain inputs | 17.1.1, 16.1.4, 15.1.9 |
1089921-6 | CVE-2022-0359 | K08827426, BT1089921 | Vim vulnerability CVE-2022-0359 | 17.1.0, 16.1.4, 15.1.9 |
1089233-4 | CVE-2022-0492 | K54724312 | CVE-2022-0492 Linux kernel vulnerability | 17.1.0, 16.1.4, 15.1.9 |
1088445-7 | CVE-2022-22720 | K67090077, BT1088445 | CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body | 17.1.1, 16.1.4, 15.1.9 |
1070905-4 | CVE-2017-7656 | K21054458, BT1070905 | CVE-2017-7656 jetty: HTTP request smuggling using the range header | 17.1.1, 16.1.4, 15.1.9 |
1041577-4 | CVE-2024-21782 | K98606833, BT1041577 | SCP file transfer system, completing fix for 994801 | 17.1.1, 16.1.4, 15.1.9 |
1021245-3 | CVE-2019-20907 | K78284681, BT1021245 | CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive | 17.1.0, 16.1.4, 15.1.9 |
1018997-1 | CVE-2023-41964 | K20850144, BT1018997 | Improper logging of sensitive DB variables | 17.1.0, 16.1.4, 15.1.9 |
1009157-1 | CVE-2023-39447 | K47756555, BT1009157 | AGC hardening | 16.1.4, 15.1.8 |
1296489-3 | CVE-2024-23603 | K000138047, BT1296489 | ASM UI hardening | 17.1.1, 16.1.4, 15.1.10 |
1057445-3 | CVE-2019-13118 | K96300145, BT1057445 | CVE-2019-13118 libxslt vulnerability: uninitialized stack data | 17.0.0, 16.1.4, 15.1.8 |
1057437-3 | CVE-2019-13117 | K96300145, BT1057437 | CVE-2019-13117 libxslt vulnerability: uninitialized read in xsltNumberFormatInsertNumbers | 17.0.0, 16.1.4, 15.1.8 |
1057149-3 | CVE-2019-11068 | K30444545, BT1057149 | CVE-2019-11068 libxslt vulnerability: xsltCheckRead and xsltCheckWrite | 17.0.0, 16.1.4, 15.1.8 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1088037-3 | 1-Blocking | BT1088037 | VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers | 17.1.0, 16.1.4, 15.1.8 |
1053589-1 | 1-Blocking | BT1053589 | DDoS functionality cannot be configured at a Zone level | 16.1.4, 15.1.8 |
1282181-1 | 3-Major | High CPU or increased translation errors following upgrade or restart when DAG distribution changes | 16.1.4 | |
1211513-2 | 3-Major | BT1211513 | HSB loopback validation feature | 17.1.1, 16.1.4, 15.1.10 |
1144373-4 | 3-Major | BT1144373 | BIG-IP SFTP hardening | 17.1.0, 16.1.4, 15.1.9 |
1040609-1 | 3-Major | K21800102, BT1040609 | RFC enforcement is bypassed when HTTP redirect irule is applied to the virtual server. | 17.1.0, 16.1.4, 15.1.9 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1315193-1 | 1-Blocking | TMM Crash in certain condition when processing IPSec traffic | 17.1.1, 16.1.4 | |
1284969-1 | 1-Blocking | BT1284969 | Adding ssh-rsa key for passwordless authentication | 17.1.0.1, 16.1.4 |
1224125-1 | 1-Blocking | BT1224125 | When you upgrade to 16.1.3.2 or 17.1, keys that are not approved in FIPS 140-3 are permitted to be used. | 17.1.0, 16.1.4 |
1173441-3 | 1-Blocking | BT1173441 | The 'tmsh save sys config' call is being triggered when REST Authentication tokens (X-F5-Auth-Token) are deleted or expired | 17.1.0, 16.1.4, 15.1.9 |
1161913-1 | 1-Blocking | BT1161913 | Upgrades from BIG-IP versions 15.1.8, 15.1.8.1, 15.1.8.2, or v15.1.9 to 16.1.1, 16.1.2, 16.1.3 (not 16.1.4) or 17.0.x (but not 17.1.x) fail, and leaves the device INOPERATIVE★ | 16.1.4 |
1116845-4 | 1-Blocking | BT1116845 | Interfaces using the xnet driver are not assigned a MAC address | 17.1.0, 16.1.4, 15.1.9 |
995849-1 | 2-Critical | BT995849 | Tmm crash SIGSEGV - rcs_getsalen() in lib/rc_net.c | 17.0.0, 16.1.4, 15.1.9 |
994033-3 | 2-Critical | BT994033 | The daemon httpd_sam does not recover automatically when terminated | 17.1.1, 16.1.4, 15.1.9 |
993481-1 | 2-Critical | BT993481 | Jumbo frame issue with DPDK eNIC | 17.1.1, 16.1.4, 15.1.10 |
967905-5 | 2-Critical | BT967905 | Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
950201-3 | 2-Critical | BT950201 | Tmm core on GCP | 17.1.1, 16.1.4, 15.1.9 |
888765-2 | 2-Critical | BT888765 | After upgrading from 13.1.0 to 15.1.0.1 CGNAT is deprovisioned and tmm is restarted by reloaded config from text files★ | 16.1.4 |
723109-2 | 2-Critical | BT723109 | FIPS HSM: SO login failing when trying to update firmware | 17.1.1, 16.1.4, 15.1.10 |
1290889-4 | 2-Critical | K000134792, BT1290889 | TMM disconnects from processes such as mcpd causing TMM to restart | 17.1.1, 16.1.4, 15.1.9 |
1256841-1 | 2-Critical | BT1256841 | AWS Metadata crawling fails due to incorrect cloud provider name set by cloud-init script | 17.1.1, 16.1.4, 15.1.10 |
1232997-1 | 2-Critical | BT1232997 | IPSEC: The tmm process may exit with 'Invalid policy remote index' | 16.1.4, 15.1.10 |
1225789-2 | 2-Critical | BT1225789 | The iHealth API is transitioning from SSODB to OKTA | 17.1.1, 16.1.4, 15.1.9 |
1209709-4 | 2-Critical | BT1209709 | Memory leak in icrd_child when license is applied through BIG-IQ | 17.1.1, 16.1.4, 15.1.9 |
1195377 | 2-Critical | BT1195377 | Getting Service Indicator log for disallowed RSA-1024 crypto algorithm | 17.1.0, 16.1.4 |
1181613-1 | 2-Critical | BT1181613 | IPsec IKEv2: BIG-IP version 16.1.0 introduced RFC5996 non-compliance in IKE SA delete | 17.1.0, 16.1.4 |
1178221-3 | 2-Critical | BT1178221 | In IPsec IKEv2, packet memory corruption after retransmitted ISAKMP with NAT | 17.1.0, 16.1.4, 15.1.9 |
1144477-1 | 2-Critical | BT1144477 | IKE_SA_INIT uses src port 500 and dst port 4500 after IKE SA deleted | 17.1.0, 16.1.4 |
1136429-4 | 2-Critical | BT1136429 | Closing of unrelated MCPD connection causes an errant reply to an in-progress transaction or request group | 17.1.0, 16.1.4, 15.1.9 |
1134301-3 | 2-Critical | BT1134301 | IPsec interface mode may stop sending packets over tunnel after configuration update | 17.1.0, 16.1.4, 15.1.9 |
1128629 | 2-Critical | BT1128629 | Neurond crash observed during live install through test script | 17.1.0, 16.1.4, 15.1.9 |
1110893-4 | 2-Critical | BT1110893 | Some portions of the BIG-IP GUI do not work when accessed behind an HTTP proxy | 17.1.0, 16.1.4, 15.1.9 |
1105901-2 | 2-Critical | BT1105901 | Tmm crash while doing high-speed logging | 17.1.1, 16.1.4, 15.1.10 |
1095217-1 | 2-Critical | BT1095217 | Peer unit incorrectly shows the pool status as unknown after merging the configuration | 17.1.0, 16.1.4, 15.1.9 |
1085805-2 | 2-Critical | BT1085805 | UCS restore with SSL Orchestrator deployed fails due to multiple iFiles and incorrect iFile reference. | 17.1.0, 16.1.4 |
1085597-1 | 2-Critical | BT1085597 | IKEv1 IPsec peer cannot be created in config utility (web UI) | 17.1.0, 16.1.4 |
1082941-2 | 2-Critical | System account hardening | 17.1.0, 16.1.4, 15.1.9 | |
1076909-4 | 2-Critical | BT1076909 | Syslog-ng truncates the hostname at the first period. | 17.1.0, 16.1.4, 15.1.9 |
1075713-2 | 2-Critical | Multiple libtasn1 vulnuerabilities | 17.1.1, 16.1.4 | |
1075677-2 | 2-Critical | Multiple GnuTLS Mend findings | 17.1.1, 16.1.4, 15.1.10 | |
1035121-4 | 2-Critical | BT1035121 | Configsync syncs the node's monitor status | 17.0.0, 16.1.4, 15.1.9 |
1023829-2 | 2-Critical | BT1023829 | Security->Policies in Virtual Server web page spins mcpd 100%, which later cores | 17.0.0, 16.1.4, 15.1.9 |
998225-6 | 3-Major | BT998225 | TMM crash when disabling/re-enabling a blade that triggers a primary blade transition. | 17.0.0, 16.1.4, 15.1.9 |
995097-1 | 3-Major | BT995097 | Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file. | 17.0.0, 16.1.4, 15.1.10 |
992813-7 | 3-Major | BT992813 | The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations. | 17.0.0, 16.1.4, 15.1.10 |
989501-2 | 3-Major | BT989501 | A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus | 17.1.1, 16.1.4, 15.1.10 |
987301-3 | 3-Major | BT987301 | Software install on vCMP guest via block-device may fail with error 'reason unknown' | 17.0.0, 16.1.4, 15.1.9 |
966949-6 | 3-Major | BT966949 | Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node | 17.1.0, 16.1.4, 15.1.9 |
964125-6 | 3-Major | BT964125 | Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members. | 17.1.1, 16.1.4, 15.1.10 |
936093-5 | 3-Major | BT936093 | Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline | 17.1.1, 16.1.4, 15.1.9 |
930393-2 | 3-Major | BT930393 | IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration | 17.1.0, 16.1.4, 15.1.10 |
925469-2 | 3-Major | BT925469 | SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo | 17.1.0, 16.1.4, 15.1.9 |
921149-6 | 3-Major | BT921149 | After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy | 17.1.0, 16.1.4, 15.1.9 |
906273-1 | 3-Major | BT906273 | MCPD crashes receiving a message from bcm56xxd | 17.1.1, 16.1.4, 15.1.10 |
804529-1 | 3-Major | BT804529 | REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools | 17.1.1, 16.1.4, 15.1.10 |
662301-8 | 3-Major | BT662301 | 'Unlicensed objects' error message appears despite there being no unlicensed config | 17.1.0, 16.1.4, 15.1.9 |
1238693-2 | 3-Major | BT1238693 | Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519 | 17.1.0.1, 16.1.4 |
1232521-2 | 3-Major | SCTP connection sticking on BIG-IP even after connection terminated | 17.1.1, 16.1.4, 15.1.9 | |
1166329-2 | 3-Major | BT1166329 | The mcpd process fails on secondary blades, if the predefined classification applications are updated. | 17.1.0, 16.1.4 |
1160805-2 | 3-Major | BT1160805 | The scp-checkfp fail to cat scp.whitelist for remote admin | 16.1.4, 15.1.9 |
1154933-4 | 3-Major | Improper permissions handling in REST SNMP endpoint | 17.1.0, 16.1.4, 15.1.9 | |
1153865-4 | 3-Major | BT1153865 | Restjavad OutOfMemoryError errors and restarts after upgrade★ | 17.1.0, 16.1.4, 15.1.9 |
1146017-1 | 3-Major | BT1146017 | WebUI does not displays error when parent rewrite profile is not assigned to user defined rewrite profile | 17.1.0, 16.1.4, 15.1.9 |
1136921-4 | 3-Major | BT1136921 | BGP might delay route updates after failover | 17.1.1, 16.1.4, 15.1.10 |
1128169-1 | 3-Major | BT1128169 | TMM core when IPsec tunnel object is reconfigured | 17.1.0, 16.1.4 |
1127169 | 3-Major | BT1127169 | The BIG-IP can reboot due to failure to initialize the OpenSSL FIPS RNG | 17.1.0, 16.1.4 |
1126805-3 | 3-Major | BT1126805 | TMM CPU usage statistics may show a lower than expected value on Virtual Edition | 17.1.0, 16.1.4, 15.1.9 |
1124209-3 | 3-Major | BT1124209 | Duplicate key objects when renewing certificate using pkcs12 bundle | 17.1.1, 16.1.4, 15.1.9 |
1123885-2 | 3-Major | BT1123885 | A specific type of software installation may fail to carry forward the management port's default gateway. | 17.1.0, 16.1.4, 15.1.9 |
1121517-2 | 3-Major | BT1121517 | Interrupts on Hyper-V are pinned on CPU 0 | 16.1.4, 15.1.10 |
1113961-1 | 3-Major | K43391532, BT1113961 | BIG-IP 16.1.3 VE with FIPS 140-3 May Fail to start in AWS-China | 17.1.0, 16.1.4, 15.1.9 |
1112537-2 | 3-Major | BT1112537 | LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete. | 17.1.1, 16.1.4, 15.1.10 |
1112109-4 | 3-Major | K000134769, BT1112109 | Unable to retrieve SCP files using WinSCP or relative path name | 17.1.0, 16.1.4, 15.1.9 |
1111629-4 | 3-Major | BT1111629 | Messages with "Failed Read: User, referer" are logged in /var/log/httpd/httpd_errors | 17.1.0, 16.1.4, 15.1.9 |
1111421-1 | 3-Major | BT1111421 | IPsec SA info cannot be viewed in TMSH or the web UI | 17.1.0, 16.1.4 |
1106489-2 | 3-Major | BT1106489 | GRO/LRO is disabled in environments using the TMM raw socket "sock" driver. | 16.1.4, 15.1.10 |
1102849-3 | 3-Major | BT1102849 | Less-privileged users (guest, operator, etc) are unable to run top level commands | 17.1.0, 16.1.4, 15.1.9, 14.1.5.1 |
1101453-1 | 3-Major | BT1101453 | MCPD SIGABRT and core happened while deleting GTM pool member | 17.1.0, 16.1.4, 15.1.9 |
1100409-4 | 3-Major | BT1100409 | Valid connections may fail while a virtual server is in SYN cookie mode. | 17.1.0, 16.1.4, 15.1.9 |
1100321 | 3-Major | BT1100321 | MCPD memory leak | 17.1.0, 16.1.4, 15.1.10 |
1100125-4 | 3-Major | BT1100125 | Per virtual SYN cookie may not be activated on all HSB modules | 17.1.0, 16.1.4, 15.1.10 |
1091725-4 | 3-Major | BT1091725 | Memory leak in IPsec | 17.1.0, 16.1.4, 15.1.9 |
1088429-4 | 3-Major | BT1088429 | Kernel slab memory leak | 17.1.0, 16.1.4, 15.1.9 |
1086517-2 | 3-Major | BT1086517 | TMM may not properly exit hardware SYN cookie mode | 17.1.0, 16.1.4, 15.1.6.1 |
1085837-2 | 3-Major | BT1085837 | Virtual server may not exit from hardware SYN cookie mode | 17.1.0, 16.1.4, 15.1.6.1 |
1084781-6 | 3-Major | Resource Admin permission modification | 17.1.0, 16.1.4, 15.1.9 | |
1081649-2 | 3-Major | BT1081649 | Remove the "F5 iApps and Resources" link from the iApps->Package Management | 17.1.0, 16.1.4, 15.1.9 |
1081641-4 | 3-Major | BT1081641 | Remove Hyperlink to Legal Statement from Login Page | 17.1.0, 16.1.4, 15.1.10 |
1080297-1 | 3-Major | BT1080297 | ZebOS does not show 'log syslog' in the running configuration, or store it in the startup configuration | 17.1.0, 16.1.4, 15.1.9 |
1077533-1 | 3-Major | BT1077533 | BIG-IP fails to restart services after mprov runs during boot. | 17.1.1, 16.1.4, 15.1.10 |
1077405-2 | 3-Major | BT1077405 | Ephemeral pool members may not be created with autopopulate enabled. | 17.1.0, 16.1.4, 15.1.9 |
1076785-2 | 3-Major | BT1076785 | Virtual server may not properly exit from hardware SYN Cookie mode | 17.1.0, 16.1.4, 15.1.5.1 |
1069337-2 | 3-Major | CVE-2016-1841 - Use after free in xsltDocumentFunctionLoadDocument | 17.1.0, 16.1.4, 15.1.9 | |
1063237-4 | 3-Major | BT1063237 | Stats are incorrect when the management interface is not eth0 | 16.1.4, 15.1.9 |
1062953-1 | 3-Major | BT1062953 | Unable to save configuration via tmsh or the GUI. | 17.0.0, 16.1.4 |
1053557-2 | 3-Major | BT1053557 | Support for Mellanox CX-6 | 17.1.0, 16.1.4, 15.1.9 |
1048709-2 | 3-Major | BT1048709 | FCS errors between the switch and HSB | 17.1.0, 16.1.4, 15.1.8 |
1044089-3 | 3-Major | BT1044089 | ICMP echo requests to virtual address gets a response even when the virtual server is offline when updated from GUI. | 17.1.1, 16.1.4, 15.1.10 |
1032821-7 | 3-Major | BT1032821 | Syslog: invalid level/facility from /usr/libexec/smart_parse.pl | 17.0.0, 16.1.4, 15.1.9 |
1029105-1 | 3-Major | BT1029105 | Hardware SYN cookie mode state change logs bogus virtual server address | 17.1.0, 16.1.4, 15.1.4 |
1001069-5 | 3-Major | BT1001069 | VE CPU usage higher after upgrade, given same throughput | 17.1.0, 16.1.4, 15.1.9 |
964533-2 | 4-Minor | BT964533 | Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs. | 17.1.1, 16.1.4, 15.1.10 |
939757-8 | 4-Minor | BT939757 | Deleting a virtual server might not trigger route injection update. | 17.1.1, 16.1.4, 15.1.10 |
904661-4 | 4-Minor | BT904661 | Mellanox NIC speeds may be reported incorrectly on Virtual Edition | 17.1.0, 16.1.4 |
889813-3 | 4-Minor | BT889813 | Show net bwc policy prints bytes-per-second instead of bits-per-second | 17.0.0, 16.1.4, 15.1.10, 14.1.4.5 |
838405-4 | 4-Minor | BT838405 | Listener traffic-group may not be updated when spanning is in use | 17.1.1, 16.1.4, 15.1.10 |
760496-4 | 4-Minor | BT760496 | Traffic processing interrupted by PF reset | 17.1.0, 16.1.4, 15.1.9 |
674026-6 | 4-Minor | BT674026 | iSeries AOM web UI update fails to complete.★ | 17.0.0, 16.1.4, 15.1.9 |
1256777-3 | 4-Minor | BT1256777 | In BGP, as-origination interval not persisting after restart when configured on a peer-group. | 17.1.1, 16.1.4 |
1252537-3 | 4-Minor | BT1252537 | Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role | 17.1.1, 16.1.4 |
1185257-4 | 4-Minor | BT1185257 | BGP confederations do not support 4-byte ASNs | 17.1.1, 16.1.4, 15.1.10 |
1155733-1 | 4-Minor | BT1155733 | NULL bytes are clipped from the end of buffer | 17.1.0, 16.1.4, 15.1.9 |
1117305-6 | 4-Minor | BT1117305 | The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials | 17.1.1, 16.1.4, 15.1.9 |
1106353-4 | 4-Minor | BT1106353 | [Zebos] Expand zebos/bgp commands in a qkview | 17.1.0, 16.1.4, 15.1.9 |
1090441-1 | 4-Minor | BT1090441 | IKEv2: Add algorithm info to SK_ logging | 17.1.0, 16.1.4 |
1076897-4 | 4-Minor | BT1076897 | OSPF default-information originate command options not working properly | 17.1.0, 16.1.4, 15.1.9 |
1076253-1 | 4-Minor | BT1076253 | IKE library memory leak | 17.0.0, 16.1.4, 15.1.9 |
1062385-4 | 4-Minor | BT1062385 | BIG-IP has an incorrect limit on the number of monitored HA-group entries. | 17.1.0, 16.1.4, 15.1.9 |
1057457-3 | 4-Minor | CVE-2015-9019: libxslt vulnerability: math.random() | 17.0.0, 16.1.4, 15.1.8 | |
1057449-3 | 4-Minor | CVE-2015-7995 libxslt vulnerability: Type confusion may cause DoS | 17.0.0, 16.1.4, 15.1.8 | |
1057441-3 | 4-Minor | An out-of-bounds access flawb in the libxslt component | 17.0.0, 16.1.4, 15.1.8 | |
1057433-3 | 4-Minor | Integer overflow in libxslt component | 17.0.0, 16.1.4, 15.1.8 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1112349-4 | 1-Blocking | BT1112349 | FIPS Card Cannot Initialize | 17.1.0, 16.1.4, 15.1.9 |
937649-4 | 2-Critical | BT937649 | Flow fwd broken with statemirror.verify enabled and source-port preserve strict | 17.1.0, 16.1.4, 15.1.9 |
935193-4 | 2-Critical | BT935193 | With APM and AFM provisioned, single logout ( SLO ) fails | 17.0.0, 16.1.4, 15.1.10 |
1282357-1 | 2-Critical | BT1282357 | Double HTTP::disable can lead to tmm core | 17.1.1, 16.1.4, 15.1.10 |
1205501-2 | 2-Critical | BT1205501 | The iRule command SSL::profile can select server SSL profile with outdated configuration | 17.1.1, 16.1.4, 15.1.9 |
1186249-2 | 2-Critical | BT1186249 | TMM crashes on reject rule | 17.1.0, 16.1.4 |
1156697-3 | 2-Critical | BT1156697 | Translucent VLAN groups may pass some packets without changing the locally administered bit | 17.1.0, 16.1.4, 15.1.9 |
1146377-2 | 2-Critical | BT1146377 | FastHTTP profiles do not insert HTTP headers triggered by iRules | 17.1.1, 16.1.4, 15.1.9 |
1132405-4 | 2-Critical | BT1132405 | TMM does not process BFD echo pkts with src.addr == dst.addr | 17.1.0, 16.1.4, 15.1.9 |
1126093 | 2-Critical | BT1126093 | DNSSEC Key creation failure with internal FIPS card. | 17.1.1, 16.1.4 |
1110813-3 | 2-Critical | BT1110813 | Improve MPTCP retransmission handling while aborting | 17.1.0, 16.1.4, 15.1.9 |
1099545-2 | 2-Critical | BT1099545 | Tmm may core when PEM virtual with a simple policy and iRule is being used | 17.1.0, 16.1.4, 15.1.9 |
1075073-2 | 2-Critical | BT1075073 | TMM Crash observed with Websocket and MQTT profile enabled | 17.0.0, 16.1.4, 15.1.9 |
1067669-1 | 2-Critical | BT1067669 | TCP/UDP virtual servers drop all incoming traffic. | 17.0.0, 16.1.4, 15.1.9 |
1030185-5 | 2-Critical | BT1030185 | TMM may crash when looking up a persistence record using "persist lookup" iRule commands | 17.0.0, 16.1.4, 15.1.9 |
1024241-1 | 2-Critical | BT1024241 | Empty TLS records from client to BIG-IP results in SSL session termination | 17.1.1, 16.1.4, 15.1.9 |
985925-3 | 3-Major | BT985925 | Ipv6 Routing Header processing not compatible as per Segments Left value. | 17.1.1, 16.1.4, 15.1.10 |
976525-5 | 3-Major | BT976525 | Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled | 17.0.0, 16.1.4, 15.1.6.1, 14.1.5 |
956133-2 | 3-Major | BT956133 | MAC address might be displayed as 'none' after upgrading.★ | 17.0.0, 16.1.4, 15.1.4, 14.1.4.4 |
948065-1 | 3-Major | BT948065 | DNS Responses egress with an incorrect source IP address. | 17.0.0, 16.1.4, 15.1.9 |
921541-6 | 3-Major | BT921541 | When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker. | 17.1.1, 16.1.4, 15.1.10 |
878641-3 | 3-Major | BT878641 | TLS1.3 certificate request message does not contain CAs | 17.1.1, 16.1.4, 15.1.9 |
876569-2 | 3-Major | BT876569 | QAT compression codec produces gzip stream with CRC error | 17.1.1, 16.1.4, 15.1.10 |
851121-6 | 3-Major | BT851121 | Database monitor DBDaemon debug logging not enabled consistently | 17.1.1, 16.1.4, 15.1.10 |
842425-6 | 3-Major | BT842425 | Mirrored connections on standby are never removed in certain configurations | 17.1.1, 16.1.4, 15.1.10 |
693473-8 | 3-Major | BT693473 | The iRulesLX RPC completion can cause invalid or premature TCL rule resumption | 17.1.1, 16.1.4, 15.1.9 |
574762-4 | 3-Major | BT574762 | Forwarding flows leak when a routing update changes the egress vlan | 17.0.0, 16.1.4, 15.1.9 |
1292793-3 | 3-Major | BT1292793 | FIX protocol late binding flows that are not PVA accelerated may fail | 17.1.1, 16.1.4, 15.1.10 |
1291565-2 | 3-Major | BT1291565 | BIG-IP generates more multicast packets in multicast failover high availability (HA) setup | 17.1.1, 16.1.4, 15.1.10 |
1284993-1 | 3-Major | BT1284993 | TLS extensions which are configured after session_ticket are not parsed from Client Hello messages | 17.1.1, 16.1.4 |
1284589-2 | 3-Major | BT1284589 | HTTP CONNECT request from client is not successful with iRule HTTP::disable discard command | 16.1.4 |
1281637-1 | 3-Major | BT1281637 | When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE | 17.1.1, 16.1.4, 15.1.9 |
1269733-3 | 3-Major | BT1269733 | HTTP GET request with headers has incorrect flags causing timeout | 17.1.1, 16.1.4, 15.1.10 |
1250085-3 | 3-Major | BT1250085 | BPDU is not processed with STP passthough mode enabled in BIG-IP | 17.1.1, 16.1.4 |
1238413-3 | 3-Major | BT1238413 | The BIG-IP might fail to update ARL entry for a host in a VLAN-group | 17.1.1, 16.1.4, 15.1.10 |
1229417-2 | 3-Major | BIG-IP iRulesLX: CVE-2020-7774 nodejs-y18n prototype pollution vulnerability | 17.1.1, 16.1.4, 15.1.9 | |
1229369-3 | 3-Major | BT1229369 | The fastl4 TOS mimic setting towards client may not function | 17.1.1, 16.1.4, 15.1.10 |
1210469-3 | 3-Major | BT1210469 | TMM can crash when processing AXFR query for DNSX zone | 17.1.1, 16.1.4, 15.1.9 |
1185133-2 | 3-Major | BT1185133 | ILX streaming plugins limited to MCP OIDs less than 10 million | 17.1.0, 16.1.4, 15.1.9 |
1184153-2 | 3-Major | BT1184153 | TMM crashes when you use the rateshaper with packetfilter enabled | 17.1.0, 16.1.4, 15.1.9 |
1159569-2 | 3-Major | BT1159569 | Persistence cache records may accumulate over time | 17.1.0, 16.1.4, 15.1.9 |
1155393-2 | 3-Major | BT1155393 | Failure to remove chunk headers from chunked response with Rewrite/HTML profile and compression | 17.1.0, 16.1.4, 15.1.9 |
1146241-2 | 3-Major | BT1146241 | FastL4 virtual server may egress packets with unexpected and erratic TTL values | 17.1.0, 16.1.4, 15.1.9 |
1146037-1 | 3-Major | BT1146037 | Updating the firmware for a FIPS protected internal HSM due to SDK or driver upgrade | 17.1.0, 16.1.4 |
1144117-3 | 3-Major | BT1144117 | "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands | 17.1.1, 16.1.4, 15.1.9 |
1141845-4 | 3-Major | BT1141845 | RULE_INIT with a call that contains an extra colon character (:) will crash BIG-IP. | 17.1.0, 16.1.4, 15.1.9 |
1135313-4 | 3-Major | BT1135313 | Pool member current connection counts are incremented and not decremented | 17.1.0, 16.1.4, 15.1.9 |
1133881-2 | 3-Major | BT1133881 | Errors in attaching port lists to virtual server when TMC is used with same sources | 17.1.0, 16.1.4, 15.1.9 |
1133625-2 | 3-Major | BT1133625 | The HTTP2 protocol is not working when SSL persistence and session ticket are enabled | 17.1.0, 16.1.4, 15.1.9 |
1128721-2 | 3-Major | BT1128721 | L2 wire support on vCMP architecture platform | 17.1.0, 16.1.4, 15.1.8 |
1126841-3 | 3-Major | BT1126841 | HTTP::enable can rarely cause cores | 17.1.1, 16.1.4, 15.1.10 |
1126329-2 | 3-Major | BT1126329 | SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT★ | 17.1.0, 16.1.4, 15.1.9 |
1123169-1 | 3-Major | BT1123169 | Error saving an iRule when calling a procedure from HTML_TAG_MATCHED event | 17.1.0, 16.1.4, 15.1.9 |
1117609-2 | 3-Major | BT1117609 | VLAN guest tagging is not implemented for CX4 and CX5 on ESXi | 17.1.1, 16.1.4, 15.1.10 |
1115041-1 | 3-Major | BT1115041 | BIG-IP does not forward the response received after GOAWAY, to the client. | 17.1.0, 16.1.4, 15.1.9 |
1113181-2 | 3-Major | BT1113181 | Self-IP allows no traffic following a modification from "Allow Custom (Include Default)" to "Allow Custom". | 16.1.4, 15.1.9 |
1112745-2 | 3-Major | BT1112745 | System CPU Usage detailed graph is not accessible on Cerebrus+ | 17.1.0, 16.1.4, 15.1.7 |
1111473-4 | 3-Major | BT1111473 | The error Invalid monitor rule instance identifier occurs, and possible blade reboot loop after sync with FQDN nodes | 17.1.0, 16.1.4, 15.1.9 |
1109953-4 | 3-Major | BT1109953 | TMM may crash if a data-group is used when an SSL Forward Proxy Bypass/Intercept list contains extremely long entry | 17.1.0, 16.1.4, 15.1.9 |
1107565 | 3-Major | BT1107565 | SSL Persistence behavior change for TLS1.3 connection between v16.1.0 and v16.1.2.2 | 17.1.1, 16.1.4 |
1102429-2 | 3-Major | BT1102429 | iRule 'reject' command under 'FLOW_INIT' event does not send the reject packet out in some cases. | 17.1.0, 16.1.4, 15.1.9 |
1101697-2 | 3-Major | BT1101697 | TLS1.3 connection failure with 0-RTT and Hello Retry Request (HRR). | 17.1.0, 16.1.4, 15.1.7 |
1101181-2 | 3-Major | BT1101181 | HTTP request payload not forwarded by BIG-IP when serverside is HTTP/2 and HTTP MRF router is enabled on virtual server | 17.1.0, 16.1.4, 15.1.9 |
1099229-4 | 3-Major | BT1099229 | SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present | 17.1.0, 16.1.4, 15.1.9, 14.1.5.1 |
1096893-1 | 3-Major | BT1096893 | TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection | 17.1.1, 16.1.4, 15.1.9 |
1091969-3 | 3-Major | BT1091969 | iRule 'virtual' command does not work for connections over virtual-wire. | 16.1.4, 15.1.9 |
1088173-2 | 3-Major | BT1088173 | With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile | 17.1.0, 16.1.4, 15.1.7 |
1080569-2 | 3-Major | BT1080569 | BIG-IP prematurely closes clientside HTTP1.1 connection when serverside is HTTP2 and HTTP MRF router is enabled on virtual server | 17.1.0, 16.1.4, 15.1.9 |
1079769-1 | 3-Major | BT1079769 | Tmm utilizing the virtio driver might crash after modifying several IPv6 virtual servers | 17.0.0, 16.1.4, 15.1.9 |
1077553-3 | 3-Major | BT1077553 | Traffic matches the wrong virtual server after modifying the port matching configuration | 17.1.0, 16.1.4, 15.1.9 |
1076577-3 | 3-Major | BT1076577 | iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg' | 17.1.0, 16.1.4, 15.1.7 |
1076573-3 | 3-Major | BT1076573 | MQTT profile addition is different in GUI and TMSH | 17.0.0, 16.1.4, 15.1.9 |
1074505-1 | 3-Major | BT1074505 | Traffic classes are not attached to virtual server at TMM start | 17.0.0, 16.1.4, 15.1.6.1, 14.1.5.1 |
1070389-4 | 3-Major | Tightening HTTP RFC enforcement | 17.1.0, 16.1.4, 15.1.9 | |
1068673-3 | 3-Major | BT1068673 | SSL forward Proxy triggers CLIENTSSL_DATA event on bypass. | 17.1.0, 16.1.4, 15.1.9 |
1060021-1 | 3-Major | BT1060021 | Using OneConnect profile with RESOLVER::name_lookup iRule might result in core. | 17.1.0, 16.1.4, 15.1.9 |
1053741-4 | 3-Major | BT1053741 | Bigd may exit and restart abnormally without logging a reason | 17.1.0, 16.1.4, 15.1.8 |
1053173-1 | 3-Major | BT1053173 | Support for MQTT functionality over websockets. | 17.0.0, 16.1.4 |
1043009 | 3-Major | BT1043009 | TMM dump capture for compression engine hang | 17.1.0, 16.1.4, 15.1.9 |
1040017-5 | 3-Major | BT1040017 | Final ACK validation during flow accept might fail with hardware SYN Cookie | 17.0.0, 16.1.4, 15.1.7 |
1012813-1 | 3-Major | BT1012813 | Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file" | 17.1.1, 16.1.4 |
1000561-5 | 3-Major | BT1000561 | HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side | 17.1.1, 16.1.4, 15.1.9 |
1000069-3 | 3-Major | BT1000069 | Virtual server does not create the listener | 17.1.0, 16.1.4, 15.1.9 |
962177-6 | 4-Minor | BT962177 | Results of POLICY::names and POLICY::rules commands may be incorrect | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4, 13.1.4.1 |
960677-1 | 4-Minor | BT960677 | Improvement in handling accelerated TLS traffic | 17.1.1, 16.1.4, 15.1.9 |
1281709-3 | 4-Minor | BT1281709 | Traffic-group ID may not be updated properly on a TMM listener | 17.1.1, 16.1.4, 15.1.10 |
1240937-3 | 4-Minor | BT1240937 | The FastL4 TOS specify setting towards server may not function for IPv6 traffic | 17.1.1, 16.1.4, 15.1.10 |
1211189-3 | 4-Minor | BT1211189 | Stale connections observed and handshake failures observed with errors | 17.1.1, 16.1.4 |
1156105-2 | 4-Minor | BT1156105 | Proxy Exclusion List is not configurable if VLAN group and route-domain are in non default partition | 17.1.0, 16.1.4, 15.1.9 |
1137717-2 | 4-Minor | BT1137717 | There are no dynconfd logs during early initialization | 17.1.1, 16.1.4, 15.1.10 |
1133557-2 | 4-Minor | BT1133557 | Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name | 17.1.1, 16.1.4, 15.1.10 |
1132765-4 | 4-Minor | BT1132765 | Virtual server matching might fail in rare cases when using virtual server chaining. | 17.1.0, 16.1.4, 15.1.9 |
1128505-2 | 4-Minor | BT1128505 | HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy | 17.1.1, 16.1.4 |
1122377-2 | 4-Minor | BT1122377 | If-Modified-Since always returns 304 response if there is no last-modified header in the server response | 17.1.0, 16.1.4, 15.1.9 |
1111981-3 | 4-Minor | BT1111981 | Decrement in MQTT current connections even if the connection was never active | 17.1.0, 16.1.4, 15.1.9 |
1103617-4 | 4-Minor | BT1103617 | 'Reset on Timeout' setting might be ignored when fastl4 is used with another profile. | 17.1.0, 16.1.4, 15.1.9 |
1101369-1 | 4-Minor | BT1101369 | MQTT connection stats are not updated properly | 17.1.0, 16.1.4, 15.1.9 |
1037265-2 | 4-Minor | K11453402, BT1037265 | Improper handling of multiple cookies with the same name. | 17.1.0, 16.1.4, 15.1.9 |
1034217-2 | 4-Minor | BT1034217 | Quic_update_rtt can leave ack_delay uninitialized. | 17.0.0, 16.1.4, 15.1.9 |
1030533-1 | 4-Minor | BT1030533 | The BIG-IP system may reject valid HTTP responses from OCSP servers. | 17.0.0, 16.1.4, 15.1.9 |
1027805-4 | 4-Minor | BT1027805 | DHCP flows crossing route-domain boundaries might fail. | 17.0.0, 16.1.4, 15.1.9 |
Performance Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1127445-3 | 2-Critical | BT1127445 | Performance degradation after Bug ID 1019853 | 17.1.0, 16.1.4, 15.1.9 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1211341-4 | 1-Blocking | BT1211341 | Failed to delete custom monitor after dissociating from virtual server | 17.1.0, 16.1.4, 15.1.10 |
1137485-2 | 2-Critical | BT1137485 | Gtmd produces excessive logging and may also crash (SIGSEGV) repeatedly | 17.1.0, 16.1.4, 15.1.9 |
966461-7 | 3-Major | BT966461 | Tmm memory leak | 17.1.0, 16.1.4, 15.1.9 |
935945-2 | 3-Major | BT935945 | GTM HTTP/HTTPS monitors cannot be modified via GUI | 17.1.0, 16.1.4, 15.1.10 |
1230709-1 | 3-Major | BT1230709 | Remove unnecessary logging with nsec3_add_nonexist_proof | 16.1.4, 15.1.10 |
1200929-2 | 3-Major | BT1200929 | GTM configuration objects larger than 16384 bytes can cause the GTM sync process to hang | 17.1.0, 16.1.4, 15.1.10 |
1182353-3 | 3-Major | BT1182353 | DNS cache consumes more memory because of the accumulated mesh_states | 17.1.1, 16.1.4, 15.1.9 |
1162081-6 | 3-Major | Upgrade the bind package to fix security vulnerabilities | 17.1.0, 16.1.4, 15.1.9 | |
1122497-4 | 3-Major | BT1122497 | Rapid response not functioning after configuration changes | 17.1.0, 16.1.4, 15.1.9 |
1108237-2 | 3-Major | BT1108237 | Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM. | 17.1.1, 16.1.4 |
1073677-1 | 3-Major | BT1073677 | Add a db variable to enable answering DNS requests before reqInitState Ready | 17.1.0, 16.1.4, 15.1.10 |
1060145-1 | 3-Major | BT1060145 | Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2. | 17.1.0, 16.1.4, 15.1.9 |
1048077 | 3-Major | BT1048077 | SELinux errors with gtmd when using internal FIPS card | 17.1.0, 16.1.4 |
808913-1 | 4-Minor | BT808913 | Big3d cannot log the full XML buffer data | 17.0.0, 16.1.4, 15.1.9 |
1025497-1 | 4-Minor | BT1025497 | BIG-IP may accept and forward invalid DNS responses | 17.1.0, 16.1.4, 15.1.9 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1105341-2 | 0-Unspecified | BT1105341 | Decode_application_payload can break exponent notation in JSON | 17.1.0, 16.1.4, 15.1.9 |
923821-1 | 2-Critical | BT923821 | Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack | 17.1.1, 16.1.4, 15.1.9 |
884945-1 | 2-Critical | BT884945 | Latency reduce in case of empty parameters. | 17.0.0, 16.1.4, 15.1.9 |
850141-2 | 2-Critical | BT850141 | Possible tmm core when using Dosl7/Bot Defense profile | 17.1.1, 16.1.4, 15.1.9 |
791669-5 | 2-Critical | BT791669 | TMM might crash when Bot Defense is configured for multiple domains | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.2.3 |
1132697-3 | 2-Critical | BT1132697 | Use of proactive bot defense profile can trigger TMM crash | 17.1.1, 16.1.4, 15.1.9 |
1113161-2 | 2-Critical | BT1113161 | After upgrade, Learning and Blocking Settings page is not loading because some policies are still pointing to deleted factory Negsig sets★ | 17.1.0, 16.1.4, 15.1.9 |
1095185-2 | 2-Critical | BT1095185 | Failed Configuration Load on Secondary Slot After Device Group Sync | 17.1.0, 16.1.4, 15.1.9 |
1040757-1 | 2-Critical | BT1040757 | A BD memory leak was fixed | 17.0.0, 16.1.4 |
974985-6 | 3-Major | BT974985 | Dosl7/bot does not ignore non-http traffic even when disabled via iRule DOSL7::disable | 17.0.0, 16.1.4, 15.1.9 |
956373-4 | 3-Major | BT956373 | ASM sync files not cleaned up immediately after processing | 17.0.0, 16.1.4, 16.0.1.2, 15.1.3, 14.1.4.1 |
950917-4 | 3-Major | BT950917 | Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034 | 17.0.0, 16.1.4, 15.1.4, 14.1.4.2, 13.1.4.1 |
929077-4 | 3-Major | BT929077 | Bot Defense allow list does not apply when using default Route Domain and XFF header | 17.0.0, 16.1.4, 16.0.1.1, 15.1.3, 14.1.4 |
928997-3 | 3-Major | BT928997 | Less XML memory allocated during ASM startup | 17.1.1, 16.1.4, 15.1.9 |
903313-4 | 3-Major | BT903313 | OWASP page: File Types score in Broken Access Control category is always 0. | 17.0.0, 16.1.4 |
890169-4 | 3-Major | BT890169 | URLs starting with double slashes might not be loaded when using a Bot Defense Profile. | 17.1.1, 16.1.4, 15.1.10 |
1312057-1 | 3-Major | bd instability when using many remote loggers with Arcsight format | 17.1.1, 16.1.4 | |
1297089-3 | 3-Major | BT1297089 | Support Dynamic Parameter Extractions in declarative policy | 17.1.1, 16.1.4 |
1296469-2 | 3-Major | ASM UI hardening | 17.1.1, 16.1.4 | |
1286101-1 | 3-Major | BT1286101 | JSON Schema validation failure with E notation number | 17.1.1, 16.1.4, 15.1.10 |
1216297-1 | 3-Major | BT1216297 | TMM core occurs when using disabling ASM of request_send event | 17.1.1, 16.1.4 |
1196537-1 | 3-Major | BT1196537 | BD process crashes when you use SMTP security profile | 17.1.1, 16.1.4, 15.1.9 |
1195125 | 3-Major | BT1195125 | "Failed to allocate memory for nodes of size 0, no variables found in query" BD log message fix | 16.1.4 |
1194173-2 | 3-Major | BT1194173 | BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value | 17.1.1, 16.1.4, 15.1.9 |
1190365-3 | 3-Major | BT1190365 | OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly | 17.1.1, 16.1.4, 15.1.10 |
1186437-1 | 3-Major | BT1186437 | Link to Server Technologies is not working | 16.1.4 |
1186401-2 | 3-Major | BT1186401 | Using REST API to change policy signature settings changes all the signatures. | 17.1.1, 16.1.4, 15.1.9 |
1186385-1 | 3-Major | BT1186385 | Link to 'Enforced Cookies' and 'SameSite Cookie Attribute Enforcement ' is opening the Policies List page | 16.1.4 |
1184841-2 | 3-Major | BT1184841 | Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API | 17.1.1, 16.1.4, 15.1.10 |
1173493-4 | 3-Major | BT1173493 | Bot signature staging timestamp corrupted after modifying the profile | 17.1.1, 16.1.4, 15.1.10 |
1156889-3 | 3-Major | BT1156889 | TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions | 17.1.1, 16.1.4, 15.1.9 |
1148009-2 | 3-Major | BT1148009 | Cannot sync an ASM logging profile on a local-only VIP | 17.1.1, 16.1.4, 15.1.9 |
1144497-2 | 3-Major | BT1144497 | Base64 encoded metachars are not detected on HTTP headers | 17.1.1, 16.1.4, 15.1.9 |
1141665-2 | 3-Major | BT1141665 | Significant slowness in policy creation following Threat Campaign LU installation | 17.1.0, 16.1.4, 15.1.9 |
1137993-2 | 3-Major | BT1137993 | Violation is not triggered on specific configuration | 17.1.1, 16.1.4, 15.1.9 |
1132981-2 | 3-Major | BT1132981 | Standby not persisting manually added session tracking records | 17.1.1, 16.1.4, 15.1.9 |
1132741-2 | 3-Major | BT1132741 | Tmm core when html parser scans endless html tag of size more then 50MB | 17.1.1, 16.1.4, 15.1.9 |
1128689-2 | 3-Major | BT1128689 | Performance improvement in signature engine | 16.1.4, 15.1.9 |
1127809-2 | 3-Major | BT1127809 | Due to incorrect URI parsing, the system does not extract the expected domain name | 17.1.0, 16.1.4, 15.1.9 |
1126409-3 | 3-Major | BT1126409 | BD process crash | 17.1.0, 16.1.4, 15.1.9 |
1117245-2 | 3-Major | BT1117245 | Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file | 17.1.1, 16.1.4, 15.1.10 |
1113881-2 | 3-Major | BT1113881 | Headers without a space after the colon, trigger an HTTP RFC violation | 17.1.0, 16.1.4, 15.1.9 |
1112805-4 | 3-Major | BT1112805 | ip_address_intelligence field is not populated with value in ArcSight remote log when source IP is IPv4 | 17.1.0, 16.1.4, 15.1.9 |
1110281-2 | 3-Major | BT1110281 | Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable | 17.1.1, 16.1.4, 15.1.9 |
1106937-3 | 3-Major | BT1106937 | ASM may skip signature matching | 17.1.0, 16.1.4, 15.1.9 |
1102301-2 | 3-Major | BT1102301 | Content profiles created for types other than video and image allowing executable | 17.1.0, 16.1.4 |
1100669-3 | 3-Major | BT1100669 | Brute force captcha loop | 17.1.0, 16.1.4, 15.1.9 |
1100393-2 | 3-Major | BT1100393 | Multiple Referer header raise false positive evasion violation | 17.1.0, 16.1.4 |
1099193-2 | 3-Major | BT1099193 | Incorrect configuration for "Auto detect" parameter is shown after switching from other data types | 17.1.0, 16.1.4, 15.1.9 |
1098609-4 | 3-Major | BT1098609 | BD crash on specific scenario | 17.1.1, 16.1.4, 15.1.9 |
1095041-2 | 3-Major | BT1095041 | ASM truncates cookies that contain a space in the name and TS cookie as part of cookie list. | 17.1.0, 16.1.4, 15.1.10 |
1089853-2 | 3-Major | BT1089853 | "Virtual Server" or "Bot Defense Profile" links in Request Details are not working | 17.1.0, 16.1.4 |
1089345-1 | 3-Major | BT1089345 | BD crash when mcp is down, usually on startups | 17.1.0, 16.1.4 |
1085661-1 | 3-Major | BT1085661 | Standby system saves config and changes status after sync from peer | 17.1.1, 16.1.4, 15.1.10 |
1084257-2 | 3-Major | New HTTP RFC Compliance check in headers | 17.1.0, 17.0.0.1, 16.1.4, 15.1.7 | |
1080613-1 | 3-Major | BT1080613 | LU configurations revert to default and installations roll back to genesis files★ | 17.1.0, 16.1.4, 15.1.9 |
1078065-2 | 3-Major | BT1078065 | The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA. | 17.1.1, 16.1.4, 15.1.9 |
1072165-2 | 3-Major | BT1072165 | Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format | 17.1.0, 16.1.4, 15.1.9 |
1069729-3 | 3-Major | BT1069729 | TMM might crash after a configuration change. | 17.1.1, 16.1.4, 15.1.9 |
1067589-3 | 3-Major | BT1067589 | Memory leak in nsyncd | 17.1.0, 16.1.4, 15.1.9 |
1067557-2 | 3-Major | BT1067557 | Value masking under XML and JSON content profiles does not follow policy case sensitivity | 17.1.1, 16.1.4, 15.1.9 |
1059513-1 | 3-Major | BT1059513 | Virtual servers may appear as detached from security policy when they are not. | 17.1.1, 16.1.4, 15.1.10 |
1058597-5 | 3-Major | BT1058597 | Bd crash on first request after system recovery. | 17.0.0, 16.1.4, 15.1.9 |
1048949-1 | 3-Major | BT1048949 | TMM xdata leak on websocket connection with asm policy without websocket profile | 17.1.1, 16.1.4, 15.1.9 |
1029989-6 | 3-Major | BT1029989 | CORS : default port of origin header is set 80, even when the protocol in the header is https | 16.1.4, 15.1.10 |
1023889-3 | 3-Major | BT1023889 | HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message | 17.1.1, 16.1.4, 15.1.10 |
1017557-1 | 3-Major | BT1017557 | ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN | 17.1.0, 16.1.4, 15.1.9 |
942617-2 | 4-Minor | BT942617 | Heading or tailing white spaces of variable are not trimmed in configuration utility System Variable | 17.1.1, 16.1.4, 15.1.10 |
810917-1 | 4-Minor | BT810917 | OWASP Compliance score is shown for parent and child policies that are not applicable. | 17.0.0, 16.1.4 |
1213333 | 4-Minor | BT1213333 | Check box to select all attack signatures does not work properly | 16.1.4 |
1189865-2 | 4-Minor | BT1189865 | "Cookie not RFC-compliant" violation missing the "Description" in the event logs | 17.1.1, 16.1.4, 15.1.9 |
1184929-1 | 4-Minor | BT1184929 | GUI link displays mixed values FULFILLED or Requirement Fulfilled and NOT FULFILLED or Requirement Not Fulfilled | 16.1.4 |
1133997-3 | 4-Minor | BT1133997 | Duplicate user-defined Signature Set based on untagged signatures is created upon policy clone or import | 17.1.1, 16.1.4 |
1132925-3 | 4-Minor | BT1132925 | Bot defense does not work with DNS Resolvers configured under non-zero route domains | 17.1.0, 16.1.4, 15.1.9 |
1123153-3 | 4-Minor | BT1123153 | "Such URL does not exist in policy" error in the GUI | 17.1.1, 16.1.4, 15.1.9 |
1113753-2 | 4-Minor | BT1113753 | Signatures might not be detected when using truncated multipart requests | 17.1.1, 16.1.4, 15.1.10 |
1111793-2 | 4-Minor | BT1111793 | New HTTP RFC Compliance check for incorrect newline separators between request line and first header | 17.1.0, 16.1.4, 15.1.7 |
1108657-3 | 4-Minor | BT1108657 | No notification about disabled "Virus detected" violation in case of enabling "Anti-Virus Protection" | 17.1.0, 16.1.4 |
1099765-3 | 4-Minor | BT1099765 | Inconsistent behavior in violation detection with maximum parameter enforcement | 17.1.1, 16.1.4, 15.1.10 |
1092965-2 | 4-Minor | BT1092965 | Disabled "Illegal Base64 value" violation is detect for staged base64 parameter with attack signature in value | 17.1.0, 16.1.4, 15.1.9 |
1084857-2 | 4-Minor | BT1084857 | ASM::support_id iRule command does not display the 20th digit | 17.1.1, 16.1.4, 15.1.10 |
1083513-1 | 4-Minor | BT1083513 | BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd | 17.1.1, 16.1.4, 15.1.10 |
1076825-1 | 4-Minor | BT1076825 | "Live Update" configuration and list of update files reverts to default after upgrade to v16.1.x and v17.1.x from earlier releases.★ | 17.1.1, 16.1.4 |
1026277-6 | 4-Minor | BT1026277 | Apply Policy can get ignored in auto-sync setup, while importing/replacing several existing policies with policies that have Policy Builder enabled | 17.0.0, 16.1.4 |
1003765-2 | 4-Minor | BT1003765 | Authorization header signature triggered even when explicitly disabled | 17.1.0, 16.1.4, 15.1.4.1 |
1113333-3 | 5-Cosmetic | BT1113333 | Change ArcSight Threat Campaign key names to be camelCase | 17.1.0, 16.1.4, 15.1.9 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
932485-5 | 3-Major | BT932485 | Incorrect sum(hits_count) value in aggregate tables | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
1111189-2 | 3-Major | BT1111189 | Listing errors in tmsh and installation failures when the configuration includes an AVR scheduled-report. | 17.1.0, 16.1.4 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
965837-4 | 2-Critical | BT965837 | When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection | 17.0.0, 16.1.4, 15.1.9 |
1283645 | 2-Critical | BT1283645 | Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued | 17.1.0.3, 16.1.4, 15.1.9, 14.1.5.6 |
1111149-2 | 2-Critical | BT1111149 | Nlad core observed due to ERR_func_error_string can return NULL | 17.1.1, 16.1.4, 15.1.9 |
1110489-3 | 2-Critical | BT1110489 | TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event | 17.1.1, 16.1.4, 15.1.9 |
1106757-3 | 2-Critical | BT1106757 | Horizon VDI clients are intermittently disconnected | 17.1.0, 16.1.4, 15.1.9 |
1082581-2 | 2-Critical | BT1082581 | Apmd sees large memory growth due to CRLDP Cache handling | 17.1.0, 16.1.4, 15.1.9, 14.1.5.3 |
1078829-1 | 2-Critical | BT1078829 | Login as current user fails in VMware | 17.0.0, 16.1.4, 15.1.10 |
1065501-2 | 2-Critical | BT1065501 | [API Protection]Per request policy is getting timed out | 17.0.0, 16.1.4, 15.1.9 |
1046633-1 | 2-Critical | BT1046633 | Rare tmm crash when sending packets to apmd fails | 17.0.0, 16.1.4, 15.1.9 |
957453-1 | 3-Major | BT957453 | Javascript parser incompatible with ECMAScript 6/7+ javascript versions | 17.1.0, 16.1.4, 15.1.9 |
956645-4 | 3-Major | BT956645 | Per-request policy execution may timeout. | 17.0.0, 16.1.4, 15.1.9, 14.1.4.5 |
819645-1 | 3-Major | BT819645 | Reset Horizon View application does not work when accessing through F5 APM | 17.1.0, 16.1.4, 15.1.9 |
796065-2 | 3-Major | BT796065 | PingAccess filter can accumulate connections increasing memory use. | 16.1.4 |
752077-4 | 3-Major | BT752077 | Kerberos replay cache leaks file descriptors | 17.0.0, 16.1.4, 15.1.9 |
490138-1 | 3-Major | BT490138 | Kerberos Auth might fail in case BIG-IP is configured with multiple AAA Kerberos Servers | 17.1.0, 16.1.4, 15.1.9 |
1268521 | 3-Major | BT1268521 | SAML authentication with the VCS fails when launching the applications/remote desktops from the APM Webtop when multiple RD resources are assigned to the APM Webtop | 17.1.1, 16.1.4, 15.1.10 |
1232977-3 | 3-Major | BT1232977 | TMM leaking memory in OAuth scope identifiers when parsing scope lists | 17.1.1, 16.1.4 |
1208949-1 | 3-Major | BT1208949 | TMM cored with SIGSEGV at 'vpn_idle_timer_callback' | 17.1.1, 16.1.4, 15.1.10 |
1205029 | 3-Major | BT1205029 | WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application | 17.1.1, 16.1.4 |
1196401-2 | 3-Major | BT1196401 | Restarting TMM does not restart APM Daemon | 17.1.0, 16.1.4, 15.1.9 |
1180365-2 | 3-Major | BT1180365 | APM Integration with Citrix Cloud Connector | 17.1.1, 16.1.4, 15.1.10 |
1173669-1 | 3-Major | BT1173669 | Unable to reach backend server with Per Request policy and Per Session together | 17.1.0, 16.1.4, 15.1.9 |
1167985-2 | 3-Major | BT1167985 | Network Access resource settings validation errors | 17.1.1, 16.1.4 |
1166449-2 | 3-Major | BT1166449 | APM - NTLM authentication will stop working if any of DC FQDN is not resolvable in the configured DC list | 17.1.0, 16.1.4, 15.1.9 |
1145361 | 3-Major | BT1145361 | When JWT is cached the error "JWT Expired and cannot be used" is observed | 17.1.1, 16.1.4 |
1124109-2 | 3-Major | Add "typ":"JWT" to JOSE Header while generating JWT token from OAuth AS | 17.1.0, 16.1.4, 15.1.10 | |
1113661-1 | 3-Major | BT1113661 | When OAuth profile is attached to access policy, iRule event in VPE breaks the evaluation | 17.1.0, 16.1.4 |
1111397-4 | 3-Major | BT1111397 | [APM][UI] Wizard should also allow same patterns as the direct GUI | 17.1.1, 16.1.4, 15.1.9 |
1108109-4 | 3-Major | BT1108109 | APM policy sync fails when access policy contains customization images★ | 17.1.0, 16.1.4, 15.1.9 |
1104409-1 | 3-Major | BT1104409 | Added Rewrite Control Lists builder to Admin UI | 17.1.0, 16.1.4, 15.1.9 |
1101321-3 | 3-Major | BT1101321 | APM log files are flooded after a client connection fails. | 17.1.0, 16.1.4, 15.1.9 |
1100549-3 | 3-Major | BT1100549 | "Resource Administrator" role cannot change ACL order | 17.1.0, 16.1.4, 15.1.9 |
1099305-2 | 3-Major | BT1099305 | Nlad core observed due to ERR_func_error_string can return NULL | 17.1.0, 16.1.4, 15.1.9 |
1089101-2 | 3-Major | BT1089101 | Apply Access Policy notification in UI after auto discovery | 17.1.0, 16.1.4, 15.1.9 |
1075849-5 | 3-Major | APM client hardening | 17.1.0, 16.1.4, 15.1.8.2 | |
1070029-1 | 3-Major | BT1070029 | GSS-SPNEGO SASL mechanism issue with AD Query to Synology Directory Service | 17.1.1, 16.1.4, 15.1.10 |
1067609-2 | 3-Major | Static keys were used while generating UUIDs under OAuth module | 17.1.0, 16.1.4, 15.1.9 | |
1064001-1 | 3-Major | BT1064001 | POST request to a virtual server with stream profile and a access policy is aborted. | 17.0.0, 16.1.4, 15.1.9 |
1060477-1 | 3-Major | BT1060477 | iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]". | 17.1.1, 16.1.4, 15.1.9 |
1050165 | 3-Major | BT1050165 | APM - users end up with SSO disabled for their session, admin intervention required to clear session | 17.1.0, 16.1.4, 15.1.9 |
1046401-2 | 3-Major | BT1046401 | APM logs shows truncated OCSP URL path while performing OCSP Authentication. | 17.1.1, 16.1.4, 15.1.10 |
1042505-1 | 3-Major | BT1042505 | Session variable "session.user.agent" does not get populated for edge clients | 17.0.0, 16.1.4, 15.1.9 |
1039941-3 | 3-Major | BT1039941 | The webtop offers to download F5 VPN when it is already installed | 17.1.1, 16.1.4, 15.1.10 |
1038753-4 | 3-Major | K75431121, BT1038753 | OAuth Bearer with SSO does not process headers as expected | 17.1.0, 16.1.4, 15.1.9 |
1037877-3 | 3-Major | BT1037877 | OAuth Claim display order incorrect in VPE | 17.1.0, 16.1.4, 15.1.9 |
1018877-2 | 3-Major | BT1018877 | Subsession variable values mixing between sessions | 17.0.0, 16.1.4, 15.1.9 |
1013729-2 | 3-Major | BT1013729 | Changing User login password using VMware View Horizon client results in “HTTP error 500” | 17.0.0, 16.1.4, 15.1.10 |
1010961-1 | 3-Major | BT1010961 | Redirect fails when accessing SAML Resource more than once in SAML IDP initiated Flow | 17.1.0, 16.1.4 |
1010809-3 | 3-Major | BT1010809 | Connection is reset when sending a HTTP HEAD request to APM Virtual Server | 17.1.0, 16.1.4, 15.1.9 |
1002413-2 | 3-Major | BT1002413 | Websso puts quotation marks around non-string claim type 'custom' values | 17.0.0, 16.1.4 |
1000669-4 | 3-Major | BT1000669 | Tmm memory leak 'string cache' leading to SIGFPE | 17.0.0, 16.1.4, 15.1.9 |
1252005 | 4-Minor | BT1252005 | VMware USB redirection does not work with DaaS | 17.1.1, 16.1.4, 15.1.10 |
1224409 | 4-Minor | BT1224409 | Unable to set session variables of length >4080 using the -secure flag | 17.1.1, 16.1.4, 15.1.10 |
1195385 | 4-Minor | BT1195385 | OAuth Scope Internal Validation fails upon multiple providers with same type | 17.1.1, 16.1.4 |
1088389-2 | 4-Minor | BT1088389 | Admin to define the AD Query/LDAP Query page-size globally | 17.1.0, 16.1.4, 15.1.9 |
1079441-2 | 4-Minor | BT1079441 | APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries | 17.1.0, 16.1.4, 15.1.9 |
1050009-2 | 4-Minor | BT1050009 | Access encountered error:ERR_NOT_FOUND. File: <file name> messages in 'acs_cmp_acp_req_handler' function in APM logs | 17.1.0, 16.1.4, 15.1.9 |
1041985-1 | 4-Minor | BT1041985 | TMM memory utilization increases after upgrade★ | 17.1.1, 16.1.4, 15.1.9 |
1040829-4 | 4-Minor | BT1040829 | Errno=(Invalid cross-device link) after SCF merge | 17.1.1, 16.1.4, 15.1.10 |
1028081-1 | 4-Minor | BT1028081 | [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page | 17.1.1, 16.1.4, 15.1.9 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1269889-3 | 2-Critical | BT1269889 | LTM crashes are observed while running SIP traffic and pool members are offline | 17.1.1, 16.1.4, 15.1.10 |
1239901-2 | 2-Critical | BT1239901 | LTM crashes while running SIP traffic | 17.1.1, 16.1.4, 15.1.9 |
1141853-2 | 2-Critical | BT1141853 | SIP MRF ALG can lead to a TMM core | 17.1.0, 16.1.4, 15.1.9 |
1291149-3 | 3-Major | BT1291149 | Cores with fail over and message routing | 17.1.1, 16.1.4, 15.1.10 |
1287313-2 | 3-Major | BT1287313 | SIP response message with missing Reason-Phrase or with spaces are not accepted | 17.1.1, 16.1.4, 15.1.10 |
1189513-4 | 3-Major | BT1189513 | SIP media flow pinholes are not created if SDP MIME multipart body part miss the content-length header | 17.1.1, 16.1.4, 15.1.9 |
1167941-3 | 3-Major | BT1167941 | CGNAT SIP ALG INVITE loops between BIG-IP and Server | 17.1.0, 16.1.4, 15.1.9 |
1038057-4 | 3-Major | BT1038057 | Unable to add a serverssl profile into a virtual server containing a FIX profile | 17.1.1, 16.1.4, 15.1.9 |
1213469-1 | 4-Minor | BT1213469 | MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP is dropped | 17.1.1, 16.1.4 |
1116941-1 | 4-Minor | BT1116941 | Need larger Content-Length value supported for SIP | 17.1.0, 16.1.4, 15.1.9 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1317705-2 | 1-Blocking | TMM may restart on certain DNS traffic | 17.1.1, 16.1.4 | |
1013353-1 | 1-Blocking | BT1013353 | ICMP flood or ICMP/IP/IPv6 fragment vectors are not hardware mitigated when configured on VS | 16.1.4 |
1292093 | 2-Critical | BT1292093 | Neuron based HW SYN cookie broken due to ZBDDOS feature porting to 16.1.x | 16.1.4 |
1287425 | 2-Critical | BT1287425 | Observed crash while running sweep flood tests | 16.1.4 |
1136917-1 | 2-Critical | BT1136917 | TMM crashed when dos-profile (with BDOS and White-list enabled) disassociated from Virtual Server. | 17.1.0, 16.1.4 |
1106273-3 | 2-Critical | BT1106273 | "duplicate priming" assert in IPSECALG | 17.1.1, 16.1.4, 15.1.9 |
1069809 | 2-Critical | BT1069809 | AFM rules with ipi-category src do not match traffic after failover. | 16.1.4, 15.1.9 |
1048425-4 | 2-Critical | BT1048425 | Packet tester crashes TMM when vlan external source-checking is enabled | 16.1.4 |
1040685-4 | 2-Critical | BT1040685 | Core file on blade slot2 after reboot (TMM SIGSEGV in pktclass_classifier) | 17.0.0, 16.1.4, 15.1.10 |
1038549-1 | 2-Critical | BT1038549 | TMM core when BDoS is enabled for an extended time | 16.1.4 |
997429-1 | 3-Major | BT997429 | When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled | 17.1.0, 16.1.4, 15.1.9 |
993269-3 | 3-Major | BT993269 | DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option | 17.0.0, 16.1.4, 15.1.9 |
952521-1 | 3-Major | BT952521 | Memory allocation error while creating an address list with a large range of IPv6 addresses★ | 17.0.0, 16.1.4, 15.1.9 |
929913-3 | 3-Major | BT929913 | External DNS logging does not differentiate between: all src_IP, Per-SrcIP and Per-DstIP events | 17.0.0, 16.1.4, 15.1.9 |
1287873 | 3-Major | BT1287873 | Hardware mitigation is not working for a few SIP vectors | 16.1.4 |
1216573-1 | 3-Major | BT1216573 | AFM Learning Domain issue when trying with many valid domains | 16.1.4 |
1209409-3 | 3-Major | BT1209409 | Address lists with thousands of addresses can cause MCPD to become unresponsive and use 100% CPU | 16.1.4 |
1127117-1 | 3-Major | BT1127117 | High Memory consumption for NAT translations of NAPT/PBA End Point Independent modes | 17.1.0, 16.1.4, 15.1.9 |
1124149-2 | 3-Major | BT1124149 | Increase the configuration for the PCCD Max Blob size from 4GB to 8GB | 17.1.0, 16.1.4, 15.1.9 |
1121521-2 | 3-Major | BT1121521 | Libssh upgrade from v0.7.7 to v0.9.6 | 17.1.0, 16.1.4, 15.1.8 |
1112781 | 3-Major | BT1112781 | DNS query drops on Virtual Edition platform if the packet size is above 1500 for NAPTR record. | 17.1.1, 16.1.4, 15.1.9 |
1078625 | 3-Major | BT1078625 | TMM crashes during DoS processing | 17.1.1, 16.1.4 |
1070033-2 | 3-Major | BT1070033 | Virtual server may not fully enter hardware SYN Cookie mode. | 17.0.0, 16.1.4, 14.1.4.6 |
1020061-3 | 3-Major | BT1020061 | Nested address lists can increase configuration load time | 17.0.0, 16.1.4, 15.1.9 |
760355-4 | 4-Minor | BT760355 | Firewall rule to block ICMP/DHCP from 'required' to 'default'★ | 16.1.4, 15.1.9, 15.0.1.1, 14.1.2.1 |
1215401-1 | 4-Minor | BT1215401 | Under Shared Objects, some country names are not available to select in the Address List | 16.1.4, 15.1.9 |
1211021-4 | 4-Minor | BT1211021 | Enforcement does not happen for entries in new and modified IPI feed lists due to lock issues | 17.1.0, 16.1.4, 15.1.10 |
1069265-3 | 4-Minor | BT1069265 | New connections or packets from the same source IP and source port can cause unnecessary port block allocations. | 17.1.1, 16.1.4, 15.1.10 |
1003377-3 | 4-Minor | BT1003377 | Disabling DoS TCP SYN-ACK does not clear suspicious event count option | 16.1.4, 15.1.9 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1159397-1 | 1-Blocking | BT1159397 | The high utilization of memory when blade turns offline results in core | 17.1.0, 16.1.4, 15.1.9 |
1186925-4 | 2-Critical | BT1186925 | When FUA in CCA-i, PEM does not send CCR-u for other rating-groups | 17.1.1, 16.1.4, 15.1.9 |
1095989-1 | 2-Critical | BT1095989 | PEM behaviour on receiving CCA with result code: 4012 and FUA on the Gy interface | 17.1.0, 16.1.4 |
829653-1 | 3-Major | BT829653 | Memory leak due to session context not freed | 17.0.0, 16.1.4 |
1259489-3 | 3-Major | BT1259489 | PEM subsystem memory leak is observed when using PEM::subscriber information | 17.1.1, 16.1.4, 15.1.10 |
1238249-1 | 3-Major | BT1238249 | PEM Report Usage Flow log is inaccurate | 17.1.1, 16.1.4, 15.1.10 |
1226121-2 | 3-Major | BT1226121 | TMM crashes when using PEM logging enabled on session | 17.1.1, 16.1.4, 15.1.9 |
1207381-3 | 3-Major | BT1207381 | PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored | 17.1.1, 16.1.4, 15.1.9 |
1190353-3 | 3-Major | BT1190353 | The wr_urldbd BrightCloud database downloading from a proxy server is not working | 17.1.1, 16.1.4, 15.1.10 |
1174085-1 | 3-Major | BT1174085 | spmdb_session_hash_entry_delete releases the hash's reference | 17.1.1, 16.1.4, 15.1.9 |
1174033-2 | 3-Major | BT1174033 | The UPDATE EVENT is triggered with faulty session_info and resulting in core | 17.1.0, 16.1.4, 15.1.9 |
1108681-4 | 3-Major | BT1108681 | PEM queries with filters return error message when a blade is offline | 17.1.0, 16.1.4, 15.1.9 |
1093357-4 | 3-Major | BT1093357 | PEM intra-session mirroring can lead to a crash | 17.1.1, 16.1.4, 15.1.10 |
1089829-3 | 3-Major | BT1089829 | PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers | 17.1.0, 16.1.4, 15.1.9 |
1020041-3 | 3-Major | BT1020041 | "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs | 17.1.1, 16.1.4, 15.1.10 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1016045-4 | 4-Minor | BT1016045 | OOPS logging may appear while active ftp if the port command forces a cmp_redirection and a quit follows. | 16.1.4, 15.1.9 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1211297-3 | 2-Critical | BT1211297 | Handling DoS profiles created dynamically using iRule and L7Policy | 17.1.1, 16.1.4, 15.1.9 |
1060057-2 | 3-Major | BT1060057 | Enable or Disable APM dynamically with Bados generates APM error | 17.1.0, 16.1.4, 15.1.9 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1161965-3 | 3-Major | BT1161965 | File descriptor(fd) and shared memory leak in wr_urldbd | 17.1.0, 16.1.4, 15.1.9 |
974205-5 | 4-Minor | BT974205 | Unconstrained wr_urldbd size causing box to OOM | 17.1.0, 16.1.4, 15.1.4, 14.1.4.4, 12.1.6 |
1168137-3 | 4-Minor | BT1168137 | PEM Classification Auto-Update for month is working as hourly | 17.1.0, 16.1.4, 15.1.9 |
1167889 | 4-Minor | BT1167889 | PEM classification signature scheduled updates do not complete | 17.1.0, 16.1.4, 15.1.9 |
1117297-1 | 4-Minor | BT1117297 | Wr_urldbd continuously crashes and restarts★ | 17.1.0, 16.1.4, 15.1.9 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
954001-7 | 3-Major | REST File Upload hardening | 17.1.1, 16.1.4, 15.1.10 | |
1196477-3 | 3-Major | BT1196477 | Request timeout in restnoded | 17.1.1, 16.1.4, 15.1.9 |
1049237-1 | 4-Minor | BT1049237 | Restjavad may fail to cleanup ucs file handles even with ID767613 fix | 17.1.1, 16.1.4, 15.1.10 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
889605-2 | 3-Major | BT889605 | iApp with Bot profile is unavailable if application folder includes a subpath | 17.1.0, 16.1.4, 15.1.9 |
1004697-3 | 3-Major | BT1004697 | Saving UCS files can fail if /var runs out of space | 16.1.4, 15.1.10 |
1093933-3 | 4-Minor | CVE-2020-7774 nodejs-y18n prototype pollution vulnerability | 17.1.1, 16.1.4, 15.1.9 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1122205-1 | 3-Major | BT1122205 | The 'action' value changes when loading protocol-inspection profile config | 17.1.1, 16.1.4, 15.1.10 |
1098837-1 | 4-Minor | BT1098837 | Configuration failure due to the DB validation exception happening in the ips_inspection_sig and ips_inspection_compl tables | 17.1.0, 16.1.4, 15.1.9 |
1135073-3 | 5-Cosmetic | BT1135073 | IPS signature update webUI warning message "An active subscription is required to access certain inspections" is always enabled | 17.1.0, 16.1.4, 15.1.9 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1107549-2 | 2-Critical | BT1107549 | In-TMM TCP monitor memory leak | 17.1.0, 16.1.4, 15.1.8 |
1110241-2 | 3-Major | BT1110241 | in-tmm http(s) monitor accumulates unchecked memory | 17.1.0, 16.1.4, 15.1.9 |
1046917-4 | 3-Major | BT1046917 | In-TMM monitors do not work after TMM crashes | 17.1.0, 16.1.4, 15.1.8 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
922737-1 | 2-Critical | BT922737 | TMM crashes with a sigsegv while passing traffic | 17.1.0, 16.1.4, 15.1.10 |
1104037-2 | 2-Critical | BT1104037 | Tmm crash after changing "connection.vlankeyed" to disabled on system with L2 wire | 17.1.0, 16.1.4, 15.1.10 |
1289365-1 | 3-Major | BT1289365 | The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode★ | 17.1.1, 16.1.4, 15.1.10 |
1095145-3 | 4-Minor | BT1095145 | Virtual server responding with ICMP unreachable after using /Common/service | 17.1.0, 16.1.4 |
Cumulative fixes from BIG-IP v16.1.3.5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1285173-3 | CVE-2023-38138 | K000133474, BT1285173 | Improper query string handling on undisclosed pages | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
1265425-2 | CVE-2023-38423 | K000134535, BT1265425 | Improper query string handling on undisclosed pages | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
1185421-4 | CVE-2023-38419 | K000133472, BT1185421 | iControl SOAP uncaught exception when handling certain payloads | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
Functional Change Fixes
None
Cumulative fixes from BIG-IP v16.1.3.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1223369-3 | CVE-2024-23982 | K000135946 | Classification of certain UDP traffic may cause crash | 17.1.1, 16.1.3.4, 15.1.10 |
1213305-3 | CVE-2023-27378 | K000132726, BT1213305 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1208989-3 | CVE-2023-27378 | K000132726, BT1208989 | Improper value handling in DOS Profile properties page | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1208001-1 | CVE-2023-22374 | K000130415, BT1208001 | iControl SOAP vulnerability CVE-2023-22374 | 17.1.1, 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1204961-4 | CVE-2023-27378 | K000132726, BT1204961 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1204793-4 | CVE-2023-27378 | K000132726, BT1204793 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1196033-2 | CVE-2023-27378 | K000132726, BT1196033 | Improper value handling in DataSafe UI | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1106989-3 | CVE-2023-29163 | K20145107, BT1106989 | Certain configuration settings may lead to memory accumulation | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1086293-4 | CVE-2023-22358 | K76964818, BT1086293 | Untrusted search path vulnerability in APM Windows Client installer processes | 17.1.0, 17.0.0.2, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1086289-4 | CVE-2023-22358 | K76964818, BT1086289 | BIG-IP Edge Client for Windows vulnerability CVE-2023-22358 | 17.1.0, 17.0.0.2, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1207661-4 | CVE-2023-28406 | K000132768, BT1207661 | Datasafe UI hardening | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1096373-2 | CVE-2023-28742 | K000132972, BT1096373 | Unexpected parameter handling in BIG3d | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
Functional Change Fixes
None
Cumulative fixes from BIG-IP v16.1.3.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
982785-2 | CVE-2022-25946 | K52322100 | Guided Configuration hardening | 17.0.0, 16.1.3.3, 15.1.8, 14.1.5.3 |
890917-8 | CVE-2023-22323 | K56412001, BT890917 | Performance may be reduced while processing SSL traffic | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1143073-4 | CVE-2022-41622 | K94221585, BT1143073 | iControl SOAP vulnerability CVE-2022-41622 | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1107437-3 | CVE-2023-22839 | K37708118, BT1107437 | TMM may crash when enable-rapid-response is enabled on a DNS profile | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1106161-2 | CVE-2022-41800 | K13325942, BT1106161 | Securing iControlRest API for appliance mode | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1105389-4 | CVE-2023-23552 | K17542533, BT1105389 | Incorrect HTTP request handling may lead to resource leak | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3 |
1093821-4 | CVE-2023-22422 | K43881487, BT1093821 | TMM may behave unexpectedly while processing HTTP traffic | 17.1.0, 17.0.0.2, 16.1.3.3 |
1085077-4 | CVE-2023-22340 | K34525368, BT1085077 | TMM may crash while processing SIP-ALG traffic | 17.0.0, 16.1.3.3, 15.1.8, 14.1.5.3 |
1083225-2 | CVE-2023-22842 | K08182564, BT1083225 | TMM may crash while processing SIP traffic | 17.0.0, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1062569-1 | CVE-2023-22664 | K56676554, BT1062569 | HTTP/2 stream bottom filter leaks memory at teardown under certain conditions | 17.1.0, 17.0.0.2, 16.1.3.3 |
1032553-5 | CVE-2023-22281 | K46048342, BT1032553 | Core when virtual server with destination NATing receives multicast | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3 |
1112445-2 | CVE-2023-22302 | K58550078, BT1112445 | Fix to avoid zombie node on the chain | 17.1.0, 17.0.0.2, 16.1.3.3 |
1073005-2 | CVE-2023-22326 | K83284425, BT1073005 | iControl REST use of the dig command does not follow security best practices | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1065917-2 | CVE-2023-22418 | K95503300, BT1065917 | BIG-IP APM Virtual Server does not follow security best practices | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.7, 14.1.5.3 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1113385-4 | 3-Major | BT1113385 | Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1103369-2 | 3-Major | BT1103369 | DELETE of REST Auth token does not result in deletion of the pamcache token file on a multi-slot VIPRION chassis, vCMP guest, or VELOS tenant | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1134085-2 | 2-Critical | BT1134085 | Intermittent TMM core when iRule is configured with SSL persistence | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1122473-4 | 2-Critical | BT1122473 | TMM panic while initializing URL DB | 17.1.0, 16.1.3.3, 15.1.9 |
1174873-3 | 3-Major | BT1174873 | Query string separators ? or / in MutiDomain or SAML use cases are incorrectly converted to "%3F" or "%2F" | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
Cumulative fixes from BIG-IP v16.1.3.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
982777-9 | CVE-2022-27230 | K21317311, BT982777 | APM hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
982769-12 | CVE-2022-27806 | K68647001, BT982769 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
982753-2 | CVE-2022-27806 | K68647001, BT982753 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
982745-5 | CVE-2022-27806 | K68647001, BT982745 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
963625-3 | CVE-2022-27806 | K68647001, BT963625 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
959153-3 | CVE-2022-27806 | K68647001, BT959153 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
1106289-2 | CVE-2022-41624 | K43024307, BT1106289 | TMM may leak memory when processing sideband connections. | 17.1.0, 17.0.0.1, 16.1.3.2, 15.1.7, 14.1.5.2, 13.1.5.1 |
1068821 | CVE-2022-41806 | K00721320, BT1068821 | TMM may crash when processing AFM NAT64 policy | 16.1.3.2 |
1004881-5 | CVE-2015-9251,CVE-2016-7103,CVE-2017-18214,CVE-2018-16487,CVE-2018-3721,CVE-2019-1010266,CVE-2019-10744,CVE-2019-10768,CVE-2019-10768,CVE-2019-11358,CVE-2020-11022,CVE-2020-11023,CVE-2020-28168,CVE-2020-28500,CVE-2020-7676,CVE-2020-7676,CVE-2020-8203,CVE-2021-23337 | K12492858, BT1004881 | Update angular, jquery, moment, axios, and lodash libraries in AGC | 17.0.0, 16.1.3.2, 15.1.8 |
Functional Change Fixes
None
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1137037 | 2-Critical | BT1137037 | System boots into an inoperative state after installing engineering hotfix with FIPS 140-2/140-3 license in version 16.1.x★ | 16.1.3.2 |
Cumulative fixes from BIG-IP v16.1.3.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
972517-7 | CVE-2023-43746 | K41072952, BT972517 | Appliance mode hardening | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1104493-1 | CVE-2022-35272 | K90024104, BT1104493 | Client-side abort during server-side establishment may cause tmm to behave abnormally in HTTP MRF proxy | 17.1.0, 17.0.0.1, 16.1.3.1 |
1093621-2 | CVE-2022-41832 | K10347453 | Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1, 13.1.5.1 |
1085729-2 | CVE-2022-41836 | K47204506, BT1085729 | bd may crash while processing specific request | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1076397-1 | CVE-2022-35735 | K13213418, BT1076397 | TMSH hardening | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1073841-1 | CVE-2022-34862 | K66510514, BT1073841 | URI normalization does not function as expected | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1073357-2 | CVE-2022-34862 | K66510514, BT1073357 | TMM may crash while processing HTTP traffic | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1067505-4 | CVE-2022-34651 | K59197053, BT1067505 | TMM may crash while processing TLS traffic with HTTP::respond | 17.0.0, 16.1.3.1, 15.1.6.1 |
1066673-1 | CVE-2022-35728 | K55580033, BT1066673 | BIG-IP Configuration Utility(TMUI) does not follow best practices for managing active sessions | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1024029-2 | CVE-2022-35245 | K58235223, BT1024029 | TMM may crash when processing traffic with per-session APM Access Policy | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
919357-8 | CVE-2022-41770 | K22505850, BT919357 | iControl REST hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
881809-8 | CVE-2022-41983 | K31523465, BT881809 | Client SSL and Server SSL profile hardening | 17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1 |
740321-1 | CVE-2022-34851 | K50310001, BT740321 | iControl SOAP API does not follow current best practices | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1084013-4 | CVE-2022-36795 | K52494562, BT1084013 | TMM does not follow TCP best practices | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1081153-2 | CVE-2022-41813 | K93723284, BT1081153 | TMM may crash while processing administrative requests | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1073549-1 | CVE-2022-35735 | K13213418, BT1073549 | TMSH hardening | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1055925-1 | CVE-2022-34844 | K34511555, BT1055925 | TMM may crash while processing traffic on AWS | 17.0.0, 16.1.3.1, 15.1.6.1 |
1043281-6 | CVE-2021-3712 | K19559038, BT1043281 | OpenSSL vulnerability CVE-2021-3712 | 17.0.0, 16.1.3.1, 15.1.6.1 |
1006921-1 | CVE-2022-33962 | K80970653, BT1006921 | iRules Hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1063641-4 | CVE-2022-33968 | K23465404, BT1063641 | NTLM library hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1063637-4 | CVE-2022-33968 | K23465404, BT1063637 | NTLM library hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1036057-1 | 3-Major | BT1036057 | Add support for line folding in multipart parser. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1025261-3 | 3-Major | BT1025261 | Restjavad uses more resident memory in control plane after software upgrade | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1071621-1 | 4-Minor | BT1071621 | Increase the number of supported traffic selectors | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1120433-2 | 1-Blocking | BT1120433 | Removed gtmd and big3d daemon from the FIPS-compliant list | 17.1.0, 16.1.3.1 |
989517-3 | 2-Critical | BT989517 | Acceleration section of virtual server page not available in DHD | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
957637-1 | 2-Critical | BT957637 | The pfmand daemon can crash when it starts. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
936501-1 | 2-Critical | BT936501 | Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled | 17.1.0, 16.1.3.1, 15.1.9 |
759928-6 | 2-Critical | BT759928 | Engineering Hotfixes might not contain all required packages | 17.0.0, 16.1.3.1, 15.1.7 |
1097193-2 | 2-Critical | K000134769, BT1097193 | Unable to SCP files using WinSCP or relative path name | 17.1.0, 16.1.3.1, 15.1.9 |
1076921-1 | 2-Critical | BT1076921 | The Hostname in BootMarker logs and /var/log/ltm logs that sourced from TMM were getting truncated. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1048853-1 | 2-Critical | BT1048853 | TMM memory leak of "IKE VBUF" | 17.0.0, 16.1.3.1, 15.1.7 |
1041865-4 | 2-Critical | K16392416, BT1041865 | Correctable machine check errors [mce] should be suppressed | 17.0.0, 16.1.3.1, 15.1.7 |
992121-4 | 3-Major | BT992121 | REST "/mgmt/tm/services" endpoint is not accessible | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
720610-4 | 3-Major | BT720610 | Automatic Update Check logs false 'Update Server unavailable' message on every run | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.2.7, 13.1.3 |
1123149 | 3-Major | BT1123149 | Sys-icheck fail for /etc/security/opasswd | 17.1.0, 16.1.3.1 |
1120685 | 3-Major | BT1120685 | Unable to update the password in the CLI when password-memory is set to > 0 | 17.1.0, 16.1.3.1 |
1091345-2 | 3-Major | BT1091345 | The /root/.bash_history file is not carried forward by default during installations. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1087621-1 | 3-Major | BT1087621 | IKEv2: IPsec CREATE_CHILD_SA (IKE) fails due to bad ECP payload | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
1048137-2 | 3-Major | BT1048137 | IPsec IKEv1 intermittent but consistent tunnel setup failures | 17.0.0, 16.1.3.1, 15.1.9 |
1042737-4 | 3-Major | BT1042737 | BGP sending malformed update missing Tot-attr-len of '0. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1024661-3 | 3-Major | BT1024661 | SCTP forwarding flows based on VTAG for bigproto | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
756918-4 | 4-Minor | BT756918 | Engineering Hotfix ISOs may be nearly as large as full Release ISOs | 17.0.0, 16.1.3.1, 15.1.7 |
1090569-1 | 4-Minor | BT1090569 | After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
1080317-3 | 4-Minor | BT1080317 | Hostname is getting truncated on some logs that are sourced from TMM | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1067105-2 | 4-Minor | BT1067105 | Racoon logging shows incorrect SA length. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
944381-2 | 2-Critical | BT944381 | Dynamic CRL checking for client certificate is not working when TLS1.3 is used. | 17.0.0, 16.1.3.1, 15.1.6.1 |
780857-4 | 2-Critical | BT780857 | HA failover network disruption when cluster management IP is not in the list of unicast addresses | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1113549-3 | 2-Critical | BT1113549 | System boots into an inoperative state after installing engineering hotfix with FIPS140-2/140-3 License★ | 17.1.0, 16.1.3.1 |
1110205-2 | 2-Critical | BT1110205 | SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown | 17.1.0, 16.1.3.1, 15.1.9 |
1087469-2 | 2-Critical | BT1087469 | iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate. | 17.1.0, 16.1.3.1, 15.1.6.1 |
1087217-2 | 2-Critical | BT1087217 | TMM crash as part of the fix made for ID912209 | 17.1.0, 16.1.3.1 |
1086677-4 | 2-Critical | BT1086677 | TMM Crashes in xvprintf() because of NULL Flow Key | 17.0.0, 16.1.3.1, 15.1.7 |
1080581-1 | 2-Critical | BT1080581 | Virtual server creation is not allowed to have TCP, UDP and HTTP together with Client or Server SSL Profiles.★ | 17.0.0, 16.1.3.1, 15.1.5.1 |
1074517-1 | 2-Critical | BT1074517 | Tmm may core while adding/modifying traffic-class attached to a virtual server | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1073609-4 | 2-Critical | BT1073609 | Tmm may core while using reject iRule command in LB_SELECTED event. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1020645 | 2-Critical | BT1020645 | When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered | 17.1.0, 16.1.3.1, 15.1.4.1 |
999881-6 | 3-Major | BT999881 | Tcl command 'string first' not working if payload contains Unicode characters. | 17.0.0, 16.1.3.1, 15.1.7 |
948985-3 | 3-Major | BT948985 | Workaround to address Nitrox 3 compression engine hang | 17.0.0, 16.1.3.1, 15.1.6.1 |
922413-8 | 3-Major | BT922413 | Excessive memory consumption with ntlmconnpool configured | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
748886-4 | 3-Major | BT748886 | Virtual server stops passing traffic after modification | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1109833-1 | 3-Major | BT1109833 | HTTP2 monitors not sending request | 17.1.0, 16.1.3.1 |
1091761-1 | 3-Major | BT1091761 | Mqtt_message memory leaks when iRules are used | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1082225-4 | 3-Major | BT1082225 | Tmm may core while Adding/modifying traffic-class attached to a virtual server. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1070789 | 3-Major | BT1070789 | SSL fwd proxy invalidating certificate even through bundle has valid CA | 17.1.0, 16.1.3.1 |
1068445-1 | 3-Major | BT1068445 | TCP duplicate acks are observed in speed tests for larger requests | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1060989 | 3-Major | BT1060989 | Improper handling of HTTP::collect | 17.1.0, 16.1.3.1 |
1053149-1 | 3-Major | BT1053149 | A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1043805-3 | 3-Major | BT1043805 | ICMP traffic over NAT does not work properly. | 17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1 |
1036169-4 | 3-Major | BT1036169 | VCMPD rsync server max connection limit: guest "Exit flags for PID 17299: 0x500". | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1022453-4 | 3-Major | BT1022453 | IPv6 fragments are dropped when packet filtering is enabled. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1006157-3 | 3-Major | BT1006157 | FQDN nodes not repopulated immediately after 'load sys config' | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
987885-6 | 4-Minor | BT987885 | Half-open unclean SSL termination might not close the connection properly | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1104073-2 | 4-Minor | BT1104073 | Use of iRules command whereis with "isp" or "org" options may cause TCL object leak. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1077701-1 | 2-Critical | BT1077701 | GTM "require M from N" monitor rules do not report when the number of "up" responses change | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
984749-1 | 3-Major | BT984749 | Discrepancy between DNS cache statistics "Client Summary" and "Client Cache." | 17.0.0, 16.1.3.1, 15.1.7 |
1091249-2 | 3-Major | BT1091249 | BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1078669-2 | 3-Major | BT1078669 | iRule command “RESOLVER::name_lookup” returns null for TCP resolver with TC (truncated) flag set. | 17.0.0, 16.1.3.1, 15.1.7 |
1071301-1 | 3-Major | BT1071301 | GTM server does not get updated even when the virtual server status changes. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1071233-1 | 3-Major | BT1071233 | GTM Pool Members may not be updated accurately when multiple identical database monitors are configured | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
950069-1 | 4-Minor | BT950069 | Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record" | 17.0.0, 16.1.3.1, 15.1.6.1 |
1084673-2 | 4-Minor | BT1084673 | GTM Monitor "require M from N" status change log message does not print pool name | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1048685-4 | 2-Critical | BT1048685 | Rare TMM crash when using Bot Defense Challenge | 17.0.0, 16.1.3.1, 15.1.7 |
1015881-4 | 2-Critical | BT1015881 | TMM might crash after configuration failure | 17.1.0, 16.1.3.1, 15.1.7 |
886533-5 | 3-Major | BT886533 | Icap server connection adjustments | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1083913-2 | 3-Major | BT1083913 | Missing error check in ICAP handling | 17.1.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1082461-2 | 3-Major | BT1082461 | The enforcer cores during a call to 'ASM::raise' from an active iRule | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
1078765-1 | 3-Major | BT1078765 | Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1062493-1 | 3-Major | BT1062493 | BD crash close to it's startup | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1056957-1 | 3-Major | BT1056957 | An attack signature can be bypassed under some scenarios. | 17.1.0, 17.0.0.1, 16.1.3.1 |
1036305-5 | 3-Major | BT1036305 | "Mandatory request body is missing" violation in staging but request is unexpectedly blocked | 17.0.0, 16.1.3.1, 15.1.6.1 |
1030133-2 | 3-Major | BT1030133 | BD core on XML out of memory | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1014973-5 | 3-Major | BT1014973 | ASM changed cookie value. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
948241-4 | 4-Minor | BT948241 | Count Stateful anomalies based only on Device ID | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
947333-2 | 4-Minor | BT947333 | Irrelevant content profile diffs in Policy Diff | 17.1.0, 17.0.0.1, 16.1.3.1 |
1079721 | 4-Minor | BT1079721 | OWASP 2017 A2 Category - Login enforcement link is broken | 16.1.3.1 |
1073625-2 | 4-Minor | BT1073625 | Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1058297-2 | 4-Minor | BT1058297 | Policy history values for 'max Size Of Saved Versions' and for 'min Retained Files In Dir' is reset during upgrade★ | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1046317-2 | 4-Minor | BT1046317 | Violation details are not populated with staged URLs for some violation types | 17.0.0, 16.1.3.1, 15.1.6.1 |
1040513-5 | 4-Minor | BT1040513 | The counter for "FTP commands" is always 0. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1014573-1 | 4-Minor | BT1014573 | Several large arrays/objects in JSON payload may core the enforcer | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1029689-2 | 5-Cosmetic | BT1029689 | Incosnsitent username "SYSTEM" in Audit Log | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
926341-5 | 3-Major | BT926341 | RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade★ | 17.0.0, 16.1.3.1, 15.1.4, 14.1.4.4, 13.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
987341-1 | 2-Critical | BT987341 | BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1071485-3 | 3-Major | BT1071485 | For IP based bypass, Response Analytics sends RST. | 17.0.0, 16.1.3.1, 15.1.10 |
1063345-5 | 3-Major | BT1063345 | Urldbmgrd may crash while downloading the database. | 17.0.0, 16.1.3.1, 15.1.9 |
1043217-1 | 3-Major | BT1043217 | NTLM frontend auth fails with the latest Microsoft RDP client on MacOS 14.0.1 platform | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1039725-1 | 3-Major | BT1039725 | Reverse proxy traffic fails when a per-request policy is attached to a virtual server. | 17.0.0, 16.1.3.1, 15.1.9 |
1024437-6 | 3-Major | BT1024437 | Urldb index building fails to open index temp file | 17.0.0, 16.1.3.1, 15.1.9 |
1022493-4 | 3-Major | BT1022493 | Slow file descriptor leak in urldbmgrd (sockets open over time) | 17.0.0, 16.1.3.1, 15.1.10 |
1010597-1 | 3-Major | BT1010597 | Traffic disruption when virtual server is assigned to a non-default route domain★ | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
921441-4 | 3-Major | BT921441 | MR_INGRESS iRules that change diameter messages corrupt diam_msg | 17.0.0, 16.1.3.1, 15.1.7 |
1103233-2 | 4-Minor | BT1103233 | Diameter in-tmm monitor is logging disconnect events unnecessarily | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
977153-3 | 3-Major | BT977153 | Packet with routing header IPv6 as next header in IP layer fails to be forwarded | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1091565-1 | 2-Critical | BT1091565 | Gy CCR AVP:Requested-Service-Unit is misformatted/NULL | 17.1.0, 16.1.3.1, 15.1.9 |
1090649-3 | 3-Major | BT1090649 | PEM errors when configuring IPv6 flow filter via GUI | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1084993 | 3-Major | BT1084993 | [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
911585-5 | 4-Minor | BT911585 | PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
815901-2 | 4-Minor | BT815901 | Add rule to the disabled pem policy is not allowed | 17.0.0, 16.1.3.1, 15.1.7 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
832133-7 | 3-Major | BT832133 | In-TMM monitors fail to match certain binary data in the response from the server | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1050273-1 | 3-Major | BT1050273 | ERR_BOUNDS errors observed with HTTP service in SSL Orchestrator. | 17.0.0, 16.1.3.1, 15.1.5 |
Cumulative fixes from BIG-IP v16.1.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
996233-1 | CVE-2022-33947 | K38893457, BT996233 | Tomcat may crash while processing TMUI requests | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
972489-7 | CVE-2022-35243 | K11010341, BT972489 | BIG-IP Appliance Mode iControl hardening | 17.0.0, 16.1.3, 15.1.5.1, 14.1.5 |
1079505-4 | CVE-2022-33203 | K52534925, BT1079505 | TMM may consume excessive resources while processing SSL Orchestrator traffic | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
1081201-1 | CVE-2022-41694 | K64829234, BT1081201 | MCPD certification import hardening | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1078821-1 | 2-Critical | BT1078821 | Upgrade tomcat with OpenJDK 1.7 32bit to OpenJDK 1.8 32bit | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
1036285-1 | 3-Major | BT1036285 | Enforce password expiry after local user creation | 17.0.0, 16.1.3 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
947905-4 | 1-Blocking | BT947905 | Upgrade from 13.1.4, 14.1.4, or 15.1.1 to 14.0.x, 15.0.x, 16.0.0 or 16.0.0.1 fails★ | 16.1.3, 16.0.1 |
1101705-2 | 1-Blocking | BT1101705 | RSA-KEX ciphers list are removed from httpd configuration in FIPS mode since these are non-approved ciphers for FIPS 140-3 certification | 17.1.0, 17.0.0.1, 16.1.3 |
1083977-1 | 1-Blocking | BT1083977 | MCPD crashes when changing HTTPD configuration, all secondary blades of clustered system remain offline★ | 17.0.0, 16.1.3 |
943109-4 | 2-Critical | BT943109 | Mcpd crash when bulk deleting Bot Defense profiles | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
940225-4 | 2-Critical | BT940225 | Not able to add more than 6 NICs on VE running in Azure | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
1108181-2 | 2-Critical | BT1108181 | iControl REST call with token fails with 401 Unauthorized | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
1079817-1 | 2-Critical | BT1079817 | Java null pointer exception when saving UCS with iAppsLX installed★ | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1 |
950149 | 3-Major | BT950149 | Add configuration to ccmode for compliance with the Common Criteria STIP PPM. | 17.0.0, 16.1.3 |
896941 | 3-Major | BT896941 | Common Criteria ccmode script updated | 17.0.0, 16.1.3 |
886649-5 | 3-Major | BT886649 | Connections stall when dynamic BWC policy is changed via GUI and TMSH | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
724653-5 | 3-Major | BT724653 | In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync. | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
1106325 | 3-Major | BT1106325 | Upgrade from BIG-IP 16.1.3 to BIG-IP 17.0 does not work when FIPS mode is enabled★ | 16.1.3 |
1089849 | 3-Major | BT1089849 | NIST SP800-90B compliance | 17.1.0, 17.0.0.1, 16.1.3 |
1064357-1 | 3-Major | BT1064357 | execute_post_install: EPSEC: Installation of EPSEC package failed | 17.0.0, 16.1.3, 15.1.7 |
1061481-1 | 3-Major | BT1061481 | Denied strings were found in the /var/log/ folder after an update or reboot | 17.1.0, 17.0.0.1, 16.1.3 |
1004833 | 3-Major | BT1004833 | NIST SP800-90B compliance | 17.0.0, 16.1.3, 15.1.4, 14.1.4.2 |
1100609 | 4-Minor | BT1100609 | Length Mismatch in DNS/DHCP IPv6 address in logs and pcap | 17.1.0, 16.1.3 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1071689-1 | 2-Critical | BT1071689 | SSL connection not immediately closed with HTTP2 connection and lingers until idle timeout | 17.0.0, 16.1.3 |
987077-3 | 3-Major | BT987077 | TLS1.3 with client authentication handshake failure | 17.0.0, 16.1.3, 15.1.5.1, 14.1.4.6 |
945357 | 3-Major | BT945357 | BIG-IP must be able to set CA=True when creating Certificate Signing Requests from TMSH. | 17.0.0, 16.1.3 |
934697-5 | 3-Major | BT934697 | Route domain is not reachable (strict mode) | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
1082505 | 3-Major | BT1082505 | TLS ciphersuites including RSA-KEX are non-approved ciphers for FIPS 140-3 certification | 17.1.0, 17.0.0.1, 16.1.3 |
1063977-3 | 3-Major | BT1063977 | Tmsh load sys config merge fails with "basic_string::substr" for non-existing key. | 17.1.0, 16.1.3 |
1071269 | 4-Minor | BT1071269 | SSL C3D enhancements introduced in BIG-IP version 16.1.3 will not be available in 17.0.0.★ | 16.1.3 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1084173-1 | 3-Major | BT1084173 | Unable to specify "no caching desired" for ephemeral DNS resolvers (i.e. RESOLV::lookup). | 17.0.0, 16.1.3, 15.1.6.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1070833-2 | 3-Major | BT1070833 | False positives on FileUpload parameters due to default signature scanning | 17.1.0, 16.1.3, 15.1.6.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
849029-7 | 3-Major | BT849029 | No configurable setting for maximum entries in CRLDP cache | 17.0.0, 16.1.3, 15.1.6.1, 14.1.4.4 |
1097821-2 | 3-Major | BT1097821 | Unable to create apm policy customization image using tmsh or VPE in the configuration utility command when source-path is specified | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5 |
1053309-1 | 3-Major | BT1053309 | Localdbmgr leaks memory while syncing data to sessiondb and mysql. | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
945853-4 | 2-Critical | BT945853 | Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession | 16.1.3, 15.1.3 |
990461-5 | 3-Major | BT990461 | Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★ | 17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4 |
1079637-1 | 3-Major | BT1079637 | Incorrect Neuron rule order | 17.0.0, 16.1.3, 15.1.5.1 |
1012581-1 | 3-Major | BT1012581 | Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1094177-4 | 1-Blocking | BT1094177 | Analytics iApp installation fails | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1 |
1023721 | 3-Major | BT1023721 | iapp_restricted_key not available on fresh installation and overwrites the peer device's master key during config sync | 17.0.0, 16.1.3 |
1004665 | 3-Major | BT1004665 | Secure iAppsLX Restricted Storage issues. | 17.0.0, 16.1.3 |
Cumulative fixes from BIG-IP v16.1.2.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
965853-6 | CVE-2022-28695 | K08510472, BT965853 | IM package file hardening★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
964489-7 | CVE-2022-28695 | K08510472, BT964489 | Protocol Inspection IM package hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1051561-7 | CVE-2022-1388 | K23605346, BT1051561 | BIG-IP iControl REST vulnerability CVE-2022-1388 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
993981-3 | CVE-2022-28705 | K52340447, BT993981 | TMM may crash when ePVA is enabled | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
982697-7 | CVE-2022-26071 | K41440465, BT982697 | ICMP hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
951257-5 | CVE-2022-26130 | K82034427, BT951257 | FTP active data channels are not established | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
946325-7 | CVE-2022-28716 | K25451853, BT946325 | PEM subscriber GUI hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
830361-9 | CVE-2012-6711 | K05122252, BT830361 | CVE-2012-6711 Bash Vulnerability | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1087201-6 | CVE-2022-0778 | K31323265, BT1087201 | OpenSSL Vulnerability: CVE-2022-0778 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1078721-1 | CVE-2022-27189 | K16187341, BT1078721 | TMM may consume excessive resources while processing ICAP traffic | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1078053-1 | CVE-2022-28701 | K99123750, BT1078053 | TMM may consume excessive resources while processing STREAM traffic | 17.0.0, 16.1.2.2 |
1071593-4 | CVE-2022-32455 | K16852653, BT1071593 | TMM may crash while processing TLS traffic | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1069629-4 | CVE-2022-32455 | K16852653, BT1069629 | TMM may crash while processing TLS traffic | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1067993-4 | CVE-2022-28714 | K54460845, BT1067993 | APM Windows Client installer hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1059185-1 | CVE-2022-26415 | K81952114, BT1059185 | iControl REST Hardening | 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1057801-6 | CVE-2022-28707 | K70300233, BT1057801 | TMUI does not follow current best practices | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1056933-3 | CVE-2022-26370 | K51539421, BT1056933 | TMM may crash while processing SIP traffic | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
1055737-1 | CVE-2022-35236 | K79933541, BT1055737 | TMM may consume excessive resources while processing HTTP/2 traffic | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1051797 | CVE-2018-18281 | K36462841, BT1051797 | Linux kernel vulnerability: CVE-2018-18281 | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1047053-3 | CVE-2022-28691 | K37155600, BT1047053 | TMM may consume excessive resources while processing RTSP traffic | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5 |
1032513-3 | CVE-2022-35240 | K28405643, BT1032513 | TMM may consume excessive resources while processing MRF traffic | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1002565-1 | CVE-2021-23840 | K24624116, BT1002565 | OpenSSL vulnerability CVE-2021-23840 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
992073-2 | CVE-2022-27181 | K93543114, BT992073 | APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
982757-3 | CVE-2022-26835 | K53197140 | APM Access Guided Configuration hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
982341-7 | CVE-2022-26835 | K53197140, BT982341 | iControl REST endpoint hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
915981-4 | CVE-2022-26340 | K38271531, BT915981 | BIG-IP SCP hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
823877-7 | CVE-2019-10098 CVE-2020-1927 |
K25126370, BT823877 | CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
1071365-5 | CVE-2022-29474 | K59904248, BT1071365 | iControl SOAP WSDL hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1066729-1 | CVE-2022-28708 | K85054496, BT1066729 | TMM may crash while processing DNS traffic | 17.0.0, 16.1.2.2, 15.1.5.1 |
1057809-6 | CVE-2022-27659 | K41877405, BT1057809 | Saved dashboard hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1047089-2 | CVE-2022-29491 | K14229426, BT1047089 | TMM may terminate while processing TLS/DTLS traffic | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
1001937-1 | CVE-2022-27634 | K57555833, BT1001937 | APM configuration hardening | 17.0.0, 16.1.2.2, 15.1.5.1 |
1000021-7 | CVE-2022-27182 | K31856317, BT1000021 | TMM may consume excessive resources while processing packet filters | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
1020609-7 | CVE-2022-23032 | K30525503, BT1020609 | BIG-IP APM Edge Client proxy vulnerability CVE-2022-23032 | 16.1.2.2 |
713754-3 | CVE-2017-15715 | K27757011 | Apache vulnerability: CVE-2017-15715 | 16.1.2.2, 15.1.5.1, 14.1.4.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
435231 | 2-Critical | K79342815, BT435231 | Support RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral parameters | 17.0.0, 16.1.2.2 |
1050537-1 | 2-Critical | BT1050537 | GTM pool member with none monitor will be part of load balancing decisions. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
882709-6 | 3-Major | BT882709 | Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors★ | 17.0.0, 16.1.2.2, 15.1.6.1 |
874941-4 | 3-Major | BT874941 | HTTP authentication in the access policy times out after 60 seconds | 16.1.2.2, 15.1.6.1, 14.1.5 |
669046-7 | 3-Major | BT669046 | Handling large replies to MCP audit_request messages | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1046669-1 | 3-Major | BT1046669 | The audit forwarders may prematurely time out waiting for TACACS responses | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1033837-1 | 4-Minor | K23605346, BT1033837 | REST authentication tokens persist on reboot★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1070009 | 1-Blocking | BT1070009 | iprepd, icr_eventd and tmipsecd restarts continuously after installing FIPS 140-3 license in BIG-IP cloud platform | 17.0.0, 16.1.2.2 |
976669-5 | 2-Critical | BT976669 | FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade | 17.0.0, 16.1.2.2, 16.1.0, 15.1.5.1, 14.1.4.6 |
935177-3 | 2-Critical | BT935177 | IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm | 17.0.0, 16.1.2.2, 15.1.6.1 |
1059165-1 | 2-Critical | BT1059165 | Multiple virtual server pages fail to load. | 17.0.0, 16.1.2.2 |
1048141-3 | 2-Critical | BT1048141 | Sorting pool members by 'Member' causes 'General database error' | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1047213-1 | 2-Critical | BT1047213 | VPN Client to Client communication fails when clients are connected to different TMMs. | 17.0.0, 16.1.2.2 |
1007901-1 | 2-Critical | BT1007901 | Support for FIPS 140-3 Module identifier service. | 17.0.0, 16.1.2.2 |
999125-1 | 3-Major | BT999125 | After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
992865-3 | 3-Major | BT992865 | Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances | 17.1.0, 16.1.2.2, 15.1.4 |
988165-3 | 3-Major | BT988165 | VMware CPU reservation is now enforced. | 17.0.0, 16.1.2.2, 15.1.5.1 |
984585-3 | 3-Major | BT984585 | IP Reputation option not shown in GUI. | 17.0.0, 16.1.2.2, 15.1.5.1 |
963541-1 | 3-Major | BT963541 | Net-snmp5.8 crash | 17.0.0, 16.1.2.2, 15.1.5.1 |
959985-3 | 3-Major | BT959985 | Update VMware hardware version templates for BIG-IP Virtual Edition (VE) from v10 to v13 in order to support VMs deployed in more versions of vSphere ESXi. | 17.0.0, 16.1.2.2, 15.1.6.1 |
943669-4 | 3-Major | BT943669 | B4450 blade reboot | 16.1.2.2, 15.1.2 |
943577-1 | 3-Major | BT943577 | Full sync failure for traffic-matching-criteria with port list under certain conditions | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
912253-2 | 3-Major | BT912253 | Non-admin users cannot run show running-config or list sys | 17.0.0, 16.1.2.2, 15.1.5.1 |
907549-6 | 3-Major | BT907549 | Memory leak in BWC::Measure | 17.0.0, 16.1.2.2, 15.1.0.5, 14.1.5 |
901669-6 | 3-Major | BT901669 | Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
755976-9 | 3-Major | BT755976 | ZebOS might miss kernel routes after mcpd deamon restart | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1083537 | 3-Major | BT1083537 | FIPS 140-3 Certification | 17.1.0, 17.0.0.1, 16.1.2.2 |
1076377-3 | 3-Major | BT1076377 | OSPF path calculation for IA and E routes is incorrect. | 17.0.0, 16.1.2.2, 15.1.9 |
1074113-1 | 3-Major | BT1074113 | IPsec IKEv2: Selectors incorrectly marked up after disable ike-peer | 17.0.0, 16.1.2.2 |
1071609-2 | 3-Major | BT1071609 | IPsec IKEv1: Log Key Exchange payload in racoon.log. | 17.0.0, 16.1.2.2, 15.1.6.1 |
1066285-4 | 3-Major | BT1066285 | Master Key decrypt failure - decrypt failure. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1065585-1 | 3-Major | BT1065585 | System does not halt on on FIPS/entropy error threshold for BIG-IP Virtual Edition | 17.0.0, 16.1.2.2 |
1064461-4 | 3-Major | BT1064461 | PIM-SM will not complete RP registration over tunnel interface when floating IP address is used. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1060625-1 | 3-Major | BT1060625 | Wrong INTERNAL_IP6_DNS length. | 17.1.0, 17.0.0, 16.1.2.2 |
1060149-2 | 3-Major | BT1060149 | BIG-IP vCMP guest data-plane failure with turboflex-adc selected on the host. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1059853 | 3-Major | BT1059853 | Long loading configuration time after upgrade from 15.1.3.1 to 16.1.2.★ | 17.0.0, 16.1.2.2 |
1056993-2 | 3-Major | BT1056993 | 404 error is raised on GUI when clicking "App IQ." | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1056741-2 | 3-Major | BT1056741 | ECDSA certificates signed by RSA CA are not selected based by SNI. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1052893-4 | 3-Major | BT1052893 | Configuration option to delay reboot if dataplane becomes inoperable | 17.1.1, 16.1.2.2 |
1048541-1 | 3-Major | BT1048541 | Certificate Order Manager: renew requests to the Comodo (now Sectigo) CA are unsuccessful. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1047169-1 | 3-Major | BT1047169 | GTM AAAA pool can be deleted from the configuration despite being in use by an iRule. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1022637-1 | 3-Major | BT1022637 | A partition other than /Common may fail to save the configuration to disk | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5 |
1020789-4 | 3-Major | BT1020789 | Cannot deploy a four-core vCMP guest if the remaining cores are in use. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5 |
1019357-2 | 3-Major | BT1019357 | Active fails to resend ipsec ikev2_message_id_sync if no response received | 17.0.0, 16.1.2.2, 15.1.6.1 |
1008837-1 | 3-Major | BT1008837 | Control plane is sluggish when mcpd processes a query for virtual server and address statistics | 17.0.0, 16.1.2.2, 15.1.4, 14.1.4.4 |
1008269-1 | 3-Major | BT1008269 | Error: out of stack space | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
976337-2 | 4-Minor | BT976337 | i40evf Requested 4 queues, but PF only gave us 16. | 16.1.2.2, 15.1.5.1 |
742753-8 | 4-Minor | BT742753 | Accessing the BIG-IP system's WebUI via special proxy solutions may fail | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
528894-5 | 4-Minor | BT528894 | Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5 |
1072237-1 | 4-Minor | BT1072237 | Retrieval of policy action stats causes memory leak | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1067617-4 | 4-Minor | BT1067617 | BGP default route not advertised after mid-session OPEN. | 17.0.0, 16.1.2.2, 15.1.6.1 |
1062333-6 | 4-Minor | Linux kernel vulnerability: CVE-2019-19523 | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 | |
1061797-1 | 4-Minor | BT1061797 | Upgraded AWS CloudFormation Helper Scripts which now support IMDSv2 | 17.0.0, 16.1.2.2, 15.1.5.1 |
1058677-2 | 4-Minor | BT1058677 | Not all SCTP connections are mirrored on the standby device when auto-init is enabled. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1046693-4 | 4-Minor | BT1046693 | TMM with BFD confgured might crash under significant memory pressure | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1045549-4 | 4-Minor | BT1045549 | BFD sessions remain DOWN after graceful TMM restart | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1040821-4 | 4-Minor | BT1040821 | Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1034589-1 | 4-Minor | BT1034589 | No warning is given when a pool or trunk that was in use by an high availability (HA) Group is deleted from the configuration. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1034329-1 | 4-Minor | BT1034329 | SHA-512 checksums for BIG-IP Virtual Edition (VE) images available on downloads.f5.com | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1031425-3 | 4-Minor | BT1031425 | Provide a configuration flag to disable BGP peer-id check. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1030645-4 | 4-Minor | BT1030645 | BGP session resets during traffic-group failover | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1024621-4 | 4-Minor | BT1024621 | Re-establishing BFD session might take longer than expected. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1011217-5 | 4-Minor | BT1011217 | TurboFlex Profile setting reverts to turboflex-base after upgrade★ | 17.0.0, 16.1.2.2, 15.1.6.1 |
1002809-4 | 4-Minor | BT1002809 | OSPF vertex-threshold should be at least 100 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
968929-2 | 2-Critical | BT968929 | TMM may crash when resetting a connection on an APM virtual server | 17.0.0, 16.1.2.2 |
910213-7 | 2-Critical | BT910213 | LB::down iRule command is ineffective, and can lead to inconsistent pool member status | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1071449-4 | 2-Critical | BT1071449 | The statsd memory leak on platforms with license disabled processors. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1064617-1 | 2-Critical | BT1064617 | DBDaemon process may write to monitor log file indefinitely | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1059053-2 | 2-Critical | BT1059053 | Tmm crash when passing traffic over some configurations with L2 virtual wire | 17.0.0, 16.1.2.2, 15.1.5.1 |
1047581-3 | 2-Critical | BT1047581 | Ramcache can crash when serving files from the hot cache | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
999901-1 | 3-Major | K68816502, BT999901 | Certain LTM policies may not execute correctly after a system reboot or TMM restart. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
993517-1 | 3-Major | BT993517 | Loading an upgraded config can result in a file object error in some cases | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
977761 | 3-Major | BT977761 | Connections are dropped if a certificate is revoked. | 17.1.0, 16.1.2.2 |
967101-1 | 3-Major | BT967101 | When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
955617-8 | 3-Major | BT955617 | Cannot modify properties of a monitor that is already in use by a pool | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
953601-4 | 3-Major | BT953601 | HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
936441-7 | 3-Major | BT936441 | Nitrox5 SDK driver logging messages | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
912517-7 | 3-Major | BT912517 | Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
902377-4 | 3-Major | BT902377 | HTML profile forces re-chunk even though HTML::disable | 17.0.0, 16.1.2.2, 15.1.5.1 |
883049-9 | 3-Major | BT883049 | Statsd can deadlock with rrdshim if an rrd file is invalid | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
803109-4 | 3-Major | BT803109 | Certain configuration may result in zombie forwarding flows | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
794385-6 | 3-Major | BT794385 | BGP sessions may be reset after CMP state change | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
672963-1 | 3-Major | BT672963 | MSSQL monitor fails against databases using non-native charset | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1083989-1 | 3-Major | BT1083989 | TMM may restart if abort arrives during MBLB iRule execution | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1073973-1 | 3-Major | BT1073973 | Gateway HTTP/2, response payload intermittently not forwarded to client. | 17.0.0, 16.1.2.2 |
1072953-2 | 3-Major | BT1072953 | Memory leak in traffic management interface. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1071585-1 | 3-Major | BT1071585 | BIG-IP system does not respond to an arp from a SelfIP configured in virtual wire mode | 17.0.0, 16.1.2.2 |
1068561-1 | 3-Major | BT1068561 | Can't create key on the second netHSM partition. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1068353-1 | 3-Major | BT1068353 | Unexpected event sequence may cause HTTP/2 flow stall during shutdown | 16.1.2.2 |
1064157-1 | 3-Major | BT1064157 | Http_proxy_opaque_get should constrain search to local/spawn flows, not looped flows | 17.0.0, 16.1.2.2, 15.1.6.1 |
1063453-1 | 3-Major | BT1063453 | FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1058469-1 | 3-Major | BT1058469 | Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1056401-4 | 3-Major | BT1056401 | Valid clients connecting under active syncookie mode might experience latency. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1055097-1 | 3-Major | BT1055097 | TCP proxy with ramcache and OneConnect can result in out-of-order events, which stalls the flow. | 17.0.0, 16.1.2.2 |
1052929-4 | 3-Major | BT1052929 | MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1043357-4 | 3-Major | BT1043357 | SSL handshake may fail when using remote crypto client | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1043017-4 | 3-Major | BT1043017 | Virtual-wire with standard-virtual fragmentation | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6 |
1042913-2 | 3-Major | BT1042913 | Pkcs11d CPU utilization jumps to 100% | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1042509-1 | 3-Major | BT1042509 | On an HTTP2 gateway virtual server, TMM does not ever update the stream's window for a large POST request | 17.0.0, 16.1.2.2 |
1029897-1 | 3-Major | K63312282, BT1029897 | Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1024841-2 | 3-Major | BT1024841 | SSL connection mirroring with ocsp connection failure on standby | 17.0.0, 16.1.2.2, 15.1.5.1 |
1024225-3 | 3-Major | BT1024225 | BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1020549-1 | 3-Major | BT1020549 | Server-side connections stall with zero window with OneConnect profile | 17.0.0, 16.1.2.2 |
1017721-5 | 3-Major | BT1017721 | WebSocket does not close cleanly when SSL enabled. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5.1 |
1017533-3 | 3-Major | BT1017533 | Using TMC might cause virtual server vlans-enabled configuration to be ignored | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6 |
1016449-3 | 3-Major | BT1016449 | After certain configuration tasks are performed, TMM may run with stale Self IP parameters. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1008501-1 | 3-Major | BT1008501 | TMM core | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1008009-3 | 3-Major | BT1008009 | SSL mirroring null hs during session sync state | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
1006781-2 | 3-Major | BT1006781 | Server SYN is sent on VLAN 0 when destination MAC is multicast | 17.0.0, 16.1.2.2, 15.1.4.1 |
1004897-5 | 3-Major | BT1004897 | 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.4 |
1004689-4 | 3-Major | BT1004689 | TMM might crash when pool routes with recursive nexthops and reselect option are used. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
838305-9 | 4-Minor | BT838305 | BIG-IP may create multiple connections for packets that should belong to a single flow. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
717806-8 | 4-Minor | BT717806 | In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1080341-4 | 4-Minor | BT1080341 | Changing an L2-forward virtual to any other virtual type might not update the configuration. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1075205-1 | 4-Minor | BT1075205 | Using TCP::close after HTTP::redirect/HTTP::respond causes HTTP response not to be delivered to the client. | 17.0.0, 16.1.2.2 |
1064669-1 | 4-Minor | BT1064669 | Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1026605-6 | 4-Minor | BT1026605 | When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1026005-1 | 4-Minor | BT1026005 | BIG-IP Virtual Edition (VE) does NOT preserve the order of NICs 5-10 defined in the VMware ESXi hypervisor and NSXT platforms. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1016441-4 | 4-Minor | RFC Enforcement Hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 | |
1016049-6 | 4-Minor | BT1016049 | EDNS query with CSUBNET dropped by protocol inspection | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
968581-4 | 5-Cosmetic | BT968581 | TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1062513-4 | 2-Critical | BT1062513 | GUI returns 'no access' error message when modifying a GTM pool property. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1030881-1 | 2-Critical | BT1030881 | [GTM] Upgrade failure - 01070022:3: The monitor template min was not found.★ | 17.0.0, 16.1.2.2 |
1027657-4 | 2-Critical | BT1027657 | Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1011433-1 | 2-Critical | BT1011433 | TMM may crash under memory pressure when performing DNS resolution | 17.0.0, 16.1.2.2, 15.1.6.1 |
1010617-1 | 2-Critical | BT1010617 | String operation against DNS resource records cause tmm memory corruption | 17.0.0, 16.1.2.2, 15.1.5.1 |
876677-2 | 3-Major | BT876677 | When running the debug version of TMM, an assertion may be triggered due to an expired DNS lookup. | 17.0.0, 16.1.2.2, 15.1.6.1 |
1076401-5 | 3-Major | BT1076401 | Memory leak in TMM (ldns) when exceeding dnssec.maxnsec3persec. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1064189-1 | 3-Major | BT1064189 | DoH proxy and server listeners from GUI with client-ssl profile and server-ssl profile set to None produces undefined warning | 17.0.0, 16.1.2.2 |
1046785-1 | 3-Major | BT1046785 | Missing GTM probes when max synchronous probes are exceeded. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5, 13.1.5 |
1044425-1 | 3-Major | K85021277, BT1044425 | NSEC3 record improvements for NXDOMAIN | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1020337-2 | 3-Major | BT1020337 | DNS msg_ObjType can cause buffer overrun due to lack of NUL terminator | 17.0.0, 16.1.2.2, 15.1.5.1 |
1018613-1 | 3-Major | BT1018613 | Modify wideip pools with replace-all-with results pools with same order 0 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1079909-1 | 2-Critical | K82724554, BT1079909 | The bd generates a core file | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5 |
1069501-1 | 2-Critical | K22251611, BT1069501 | ASM may not match certain signatures | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1069449-1 | 2-Critical | K39002226, BT1069449 | ASM attack signatures may not match cookies as expected | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1068237-1 | 2-Critical | BT1068237 | Some attack signatures added to policies are not used. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1000789-1 | 2-Critical | BT1000789 | ASM-related iRule keywords may not work as expected | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
965785-4 | 3-Major | BT965785 | Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
961509-5 | 3-Major | BT961509 | ASM blocks WebSocket frames with signature matched but Transparent policy | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
926845-7 | 3-Major | BT926845 | Inactive ASM policies are deleted upon upgrade | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
923221-8 | 3-Major | BT923221 | BD does not use all the CPU cores | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
818889-1 | 3-Major | BT818889 | False positive malformed json or xml violation. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1077281-2 | 3-Major | BT1077281 | Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages | 17.1.0, 16.1.2.2, 15.1.6.1 |
1072197-1 | 3-Major | K94142349, BT1072197 | Issue with input normalization in WebSocket. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1070273-1 | 3-Major | BT1070273 | OWASP Dashboard does not calculate Disallow DTDs in XML content profile protection properly. | 17.0.0, 16.1.2.2, 15.1.6.1 |
1069133-4 | 3-Major | BT1069133 | ASMConfig memory leak | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1067285-1 | 3-Major | BT1067285 | Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.' | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1066829-1 | 3-Major | BT1066829 | Memory leak for xml/json auto-detected parameter with signature patterns. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1061617-4 | 3-Major | BT1061617 | Some of the URL Attack signatures are not detected in the URL if "Handle Path Parameters" is configured "As Parameters". | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1060933-1 | 3-Major | K49237345 | Issue with input normalization. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1059621-2 | 3-Major | BT1059621 | IP Exceptions feature and SSRF feature do not work as expected if both the entries are configured with the same IP/IPs. | 17.0.0, 16.1.2.2 |
1056365-1 | 3-Major | BT1056365 | Bot Defense injection does not follow best SOP practice. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1052173-1 | 3-Major | BT1052173 | For wildcard SSRF hosts "Matched Disallowed Address" field is wrong in the SSRF violation. | 17.0.0, 16.1.2.2 |
1052169 | 3-Major | BT1052169 | Traffic is blocked on detection of an SSRF violation even though the URI parameter is in staging mode | 16.1.2.2 |
1051213-1 | 3-Major | BT1051213 | Increase default value for violation 'Check maximum number of headers'. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1051209-1 | 3-Major | K53593534, BT1051209 | BD may not process certain HTTP payloads as expected | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1047389-4 | 3-Major | BT1047389 | Bot Defense challenge hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1043533-3 | 3-Major | BT1043533 | Unable to pick up the properties of the parameters from audit reports. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1043385-4 | 3-Major | BT1043385 | No Signature detected If Authorization header is missing padding. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1042605-1 | 3-Major | BT1042605 | ASM Critical Warnings during UCS load after upgrade to v15.1.0 or above★ | 17.0.0, 16.1.2.2, 15.1.5.1 |
1041149-1 | 3-Major | BT1041149 | Staging of URL does not affect apply value signatures | 17.0.0, 16.1.2.2, 15.1.5.1 |
1038733-4 | 3-Major | BT1038733 | Attack signature not detected for unsupported authorization types. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1037457-1 | 3-Major | BT1037457 | High CPU during specific dos mitigation | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1033017-1 | 3-Major | BT1033017 | Policy changes learning mode to automatic after upload and sync | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1030853-1 | 3-Major | BT1030853 | Route domain IP exception is being treated as trusted (for learning) after being deleted | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1028473-1 | 3-Major | BT1028473 | URL sent with trailing slash might not be matched in ASM policy | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1023993-4 | 3-Major | BT1023993 | Brute Force is not blocking requests, even when auth failure happens multiple times | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1021521-1 | 3-Major | BT1021521 | JSON Schema is not enforced if OpenAPI media-type is wild card. | 17.0.0, 16.1.2.2 |
1019721-1 | 3-Major | BT1019721 | Wrong representation of JSON/XML validation files in template based (minimal) JSON policy export | 17.0.0, 16.1.2.2 |
1012221-1 | 3-Major | BT1012221 | Message: childInheritanceStatus is not compatible with parentInheritanceStatus★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1011069-1 | 3-Major | BT1011069 | Group/User R/W permissions should be changed for .pid and .cfg files. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1008849-4 | 3-Major | BT1008849 | OWASP "A4 XML External Entities (XXE)" is not reflecting the XXE signatures configuration. | 17.0.0, 16.1.2.2, 15.1.5.1 |
844045-4 | 4-Minor | BT844045 | ASM Response event logging for "Illegal response" violations. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1066377-1 | 4-Minor | BT1066377 | OpenAPI - Content profile is not consistent with wildcard configuration | 17.0.0, 16.1.2.2 |
1050697-4 | 4-Minor | BT1050697 | Traffic learning page counts Disabled signatures when they are ready to be enforced | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1048445-1 | 4-Minor | BT1048445 | Accept Request button is clickable for unlearnable violation illegal host name | 17.1.0, 16.1.2.2, 15.1.6.1 |
1039245-2 | 4-Minor | BT1039245 | Policy Properties screen does not load and display | 17.0.0, 16.1.2.2 |
1038741-4 | 4-Minor | BT1038741 | NTLM type-1 message triggers "Unparsable request content" violation. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1036521-1 | 4-Minor | BT1036521 | TMM crash in certain cases | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1035361-4 | 4-Minor | BT1035361 | Illegal cross-origin after successful CAPTCHA | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1034941-1 | 4-Minor | BT1034941 | Exporting and then re-importing "some" XML policy does not load the XML content-profile properly | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1021637-4 | 4-Minor | BT1021637 | In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs | 17.1.0, 16.1.2.2, 15.1.6.1 |
1020717-4 | 4-Minor | BT1020717 | Policy versions cleanup process sometimes removes newer versions | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1038913-4 | 3-Major | BT1038913 | The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category | 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
858005-1 | 3-Major | BT858005 | When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:" | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
423519-5 | 3-Major | K74302282, BT423519 | Bypass disabling the redirection controls configuration of APM RDP Resource. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1045229-1 | 3-Major | BT1045229 | APMD leaks Tcl_Objs as part of the fix made for ID 1002557 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
1044121-3 | 3-Major | BT1044121 | APM logon page is not rendered if db variable "ipv6.enabled" is set to false | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1029397-4 | 2-Critical | BT1029397 | Tmm may crash with SIP-ALG deployment in a particular race condition | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
957905-1 | 3-Major | BT957905 | SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1082885-1 | 3-Major | BT1082885 | MR::message route virtual asserts when configuration changes during ongoing traffic | 17.0.0, 16.1.2.2, 15.1.6, 14.1.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
964625-5 | 3-Major | BT964625 | Improper processing of firewall-rule metadata | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
959609-4 | 3-Major | BT959609 | Autodiscd daemon keeps crashing | 17.0.0, 16.1.2.2, 15.1.6.1 |
929909-3 | 3-Major | BT929909 | TCP Packets are not dropped in IP Intelligence | 17.0.0, 16.1.2.2, 15.1.5.1 |
1008265-1 | 3-Major | K92306170, BT1008265 | DoS Flood and Sweep vector states are disabled on an upgrade to BIG-IP software versions 14.x and beyond★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1072057-1 | 4-Minor | BT1072057 | "ANY" appears despite setting an IP address or host as the source in Security->Network Firewall->Policy. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1086897-1 | 2-Critical | BT1086897 | PEM subcriber lookup can fail for internet side/subscriber side new connections | 17.0.0, 16.1.2.2 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1028269-2 | 2-Critical | BT1028269 | Device using CGNAT + subscriber discovery license shows unknown for pem_subscriber-id. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1019613-5 | 2-Critical | BT1019613 | Unknown subscriber in PBA deployment may cause CPU spike | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1064217-1 | 3-Major | BT1064217 | Port bit not set correctly in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1038445-1 | 2-Critical | BT1038445 | During upgrade to 16.1, the previous FPS Engine live update remains active★ | 17.0.0, 16.1.2.2 |
873617-1 | 3-Major | BT873617 | DataSafe is not available with AWAF license after BIG-IP startup or MCP restart. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1071181-2 | 3-Major | BT1071181 | Improving Signature Detection Accuracy | 16.1.2.2, 15.1.6.1, 14.1.5 |
1060409-2 | 4-Minor | BT1060409 | Behavioral DoS enable checkbox is wrong. | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1033829-3 | 2-Critical | BT1033829 | Unable to load Traffic Classification package | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
1052153-2 | 3-Major | BT1052153 | Signature downloads for traffic classification updates via proxy fail | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1072733-4 | 2-Critical | Protocol Inspection IM package hardening | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 | |
1070677-1 | 3-Major | BT1070677 | Learning phase does not take traffic into account - dropping all. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
940261-1 | 4-Minor | BT940261 | Support IPS package downloads via HTTP proxy. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
944121-4 | 3-Major | BT944121 | Missing SNI information when using non-default domain https monitor running in TMM mode. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
854129-6 | 3-Major | BT854129 | SSL monitor continues to send previously configured server SSL configuration after removal | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1050969-1 | 1-Blocking | BT1050969 | After running clear-rest-storage you are logged out of the UI with a message - Your login credentials no longer valid | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
969297 | 3-Major | BT969297 | Virtual IP configured on a system with SelfIP on vwire becomes unresponsive | 16.1.2.2 |
1058401-1 | 3-Major | BT1058401 | SSL Bypass does not work for inbound traffic | 17.0.0, 16.1.2.2 |
1048033-1 | 3-Major | BT1048033 | Server-speaks-first traffic might not work with SSL Orchestrator | 17.0.0, 16.1.2.2 |
1047377-1 | 3-Major | BT1047377 | "Server-speak-first" traffic might not work with SSL Orchestrator | 17.0.0, 16.1.2.2 |
1029869-1 | 3-Major | BT1029869 | Use of ha-sync script may cause gossip communications to fail | 17.0.0, 16.1.2.2, 15.1.6.1 |
1029585-1 | 3-Major | BT1029585 | Use of ha-sync script may cause platforms in a sync-failover device group to fall out of sync | 17.0.0, 16.1.2.2, 15.1.6.1 |
Cumulative fixes from BIG-IP v16.1.2.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1045101-4 | CVE-2022-26890 | K03442392, BT1045101 | Bd may crash while processing ASM traffic | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6, 13.1.5 |
940185-7 | CVE-2022-23023 | K11742742, BT940185 | icrd_child may consume excessive resources while processing REST requests | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
1065789-1 | CVE-2023-24594 | K000133132, BT1065789 | TMM may send duplicated alerts while processing SSL connections | 17.0.0, 16.1.2.1, 15.1.5 |
1063389-6 | CVE-2015-5191 | K84583382, BT1063389 | open-vm-tools vulnerability: CVE-2015-5191 | 17.0.0, 16.1.2.1, 14.1.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1015133-5 | 3-Major | BT1015133 | Tail loss can cause TCP TLP to retransmit slowly. | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
749332-1 | 2-Critical | BT749332 | Client-SSL Object's description can be updated using CLI and with REST PATCH operation | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.4 |
996001-5 | 3-Major | BT996001 | AVR Inspection Dashboard 'Last Month' does not show all data points | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
994305-3 | 3-Major | BT994305 | The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5 | 17.0.0, 16.1.2.1, 15.1.5.1 |
968657-1 | 3-Major | BT968657 | Added support for IMDSv2 on AWS | 17.0.0, 16.1.2.1, 15.1.5.1 |
1032949-1 | 3-Major | BT1032949 | Dynamic CRL configured with client authentication profile as "Request" causes connection termination without certificate. | 17.0.0, 16.1.2.1, 15.1.5 |
1041765-2 | 4-Minor | BT1041765 | Racoon may crash in rare cases | 17.0.0, 16.1.2.1, 15.1.10 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
999097-1 | 3-Major | BT999097 | SSL::profile may select profile with outdated configuration | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
910673-6 | 3-Major | BT910673 | Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM' | 17.0.0, 16.1.2.1, 15.1.5.1 |
898929-6 | 3-Major | BT898929 | Tmm might crash when ASM, AVR, and pool connection queuing are in use | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
1038629-4 | 3-Major | BT1038629 | DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
1031609-1 | 3-Major | BT1031609 | Improve nethsm-thales-install.sh and nethsm-thales-rfs-install.sh to be compatible with Entrust Client v12.60.10 package.★ | 17.0.0, 16.1.2.1, 15.1.5.1 |
1019609-1 | 3-Major | BT1019609 | No Error logging when BIG-IP device's IP address is not added in client list on netHSM.★ | 17.0.0, 16.1.2.1, 15.1.5.1 |
1017513-5 | 3-Major | BT1017513 | Config sync fails with error Invalid monitor rule instance identifier or monitors are in a bad state such as checking | 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5 |
1007749-2 | 3-Major | BT1007749 | URI TCL parse functions fail when there are interior segments with periods and semi-colons | 17.0.0, 16.1.2.1, 15.1.5 |
1048433-1 | 4-Minor | BT1048433 | Improve Extract logic of thales-sync.sh to support VIPRION cluster to support 12.6.10 client installation.★ | 16.1.2.1, 15.1.5.1 |
1024761-1 | 4-Minor | BT1024761 | HTTP adds Transfer-Encoding and terminating chunk to responses that cannot have a body | 17.0.0, 16.1.2.1, 15.1.5 |
1005109-4 | 4-Minor | BT1005109 | TMM crashes when changing traffic-group on IPv6 link-local address | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
935249-3 | 3-Major | BT935249 | GTM virtual servers have the wrong status | 17.0.0, 16.1.2.1, 15.1.5 |
1039553-1 | 3-Major | BT1039553 | Non-200 HTTP status codes fail to be matched by GTM HTTP(S) monitors | 17.0.0, 16.1.2.1, 15.1.5 |
1021061-4 | 3-Major | BT1021061 | Config fails to load for large config on platform with Platform FIPS license enabled | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
993613-7 | 2-Critical | BT993613 | Device fails to request full sync | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
984593-1 | 3-Major | BT984593 | BD crash | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
921697-1 | 3-Major | BT921697 | Attack signature updates fail to install with Installation Error.★ | 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.6 |
907025-5 | 3-Major | BT907025 | Live update error" 'Try to reload page' | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
885765-1 | 3-Major | BT885765 | ASMConfig Handler undergoes frequent restarts | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
830341-5 | 3-Major | BT830341 | False positives Mismatched message key on ASM TS cookie | 17.0.0, 16.1.2.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
1043205-1 | 3-Major | BT1043205 | SSRF Violation should be shown as a Parameter Entity Reference. | 16.1.2.1 |
1042069-1 | 3-Major | Some signatures are not matched under specific conditions. | 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5, 13.1.5 | |
1002385-1 | 4-Minor | K67397230, BT1002385 | Fixing issue with input normalization | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1009093-2 | 2-Critical | BT1009093 | GUI widgets pages are not functioning correctly | 17.0.0, 16.1.2.1, 15.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
969317-4 | 3-Major | BT969317 | "Restrict to Single Client IP" option is ignored for vmware VDI | 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5 |
828761-5 | 3-Major | BT828761 | APM OAuth - Auth Server attached iRule works inconsistently | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
827393-5 | 3-Major | BT827393 | In rare cases tmm crash is observed when using APM as RDG proxy. | 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5 |
738593-3 | 3-Major | BT738593 | Vmware Horizon session collaboration (shadow session) feature does not work through APM. | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
1007677-2 | 3-Major | BT1007677 | Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector' | 17.0.0, 16.1.2.1, 15.1.4.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1039329-2 | 3-Major | BT1039329 | MRF per peer mode is not working in vCMP guest. | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
1025529-2 | 3-Major | BT1025529 | TMM generates core when iRule executes a nexthop command and SIP traffic is sent | 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
956013-4 | 3-Major | BT956013 | System reports{{validation_errors}} | 16.1.2.1, 15.1.5, 14.1.4.5 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1023437-1 | 3-Major | Buffer overflow during attack with large HTTP Headers | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1055361-1 | 2-Critical | BT1055361 | Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a tmm crash. | 17.0.0, 16.1.2.1, 15.1.5.1 |
Cumulative fixes from BIG-IP v16.1.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
991421-2 | CVE-2022-23016 | K91013510, BT991421 | TMM may crash while processing TLS traffic | 17.0.0, 16.1.2, 15.1.4.1 |
989701-8 | CVE-2020-25212 | K42355373, BT989701 | CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
988549-10 | CVE-2020-29573 | K27238230, BT988549 | CVE-2020-29573: glibc vulnerability | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
968893-3 | CVE-2022-23014 | K93526903, BT968893 | TMM crash when processing APM traffic | 17.0.0, 16.1.2, 15.1.4.1 |
940317-9 | CVE-2020-13692 | K23157312, BT940317 | CVE-2020-13692: PostgreSQL JDBC Driver vulnerability | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
1037181-1 | CVE-2022-23022 | K96924184, BT1037181 | TMM may crash while processing HTTP traffic | 17.0.0, 16.1.2 |
1032405-1 | CVE-2021-23037 | K21435974, BT1032405 | TMUI XSS vulnerability CVE-2021-23037 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1031269 | CVE-2022-23020 | K17514331, BT1031269 | TMM may consume excessive resources when processing logging profiles | 17.0.0, 16.1.2 |
1030689-1 | CVE-2022-23019 | K82793463, BT1030689 | TMM may consume excessive resources while processing Diameter traffic | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
1029629-1 | CVE-2022-28706 | K03755971, BT1029629 | TMM may crash while processing DNS lookups | 17.0.0, 16.1.2, 15.1.5.1 |
1028669-7 | CVE-2019-9948 | K28622040, BT1028669 | Python vulnerability: CVE-2019-9948 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1028573-6 | CVE-2020-10878 | K40508224, BT1028573 | Perl vulnerability: CVE-2020-10878 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1028497-7 | CVE-2019-15903 | K05295469, BT1028497 | libexpat vulnerability: CVE-2019-15903 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1021713-1 | CVE-2022-41806 | K00721320, BT1021713 | TMM may crash when processing AFM NAT64 policy | 17.0.0, 16.1.2, 15.1.5.1 |
1012365-4 | CVE-2021-20305 | K33101555, BT1012365 | Nettle cryptography library vulnerability CVE-2021-20305 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1007489-7 | CVE-2022-23018 | K24358905, BT1007489 | TMM may crash while handling specific HTTP requests★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
974341-6 | CVE-2022-23026 | K08402414, BT974341 | REST API: File upload | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
973409-6 | CVE-2020-1971 | K42910051, BT973409 | CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
941649-8 | CVE-2021-23043 | K63163637, BT941649 | Local File Inclusion Vulnerability | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
803965-10 | CVE-2018-20843 | K51011533, BT803965 | Expat Vulnerability: CVE-2018-20843 | 17.0.0, 16.1.2, 15.1.4, 14.1.4.5, 13.1.5 |
1035729-1 | CVE-2022-23021 | K57111075, BT1035729 | TMM may crash while processing traffic http traffic | 17.0.0, 16.1.2 |
1009725-1 | CVE-2022-23030 | K53442005, BT1009725 | Excessive resource usage when ixlv drivers are enabled | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
985953-6 | 4-Minor | BT985953 | GRE Transparent Ethernet Bridging inner MAC overwrite | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1039049-2 | 1-Blocking | BT1039049 | Installing EHF on particular platforms fails with error "RPM transaction failure" | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
997313-2 | 2-Critical | BT997313 | Unable to create APM policies in a sync-only folder★ | 17.0.0, 16.1.2, 15.1.4.1 |
1031357-2 | 2-Critical | BT1031357 | After reboot of standby and terminating peer, some IPsec traffic-selectors are still online | 17.0.0, 16.1.2 |
1029949-2 | 2-Critical | BT1029949 | IPsec traffic selector state may show incorrect state on high availability (HA) standby device | 17.0.0, 16.1.2 |
998221-1 | 3-Major | BT998221 | Accessing pool members from configuration utility is slow with large config | 17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.3 |
946185-3 | 3-Major | BT946185 | Unable to view iApp component due to error 'An error has occurred while trying to process your request.'★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
922185-3 | 3-Major | BT922185 | LDAP referrals not supported for 'cert-ldap system-auth'★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
881085-4 | 3-Major | BT881085 | Intermittent auth failures with remote LDAP auth for BIG-IP managment | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1045421-1 | 3-Major | K16107301, BT1045421 | No Access error when performing various actions in the TMOS GUI | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1032737-2 | 3-Major | BT1032737 | IPsec: tmm SIGSEGV in getlocaladdr in ikev2_initiate | 17.0.0, 16.1.2, 15.1.4.1 |
1032077-1 | 3-Major | BT1032077 | TACACS authentication fails with tac_author_read: short author body | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1028969-1 | 3-Major | BT1028969 | An unused traffic-selector can prevent an IKEv2 IPsec tunnel from working | 17.0.0, 16.1.2 |
1026549-1 | 3-Major | BT1026549 | Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1022757-2 | 3-Major | BT1022757 | Tmm core due to corrupt list of ike-sa instances for a connection | 17.0.0, 16.1.2, 15.1.9 |
1021773-1 | 3-Major | BT1021773 | Mcpd core. | 17.0.0, 16.1.2, 15.1.7 |
1020377-1 | 3-Major | BT1020377 | Missing IKEv2 listeners can send IKE packets to the IKEv1 racoon daemon | 17.0.0, 16.1.2 |
1015645-2 | 3-Major | BT1015645 | IPSec SA's missing after reboot | 17.0.0, 16.1.2 |
1009949-4 | 3-Major | BT1009949 | High CPU usage when upgrading from previous version★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
1003257-6 | 3-Major | BT1003257 | ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
921365-2 | 4-Minor | BT921365 | IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby | 17.0.0, 16.1.2, 15.1.4 |
1034617-1 | 4-Minor | BT1034617 | Login/Security Banner text not showing in console login. | 17.0.0, 16.1.2 |
1030845-1 | 4-Minor | BT1030845 | Time change from TMSH not logged in /var/log/audit. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1022417-1 | 4-Minor | BT1022417 | Ike stops with error ikev2_send_request: [WINDOW] full window | 17.0.0, 16.1.2, 15.1.9 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1039041 | 1-Blocking | BT1039041 | Log Message: Clock advanced by <number> ticks | 17.0.0, 16.1.2 |
1040361-1 | 2-Critical | BT1040361 | TMM crashes during its startup when TMC destination port list attached/deleted to virtual server. | 17.0.0, 16.1.2, 15.1.5, 14.1.4.5 |
915773-7 | 3-Major | BT915773 | Restart of TMM after stale interface reference | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
1023365-2 | 3-Major | BT1023365 | SSL server response could be dropped on immediate client shutdown. | 17.0.0, 16.1.2, 15.1.4.1 |
1021481-1 | 3-Major | BT1021481 | 'http-tunnel' and 'socks-tunnel' (which are internal interfaces) should be hidden. | 17.0.0, 16.1.2 |
1020957-1 | 3-Major | BT1020957 | HTTP response may be truncated by the BIG-IP system | 17.0.0, 16.1.2 |
1018577-4 | 3-Major | BT1018577 | SASP monitor does not mark pool member with same IP Address but different Port from another pool member | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1016113-1 | 3-Major | BT1016113 | HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile. | 17.0.0, 16.1.2, 15.1.4 |
1008017-2 | 3-Major | BT1008017 | Validation failure on Enforce TLS Requirements and TLS Renegotiation | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
895557-5 | 4-Minor | BT895557 | NTLM profile logs error when used with profiles that do redirect | 17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.2 |
1031901-2 | 4-Minor | BT1031901 | In HTTP2 deployment, RST_STREAM sent to client if server in CLOSING state is picked | 17.0.0, 16.1.2, 15.1.4.1 |
1018493-1 | 4-Minor | BT1018493 | Response code 304 from TMM Cache always closes TCP connection. | 17.0.0, 16.1.2, 15.1.4, 14.1.4.5, 13.1.5 |
1002945-4 | 4-Minor | BT1002945 | Some connections are dropped on chained IPv6 to IPv4 virtual servers. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1035853-1 | 2-Critical | K41415626, BT1035853 | Transparent DNS Cache can consume excessive resources. | 17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5 |
1028773-1 | 2-Critical | BT1028773 | Support for DNS Over TLS | 17.0.0, 16.1.2 |
1009037-1 | 2-Critical | BT1009037 | Tcl resume on invalid connection flow can cause tmm crash | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1021417-1 | 3-Major | BT1021417 | Modifying GTM pool members with replace-all-with results in pool members with order 0 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
912149-7 | 2-Critical | BT912149 | ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1019853-1 | 2-Critical | K30911244, BT1019853 | Some signatures are not matched under specific conditions | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1017153-4 | 2-Critical | BT1017153 | Asmlogd suddenly deletes all request log protobuf files and records from the database. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1011065-1 | 2-Critical | K39002226, BT1011065 | Certain attack signatures may not match in multipart content | 17.0.0, 16.1.2, 15.1.4.1 |
1011061-4 | 2-Critical | K39002226, BT1011061 | Certain attack signatures may not match in multipart content | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
947341-4 | 3-Major | BT947341 | MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files. | 17.0.0, 16.1.2, 16.0.1.2, 15.1.3, 14.1.4.1 |
932133-1 | 3-Major | BT932133 | Payloads with large number of elements in XML take a lot of time to process | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
842013-1 | 3-Major | BT842013 | ASM Configuration is Lost on License Reactivation★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1042917-1 | 3-Major | BT1042917 | Using 'Full Export' of security policy should result with no diffs after importing it back to device. | 17.0.0, 16.1.2 |
1028109-1 | 3-Major | BT1028109 | Detected attack signature is reported with the wrong context. | 17.0.0, 16.1.2 |
1022269-1 | 3-Major | BT1022269 | False positive RFC compliant violation | 17.0.0, 16.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
1004069-4 | 3-Major | BT1004069 | Brute force attack is detected too soon | 17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5 |
1004537-2 | 4-Minor | BT1004537 | Traffic Learning: Accept actions for multiple suggestions not localized | 17.0.0, 16.1.2, 15.1.4 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
932137-7 | 3-Major | BT932137 | AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
922105-1 | 3-Major | BT922105 | Avrd core when connection to BIG-IQ data collection device is not available | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
1035133-4 | 3-Major | BT1035133 | Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
948113-1 | 4-Minor | BT948113 | User-defined report scheduling fails | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1020705-2 | 4-Minor | BT1020705 | tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead "attack_type_name | 17.0.0, 16.1.2, 15.1.3.1, 14.1.4.4 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1027217-1 | 1-Blocking | BT1027217 | Script errors in Network Access window using browser. | 17.0.0, 16.1.2, 15.1.4.1 |
1006893-4 | 2-Critical | BT1006893 | Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
993457-1 | 3-Major | BT993457 | TMM core with ACCESS::policy evaluate iRule | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1021485-3 | 3-Major | BT1021485 | VDI desktops and apps freeze with Vmware and Citrix intermittently | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1017233-2 | 3-Major | BT1017233 | APM uses wrong session key when iRule for ActiveSync is used resulting in passwords corruption | 17.0.0, 16.1.2, 15.1.4.1 |
939877-3 | 4-Minor | BT939877 | OAuth refresh token not found | 17.0.0, 16.1.2, 15.1.4, 14.1.4.4 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1007113-3 | 2-Critical | BT1007113 | Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1018285-2 | 4-Minor | BT1018285 | MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction | 17.0.0, 16.1.2, 15.1.4.1 |
1003633-1 | 4-Minor | BT1003633 | There might be wrong memory handling when message routing feature is used | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1049229-1 | 2-Critical | BT1049229 | When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1013629-4 | 3-Major | BT1013629 | URLCAT: Scan finds many Group/User Read/Write (666/664/662) files | 17.0.0, 16.1.2, 15.1.9 |
686783-1 | 4-Minor | BT686783 | UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1032689 | 4-Minor | BT1032689 | UlrCat Custom db feedlist does not work for some URLs | 16.1.2, 15.1.4.1, 14.1.4.5 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
929213-2 | 3-Major | BT929213 | iAppLX packages not rolled forward after BIG-IP upgrade★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1038669-1 | 3-Major | BT1038669 | Antserver keeps restarting. | 17.0.0, 16.1.2, 15.1.5 |
1032797-1 | 3-Major | BT1032797 | Tmm continuously cores when parsing custom category URLs | 17.0.0, 16.1.2, 15.1.5 |
Cumulative fixes from BIG-IP v16.1.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
979877-9 | CVE-2020-1971 | K42910051, BT979877 | CVE-2020-1971 OpenSSL: EDIPARTYNAME NULL pointer de-reference vulnerability description and available information | 16.1.1, 15.1.4, 14.1.5.1 |
954425-4 | CVE-2022-23031 | K61112120, BT954425 | Hardening of Live-Update | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
797797-7 | CVE-2019-11811 | K01512680, BT797797 | CVE-2019-11811 kernel: use-after-free in drivers | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.3 |
1013569-1 | CVE-2022-31473 | K34893234, BT1013569 | Hardening of iApps processing | 17.0.0, 16.1.1, 15.1.4 |
1008561-4 | CVE-2022-23025 | K44110411, BT1008561 | In very rare condition, BIG-IP may crash when SIP ALG is deployed | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
911141-1 | 3-Major | BT911141 | GTP v1 APN is not decoded/encoded properly | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
974241-3 | 2-Critical | BT974241 | Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades | 17.0.0, 16.1.1, 15.1.4 |
887117-4 | 3-Major | BT887117 | Invalid SessionDB messages are sent to Standby | 17.0.0, 16.1.1, 15.1.4.1 |
1019829-2 | 3-Major | BT1019829 | Configsync.copyonswitch variable is not functioning on reboot | 16.1.1 |
1018309-5 | 3-Major | BT1018309 | Loading config file with imish removes the last character | 17.0.0, 16.1.1, 15.1.4.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1023341-1 | 1-Blocking | HSM hardening | 17.0.0, 16.1.1, 15.1.5.1, 14.1.4.6, 13.1.5 | |
995405-1 | 2-Critical | BT995405 | After upgrade, the copied SSL vhf/vht profile prevents traffic from passing★ | 17.0.0, 16.1.3, 16.1.1 |
1040677 | 2-Critical | BT1040677 | BIG-IP D120 platform reports page allocation failures in N3FIPS driver | 17.0.0, 16.1.1 |
980617-1 | 3-Major | BT980617 | SNAT iRule is not working with HTTP/2 and HTTP Router profiles | 17.0.0, 16.1.1, 15.1.10 |
912945-3 | 4-Minor | BT912945 | A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1039069-1 | 1-Blocking | BT1039069 | Multiple issues affecting the RESOLV::lookup iRule command following the fix to ID1007049.★ | 17.0.0, 16.1.1, 15.1.4 |
993489-1 | 3-Major | BT993489 | GTM daemon leaks memory when reading GTM link objects | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
996381-1 | 2-Critical | K41503304, BT996381 | ASM attack signature may not match as expected | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1 |
970329-1 | 2-Critical | K70134152, BT970329 | ASM hardening | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
965229-5 | 2-Critical | BT965229 | ASM Load hangs after upgrade★ | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
986937-3 | 3-Major | BT986937 | Cannot create child policy when the signature staging setting is not equal in template and parent policy | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4 |
981069-3 | 3-Major | BT981069 | Reset cause: "Internal error ( requested abort (payload release error))" | 17.0.0, 16.1.1, 15.1.4 |
962589-4 | 3-Major | BT962589 | Full Sync Requests Caused By Failed Relayed Call to delete_suggestion | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
951133-4 | 3-Major | BT951133 | Live Update does not work properly after upgrade★ | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4 |
920149-3 | 3-Major | BT920149 | Live Update default factory file for Server Technologies cannot be reinstalled | 17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4 |
888289-8 | 3-Major | BT888289 | Add option to skip percent characters during normalization | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
1005105-3 | 3-Major | BT1005105 | Requests are missing on traffic event logging | 17.0.0, 16.1.1, 15.1.4, 14.1.4.5 |
1000741-1 | 3-Major | K67397230, BT1000741 | Fixing issue with input normalization | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
941625-3 | 4-Minor | BT941625 | BD sometimes encounters errors related to TS cookie building | 17.0.0, 16.1.1, 15.1.4 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
924945-5 | 3-Major | BT924945 | Fail to detach HTTP profile from virtual server | 17.0.0, 16.1.1, 16.0.1.2, 15.1.3 |
913085-6 | 3-Major | BT913085 | Avrd core when avrd process is stopped or restarted | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
909161-1 | 3-Major | BT909161 | A core file is generated upon avrd process restart or stop | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1024101-1 | 3-Major | BT1024101 | SWG as a Service license improvements | 17.0.0, 16.1.3, 16.1.1 |
1022625-2 | 3-Major | BT1022625 | Profile type 'swg-transparent' should be selected on create page when 'create-new' is selected for SwgAsService in SSL Orchestrator | 17.0.0, 16.1.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
993913-4 | 2-Critical | BT993913 | TMM SIGSEGV core in Message Routing Framework | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
1012721-4 | 2-Critical | BT1012721 | Tmm may crash with SIP-ALG deployment in a particular race condition | 17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4, 13.1.5 |
1007821-3 | 2-Critical | BT1007821 | SIP message routing may cause tmm crash | 17.0.0, 16.1.1, 15.1.4 |
996113-2 | 3-Major | BT996113 | SIP messages with unbalanced escaped quotes in headers are dropped | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
805821-1 | 3-Major | BT805821 | GTP log message contains no useful information | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
919301-1 | 4-Minor | BT919301 | GTP::ie count does not work with -message option | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
913413-1 | 4-Minor | BT913413 | 'GTP::header extension count' iRule command returns 0 | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
913409-1 | 4-Minor | BT913409 | GTP::header extension command may abort connection due to unreasonable TCL error | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
913393-1 | 5-Cosmetic | BT913393 | Tmsh help page for GTP iRule contains incorrect and missing information | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
992213-3 | 3-Major | BT992213 | Protocol Any displayed as HOPTOPT in AFM policy view | 17.0.0, 16.1.1, 15.1.4, 14.1.4.2 |
1000405-1 | 3-Major | BT1000405 | VLAN/Tunnels not listed when creating a new rule via GUI | 17.0.0, 16.1.1, 15.1.4 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1018145 | 3-Major | BT1018145 | Firewall Manager user role is not allowed to configure/view protocol inspection profiles | 16.1.1, 15.1.4 |
Cumulative fix details for BIG-IP v16.1.4.3 that are included in this release
999901-1 : Certain LTM policies may not execute correctly after a system reboot or TMM restart.
Links to More Info: K68816502, BT999901
Component: Local Traffic Manager
Symptoms:
After a system reboot or TMM restart, LTM policies referencing an external data-group may not execute correctly, regardless of a successful matching condition.
This can cause a wide range of issues, including misrouted traffic, unshaped traffic, the bypassing of ASM, or complete traffic failure (based on the policy actions).
Note that if a virtual server references multiple LTM policies, and only some of those policies reference an external data-group, all LTM policies attached to the virtual server will be affected.
Conditions:
-- LTM policy with an external data-group configured on a virtual server.
-- System reboot or TMM restart.
Impact:
LTM policies may be unable to execute the appropriate action on a successful matching condition, leading to a wide range of traffic-impacting consequences.
Workaround:
Remove and re-add the affected policy to the desired virtual-server. Alternatively, to fix a wider number of affected virtual servers in one go, reload the system configuration by executing 'tmsh load sys config'.
Fix:
TMM now loads LTM policies with external data-groups as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
999881-6 : Tcl command 'string first' not working if payload contains Unicode characters.
Links to More Info: BT999881
Component: Local Traffic Manager
Symptoms:
Tcl command 'string first' returns an incorrect value when Unicode characters are present in the payload.
Conditions:
-- Tcl command 'string first' is used in iRules.
-- Payload contains Unicode characters.
Impact:
Traffic processing with iRules that contains the 'string first' command might not work as expected.
Workaround:
You can use any of the following workarounds:
-- Use iRuleLX.
-- Do not use Unicode characters in the payload.
-- Use a custom Tcl proc to iterate through the string using lindex
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
999125-1 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.
Links to More Info: BT999125
Component: TMOS
Symptoms:
After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states.
Conditions:
-- One or more devices belonging to a sync-failover device-group undergo a management IP change.
Impact:
-- The affected units are unable to pass traffic, as they are either both Standby or Active (resulting in either no service availability or IP address conflicts in the network).
Workaround:
If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, in order to account for the eventuality this issue might occur.
Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command:
tmsh restart sys service sod
Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future.
Fix:
Redundant devices remain in the correct failover state following a management IP address change.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
999097-1 : SSL::profile may select profile with outdated configuration
Links to More Info: BT999097
Component: Local Traffic Manager
Symptoms:
Under some circumstances, an iRule-selected SSL profile may a send previously configured certificate to the peer.
Conditions:
iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made in the profile's cert-key-chain field.
Impact:
The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.
Workaround:
Avoid making changes to a profile that is actively being used by the iRule command.
Fix:
The system now makes sure that SSL profiles are properly reloaded after changes are made.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
998225-6 : TMM crash when disabling/re-enabling a blade that triggers a primary blade transition.
Links to More Info: BT998225
Component: TMOS
Symptoms:
TMM crashes during the primary blade transition.
Conditions:
-- Using bidirectional forwarding detection.
-- Primary blade transition occurs.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM no longer crashes on primary blade transition.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
998221-1 : Accessing pool members from configuration utility is slow with large config
Links to More Info: BT998221
Component: TMOS
Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.
Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.
Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second,
Managing pool members from configuration utility is very slow causing performance impact.
Workaround:
None
Fix:
Optimized the GUI query used for retrieving pool members data.
Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.3
997429-1 : When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled
Links to More Info: BT997429
Component: Advanced Firewall Manager
Symptoms:
Some DoS-related log messages may be missing
Conditions:
-- Static DDoS vector is configured with the same mitigation threshold and detection threshold setpoint.
-- The platform supports Hardware DDoS mitigation and hardware mitigation and hardware mitigation is not disabled.
Impact:
Applications dependent on log frequency may be impacted.
Workaround:
Configure the mitigation limit about 10% over the attack limit.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
997313-2 : Unable to create APM policies in a sync-only folder★
Links to More Info: BT997313
Component: TMOS
Symptoms:
Unable to configure an APM policy in a sync-only folder, or the configuration fails to load after an upgrade, with an error message similar to:
-- err mcpd[mcpd_pid]: 01070734:3: Configuration error: Invalid Devicegroup Reference. The customization_group (/Common/sync-only/example_apm_customization) requires customization_source (/Common/standard) to be syncd to the same devices
Conditions:
-- Multiple BIG-IP devices configured in a sync-only device group, but different/non-overlapping failover device groups
-- APM policy being created in a folder or partition associated with sync-only device group.
Impact:
-- Unable to create the access policy.
-- The configuration fails to load and the device remains inoperative.
Workaround:
You can use either of the following strategies to prevent the issue:
--Do not create APM policies in a sync-only folder.
--Disable MCPD device-group reference validation for the sync-only folder, e.g.:
tmsh modify sys folder /Common/sync-only no-ref-check true
tmsh save sys config
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1
996381-1 : ASM attack signature may not match as expected
Links to More Info: K41503304, BT996381
Component: Application Security Manager
Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.
Conditions:
- Attack signature 200000128 enabled.
Impact:
Processed traffic may not match all expected attack signatures
Workaround:
N/A
Fix:
Attack signature 200000128 now matches as expected.
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1
996113-2 : SIP messages with unbalanced escaped quotes in headers are dropped
Links to More Info: BT996113
Component: Service Provider
Symptoms:
Dropped SIP messages.
Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote
Impact:
Certain SIP messages are not being passed via MRF.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
996001-5 : AVR Inspection Dashboard 'Last Month' does not show all data points
Links to More Info: BT996001
Component: TMOS
Symptoms:
A daily-based report (report with resolution of one day in each data-point) can be provided to only request with up-to 30 days. A request with 31 days shows only 2 entries.
Conditions:
This occurs when generating a 'Last Month' report for a month that contains 31 days of data.
Impact:
AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points.
Workaround:
None
Fix:
Viewing a 'Last Month' graph now reports ~30 days worth of data, rather than a variable amount of data based on actual calendar periods.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
995849-1 : Tmm crash SIGSEGV - rcs_getsalen() in lib/rc_net.c
Links to More Info: BT995849
Component: TMOS
Symptoms:
Tmm crashes while processing a large number of tunnels.
Conditions:
-- A large number of ipsec tunnels
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Memory allocation failures are handled.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
995405-1 : After upgrade, the copied SSL vhf/vht profile prevents traffic from passing★
Links to More Info: BT995405
Component: Local Traffic Manager
Symptoms:
After an RPM upgrade, SSL Orchestrator traffic does not pass
Conditions:
Upgrading SSL Orchestrator via RPM
Impact:
Traffic will not pass.
Workaround:
Bigstart restart tmm
Fix:
Fixed an issue that was preventing from passing after an RPM upgrade.
Fixed Versions:
17.0.0, 16.1.3, 16.1.1
995097-1 : Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file.
Links to More Info: BT995097
Component: TMOS
Symptoms:
After reloading the configuration from a file, management-dhcp supersede options whose values contained a double quote character (") no longer contain the character.
For instance, after reloading the configuration, the following section:
# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
supersede-options {
domain-name {
value { "example.com" }
}
domain-name-servers {
value { 8.8.8.8 }
}
domain-search {
value { "example.com" }
}
}
}
Becomes:
# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
supersede-options {
domain-name {
value { example.com }
}
domain-name-servers {
value { 8.8.8.8 }
}
domain-search {
value { example.com }
}
}
}
This also affects the configuration file for the dhclient/dhclient6 daemons that the system automatically generates from the aforementioned config stanza.
Conditions:
This issue occurs when the following statements apply:
--- The values of management-dhcp supersede options contain double quote characters.
--- The configuration is reloaded from file.
The BIG-IP system reloads the configuration from file in the following cases:
-- When you issue the 'tmsh load sys config' command.
-- After an upgrade, as the mcpd binary database does not exist yet.
-- When troubleshooting requires removing the mcpd binary database and reloading the config from file.
-- When the system is relicensed.
-- When system provisioning changes.
-- When a UCS/SCF archive is restored.
-- When someone merges in config from file or terminal (but this is limited to the actual contents being merged in, not the entire configuration).
Impact:
The in-memory mcpd configuration relating to management-dhcp supersede options is incorrect.
The /etc/dhclient.conf file that is automatically generated contains incorrect syntax.
As a result of this, the dhclient/dhclient6 daemons fail to parse the file and run with an incomplete configuration.
Ultimately, the system does not behave as configured in regard to its management-dhcp configuration.
Workaround:
Reapply the desired management-dhcp supersede-options configuration using the tmsh utility.
For example, to restore the intended in-memory configuration shown under Symptoms, you would run within tmsh:
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options none
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name-servers { value add { 8.8.8.8 } } }
# save sys config
On versions earlier than 15.0.0, you must also restart the dhclient/dhclient6 daemons by running:
bigstart restart dhclient dhclient6
Note that the workaround is not permanent and will be invalidated the next time the config is loaded from file again.
Fix:
The BIG-IP system user is no longer responsible for knowing which dhcp-options require quoting and which do not. This determination is now done internally by mcpd, which uses the correct syntax for each supersede-option when writing the /etc/dhclient.conf file. This means that, as the BIG-IP system user, you are not required to quote anything when manipulating management-dhcp supersede-options in tmsh.
For instance, you can enter the following command:
tmsh modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { one.example.com two.example.com } } }
And the system inserts the following instruction in the /etc/dhclient.conf file:
supersede domain-search "one.example.com", "two.example.com" ;
Fixed Versions:
17.0.0, 16.1.4, 15.1.10
994305-3 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5
Links to More Info: BT994305
Component: TMOS
Symptoms:
Features supported in newer versions of open-vm-tools are not available.
Conditions:
This issue may be seen when running in VMware environments.
Impact:
Features that require a later version of open-vm-tools are not available.
Workaround:
None.
Fix:
The version of open-vm-tools has been updated to 11.1.5.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1
994033-3 : The daemon httpd_sam does not recover automatically when terminated
Links to More Info: BT994033
Component: TMOS
Symptoms:
APM policy redirecting users to incorrect domain, the httpd_sam daemon not running.
Conditions:
Daemon httpd_sam stopped with the terminate command.
Impact:
APM policy performing incorrect redirects.
Workaround:
Restart the daemons httpd_apm and httpd_sam.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
993913-4 : TMM SIGSEGV core in Message Routing Framework
Links to More Info: BT993913
Component: Service Provider
Symptoms:
TMM crashes on SIGSEGV.
Conditions:
This can occur while passing traffic through the message routing framework.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4
993613-7 : Device fails to request full sync
Links to More Info: BT993613
Component: Application Security Manager
Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs
Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.
Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- Large number of asm_config_server processes increases host memory usage
Workaround:
Halting asm_config_server on the stuck device restores the working state and request a new sync.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
993517-1 : Loading an upgraded config can result in a file object error in some cases
Links to More Info: BT993517
Component: Local Traffic Manager
Symptoms:
After an upgrade from a version prior to 13.1.0, when loading a configuration that has had an HTTPS monitor in it, if that configuration has not yet been saved, you may see errors like this in the LTM log:
-- 0107134a:3: File object by name (DEFAULT) is missing.
If you run 'tmsh load sys config verify' on this configuration, the system also posts the error on the screen.
Conditions:
-- Upgrading from a version prior to 13.1.0.
-- At least one HTTPS monitor that has the kEDH cipher in its cipherlist.
-- Upgrading to version 13.1.1.4 or later.
-- Loading the configuration (either automatically on startup, or manually).
Impact:
Other than the error message, there is no impact.
Workaround:
After the initial reboot, save the configuration.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
993489-1 : GTM daemon leaks memory when reading GTM link objects
Links to More Info: BT993489
Component: Global Traffic Manager (DNS)
Symptoms:
The gtmd process memory consumption is higher than expected.
Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.
Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
993481-1 : Jumbo frame issue with DPDK eNIC
Links to More Info: BT993481
Component: TMOS
Symptoms:
TMM crashes
Conditions:
-- TMM is using DPDK driver with Cisco eNIC
-- TMM receives jumbo sized packet
Impact:
Traffic disrupted while TMM restarts.
Workaround:
- Use a different driver such as sock.
- Do not use or accept jumbo frames, use the following TMSH command to set the MTU to less than or equal to 1500:
tmsh modify net vlan external mtu 1500
Fix:
Skipped initialization of structures.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
993457-1 : TMM core with ACCESS::policy evaluate iRule
Links to More Info: BT993457
Component: Access Policy Manager
Symptoms:
TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release.
Conditions:
-- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered.
-- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes.
Impact:
This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM no longer crashes and generates a core file during the ACCESS::policy evaluate iRule under these conditions.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
993269-3 : DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option
Links to More Info: BT993269
Component: Advanced Firewall Manager
Symptoms:
Using DoS timestamp cookies together with a FastL4 profile with the timestamp rewrite option enabled might lead to traffic failures.
DoS timestamp cookies might also lead to problems with traffic generated by the Linux host.
Conditions:
-- DoS timestamp cookies are enabled, and either of the following:
-- FastL4 profile with the timestamp rewrite option enabled.
-- Traffic originating from Linux host.
Impact:
Traffic is dropped due to incorrect timestamps.
Workaround:
Disable timestamp cookies on the affected VLAN.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
992865-3 : Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances
Links to More Info: BT992865
Component: TMOS
Symptoms:
On particular platforms, virtual servers do not correctly enter hardware SYN cookie mode. Software SYN cookie mode still functions correctly.
Conditions:
-- Virtual server under SYN flood attack.
-- One of the following platforms
+ BIG-IP i11000 series (C123)
+ BIG-IP i15000 series (D116)
Impact:
Software SYN cookies are enabled, this has a performance impact compared to the hardware mode.
Workaround:
None
Fix:
Virtual servers correctly enter hardware SYN cookie mode on all platforms.
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.4
992813-7 : The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations.
Links to More Info: BT992813
Component: TMOS
Symptoms:
The mcpd daemon performs validation of the request-options and supersede-options a BIG-IP administrator specifies via the tmos.sys.management-dhcp endpoint in tmsh.
As the list of dhcp-options known to mcpd is outdated, it is possible you may be returned an error when attempting to configure valid request-options or supersede-options.
For example, you may be returned the following error when attempting to supersede the domain-search option:
01071627:3: Management Dhcp resource supersede-option - Invalid dhcp option: domain-search
Conditions:
You attempt to configure a dhcp-option unknown to mcpd as part of the request-options or supersede-options properties.
Note: A common dhcp-option of which mcpd has no knowledge is domain-search. You are unlikely to experience this issue unless you are requesting or superseding this particular dhcp-option.
Impact:
You are unable to instantiate the desired management-dhcp configuration.
Workaround:
None
Fix:
The list of dhcp-options known to mcpd has been updated.
Fixed Versions:
17.0.0, 16.1.4, 15.1.10
992213-3 : Protocol Any displayed as HOPTOPT in AFM policy view
Links to More Info: BT992213
Component: Advanced Firewall Manager
Symptoms:
The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI.
Conditions:
-- Create a rule and set protocol as 'any'.
-- Navigate to active rules.
Impact:
GUI shows an incorrect value.
Workaround:
None
Fix:
GUI Shows correct value for rule protocol option.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.2
992121-4 : REST "/mgmt/tm/services" endpoint is not accessible
Links to More Info: BT992121
Component: TMOS
Symptoms:
Accessing "/mgmt/tm/services" failed with a null exception and returned 400 response.
Conditions:
When accessing /mgmt/tm/services through REST API
Impact:
Unable to get services through REST API, BIG-IQ needs that call for monitoring.
Fix:
/mgmt/tm/services through REST API is accessible and return the services successfully.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
990461-5 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★
Links to More Info: BT990461
Component: Advanced Firewall Manager
Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.
Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.
Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.
Workaround:
Manually update the SYN cookie threshold values after an upgrade.
Fixed Versions:
17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4
989701-8 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response
989517-3 : Acceleration section of virtual server page not available in DHD
Links to More Info: BT989517
Component: TMOS
Symptoms:
Cannot use Advanced Menu to create a virtual server for HTTP/2 on systems with DHD licenses. This occurs because the Acceleration section is not available.
You can via TMSH then it works, but at as soon as you use the GUI to modify the virtual server, it loses the HTTP/2 configuration.
Conditions:
The Acceleration section is not visible in case 'DoS' is provisioned (available with the DHD license).
Impact:
1) You are unable to use the GUI to modify any parameters of the Acceleration table in the virtual server page.
2) Loss of configuration items if making changes via the GUI.
Workaround:
A virtual server with parameters present in the Acceleration table can still be created using TMSH. However, do not edit that virtual server in the GUI, or the Acceleration parameters will be lost.
Fix:
The Acceleration table is now visible, and there is no loss of configuration items if making changes via the GUI.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
989501-2 : A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus
Links to More Info: BT989501
Component: TMOS
Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might fall or drop off of PCI bus, resulting in the BIG-IP system not being able to process traffic. If this happens, a daemon_heartbeat failsafe gets triggered instead of dataplane_inoperable_t action.
Conditions:
The conditions that lead to HSB to fall off of PCI bus are unknown at this time.
Impact:
The BIG-IP system unable to pass traffic and a failover is triggered.
Workaround:
Reboot the device or the blade to recover from the situation and monitor for re-occurrence. If it happens again, it could indicate potential underlying hardware issue.
Fix:
The dataplane_inoperable_t High Availability (HA) event should be triggered by overdog process (which monitors high availability (HA) table for failover action types of restart, restart-all, or reboot) and allow for system to be rebooted to recover.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
988165-3 : VMware CPU reservation is now enforced.
Links to More Info: BT988165
Component: TMOS
Symptoms:
CPU reservation is not enabled which can result in insufficient CPU resource for virtual edition guest.
Conditions:
BIG-IP Virtual Edition running in VMware.
Impact:
Performance may be lower than expected particularly if ESXi is over subscribed and traffic volume is high.
Workaround:
Manually enforce the 2GHz per core rule when provisioning VMware instances to ensure that your VMware hosts are not oversubscribed.
Fix:
The VMware CPU reservation of 2GHz per core is now automatically enabled in the OVF file. The CPU reservation can be up to 100 percent of the defined virtual machine hardware. For example, if the hypervisor has 2.0 GHz cores, and the VE is set to 4 cores, you will see 4 x 2.0 GHz reserved for 8GHz (or 8000 MHz).
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
987885-6 : Half-open unclean SSL termination might not close the connection properly
Links to More Info: BT987885
Component: Local Traffic Manager
Symptoms:
Upon receiving TCP FIN from the client in the middle of the SSL Application Data, the BIG-IP system does not close the connection on either client- or server-side (i.e., it does not 'forward' the FIN on the server-side as it normally does) causing the connection to go stale until the timeout is reached.
Conditions:
-- TCP and SSL profiles configured on a virtual server.
-- Client terminates the connection in the middle of an SSL record.
Impact:
Connection termination does not happen. Connection remains in the connection table until idle timeout is reached.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
987341-1 : BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers.
Links to More Info: BT987341
Component: Access Policy Manager
Symptoms:
BIG-IP discovers and updates JSON Web Keys (JWK) in OpenID Connect (OIDC) deployments using a Java Runtime Environment (JRE). The JRE in BIG-IP does not support strong TLS ciphers, so the discovery/update process can fail against OIDC providers that enforce strong encryption requirements.
Conditions:
Using an OpenID Connect provider that allows only strong TLS ciphers. and using an APM configuration that validates incoming JWTs against a dynamic JWK list in Internal Validation Mode.
Impact:
This might cause discovery to fail against certain OpenID Connect auth providers that enforce strong cipher requirements. It could lead to JWT validation failure as the JWK expire and cannot be updated by BIG-IP.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
987301-3 : Software install on vCMP guest via block-device may fail with error 'reason unknown'
Links to More Info: BT987301
Component: TMOS
Symptoms:
When installing an engineering hotfix (EHF) on a vCMP guest via block-device, sometimes it fails with 'reason unknown'.
-- /var/log/liveinstall may contain an error similar to:
I/O error : Input/output error
/tmp/lind_util.voCQOs/BIGIP1610/install/fsinfo.xml:1: parser error : Document is empty
-- /var/log/kern.log may contain an error similar to:
Aug 14 14:15:54 bigip1 info kernel: attempt to access beyond end of device
Aug 14 14:15:54 bigip1 info kernel: sr0: rw=0, want=3560560, limit=312712
Conditions:
This might occur after multiple attempts to install an EHF on a vCMP guest via block-device:
tmsh install sys software block-device-hotfix Hotfix-BIGIP-14.1.2.6.0.77.2-ENG.iso volume HD1.3
Impact:
Sometimes the EHF installation fails on the guest.
Workaround:
-- Retry the software installation.
-- If the software installation continues to fail, copy the ISO images into the vCMP guest, and use those to perform the installation.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
987077-3 : TLS1.3 with client authentication handshake failure
Links to More Info: BT987077
Component: Local Traffic Manager
Symptoms:
SSL handshakes fail, and TLS clients send 'Bad Record MAC' errors.
Conditions:
-- LTM authentication profile using OCSP and TLS1.3.
-- Client application data arrives during LTM client authentication iRule.
Impact:
-- A handshake failure occurs.
-- Client certificate authentication may pass without checking its validity via OCSP.
Workaround:
Use TLS1.2 or use TLS1.3 without the LTM authentication profile.
Fix:
Handshake completes if using TLS1.3 with client authentication and LTM auth profile.
Fixed Versions:
17.0.0, 16.1.3, 15.1.5.1, 14.1.4.6
986937-3 : Cannot create child policy when the signature staging setting is not equal in template and parent policy
Links to More Info: BT986937
Component: Application Security Manager
Symptoms:
When trying to create a child policy, you get an error:
FAILURE: "Could not update the Policy policy1. Inherited values may not be changed."
Conditions:
-- Parent policy created with signature staging disabled.
-- Creating a new child policy with that policy as a parent.
Impact:
You are unable to create the child policy and the system presents an error.
Workaround:
Create the policy without assigning it to the parent, and then assign it to the parent policy on the Inheritance Settings page.
Fix:
The error no longer occurs on child policy creation.
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4
985953-6 : GRE Transparent Ethernet Bridging inner MAC overwrite
Links to More Info: BT985953
Component: TMOS
Symptoms:
Traffic not being collected by virtual server and therefore not being forwarded to the nodes.
Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.
Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.
Workaround:
None
Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
985925-3 : Ipv6 Routing Header processing not compatible as per Segments Left value.
Links to More Info: BT985925
Component: Local Traffic Manager
Symptoms:
Packet should forward the packet with the route header unmodified when Segments Left is 0 (zero). It performs as expected when Segments Left is non-zero by dropping the packet and sending an ICMP error.
Conditions:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.
Impact:
With Next Header field in IP header being Routing Header for IPv6, BIG-IP system fails to forward the ICMPv6 Echo Request packet to server, rather, it drops the packet.
Workaround:
None
Fix:
Now the ICMP packet is forwarded with both IPv6 extension headers present.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
984749-1 : Discrepancy between DNS cache statistics "Client Summary" and "Client Cache."
Links to More Info: BT984749
Component: Global Traffic Manager (DNS)
Symptoms:
"show ltm dns cache", shows difference between "Client Summary" and "Client Cache".
Conditions:
Create a resolver type DNS cache, attach to a DNS profile, and attach to a virtual server. Send queries to virtual server. Compare/review result of "show ltm dns cache."
Impact:
Client Cache Hit/Miss Statistics ratio affected.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
984593-1 : BD crash
Links to More Info: BT984593
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
984585-3 : IP Reputation option not shown in GUI.
Links to More Info: BT984585
Component: TMOS
Symptoms:
Cannot configure IP Reputation option from the GUI.
Conditions:
Configuring the LTM policy type 'IP Reputation' using the GUI, when the 'IP Intelligence' module is licensed in time-limited modules.
Impact:
The IP Reputation option is not shown in GUI configuration list. Cannot create LTM policies with IP Reputation.
Workaround:
Use tmsh to configure IP Reputation.
Fix:
The IP Reputation option is now shown in the GUI.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
982785-2 : Guided Configuration hardening
Links to More Info: K52322100
982757-3 : APM Access Guided Configuration hardening
Links to More Info: K53197140
981917-4 : CVE-2020-8286 - cUrl Vulnerability
Links to More Info: K15402727
981069-3 : Reset cause: "Internal error ( requested abort (payload release error))"
Links to More Info: BT981069
Component: Application Security Manager
Symptoms:
An unexpected RST occurs on inbound traffic. The RST cause shows "Internal error ( requested abort (payload release error))"
Conditions:
When all the following conditions are met:
- The system was upgraded to a version where ID910253 is fixed
- TS cookie coming from a previous version
- data guard in non blocking (masking)
- response that is not zipped and has a textual content type
Impact:
Traffic is affected.
Workaround:
Any of the following actions can resolve the issue:
1. Turn off data guard or change it to blocking.
2. Make the server reply with zipped responses (perhaps by adding the accept-encoding: gzip using an iRule).
3. Add an additional response related feature.
4. Use the following iRule in case there aren't cookie related enforcement:
when HTTP_REQUEST {
set cookies [HTTP::cookie names]
foreach aCookie $cookies {
if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
HTTP::cookie remove $aCookie
}
}
}
Fix:
Fixed an issue that was triggering resets on traffic.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4
980617-1 : SNAT iRule is not working with HTTP/2 and HTTP Router profiles
Links to More Info: BT980617
Component: Local Traffic Manager
Symptoms:
On HTTP/2 full-proxy virtual servers, the snatpool command in an iRule is accepted but the source address server-side is not changed.
Conditions:
1.) Basic HTTP profile and HTTP/2 profile is configured on BIG-IP systems
2.) iRule with snatpool <pool_name>, snat <IP> is configured
Impact:
Unable to use snatpool (and possibly snat) in iRule to control the server-side source address.
Workaround:
Configure SNAT under the virtual server configuration, rather than in an iRule.
Fixed Versions:
17.0.0, 16.1.1, 15.1.10
979877-9 : CVE-2020-1971 OpenSSL: EDIPARTYNAME NULL pointer de-reference vulnerability description and available information
977761 : Connections are dropped if a certificate is revoked.
Links to More Info: BT977761
Component: Local Traffic Manager
Symptoms:
SSL handshake failures occur with the backend server revoked certificate in case of reverse proxy.
Conditions:
1. BIG-IP LTM configured as SSL reverse proxy.
2. revoked-cert-status-response-control set to ignore in the server ssl profile.
3. server certificate authentication set to "require" in the server ssl profile.
Impact:
Ssl handshake failures due to revoked server certificate
Workaround:
1. Set the server certificate authentication to ignore in the server ssl profile.
Fix:
Added checks to validate the certificate as well as the flags set (ignore/drop) for the revoked certificate.
Fixed Versions:
17.1.0, 16.1.2.2
977153-3 : Packet with routing header IPv6 as next header in IP layer fails to be forwarded
Links to More Info: BT977153
Component: Advanced Firewall Manager
Symptoms:
BIG-IP systems fail to follow RFC 5095, which specifies the traffic should be forwarded.
Conditions:
This symptom is found when the following conditions are met:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.
Impact:
This failure in forwarding ICMP error message prevents the BIG-IP AFM product from completing certification.
Workaround:
None.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
976669-5 : FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade
Links to More Info: BT976669
Component: TMOS
Symptoms:
After rebooting or replacing a secondary blade, the FIPS integrity check fails for other secondary blades and they fail to fully boot.
Conditions:
This can occur after rebooting or replacing a secondary blade.
Impact:
When the FIPS integrity checks fail the blades won't fully boot.
Workaround:
On the secondary blade reboot, the following critical files are deleted from other secondary blades which leads to FIPS integrity check failure:
/root/.ssh/authorized_keys
/root/.ssh/known_hosts
To mitigate, copy the missing files from the primary blade to the secondary blade.
From the primary blade, issue the following command towards the secondary blade(s).
rsync -avz -e ssh /root/.ssh/* root@<Secondary Blade>:/root/.ssh/
Fix:
Critical files are not deleted during secondary blade reboot.
Fixed Versions:
17.0.0, 16.1.2.2, 16.1.0, 15.1.5.1, 14.1.4.6
976525-5 : Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled
Links to More Info: BT976525
Component: Local Traffic Manager
Symptoms:
In BIG-IP v13.1.3.2 and later, there is new functionality to SNAT the traffic coming from the host system. When there are multiple routes to a destination address and transparent monitors are in use, tmm occasionally picks the wrong source IP for these connections.
Conditions:
-- The db variable snat.hosttraffic is enabled.
-- Gateway pool with multiple members.
-- Transparent monitors.
Impact:
The system chooses the wrong source IP address for the egress interface. That incorrect source IP address might cause traffic to return on the wrong VLAN.
Workaround:
Use either of the following workarounds:
-- Disable VLAN keyed connections: modify sys db connection.vlankeyed value disable
-- Upgrade to a version with a fix for ID 826905 (https://cdn.f5.com/product/bugtracker/ID826905.html) and disable snat.hosttraffic.
Fix:
Transparent monitors now have the correct source IP addresses when gateway pools are in use and snat.hosttraffic is enabled.
Fixed Versions:
17.0.0, 16.1.4, 15.1.6.1, 14.1.5
976337-2 : i40evf Requested 4 queues, but PF only gave us 16.
Links to More Info: BT976337
Component: TMOS
Symptoms:
During BIG-IP system boot, a message is logged:
i40evf 0000:05:00.0: Requested 4 queues, but PF only gave us 16.
Conditions:
-- BIG-IP Virtual Edition configured for SR-IOV
-- E810 virtual functions (VFs)
Impact:
A message is logged but it is benign and can be ignored.
Fixed Versions:
16.1.2.2, 15.1.5.1
974985-6 : Dosl7/bot does not ignore non-http traffic even when disabled via iRule DOSL7::disable
Links to More Info: BT974985
Component: Application Security Manager
Symptoms:
Non http traffic isn't forwarded to the backend server
Conditions:
- ASM provisioned
- DoS Application or Bot Defense profile assigned to a virtual server
- DOSL7::disable applied at when CLIENT_ACCEPTED {}
Impact:
Broken webapps with non-http traffic
Workaround:
Instead of using DOSL7::disable, redirect non-http traffic to non-http aware virtual server using the iRule command virtual <virtual_server_name>
Fix:
Fix DOSL7::disable command handler in the tmm code
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
974241-3 : Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades
Links to More Info: BT974241
Component: TMOS
Symptoms:
Mcpd exists with error similar to:
01070734:3: Configuration error: Configuration from primary failed validation: 010713cf:3: Configuration group '/Common/test1_end_deny_ag' has invalid source '/Common/standard'
Conditions:
1. VIPRION or vCMP guest with multiple blades in a cluster
2. Create a access policy with modern customization enabled
Impact:
Mcpd restarts leading to failover.
Workaround:
Use standard customization and not modern customization.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4
974205-5 : Unconstrained wr_urldbd size causing box to OOM
Links to More Info: BT974205
Component: Traffic Classification Engine
Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.
Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.
Impact:
The device eventually runs out of memory (OOM condition).
Workaround:
Restart the wr_urldbd process:
restart sys service wr_urldbd
Fix:
Constrained the cache with Least Recently Used-based caching to prevent this issue from occurring.
Added two sys DB variables:
-- wr_urldbd.cloud_cache.log.level
Value Range:
sys db wr_urldbd.cloud_cache.log.level {
value "debug"
default-value "none"
value-range "debug none"
}
-- wr_urldbd.cloud_cache.limit
Value Range:
sys db wr_urldbd.cloud_cache.limit {
value "5500000"
default-value "5500000"
value-range "integer min:5000000 max:10000000"
}
Note: Both these variables are introduced for debugging purpose.
Fixed Versions:
17.1.0, 16.1.4, 15.1.4, 14.1.4.4, 12.1.6
970329-1 : ASM hardening
Links to More Info: K70134152, BT970329
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM does not follow current best practices.
Conditions:
- ASM provisioned
Impact:
Attack detection is not triggered as expected
Workaround:
N/A
Fix:
Attack detection is now triggered as expected
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
969317-4 : "Restrict to Single Client IP" option is ignored for vmware VDI
Links to More Info: BT969317
Component: Access Policy Manager
Symptoms:
The Restrict to Single Client IP option in the Access Policy is not being honored for VMware VDI.
Conditions:
- Configure APM Webtop with vmware VDI.
- Set "Restrict to Single Client IP" option in Access Profile.
- Try to launch vmware desktop on one client. Copy the launch URI
- Try to launch vmware desktop from other client using the copied URI.
Impact:
A connection from the second client is allowed, but it should not be allowed.
Fix:
Restrict to Single Client IP is honored for VMware VDI for both PCOIP and Blast protocols.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5
969297 : Virtual IP configured on a system with SelfIP on vwire becomes unresponsive
Links to More Info: BT969297
Component: SSL Orchestrator
Symptoms:
Virtual IP ARP does not get resolved when a SelfIP is configured on a virtual-wire.
Conditions:
Issue happens when a SelfIP address is configured and a Virtual IP address is configured for a Virtual Server.
Impact:
The virtual server is unreachable.
Workaround:
None
Fix:
ARP forwarding to peer is decided based on whether Virtual IP and self-IP is configured or not.
Fixed Versions:
16.1.2.2
968929-2 : TMM may crash when resetting a connection on an APM virtual server
Links to More Info: BT968929
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
- HTTP profile without fallback host.
- iRules.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure fallback host to an HTTP profile that redirects the request to a specified location.
Fixed Versions:
17.0.0, 16.1.2.2
968657-1 : Added support for IMDSv2 on AWS
Links to More Info: BT968657
Component: TMOS
Symptoms:
AWS added a token-based Instance MetaData Service API (IMDSv2). Prior versions of BIG-IP Virtual Edition supported only a request/response method (IMDSv1). When the AWS API is starting with IMDSv2, you will receive the following error message:
get_dossier call on the command line fails with:
01170003:3: halGetDossier returned error (1): Dossier generation failed.
This latest version of BIG-IP Virtual Edition now supports instances started with IMDSv2.
Conditions:
AWS instances started with IMDSv2.
Impact:
BIG-IP Virtual Edition cannot license or re-license AWS instances started with IMDSv2 and other metadata-based functionality will not function.
Fix:
With the latest version of BIG-IP VE, you can now initialize "IMDSv2 only" instances in AWS and migrate your existing instances to "IMDSv2 only" using aws-cli commands. For details, consult documentation: https://clouddocs.f5.com/cloud/public/v1/shared/aws-ha-IAM.html#check-the-metadata-service-for-iam-role
IMDSv2 documentation from AWS: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1
968581-4 : TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description
Links to More Info: BT968581
Component: Local Traffic Manager
Symptoms:
The TMSH command "show /ltm profile ramcache" has a max-response option to output a number of records designated in this parameter. Due to calculation algorithm, the command may output less records than RAMCACHE stores or more records than the limit prescribes.
Conditions:
-- A virtual server is configured on BIG-IP.
-- A webacceleration profile with no web application is attached to the virtual server.
-- Traffic is sent over the virtual server with a number of unique cacheable documents that exceed a designated limit.
Impact:
Output of the command may not match to actual list of stored documents in RAMCACHE.
Fix:
Command "show /ltm /profile ramcache" respects a limit defined as "max-response" parameter.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
967905-5 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash
Links to More Info: BT967905
Component: TMOS
Symptoms:
Tmm crashes.
Conditions:
-- static bwc
-- virtual to virtual chain
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the static bwc on a virtual chain.
Fix:
Fixed a tmm crash.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1
967101-1 : When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out.
Links to More Info: BT967101
Component: Local Traffic Manager
Symptoms:
Gratuitous ARP (GARP) messages are dropped at the time of sending GARP because the number of links up in the trunk is 0 (which returns "error 18" ... ERR_NOT_FOUND)
Conditions:
-- Two BIG-IP systems with switchless configuration, such as i2xxx and i4xxx.
-- Bring down and up the interfaces at the same time in the trunk.
Impact:
Neighboring device arp table is not updated about the BIG-IP interface status, because no gratuitous ARP message is sent out.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
966949-6 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node
Links to More Info: BT966949
Component: TMOS
Symptoms:
If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created.
If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected.
Conditions:
This may occur under the following conditions:
-- An FQDN template node is configured with "autopopulate enabled"
-- The configured DNS server resolves the FQDN name to multiple IP addresses
-- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230
This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node.
Impact:
Unused FQDN ephemeral nodes may remain in the active configuration.
-- Since is it not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, it is not possible for any FQDN ephemeral pool members to remain when the steps that lead to this issue occur.
-- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes.
Workaround:
It is possible to work around this issue by one of the following methods:
-- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI)
(Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.)
-- Restarting BIG-IP (for example, using the command "bigstart restart")
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
966461-7 : Tmm memory leak
Links to More Info: BT966461
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm leaks memory for DNSSEC requests.
Conditions:
NetHSM is configured but disconnected.
or
Internal FIPS card is configured and tmm receives more DNSSEC requests than the FIPS card is capable of handling.
Impact:
Tmm memory utilization increases over time.
Workaround:
None
Fix:
A new DB variable dnssec.fipswaitingqueuecap is introduced to configure the capacity of the FIPS card.
You can throttle the incoming DNSSEC requests based on the count of outstanding DNSSEC requests in netHSM/Internal FIPS queue.
tmsh modify sys db dnssec.fipswaitingqueuecap value <value>
this value sets the capacity per tmm process.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
965837-4 : When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection
Links to More Info: BT965837
Component: Access Policy Manager
Symptoms:
When BIG-IP is configured with a PingAccess profile and an SSL profile is associated with both the BIG-IP virtual server and a ping access configuration, an active connection to the virtual server may lead to a TMM crash.
Conditions:
-- SSL is configured on both the BIG-IP virtual server that contains the ping access profile and ping access configuration.
-- Active connection to the BIG-IP virtual server
-- Config sync is triggered or "tmsh load sys config" is triggered
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fix:
Fixed a TMM crash related to ping access.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
965785-4 : Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine
Links to More Info: BT965785
Component: Application Security Manager
Symptoms:
DCC.HSL_DATA_PROFILES table on standby machine stay empty after sync process. Error for DB insert failure into table DCC.HSL_DATA_PROFILES thrown in asm_config_server.log.
Conditions:
There is no specific condition, the problem occurs rarely.
Impact:
Sync process requires an additional ASM restart
Workaround:
Restart ASM after sync process finished
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
965229-5 : ASM Load hangs after upgrade★
Links to More Info: BT965229
Component: Application Security Manager
Symptoms:
ASM upgrade hangs, and you see the following in
var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------
In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
info tsconfig.pl[24675]: ASM initial configration script launched
info tsconfig.pl[24675]: ASM initial configration script finished
info asm_start[25365]: ASM config loaded
err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------
Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade
Impact:
ASM post upgrade config load hangs and there are no logs or errors
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
964625-5 : Improper processing of firewall-rule metadata
Links to More Info: BT964625
Component: Advanced Firewall Manager
Symptoms:
The 'mcpd' process may suffer a failure and be restarted.
Conditions:
Adding very large firewall-policy rules, whether manually, or from config-sync, or from BIG-IQ.
Impact:
-- MCPD crashes, which disrupts both control-plane and data-plane processing while services restart.
-- Inability to configure firewall policy.
Workaround:
Reduce the number of firewall policy rules.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
964533-2 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.
Links to More Info: BT964533
Component: TMOS
Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.
Conditions:
If a session is deleted before all the session db callback events are handled, this error can occur while passing normal traffic.
Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.
There is no impact other than additional log entries.
Workaround:
None.
Fix:
Log level has been changed so this issue no longer occurs.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
964125-6 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.
Links to More Info: BT964125
Component: TMOS
Symptoms:
Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes.
There is more then one avenue where node statistics would be queried.
The BIG-IP Dashboard for LTM from the GUI is one example.
Conditions:
Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics.
Impact:
Mcpd restarted which will cause services to failover. Traffic and configuration disrupted while mcpd restarts.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
963541-1 : Net-snmp5.8 crash
Links to More Info: BT963541
Component: TMOS
Symptoms:
Snmpd crashes.
Conditions:
This does not always occur, but it may occur after a subagent (bgpd) is disconnected.
Impact:
Snmpd crashes.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
962589-4 : Full Sync Requests Caused By Failed Relayed Call to delete_suggestion
Links to More Info: BT962589
Component: Application Security Manager
Symptoms:
When using parent policies with learning enabled in an auto-sync device group, in some use cases deleting an ignored suggestion on a parent policy will cause a full sync to occur.
This can cause unexpected delays in configuration being synchronized between peers, and in the event of repeated instances in quick succession could fill the /var partition
Conditions:
1) Device Group with ASM and auto-sync enabled
2) Parent Policies with learning are in use.
3) Ignored Suggestions are deleted on the parent policy after they have 0 suggesting children left.
Impact:
ASM configuration requests a full sync which can cause unexpected slowness in config synchronization and may fill the /var partition if done multiple times in quick succession.
A full /var partition can lead to bd cores.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4
962177-6 : Results of POLICY::names and POLICY::rules commands may be incorrect
Links to More Info: BT962177
Component: Local Traffic Manager
Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules returns incorrect results.
Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.
Impact:
Traffic processing may not provide expected results.
Fix:
POLICY::names and POLICY::rules provide atomic results per transaction going over a same connection.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4, 13.1.4.1
961509-5 : ASM blocks WebSocket frames with signature matched but Transparent policy
Links to More Info: BT961509
Component: Application Security Manager
Symptoms:
WebSocket frames receive a close frame
Conditions:
-- ASM provisioned
-- ASM policy attached to a virtual server
-- WebSocket profile attached to a virtual server
-- ASM policy transparent mode enabled
Impact:
WebSocket frame blocked in transparent mode
Workaround:
Change signatures blocking settings to Learn = Yes, Alarm = Yes, Block = No
Fix:
WebSocket frame blocking condition now takes into account global transparent mode setting.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
960677-1 : Improvement in handling accelerated TLS traffic
Links to More Info: BT960677
Component: Local Traffic Manager
Symptoms:
Rare aborted TLS connections.
Conditions:
None
Impact:
Certain rare traffic patterns may cause TMM to abort some accelerated TLS connections.
Workaround:
None
Fix:
The aborted connections will no longer be aborted and will complete normally.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
959985-3 : Update VMware hardware version templates for BIG-IP Virtual Edition (VE) from v10 to v13 in order to support VMs deployed in more versions of vSphere ESXi.
Links to More Info: BT959985
Component: TMOS
Symptoms:
Virtual hardware version setting for BIG-IP VE VMware templates (virtualHW.version) are set to version 10 and must change to version 13, so more versions of vSphere ESXi (for example, ESXi v6.0 and later) can support deploying BIG-IP Virtual Edition.
Conditions:
Using BIG-IP Virtual Edition VMware hardware templates set to v10 running in most, later versions of VMware ESXi.
Impact:
BIG-IP Virtual Edition VMware hardware templates result in performance issues and deployment errors/failures.
Workaround:
None
Fix:
Changed the BIG-IP Virtual Edition VMware hardware template version setting (virtualHW.version) to 13 and deployed them successfully using later versions of VMware ESXi.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
959609-4 : Autodiscd daemon keeps crashing
Links to More Info: BT959609
Component: Advanced Firewall Manager
Symptoms:
Autodiscd daemon keeps crashing.
Conditions:
Issue is happening when high speed logging and auto discovery configuration are configured and send the traffic.
Impact:
Auto discovery feature is not working as expected
Workaround:
None.
Fix:
Auto discovery feature now works as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
957905-1 : SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP.
Links to More Info: BT957905
Component: Service Provider
Symptoms:
SIP Requests that don't contain a content_length header are accepted and forwarded by the BIG-IP to the server.
SIP Responses that don't contain a content_length header are accepted and forwarded to the client.
The sipmsg parser does not treats the content_length header as a required header as part of the SIP Request / Response.
Conditions:
SIP request / response without content_length header.
Impact:
RFC 6731 non compliance.
Workaround:
N/A
Fix:
BIG-IP now aborts the connection of any TCP SIP request / response that does not contain a content_length header.
content_length header is treated as optional for UDP and SCTP.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
957637-1 : The pfmand daemon can crash when it starts.
Links to More Info: BT957637
Component: TMOS
Symptoms:
The pfmand process crashes and writes out a core file during bootup (or if the process is manually restarted by an Administrator for any reason) on certain platforms.
The crash may happen more than once, until the process finally settles and is able to start correctly.
Conditions:
-- Platforms i4000/i2000/i4800/i2800/i4600/i2600/i850.
Impact:
Network connection lost while pfmand restarts.
Workaround:
None
Fix:
The issue causing the pfmand daemon to occasionally crash has been resolved.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
957453-1 : Javascript parser incompatible with ECMAScript 6/7+ javascript versions
Links to More Info: BT957453
Component: Access Policy Manager
Symptoms:
A web application failed to function on the client side.
Conditions:
-- APM proxying a web application.
-- Web application uses ES6/7 or higher javascript.
Impact:
The web application failed to function.
Workaround:
None
Fix:
The fix is implemented in two steps:
STEP 1:
Initial implementation with bug ID 592353, added support for Javascript ECMA6/7+. Optional internal wrapping is added into client-side includes.
With this fix, a custom iRule workaround can be applied to fix a limited set of possible cases.
STEP 2:
With bug ID 957453, the implementation of the light rewriter on the server side is also completed.
No iRule workaround is required to support ES6/7+ javascript versions after the implementation of bug ID 957453.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
956645-4 : Per-request policy execution may timeout.
Links to More Info: BT956645
Component: Access Policy Manager
Symptoms:
When attempting to access a resource that requires subsession validation, the client may receive an HTTP 503 "Service Unavailable" response, and the logs indicate that per-request policy execution time has expired.
Conditions:
Multiple connections are accessing the same subsession, triggering subsession lock contention.
Impact:
Some clients will fail to connect to their destination.
Workaround:
Add criteria to the gating criteria to enable more fine-grained subroutines to reduce subsession contention. For example, add category, or application name, to the gating criteria. In the case of API protection, consider concatenating credentials with the resource hostname (plus port).
Increase the per-request policy execution timeout value, controlled by the variable tmm.access.prp_global_timeout, to a higher value.
Fix:
Subesssion lock contention wait time is reduced. Clients will not fail to connect due to subsession lock contention.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9, 14.1.4.5
956373-4 : ASM sync files not cleaned up immediately after processing
Links to More Info: BT956373
Component: Application Security Manager
Symptoms:
Some ASM sync files remain on disk after config sync finishes. They remain until periodic clean-up tasks activate
Conditions:
-- ASM provisioned
-- BIG-IP devices are in a sync group
-- Relatively small "/var" partition
Impact:
If the files are large it may lead to "lack of disk space" problem.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.3, 14.1.4.1
956133-2 : MAC address might be displayed as 'none' after upgrading.★
Links to More Info: BT956133
Component: Local Traffic Manager
Symptoms:
The MAC Address of a BIG-IP Virtual Edition network interface is displayed as 'none' after upgrading.
Conditions:
1. The VLAN MTU is set to less than 1280 bytes on a BIG-IP network interface.
2. Upgrade BIG-IP to 14.1.0 or above from BIG-IP versions below 14.1.0.
Impact:
Traffic disrupted when the MAC address is set to 'none'.
Workaround:
N/A
Fix:
IPv6 link-local addresses are now created with MTU greater than 1280, so this issue is resolved.
Fixed Versions:
17.0.0, 16.1.4, 15.1.4, 14.1.4.4
956013-4 : System reports{{validation_errors}}
Links to More Info: BT956013
Component: Policy Enforcement Manager
Symptoms:
A {{validation_errors}} at Subscriber Management :: Control Plane Listeners and Data Plane Listeners with ipv6 addresses
Conditions:
Specifying an IPv6 address in the expression in Subscriber Management :: Control Plane Listeners and Policy Enforcement :: Data Plane Listeners.
Impact:
Cannot access the BIG-IP GUI through IPv6 address from any web browser. Admin/User cannot enter input through GUI.
Workaround:
None.
Fixed Versions:
16.1.2.1, 15.1.5, 14.1.4.5
955617-8 : Cannot modify properties of a monitor that is already in use by a pool
Links to More Info: BT955617
Component: Local Traffic Manager
Symptoms:
If the monitor is associated with a node or pool, then modifying monitor properties other than the destination address is displaying incorrect error. For example, modifying the receive string results in following error:
0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor
This error should only be generated if the destination address of an associated monitor is being modified, but this error message is generated when other parameters are modified.
Conditions:
-- Monitor with alias address field as default properties.
-- Pool containing a node or pool member.
-- Monitor is attached to the pool.
Impact:
Monitor properties cannot be modified if they are in use by a pool.
Workaround:
Remove the monitor, modify it, and then add it again.
Fix:
Monitor properties can be modified even when the monitor is attached to the node or pool, updated values reflect in the node or pool.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
954001-7 : REST File Upload hardening
Component: Device Management
Symptoms:
REST file upload does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
Only upload trusted files to the BIG-IP.
Fix:
REST file uploads now follow best security practices.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
953601-4 : HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions
Links to More Info: BT953601
Component: Local Traffic Manager
Symptoms:
HTTPS monitor marks pool member/nodes as down and they remain down until bigd is restarted or the monitor instance is removed and created again.
Conditions:
BIG-IP is configured with restrictive ciphers that are only compatible with TLS 1.2 (ECDH+AESGCM) but all of the TLS protocol versions are allowed. When HTTPS monitor TLS 1.0 handshake fails, due to incompatible ciphers with the server being monitored. It does not try TLS 1.2 version and marks pool members or nodes as down.
Impact:
HTTPS monitor shows pool members or nodes down when they are up.
Workaround:
Restart bigd or remove and add monitors.
Fix:
In case of handshake failure, BIG-IP will try TLS 1.2 version.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
952521-1 : Memory allocation error while creating an address list with a large range of IPv6 addresses★
Links to More Info: BT952521
Component: Advanced Firewall Manager
Symptoms:
When trying to create a large IPv6 address-list IP range either via the GUI, tmsh, or from loading a previously saved config, MCPd will temporarily experience memory exhaustion and report an error "01070711:3: Caught runtime exception, std::bad_alloc"
Conditions:
When adding an IPv6 address range that contains a very large number of IPs. This does not affect IPv4.
Impact:
The IP address range cannot be entered. If upgrading from a non-affected version of TMOS where an IP range of this type has been saved to the config, a std::bad_alloc error will be printed when loading the config after upgrading.
Workaround:
Use CIDR notation or multiple, smaller IP ranges.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
951133-4 : Live Update does not work properly after upgrade★
Links to More Info: BT951133
Component: Application Security Manager
Symptoms:
After upgrading BIG-IP version the Live Update "Check for Update" button does not respond.
Conditions:
Upgrading from a version that did not have Live Update to a new version which includes Live Update
Impact:
Live Update can't query for new updates.
Workaround:
Restart tomcat process:
> bigstart restart tomcat
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4
950917-4 : Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034
Links to More Info: BT950917
Component: Application Security Manager
Symptoms:
Following Signature Update (-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:
01310027:2: subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )
Conditions:
Signature Update -SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.
Impact:
Apply policy fails.
Workaround:
You can use any of the following workarounds:
-- Install an older signature update -SignatureFile_20200917_175034
-- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.
-- Run the following SQL command to correct all affected policies on the device:
----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs INNER JOIN (select previous_enforced_rule_md5, policy_id, count(*) as mycount from PL_POLICY_NEGSIG_SIGNATURES where previous_enforced_rule_md5 != '' group by previous_enforced_rule_md5, policy_id having mycount > 1) as multi_sigs on policy_sigs.policy_id = multi_sigs.policy_id and policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5 SET policy_sigs.previous_enforced_rule_md5 = '', policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------
Fixed Versions:
17.0.0, 16.1.4, 15.1.4, 14.1.4.2, 13.1.4.1
950201-3 : Tmm core on GCP
Links to More Info: BT950201
Component: TMOS
Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.
TMM panic with this message in a tmm log file:
panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.
Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141
-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.
Note: Using either workaround has a performance impact.
Fix:
- Added error handling to prevent crashing when a bad packet gets received
- Added a new column 'invalid_header' into tmm/virtio_rx_stats table to track incidents
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
950149 : Add configuration to ccmode for compliance with the Common Criteria STIP PPM.
Links to More Info: BT950149
Component: TMOS
Symptoms:
To comply with configuration requirements for the Common Criteria STIP PPM, the ccmode script must be updated.
Conditions:
Required compliance with Common Criteria STIP PPM configuration.
Impact:
Without these updates, the BIG-IP will not be compliant with the Common Criteria STIP requirements.
Workaround:
Follow the instructions in the Common Criteria Guidance document.
Fix:
This fix added configuration elements for compliance to Common Criteria STIP PPM requirements.
Fixed Versions:
17.0.0, 16.1.3
950069-1 : Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record"
Links to More Info: BT950069
Component: Global Traffic Manager (DNS)
Symptoms:
When attempting to use zonerunner to edit a TXT record that contains a plus character, BIG-IP DNS presents the error message 'Resolver returned no such record'.
Conditions:
A TXT record exists with RDATA (the value of the TXT record) containing one or more + symbols
Impact:
Unable to edit the record.
Workaround:
Two workarounds available:
1. Use zonerunner to delete the record and then recreate it with the desired RDATA value
2. Manually edit the bind zone file (see K7032)
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1
949857-7 : Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync
948985-3 : Workaround to address Nitrox 3 compression engine hang
Links to More Info: BT948985
Component: Local Traffic Manager
Symptoms:
Occasionally the Nitrox3 compression engine hangs.
In /var/log/ltm:
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.
Conditions:
The BIG-IP system uses Nitrox 3 hardware compression chips: 5xxx, 7xxx, 12250, and B2250.
You can check if your platform has nitrox3 by running the following command:
tmctl -w 200 compress -s provider
provider
--------
bzip2
lzo
nitrox3 <--------
zlib
Impact:
The Nitrox3 hardware compression system becomes unavailable, and the compression mode switches to software compression. This can lead to high CPU usage.
Workaround:
Disable HTTP compression or use software compression.
Fix:
Added db key compression.nitrox3.dispatchsize to control the request size.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1
948241-4 : Count Stateful anomalies based only on Device ID
Links to More Info: BT948241
Component: Application Security Manager
Symptoms:
Currently when Device ID is enabled, the BIG-IP system counts stateful anomalies on both IP and Device ID. When a client has a proxy (without XFF), and many requests arrive with the same IP, this can cause false positives
Conditions:
- Bot Defense profile is attached to a virtual server.
- Bot Defense profile has "Browser Verification" set to "Verify After Access" or "Device ID Mode" set to "Generate After Access".
Impact:
False positives may occur in case of a proxy without XFF
Workaround:
None
Fix:
Stateful anomalies are no longer counted on IP when Device ID is enabled
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
948113-1 : User-defined report scheduling fails
Links to More Info: BT948113
Component: Application Visibility and Reporting
Symptoms:
A scheduled report fails to be sent.
An error message with the following format may appear on /var/log/avr/monpd.log file (some parts of the error message were replaced with '.....' in here to leave only the common parts):
DB|ERROR|....... Error (err-code 1054) executing SQL string :
.....
.....
.....
Because : Unknown column ....... in 'order clause'
Conditions:
1. Using predefined-report in scheduled-report.
2. Predefined-report has more than one measure.
3. Sort-by value is different from the first measure on predefined-report
Impact:
Internal error for AVR report for ASM pre-defined.
Workaround:
First, remount /usr to read-write:
mount -o remount,rw /usr
Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line:
push(@measures,@{$base_request->{measures}}[0]);
to this:
push(@measures,@{$base_request->{sort_by}}[0]->{measure});
The above can be achieved with the following script-line (please first backup the Client.pm file and then verify it changed it correctly):
sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm
Lastly, remount /usr back to read-only:
mount -o remount,ro /usr
Fix:
Using 'sort-by' measure when building PDF (instead of the first value on measure-list)
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
948065-1 : DNS Responses egress with an incorrect source IP address.
Links to More Info: BT948065
Component: Local Traffic Manager
Symptoms:
DNS responses over a certain size egress the BIG-IP with an incorrect source IP address set.
Conditions:
Large responses of ~2460 bytes from local BIND
Impact:
The response to the client appears to be coming from the wrong source IP address, and the request fails.
Workaround:
Change 'max-udp-size' in BIND to a smaller value reduces the size of response, which stops the fragmentation.
Note: This workaround has limitations, as some records in 'Additional Section' are truncated.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
947905-4 : Upgrade from 13.1.4, 14.1.4, or 15.1.1 to 14.0.x, 15.0.x, 16.0.0 or 16.0.0.1 fails★
Links to More Info: BT947905
Component: TMOS
Symptoms:
Loading configuration process fails after an upgrade from 13.1.4, 14.1.4, or 15.1.1 to release 14.0.0, 15.0.0, 16.0.0 or 16.0.0.1.
The system posts errors similar to the following:
-- info tmsh[xxxx]: cli schema (15.1.1) has been loaded from schema data files.
-- crit tmsh[xxxx]: 01420001:2: Can't load keyword definition (user-account.session_limit) : framework/SchemaCmd.cpp, line 825.
-- crit tmsh[xxxx]: 01420001:2: Can't load keyword definition (system-settings.ssh_max_session_limit) : framework/SchemaCmd.cpp, line 825
-- emerg load_config_files[xxxx]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Loading schema version: 15.1.1.
-- err mcpd[xxxx]: 01070422:3: Base configuration load failed.
-- Unexpected Error: "Can't load keyword definition (user-account.session_limit)".
-- Unexpected Error: "Can't load keyword definition (system-settings.ssh_max_session_limit)"
-- Syntax Error:(/config/bigip_user.conf at line: 10) "session-limit" unknown property
Conditions:
Upgrade from one of the following release:
-- v13.1.4 or later within the v13.1.x branch
-- v14.1.4 or later within the v14.1.x branch
-- v15.1.1 or later within the v15.1.x branch
to one of the following releases:
-- v14.0 through v14.1.3.1
-- v15.0 through v15.1.0.5
-- v16.0.0 and v16.0.0.1
Impact:
After upgrade, config does not load. The system hangs at the base configuration load failure status.
Workaround:
Although there is no workaround, you can avoid this issue by upgrading to the most recent maintenance or point release in v14.1.x, v15.1.x, or v16.x.
You can find a list of most current software releases in K5903: BIG-IP software support policy :: https://support.f5.com/csp/article/K5903
Fixed Versions:
16.1.3, 16.0.1
947341-4 : MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files.
Links to More Info: BT947341
Component: Application Security Manager
Symptoms:
1) var/lib/mysql/mysqld.err is filled with log entries that contain:
------------
200824 11:04:43 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
200824 11:18:46 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
200824 11:35:58 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
------------
2) There are a lot of PRX.REQUEST_LOG partitions, in some cases up to 1024, many of which are empty.
Conditions:
ASM/AVR provisioned
Impact:
MySQL runs out of resources when opening the file
PRX.REQUEST_LOG and an error message states the file is corrupt.
Workaround:
1. If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
https://support.f5.com/csp/article/K14956
https://support.f5.com/csp/article/K42497314
2. To identify the empty partitions, look into:
mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G"
3. For every partition that is empty, manually (or via shell script) execute this sql:
mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "ALTER TABLE PRX.REQUEST_LOG DROP PARTITION <empty_partition_name>;"
Note: <empty_partition_name> must be substituted with the partition name, for example p100001.
4. Increase 'open_files_limit' to '10000'.
--------------------------------
In the /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter to 10000.
2. Restart MySQL:
bigstart restart mysql
--------------------------------
5. pkill asmlogd
Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.
Fix:
This release increases the default 'open_files_limit' to '10000'.
Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.3, 14.1.4.1
947333-2 : Irrelevant content profile diffs in Policy Diff
Links to More Info: BT947333
Component: Application Security Manager
Symptoms:
Defense attributes' grayed out values are shown in the policy diff even if "any" is selected
Conditions:
-- Import a policy
-- Perform a policy diff
Impact:
Policy diff showing irrelevant diffs
Workaround:
None
Fix:
Removed grayed out diffs from policy diff content profile section
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1
946185-3 : Unable to view iApp component due to error 'An error has occurred while trying to process your request.'★
Links to More Info: BT946185
Component: TMOS
Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:
An error has occurred while trying to process your request.
Conditions:
-- With or without Partitions configured.
-- Navigate to GUI iApps :: Application Services : Applications, to view a custom iApp.
-- More likely to occur after upgrade.
Impact:
Unable to view/modify iApps via GUI iApps :: Application Services : Applications screen.
Workaround:
To reconfigure the iApp, do the following:
1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List
2. Click the Application Link :: Reconfigure.
Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.
Fix:
Viewing Application Service components now reports no errors in the GUI under these conditions.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
945853-4 : Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession
Links to More Info: BT945853
Component: Advanced Firewall Manager
Symptoms:
TMM crashes during a configuration change.
Conditions:
This occurs under the following conditions:
-- Create/modify/delete multiple virtual servers in quick succession.
-- Perform back-to-back config loads / UCS loads containing a large number of virtual server configurations.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes during a configuration change.
Fixed Versions:
16.1.3, 15.1.3
945357 : BIG-IP must be able to set CA=True when creating Certificate Signing Requests from TMSH.
Links to More Info: BT945357
Component: Local Traffic Manager
Symptoms:
A Certificate Signing Request (CSR) is generated on the BIG-IP device to be used to create a certificate. It is possible for the entity owning the just-created certificate to serve as a Certificate Authority (CA) and be able to issue certificates and private keys to other parties. However, that ability does not exist unless the certificate has the CA field set to True (by default it is set to False).
Conditions:
In the TMSH prompt on the Command Line Interface (CLI), an attempt is made to generate a Certificate Signing Request (CSR) to be used to eventually create a certificate and corresponding private key.
Impact:
Without this change, certificates and private keys generated on the BIG-IP device cannot be directly provided to certification authorities so they can be used to sign certificates they would issue to other parties.
Workaround:
This is a new facility, not provided before, and overcomes a limitation. Without this facility, existing users of the BIG-IP are not impacted at all. As such, there is no workaround applicable.
Fix:
This fix enables certificates and private keys generated on the BIG-IP device via CSR's to be directly provided to certification authorities for their use. Because the CA field is set to now True, this fix adds convenience for certification authorities.
Fixed Versions:
17.0.0, 16.1.3
944381-2 : Dynamic CRL checking for client certificate is not working when TLS1.3 is used.
Links to More Info: BT944381
Component: Local Traffic Manager
Symptoms:
In SSL reverse proxy, dynamic CRL checking for client certificate is not working when TLS 1.3 handshake is used.
The SSL handshake successfully completed even though the client certificate is revoked.
Conditions:
-- Dynamic CRL checking enabled on a client-ssl profile
-- The client-side SSL handshake uses TLS1.3.
Impact:
The handshake should fail but complete successfully
Fix:
The issue was due to Dynamic CRL revocation check has not been integrated to TLS 1.3.
After the Dynamic CRL checking is integrated to TLS 1.3, the TLS handshake will work as expected.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1
944121-4 : Missing SNI information when using non-default domain https monitor running in TMM mode.
Links to More Info: BT944121
Component: In-tmm monitors
Symptoms:
In-TMM https monitors do not send the SNI (Server Name Indication) information for non-default route domain pool members.
In-TMM monitors do not send any packet when TLS1.3 monitor is used.
Conditions:
-- SNI is configured in serverssl profile
-- serverssl profile is assigned to in-tmm https monitors
-- https monitors are monitoring pool members that are in a non-default route domain.
- Another Condition :
TLS1.3 Monitor is used
Impact:
The TLS connection might fail in case of SNI
No SYN packet is sent in case of TLS1.3 monitor
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
943669-4 : B4450 blade reboot
Links to More Info: BT943669
Component: TMOS
Symptoms:
In a rare scenario, a B4450 blade suddenly reboots.
Conditions:
This occurs when there is heavy traffic load on VIPRION B4450 blades. The root cause is unknown. It happens extremely rarely.
Impact:
Traffic disrupted while the blade reboots.
Workaround:
None.
Fix:
The system now monitors the pause frames and reboots when needed.
Fixed Versions:
16.1.2.2, 15.1.2
943577-1 : Full sync failure for traffic-matching-criteria with port list under certain conditions
Links to More Info: BT943577
Component: TMOS
Symptoms:
Performing a full configuration sync with traffic-matching-criteria (TMC) under specific conditions fails with errors similar to:
err mcpd[6489]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[6489]: 01071488:3: Remote transaction for device group /Common/Failover to commit id 245 6869100131892804717 /Common/tmc-sync-2-bigip1.test 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..
Conditions:
This may occur on a full-load config sync (not an incremental sync)
On the device receiving the ConfigSync:
- a traffic-matching-criteria is attached to a virtual server
- the traffic-matching-criteria is using a port-list
On the device sourcing the ConfigSync:
- the same traffic-matching-criteria is attached to the same virtual server
- the original port-list is modified (e.g. a description is changed)
- the TMC is changed to reference a _different_ port-list
Impact:
Unable to sync configurations.
Workaround:
Copy the "net port-list" and "ltm traffic-matching-criteria" objects from the source to target system, merge them with "tmsh load sys config merge", and then perform a force-full-load-push sync from source to target.
If the BIG-IP systems are using device groups with auto-sync enabled, disable auto-sync temporarily while performing this workaround.
1. On the source system (the system whose configuration you want to sync to peer), save the configuration and extract the ltm traffic-matching-criteria and port-lists:
tmsh save sys config
(shopt -s nullglob; echo "#"; echo "# $HOSTNAME"; echo "# generated $(date +"%F %T %z")"
cat /config{/partitions/*,}/bigip{_base,}.conf |
awk '
BEGIN { p=0 }
/^(ltm traffic-matching-criteria|net port-list) / { p=1 }
/^}/ { if (p) { p=0; print } }
{ if (p) print; }
' ) > /var/tmp/portlists-and-tmcs.txt
2. Copy /var/tmp/portlists-and-tmcs.txt to the target system
3. On the target system, load that file:
tmsh load sys config replace file /var/tmp/portlists-and-tmcs.txt
3a. If loading the config file on the target system fails with the same error message seen during a ConfigSync, follow the procedure in
K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
tmsh save sys config
clsh touch /service/mcpd/forceload
clsh reboot
4. On the source system, force a full-load sync to the device-group:
tmsh run cm config-sync force-full-load-push to-group <name of sync-group>
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
943109-4 : Mcpd crash when bulk deleting Bot Defense profiles
Links to More Info: BT943109
Component: TMOS
Symptoms:
When bulk deleting a large number of Bot Defense profiles (around 450 profiles) using TMSH, mcpd could crash.
Conditions:
This can be encountered during bulk delete of Bot Defenese profiles via tmsh.
Impact:
Crash of mcpd causing failover.
Workaround:
Delete the Bot Defense profiles in smaller batches to avoid the possible crash.
Fix:
There is no longer a crash of mcpd when deleting a large number of Bot Defense in a bulk using TMSH.
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5
942617-2 : Heading or tailing white spaces of variable are not trimmed in configuration utility System Variable
Links to More Info: BT942617
Component: Application Security Manager
Symptoms:
Bot Defense does not accept the system variables with heading or tailing white space.
Conditions:
Create a system variable with heading or tailing white space in,
Security ›› Options : Application Security : Advanced Configuration : System Variables
Impact:
The HttpOnly cookie attribute is configured, but does not appear in TSCookie.
Workaround:
Create the system variables even with whitspaces through CLI, it omits the blank space from system variable name.
Fix:
Trim() to delete the whitspaces.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
941625-3 : BD sometimes encounters errors related to TS cookie building
Links to More Info: BT941625
Component: Application Security Manager
Symptoms:
BD sometimes print errors related to TS cookie building when receiving ASM cookies with account_id:
-- BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040.
-- IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.
Conditions:
-- Cookie protection is enabled.
-- The BIG-IP software is upgraded from a version that was earlier than 15.1.x.
Impact:
The cookie is not built and an error is logged.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4
940261-1 : Support IPS package downloads via HTTP proxy.
Links to More Info: BT940261
Component: Protocol Inspection
Symptoms:
IPS package download via HTTP proxy does not work.
2021-08-31 16:59:59,793 WARNING Download file failed. Retrying.
--
The error repeats continuously.
Conditions:
-- The global db key 'sys management-proxy-config' is configured
-- An IPS download is triggered
Impact:
The IPS IM package fails to download.
Workaround:
No workaround.
Fix:
IPS package downloads can now be successfully performed through an HTTP proxy.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
940225-4 : Not able to add more than 6 NICs on VE running in Azure
Links to More Info: BT940225
Component: TMOS
Symptoms:
Azure BIG-IP Virtual Edition (VE) with more than 6 NICs fails to boot.
Conditions:
-- Standard_DS4_v2 Azure instance type.
-- Mellanox ConnectX-3 ethernet controller.
-- A greater-than-2-NIC template is used, for example https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/standalone/n-nic/existing-stack/byol with "numberOfAdditionalNics" set.
-- Accelerated networking is enabled on two or more NICs.
Impact:
Not able to boot BIG-IP VM with 8 NICs, which should be supported for Standard_DS4_v2 instance type:
8 vCPU
28 GiB
8 Max NICs
Adding more NICs to the instance makes the device fail to boot.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
939877-3 : OAuth refresh token not found
Links to More Info: BT939877
Component: Access Policy Manager
Symptoms:
When an OAuth client sends a refresh token to renew the access token, BIG-IP reports an error:
err tmm[13354]: 01990004:3: /Common/my_OAuth_v1:Common: Request Refresh Token from Source ID ... failed. Error Code (id_not_found) Error Description (The refresh token is not found)
Conditions:
-- The refresh token expiration interval is longer than authcode and accesstoken.
-- The Authorization code table entry does not exist because of an internal clearing/purging operation.
-- tmm restarts or failover to standby thus losing refresh-token value from primarydb
Impact:
OAuth APM client end user fails to renew the access token even with a valid refresh token.
Workaround:
Clear/reset the Authorization code column value manually:
As a root user run below BIG-IP shell
(tmos)# list apm oauth db-instance
apm oauth db-instance oauthdb { db-name <db_name> description "Default OAuth DB." }
Copy the value corresponding to <db_name>.
Log into mysql from the bash prompt:
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw)
mysql> use <db_name>;
mysql> update master set auth_code = NULL where refresh_token='affected_refresh_token_id';
(Substitute the affected refresh token ID with affected_refresh_token_id in the previous command.)
Fix:
Do not report error if the Authorization code does not exist when a valid refresh-token/access-token exists.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4, 14.1.4.4
939757-8 : Deleting a virtual server might not trigger route injection update.
Links to More Info: BT939757
Component: TMOS
Symptoms:
When multiple virtual servers share the same virtual address, deleting a single virtual server might not trigger a route injection update.
Conditions:
-- Multiple virtual servers sharing the same destination address
-- One of the virtual servers is deleted
Impact:
The route remains in the routing table.
Workaround:
Disable and re-enable the virtual address after deleting a virtual server.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
937649-4 : Flow fwd broken with statemirror.verify enabled and source-port preserve strict
Links to More Info: BT937649
Component: Local Traffic Manager
Symptoms:
Flow forwarding does not work with statemirror.verify enabled and source-port is preserve strict. Depending on the number of tmms and the IP addresses/ports on the network, this causes return traffic to get dropped.
Traffic captures show packets leaving the BIG-IP system on one tmm and being returned on another. The return traffic that encounters the second tmm is dropped.
Conditions:
-- Mirroring is enabled.
-- High availability (HA) peer is connected.
-- The source-port setting is preserve-strict.
-- The statemirror.verify option is enabled.
-- There is more than one tmm.
Impact:
Server-side return traffic to the BIG-IP is dropped. This causes connection timeouts and resets.
Workaround:
-- Disable statemirror.verify, disable source-port preserve-strict, disable mirroring.
-- On BIG-IP Virtual Edition (VE), add the following to tmm_init.tcl on both units and restart tmm:
ndal ignore_hw_dag yes
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
936501-1 : Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled
Links to More Info: BT936501
Component: TMOS
Symptoms:
When attempting to Export/Import a file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf via SCP, you receive an error dialog:
"file not allowed"
Conditions:
-- fips140 or common criteria mode enabled
-- Export/Import file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf
Impact:
Import/Export file using scp tool from/to the BIG-IP file path(s) /var/local/ucs or /var/local/scf not allowed when fips140 or cc mode enabled even if the file is encrypted.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.9
936441-7 : Nitrox5 SDK driver logging messages
Links to More Info: BT936441
Component: Local Traffic Manager
Symptoms:
The system kernel started spontaneously logging messages at an extremely high rate (~3000 per second):
Warning kernel: EMU(3)_INT: 0x0000000000000020
warning kernel: sum_sbe: 0
warning kernel: sum_dbe: 0
warning kernel: sum_wd: 0
warning kernel: sum_gi: 0
warning kernel: sum_ge: 0
warning kernel: sum_uc: 1
The above set of messages seems to be logged at about 2900-3000 times a second.
These messages continue after TMM fails its heartbeat and is killed. The system is rebooted by the host watchdog.
Conditions:
These messages are triggered by Nitrox5 driver when EMU microcode cache errors corrected by hardware.
Impact:
High rate of logging messages. The tmm heartbeat eventually fails, and tmm is restarted. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
936093-5 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline
Links to More Info: BT936093
Component: TMOS
Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.
Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.
Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.
Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:
/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr
This can be accomplished using a command such as:
truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
935945-2 : GTM HTTP/HTTPS monitors cannot be modified via GUI
Links to More Info: BT935945
Component: Global Traffic Manager (DNS)
Symptoms:
GUI reports an error when modifying DNS/GTM HTTP/HTTPS monitors:
01020036:3: The requested monitor parameter (/Common/http-default 2 RECV_STATUS_CODE=) was not found.
Conditions:
RECV_STATUS_CODE has never been set for the DNS/GTM HTTP/HTTPS monitors.
Impact:
Not able to make changes to DNS/GTM HTTP/HTTPS monitors through GUI.
Workaround:
If 'recv-status-code' has never been set, use tmsh instead.
Note: You can set 'recv-status-code' using tmsh, for example:
tmsh modify gtm monitor http http-default recv-status-code 200
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
935249-3 : GTM virtual servers have the wrong status
Links to More Info: BT935249
Component: Global Traffic Manager (DNS)
Symptoms:
GTM virtual servers have the wrong status (up when they should be down, or down when they should be up).
Conditions:
-- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching.
-- The status code (for example, 200) being searched for in the response appears elsewhere than in the first line (for example, in a following header).
Impact:
The system incorrectly matches the status code in a response line which is not the Status-Line. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions.
Workaround:
You can work around this issue by not performing HTTP status matching in your HTTP/HTTPS GTM monitors.
Fix:
The HTTP status code is now correctly searched only in the first line of the response.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5
935193-4 : With APM and AFM provisioned, single logout ( SLO ) fails
Links to More Info: BT935193
Component: Local Traffic Manager
Symptoms:
SAML Single log out (SLO) fails on BIG-IP platforms. The SAML module on the BIG-IP system reports following error messages:
-- SAML SSO: Error (12) Inflating SAML Single Logout Request
-- SAML SSO: Error (12) decoding SLO message
-- SAML SSO: Error (12) extracting SAML SLO message
Conditions:
Failures occur with Redirect SLO.
Impact:
SAML single logout does not work.
Workaround:
Use POST binding SLO requests.
Fixed Versions:
17.0.0, 16.1.4, 15.1.10
935177-3 : IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm
Links to More Info: BT935177
Component: TMOS
Symptoms:
TMM crashes when the maximum transmission unit (MTU) or 'Use PMTU' setting is changed while passing IPsec traffic.
Conditions:
-- IPsec tunnel configured and passing traffic.
-- The MTU or 'Use PMTU' setting for the IPsec tunnel (in interface mode) is changed.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not change MTU or PMTU settings for the tunnel while it is passing traffic.
The settings can be changed while passing traffic, but TMM may crash very soon after the change. If the settings are changed and TMM does not crash soon after, then it will not spontaneously crash at some later point.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
934697-5 : Route domain is not reachable (strict mode)
Links to More Info: BT934697
Component: Local Traffic Manager
Symptoms:
Network flows are reset and following errors are found in /var/log/ltm:
Route domain not reachable (strict mode).
Conditions:
This might occur in either one of the following scenarios:
Scenario 1
==========
-- LTM with iRules configured.
-- The iRule directs traffic to a node that is in a route domain.
or
Scenario 2
==========
-- LTM with an LTM policy configured.
-- The policy directs traffic to a node that is in a route domain.
Other
=====
Tunnel scenario's such as IPSec where client and encrypted traffic are in different route domains.
Impact:
Traffic is not sent to the node that is in a route domain.
The iRule 'node' method and/or LTM policy 'node' specification require a route_domain to be specified in order for the traffic to be sent to a node that is assigned to a route domain.
Workaround:
Specify the node along with Route Domain ID.
-- For iRules, change from this:
when HTTP_REQUEST {
node 10.10.10.10 80
}
To this (assuming route domain 1):
when HTTP_REQUEST {
node 10.10.10.10%1 80
}
-- For LTM policies, change from this:
actions {
0 {
forward
select
node 10.2.35.20
}
}
To this (assuming route domain 1):
actions {
0 {
forward
select
node 10.2.35.20%1
}
}
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5
932485-5 : Incorrect sum(hits_count) value in aggregate tables
Links to More Info: BT932485
Component: Application Visibility and Reporting
Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.
Conditions:
-- Insert a very large amount of data (approximately 4.5 milliard or more) to one of AVR tables.
-- Review the value of the sum(hits_count) column.
Impact:
The system reports incorrect values in AVR tables when dealing with large numbers
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
932137-7 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade
Links to More Info: BT932137
Component: Application Visibility and Reporting
Symptoms:
After upgrade, AFM statistics show non-relevant data.
Conditions:
BIG-IP system upgrade
-- Leftovers files remain in /shared/avr_afm partition from other versions.
Impact:
Non-relevant data are shown in AFM statistics.
Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
932133-1 : Payloads with large number of elements in XML take a lot of time to process
Links to More Info: BT932133
Component: Application Security Manager
Symptoms:
ASM experiences high CPU and latency usage while processing a large XML request.
Conditions:
-- ASM provisioned
-- HTTP request with a large XML payload (several MB) is sent to the backend server which triggers the XML parser.
Impact:
High CPU and latency occurs while bd processes the payload. This may cause a bottleneck for different requests that arrive concurrently with the large XML payload request.
Workaround:
None
Fix:
This fix includes performance improvements for large XML payloads.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
930393-2 : IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration
Links to More Info: BT930393
Component: TMOS
Symptoms:
-- IPsec tunnel does not start.
-- Remote IPsec networks unavailable.
Conditions:
-- Using IKEv1 and one of the following:
+ Performing an upgrade.
+ IPsec tunnel reconfiguration generally involving a change to, or addition of, a traffic-selector.
Impact:
IPsec tunnel is down permanently.
Workaround:
-- Reconfigure or delete and re-create the traffic selectors associated with the IPsec tunnel that does not start.
Special Notes:
-- This occurs rarely and does not happen spontaneously, without intentional changes (reconfiguration or upgrade).
-- A BIG-IP reboot or a restart of tmipsecd does not resolve this condition.
-- This symptom might also occur due to a genuine misconfiguration.
-- After major version upgrades, default ciphers can change, double-check the encryption and authentication ciphers for the tunnel.
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
929913-3 : External DNS logging does not differentiate between: all src_IP, Per-SrcIP and Per-DstIP events
Links to More Info: BT929913
Component: Advanced Firewall Manager
Symptoms:
DNS logs on LTM side do not print the all src_IP, per-srcIP, etc.
Conditions:
-- DNS logging is enabled
-- A DNS flood is detected
Impact:
Some information related to DNS attack event is missing such as src_IP, Per-SrcIP and Per-DstIP events.
Fix:
DNS now logs all src_IP, Per-SrcIP and Per-DstIP events.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
929909-3 : TCP Packets are not dropped in IP Intelligence
Links to More Info: BT929909
Component: Advanced Firewall Manager
Symptoms:
When an IP address is added to IP Intelligence under Denial-Of_service Category at a global level, and a TCP flood with that IP address occurs, IP Intelligence does not drop those packets
Conditions:
TCP traffic on BIG-IP with IP Intelligence enabled and provisioned
Impact:
When adding an IP address to an IP Intelligence category, UDP traffic from that IP address is dropped, but TCP traffic is not dropped.
Fix:
When adding an IP address to an IP Intelligence category, both TCP and UDP traffic from that IP address is dropped.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
929213-2 : iAppLX packages not rolled forward after BIG-IP upgrade★
Links to More Info: BT929213
Component: Device Management
Symptoms:
Certain iAppLX packages are not rolled forward after a BIG-IP upgrade or restoring a UCS file generated from an affected system, and will be unavailable for use.
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm
Conditions:
-> Installing any of the below iAppLX packages
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm
-> Performing an upgrade
-> Trying to access the LX packages from GUI by navigating to iApps -> Package Management LX
Impact:
After upgrading or restoring a UCS file generated from an affected system, the cloud-failover, service discovery, and telemetry iAppLX apps are not available for use, and will result in 404 error, while accessing them from GUI
Workaround:
The package needs to be uninstalled and installed again for use.
Steps:
-> From GUI, Navigate to iApps -> Package Management LX
-> select the package to uninstall and click on Uninstall
-> click on Import and provide the path of package to install again
Fix:
A new database key has been added, 'sys db iapplxrpm.timeout', which allows the RPM build timeout value to be increased.
sys db iapplxrpm.timeout {
default-value "60"
scf-config "true"
value "60"
value-range "integer min:30 max:600"
}
For example:
tmsh modify sys db iapplxrpm.timeout value 300
tmsh restart sys service restjavad
Increasing the db key and restarting restjavad should not be traffic impacting.
After increasing the timeout, the RPM build process that runs during a UCS save should be successful, and the resulting UCS should include the iAppsLX packages as expected.
Note: The maximum db key value of 600 may be needed in some cases.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
929077-4 : Bot Defense allow list does not apply when using default Route Domain and XFF header
Links to More Info: BT929077
Component: Application Security Manager
Symptoms:
When configuring an IP address allow list in Bot Defense Profile, using a default Route Domain, and a request with an X-Forwarded-For header the request might not be added to the allow list.
Conditions:
-- Bot Defense Profile is attached to virtual server.
-- Bot Defense Profile has an IP address allow list configured.
-- Using default Route Domain.
-- Sending a request with X-Forwarded-For header.
-- Might require heavy traffic.
Impact:
Request from an IP address that is on the allow list is blocked.
Workaround:
Allow the IP address using an iRule.
Fix:
The system now sets the correct route domain, and IP addresses on the allow list are allowed.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.1, 15.1.3, 14.1.4
928997-3 : Less XML memory allocated during ASM startup
Links to More Info: BT928997
Component: Application Security Manager
Symptoms:
Smaller total_xml_memory is selected during ASM startup.
For example, platforms with 32GiB or more RAM should give ASM 1GiB of XML memory, but it gives 450MiB only. Platform with 16MiB should give ASM 450MiB but it gives 300MiB.
Conditions:
Platforms with 16GiB, 32GiB, or more RAM
Impact:
Less XML memory allocated
Workaround:
Use this ASM internal parameter to increase XML memory size.
additional_xml_memory_in_mb
For more details, refer to the https://support.f5.com/csp/article/K10803 article.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
926845-7 : Inactive ASM policies are deleted upon upgrade
Links to More Info: BT926845
Component: Application Security Manager
Symptoms:
Upon upgrade, active ASM policies are preserved, and inactive policies are deleted.
Conditions:
-- Configuration contains active and inactive ASM policies.
-- Upgrade the BIG-IP system to any later version.
-- You can check existing ASM policies in tmsh:
tmsh list asm policy
Impact:
Only the active ASM policies are preserved; the inactive policies are deleted.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
926341-5 : RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade★
Links to More Info: BT926341
Component: Application Visibility and Reporting
Symptoms:
Unusually high AVR CPU utilization occurs following an upgrade.
Conditions:
-- BIG-IP software upgrade to v13.0.x or later.
-- Running AVR.
Impact:
AVR CPU utilization can be unusually high for an unusually long period of time.
Workaround:
After upgrade manually edit /etc/avr/avrd.cfg to decrease AVR CPU usage is high by increasing the time period of real-time statistics collection. In order to do so:
1. Change value of RtIntervalSecs in /etc/avr/avrd.cfg file to 30 or 60 seconds.
2. Restart the system by running the following command at the command prompt:
bigstart restart.
When changing RtIntervalSecs please take into consideration two important limitations:
-- Value of RtIntervalSecs cannot be less than 10.
-- Value of RtIntervalSecs must be 10 on BIG-IP devices that are registered on BIG-IQ DCD nodes.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.4, 14.1.4.4, 13.1.5
925469-2 : SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo
Links to More Info: BT925469
Component: TMOS
Symptoms:
When using the Certificate Order Manager to request new Multi-Domain certificate from the Sectigo Certificate Authority (CA), the request the BIG-IP sends is missing the field 'subjectAltName'.
Conditions:
-- Certificate Order Manager is configured to send requests to the Comodo/Sectigo CA.
-- Configure a new key with Subject Alternative Name (SAN).
Impact:
The BIG-IP system sends a request to the Sectigo CA that is missing the 'subjectAltName' field. That makes Certificate Order Manager not suitable for requesting Multi-Domain certificates.
Workaround:
There is no workaround other than not using Certificate Order Manager for Multi-Domain certificates.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
924945-5 : Fail to detach HTTP profile from virtual server
Links to More Info: BT924945
Component: Application Visibility and Reporting
Symptoms:
The virtual server might stay attached to the initial HTTP profile.
Conditions:
Attaching new HTTP profiles or just detaching an existing one.
Impact:
The virtual server stays attached to the former HTTP profile, meaning that the virtual server might be attached to a different HTTP profile than what the GUI displays. Configuration changes to the HTTP profile the GUI shows as attached are not reflected in the virtual server. For example, the new HTTP profile might enable XFF, but if the former attached profile does not enable it, the virtual server does not accept XFF.
Workaround:
Create new similar virtual server and attach it to the correct HTTP profile.
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.3
923821-1 : Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack
Links to More Info: BT923821
Component: Application Security Manager
Symptoms:
When mitigated action is set to CSI followed by captcha for credential stuffing attack, captcha is not triggered even after successful CSI challenge.
Conditions:
1) Mitigated action is set to CSI followed by captcha for credential stuffing attack.
2) Credential stuffing attack occurs.
3) CSI challenge is success.
Impact:
Captcha is not triggered leading to less than configured mitigation action for credential stuffing attack.
Workaround:
None
Fix:
Captcha will now be triggered after successful CSI challenge.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
923221-8 : BD does not use all the CPU cores
Links to More Info: BT923221
Component: Application Security Manager
Symptoms:
Not all CPUs are utilized. The CPUs that are not loaded are those with ID greater than 31.
Conditions:
BIG-IP software is installed on a device with more than 32 cores.
Impact:
ASM does not use all of the available CPU cores.
Workaround:
Run the following commands from bash shell.
1. # mount -o remount,rw /usr
2. Modify the following file on the BIG-IP system:
/usr/local/share/perl5/F5/ProcessHandler.pm
Important: Make a backup of the file before editing.
3. Change this:
ALL_CPUS_AFFINITY => '0xFFFFFFFF',
To this:
ALL_CPUS_AFFINITY => '0xFFFFFFFFFFFF',
4. # mount -o remount,ro /usr
5. Restart the asm process:
# bigstart restart asm.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
922737-1 : TMM crashes with a sigsegv while passing traffic
Links to More Info: BT922737
Component: SSL Orchestrator
Symptoms:
TMM crashes with a sigsegv while passing traffic.
Conditions:
Virtual server with a Connector profile that redirects to an internal virtual server with service profile applied on the same BIG-IP system.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
922413-8 : Excessive memory consumption with ntlmconnpool configured
Links to More Info: BT922413
Component: Local Traffic Manager
Symptoms:
OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client side connections. It holds HTTP authentication headers which is no longer necessary once a client is authenticated.
Conditions:
-- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles.
-- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections.
Impact:
The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing.
Workaround:
None.
Fix:
When an NTLM Conn Pool profile is attached to a virtual server, it no longer causes memory pressure on a large number connections with NTLM authentication.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
922185-3 : LDAP referrals not supported for 'cert-ldap system-auth'★
Links to More Info: BT922185
Component: TMOS
Symptoms:
Admin users are unable to log in.
Conditions:
-- Remote LDAP auth enabled.
-- Administrative users are authenticated with the 'cert-ldap' source.
-- The admin user tries to log in.
Impact:
The cert-ldap authentication does not work, so login fails.
Workaround:
Manually edit the /etc/nslcd.conf and set the referrals to no.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
922105-1 : Avrd core when connection to BIG-IQ data collection device is not available
Links to More Info: BT922105
Component: Application Visibility and Reporting
Symptoms:
When a BIG-IP system is configured to work with BIG-IQ but cannot connect due to network problems, avrd restarts itself every 10 minutes. During such restarts, a core is sometimes generated.
Conditions:
BIG-IP system is registered on BIG-IQ, but there is no network connectivity for any number of reasons.
Impact:
No impact since there is no network connectivity with BIG-IQ, and the data from the BIG-IP system cannot be sent anywhere.
Workaround:
Attempts to connect to BIG-IQ can be disabled manually by the following command:
tmsh modify analytics global-settings use-offbox disabled
Fix:
Avrd no longer cores when the connection to the BIG-IQ data collection device is not available.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
921697-1 : Attack signature updates fail to install with Installation Error.★
Links to More Info: BT921697
Component: Application Security Manager
Symptoms:
Installing a new Attack Signature Update (ASU) file on ASM/AWAF device that has large number of active policies can result in a failure due to memory exceptions. The following errors can be observed:
/var/log/ts/asm_config_server.log:
F5::ASMConfig::Handler::handle_error,,Code: 406 , Error message = Process size (232341504) has exceeded max size (200000000)
/var/log/asm
crit perl[19751]: 01310027:2: ASM subsystem error (apply_asm_attack_signatures ,F5::LiveUpdate::PayloadHandler::clean_fail): Fail load update files: TSocket: timed out reading 1024 bytes from n.n.n.n:9781
Conditions:
1. Adding and activating a large number of policies on a BIG-IP system configured with ASM/AWAF. It is not known exactly how many policies are required to encounter this, but it appears to be between 50 and 90 where this becomes a risk.
2. Installing a new ASU file
Impact:
The attack signature update fails.
Workaround:
Impact of workaround:
Performing this workaround requires restarting ASM, so it affects traffic processing briefly; therefore, it is recommended that you perform this during a maintenance window.
Increase 'max memory size' from the default ~200 MB (200000000) to 300 MB:
1. Take a backup of the original file.
# cp /etc/ts/tools/asm_config_server.cfg /var/tmp/asm_config_server.original.cfg
2. Add the following to the end of file /etc/ts/tools/asm_config_server.cfg:
# AsyncMaxMemorySize=314572800
3. Restart ASM.
# bigstart restart asm
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.6
921541-6 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.
Links to More Info: BT921541
Component: Local Traffic Manager
Symptoms:
The HTTP session initiated by curl hangs.
Conditions:
-- The problem occurs when the file to be compressed meets the following criteria:
-- The following platforms with Intel QAT are affected:
+ B4450N (A114)
+ i4000 (C115)
+ i10000 (C116/C127)
+ i7000 (C118)
+ i5000 (C119)
+ i11000 (C123)
+ i11000 (C124)
+ i15000 (D116)
-- File size to be compressed is less than compression.qat.dispatchsize.
-- File size to be compressed is one of specific numbers from this list: 65535, 32768, 16384, 8192, 4096.
Impact:
Connection hangs, times out, and resets.
Workaround:
Use software compression.
Fix:
The HTTP session hang no longer occurs.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
921441-4 : MR_INGRESS iRules that change diameter messages corrupt diam_msg
Links to More Info: BT921441
Component: Service Provider
Symptoms:
-- 'DIAMETER::host origin' command may not be set correctly.
There are errors in ltm/log:
err tmm[18562]: 014c0001:3: DIAMETER: hud_diam_handle error: Not found
Conditions:
-- Virtual server is configured with a diameter profile enabled with an ingress iRule, for example:
ltm rule Diameter - iRule {
when MR_INGRESS {
DIAMETER:: host origin "hostname.realm.example"
}
}
-- Traffic arrives containing CER and ULR messages.
Impact:
Using the iRule to change the host origin corrupts the diameter message.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
921365-2 : IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby
Links to More Info: BT921365
Component: TMOS
Symptoms:
IKE-SAs are deleted on standby BIG-IP systems after a failover.
Conditions:
-- High availability (HA) environment
-- Dead-peer detection (DPD) / liveness checks are enabled
-- An HA failover occurs
This is a timing issue and can occur intermittently during a normal failover.
Impact:
Some of the IKE-SAs are missing on the standby device. When a failover happens, IPsec traffic will be dropped for those missing SAs.
Workaround:
Set IKE DPD interval time to ZERO (i.e., disable).
Fix:
When the BIG-IP system is in standby mode, the system no longer retries sending IKE/IPSEC control messages, which prevents this issue from occurring.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4
921149-6 : After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy
Links to More Info: BT921149
Component: TMOS
Symptoms:
All Bandwidth Controller (BWC) stats are 0 (zero) even though traffic is passing.
Conditions:
-- A BWC policy is attached to a virtual server.
-- The virtual server with the attached BWC policy is modified.
Impact:
The system disassociates the BWC policy from the virtual server. Traffic is no longer throttled according to the policy rules.
Workaround:
To reattach the policy, detach the Bandwidth Controller policy from the virtual server, and then reapply it.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
920149-3 : Live Update default factory file for Server Technologies cannot be reinstalled
Links to More Info: BT920149
Component: Application Security Manager
Symptoms:
Live Update default factory file for Server Technologies cannot be reinstalled once it is no longer the currently installed update file.
Conditions:
This occurs:
-- Once another update file for Server Technologies has been installed (most likely, a newer file).
-- If the device has been upgraded from a prior release such that the currently installed Server Technologies file is from the previous release, and is not the default factory file for the current release.
Impact:
Live Update default factory file for Server Technologies cannot be reinstalled.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4
919301-1 : GTP::ie count does not work with -message option
Links to More Info: BT919301
Component: Service Provider
Symptoms:
The 'GTP::ie count' iRule command does not work with the -message option. The command fails with an error:
wrong # args: should be "-type <ie-path>"
Conditions:
Issue the 'GTP::ie count' command with -message command, for example:
GTP::ie count -message $m -type apn
Impact:
iRules fails and it could cause connection abort.
Workaround:
Swap order of argument by moving -message to the end, for example:
GTP::ie count -type apn -message $m
There is a warning message due to iRules validation, but the command works in runtime.
Fix:
'GTP::ie' count is now working with -message option.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
915773-7 : Restart of TMM after stale interface reference
Links to More Info: BT915773
Component: Local Traffic Manager
Symptoms:
An assert is reported in the logs:
panic: ../net/ifc.c:975: Assertion "ifc ref valid" failed.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
913413-1 : 'GTP::header extension count' iRule command returns 0
Links to More Info: BT913413
Component: Service Provider
Symptoms:
The 'GTP::header extension count' iRule command always returns 0 (zero).
Conditions:
This is encountered when using 'GTP::header extension count' in an iRule.
Impact:
The command returns false information.
Workaround:
None
Fix:
'GTP::header extension count' command now returns number of header extension correctly.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913409-1 : GTP::header extension command may abort connection due to unreasonable TCL error
Links to More Info: BT913409
Component: Service Provider
Symptoms:
When running "GTP::header extension" iRule command with some conditions, it may cause a TCL error and abort the connection.
Conditions:
Running "GTP::header extension" iRule command is used with some specific arguments and/or specific condition of GTP message
Impact:
TCL error log is shown and connection is aborted
Workaround:
None
Fix:
GTP::header extension command no longer abort connection due to unreasonable TCL error
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913393-1 : Tmsh help page for GTP iRule contains incorrect and missing information
Links to More Info: BT913393
Component: Service Provider
Symptoms:
In the tmsh help page for the GTP iRule command, it contains incorrect and missing information for GTP::header and GTP::respond command.
Conditions:
When running "tmsh help ltm rule command GTP::header", information regarding GTP::header and GTP::respond iRule command may be incorrect or missing.
Impact:
User may not be able to use related iRule command properly.
Workaround:
None
Fix:
Tmsh help page for GTP iRule is updated
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913085-6 : Avrd core when avrd process is stopped or restarted
Links to More Info: BT913085
Component: Application Visibility and Reporting
Symptoms:
When the avrd process is stopped or restarted, it fails with core before the exit. A core file with the name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in /shared/cores/ directory.
Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.
Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.
Workaround:
None.
Fix:
Avrd no longer cores when avrd process is stopped or restarted.
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
912945-3 : A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed
Links to More Info: BT912945
Component: Local Traffic Manager
Symptoms:
In a virtual configured with multiple client SSL profiles, the profile with ECDSA-signed cert is not selected even though its CN/SAN matching the SNI extension of ClientHello.
Conditions:
-- A virtual server with multiple client SSL profiles.
-- The SNI of,,lientHello does not match the 'server name' of any profile.
-- The cert in the profile is ECDSA-signed and its CN/SAN matches SNI extension of ClientHello.
-- That profile in is not selected.
Impact:
The incorrect client SSL profile is selected.
Workaround:
Configure the 'Server Name' option in the client SSL profile.
Fix:
Fixed an issue with client SSL profile selection.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4
912517-7 : Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured
Links to More Info: BT912517
Component: Local Traffic Manager
Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.
Conditions:
-- An LTM pool or pool members is configured to use an LTM database (MySQL, MSSQL, Oracle, or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.
Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.
Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).
Fix:
For BIG-IP versions prior to 17.0.0, a database monitor no longer marks pool member down if 'send' is configured but no 'receive' strings are configured.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
912253-2 : Non-admin users cannot run show running-config or list sys
Links to More Info: BT912253
Component: TMOS
Symptoms:
Lower-privileged users, for instance guests or operators, are unable to list the configuration in tmsh, and get an error:
Unexpected Error: Can't display all items, can't get object count from mcpd.
The list /sys or list /sys telemd commands trigger the following error:
01070823:3: Read Access Denied: user (oper) type (Telemd configuration).
Conditions:
User account with a role of guest, operator, or any role other than admin.
Impact:
You are unable to show the running config, or use list or list sys commands.
Workaround:
Logon with an account with admin access.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
912149-7 : ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476'
Links to More Info: BT912149
Component: Application Security Manager
Symptoms:
The system exhibits various symptoms related to sync and control plane, and reports errors similar to the following:
/var/log/:
asm:
-- (asm_config_server.pl,F5::Cgc::Channel::send): Failed to send a message, error:15638476.
ts_debug.log:
-- |ZEROMQ|May 21 23:27:31.840|24813|25914|25914|epoll.cpp:0060|~epoll_t()|(zmq_assert) Assertion failed: load.get () == 0
Conditions:
-- Two devices in a sync-failover/sync-only device group.
-- Other conditions required to reproduce this issue are under investigation.
Note: The occurrences of the Cgc::Channel message in the /var/log/ and /var/log/ts/asm_config_server logs are the most reliable indicator of this issue.
Impact:
-- Config-sync does not work, resulting in a different configuration among the devices in a sync group.
-- Security log profile changes are not propagated to other devices.
-- Portions of the GUI hang, e.g.: Security module tab, and 'security' menu under virtual server.
-- Policies with learning enabled do not generate learning suggestions.
Workaround:
Restart asm_config_server on the units in the device group.
# pkill -f asm_config_server
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
911585-5 : PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval
Links to More Info: BT911585
Component: Policy Enforcement Manager
Symptoms:
PEM sessions go to a stale state and the Credit Control Request (CCRi) is not sent.
Conditions:
-- PEM is configured and passing normal PEM traffic.
-- Using BIG-IP Virtual Edition (VE)
Impact:
Session is not established.
Workaround:
None.
Fix:
Enhanced application to accept new sessions under problem conditions.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
911141-1 : GTP v1 APN is not decoded/encoded properly
Links to More Info: BT911141
Component: Service Provider
Symptoms:
GTP v1 APN element was decoded/encoded as octetstring and Only GTP v2 APN element is decoded/encoded as DNS encoding.
Conditions:
- GTP version 1.
- APN element.
Impact:
iRules become more complex when dealing with GTP v1 APN element, as it may need to convert between octetstring and dotted style domain name value after decoding or before encoding the data.
Workaround:
Use iRules to convert between octetstring and dotted style domain name values.
Fix:
GTP version 1 APN information element is now decoded/encoded as DNS encoding.
Behavior Change:
GTP v1 apn element is now decoded/encoded using DNS-like encoding. Previously, it was decoded/encoded as octetstring.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
910673-6 : Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM'
Links to More Info: BT910673
Component: Local Traffic Manager
Symptoms:
Thales installation script fails with error message.
ERROR: Could not reach Thales HSM "<ip>". Make sure the HSM IP address is correct and that the HSM is accessible to the BIG-IP.
Conditions:
This occurs when the ICMP ping is blocked between the BIG-IP system and netHSM.
Impact:
Thales/nCipher NetHSM client software installation fails.
Workaround:
Unblock ICMP ping between the BIG-IP system and netHSM.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1
910213-7 : LB::down iRule command is ineffective, and can lead to inconsistent pool member status
Links to More Info: BT910213
Component: Local Traffic Manager
Symptoms:
Use of the LB::down command in an iRule may not have the desired effect, or may result in pool members that are down for load balancing, but indicate up/available in the GUI and CLI.
Specifically, the pool member is marked down within the tmm instance executing the iRule, but the status change is not updated to mcpd, or to other tmm instances.
As a result, the message 'Pool /Common/mypool member /Common/1.1.1.1:80 monitor status iRule down' does not appear in the log, and the status of the pool member is not updated when viewed in the GUI or via 'tmsh show ltm pool xxxx members'.
Note: If [event info] is logged in the LB_FAILED event, it will indicate that the load balancing decision failed due to "connection limit"
Conditions:
Using the LB::down command in an iRule.
Impact:
Because mcpd believes the pool member to be up, it does not update tmm's status, so tmm continues to regard it as down indefinitely, or until a monitor state change occurs.
If the LB::down command is used on all members of a pool, the affected tmms cannot load balance to that pool, even though the GUI/tmsh indicate that the pool has available members.
Because pool member status is stored on per-tmm basis and incoming connections are distributed across tmms using a hash, this can lead to apparently inconsistent results, where some traffic (traffic hitting a particular tmm) is rejected with an RST cause of 'No pool member available'.
Workaround:
- Delete and recreate affected pool members
(or) Restart tmm
(or) Restart the BIG-IP.
There is no direct workaround, but the use of an inband monitor instead of the LB::down command may be effective. You must tune the inband monitor's settings to values consistent with the desired behavior.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
909161-1 : A core file is generated upon avrd process restart or stop
Links to More Info: BT909161
Component: Application Visibility and Reporting
Symptoms:
Sometime when avrd process is stopped or restarted, a core is generated.
Conditions:
Avrd process is stopped or restarted.
Impact:
Avrd creates a core file but there is no other negative impact to the system.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
907549-6 : Memory leak in BWC::Measure
Links to More Info: BT907549
Component: TMOS
Symptoms:
Memory leak in BWC calculator.
Conditions:
When the HSL log publisher is attached to the BWC::Measure instance in the Bandwidth policy.
Impact:
A memory leak occurs.
Workaround:
None.
Fix:
Memory is not leaked.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.0.5, 14.1.5
907025-5 : Live update error" 'Try to reload page'
Links to More Info: BT907025
Component: Application Security Manager
Symptoms:
When trying to update Attack Signatures. the following error message is shown:
Could not communicate with system. Try to reload page.
Conditions:
Insufficient disk space to update the Attack Signature.
Impact:
Live Update unable to restore the database during startup. Device runs out of disk space, which leads to failure in writing live update hsqldb log file. The liveupdatedb.script file, which is based on the .log file, is truncated and missing necessary settings in order to initialize the live update database.
Workaround:
This following procedure restores the database to its default, initial state:
1. Remove the sigfile.tmp.* directories under /var/ts/var/tmp.
2. Delete the script:
delete /var/lib/hsqldb/live-update/liveupdatedb.script
3. Create a new script:
create new /var/lib/hsqldb/live-update/liveupdatedb.script.
4. Add the following lines to create the live update database schema and set the SA user as expected:
CREATE SCHEMA PUBLIC AUTHORIZATION DBA
CREATE MEMORY TABLE AVAILABILITY(ID VARCHAR(255) NOT NULL,ERRORMESSAGE VARCHAR(255),LASTCHECKDATETIME BIGINT,LASTCHECKUPDATEFILE VARCHAR(255),STATUS VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT AVAILABILITY_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE INSTALLSCHEDULE(ID VARCHAR(255) NOT NULL,APPLYATALLTIMES BOOLEAN,APPLYONALLDAYS BOOLEAN,APPLYONFRIDAYS BOOLEAN,APPLYONMONDAYS BOOLEAN,APPLYONSATURDAYS BOOLEAN,APPLYONSUNDAYS BOOLEAN,APPLYONTHURSDAYS BOOLEAN,APPLYONTUESDAYS BOOLEAN,APPLYONWEDNESDAYS BOOLEAN,ENDTIME VARCHAR(255),FREQUENCY VARCHAR(255),STARTTIME VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT INSTALLSCHEDULE_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE UPDATEFILE(ID VARCHAR(255) NOT NULL,CREATEDATETIME BIGINT,FILELOCATION VARCHAR(255),FILENAME VARCHAR(255),ISFILEAVAILABLE BOOLEAN,ISFILEMANUALLYUPLOADED BOOLEAN,ISGENESIS BOOLEAN,MD5 VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT UPDATEFILE_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE INSTALLATION(ID VARCHAR(255) NOT NULL,ADDEDENTITIESCOUNT INTEGER,DELETEDENTITIESCOUNT INTEGER,ERRORMESSAGE VARCHAR(255),LASTREADMEFILENAME VARCHAR(255),LASTUPDATEMICROS BIGINT,LOADDATETIME BIGINT,MODIFIEDENTITIESCOUNT INTEGER,README VARCHAR(500000),STATUS VARCHAR(255),"TYPE" VARCHAR(255),UPDATEFILE_ID_OID VARCHAR(255),CONSTRAINT INSTALLATION_PK PRIMARY KEY(ID),CONSTRAINT INSTALLATION_FK1 FOREIGN KEY(UPDATEFILE_ID_OID) REFERENCES UPDATEFILE(ID))
CREATE INDEX INSTALLATION_N49 ON INSTALLATION(UPDATEFILE_ID_OID)
CREATE MEMORY TABLE INSTALLATION_DELETEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_DELETEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_DELETEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_DELETEDENTITYLIST_N49 ON INSTALLATION_DELETEDENTITYLIST(ID_OID)
CREATE MEMORY TABLE INSTALLATION_MODIFIEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_MODIFIEDENTITYLIST_N49 ON INSTALLATION_MODIFIEDENTITYLIST(ID_OID)
CREATE MEMORY TABLE INSTALLATION_ADDEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_ADDEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_ADDEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_ADDEDENTITYLIST_N49 ON INSTALLATION_ADDEDENTITYLIST(ID_OID)
CREATE USER SA PASSWORD ""
GRANT DBA TO SA
SET WRITE_DELAY 20
SET SCHEMA PUBLIC
5. Restart the tomcat process:
bigstart restart tomcat
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
906273-1 : MCPD crashes receiving a message from bcm56xxd
Links to More Info: BT906273
Component: TMOS
Symptoms:
Under rare circumstances, the Broadcom switch daemon bcm56xxd, can send more then one message at a time to MCPD.
This can cause MCPD to either fail immediately or have it hang and be terminated by sod 5 minutes later.
One of the messages being sent is in response to a link status change. The second message is a reply to a query, for instance a query for l2 forward statistics.
Conditions:
- BIG-IP with a Broadcom switch.
- Link status change is available.
- MCPD sends a query to bcm56xxd, that is, for l2 forward statistics.
Impact:
MCPD failure and restarts causing a failover.
Workaround:
None
Fix:
The Broadcom switch daemon bcm56xxd will not send more then one message to MCPD at a time.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
904661-4 : Mellanox NIC speeds may be reported incorrectly on Virtual Edition
Links to More Info: BT904661
Component: TMOS
Symptoms:
Speeds for Mellanox NICs on BIG-IP Virtual Edition may be reported incorrectly. The behavior varies depending on what driver is in use:
- Speeds are always reported as 10G when the mlxvf5 driver is used, regardless of the actual speed of the interface.
- Speeds are reported as either 10G or 40G when the xnet driver is used. This is accurate unless the actual NIC speed is greater than 40G, in which is it will still be reported as 40G.
Conditions:
-- BIG-IP Virtual Edition
-- Using a Mellanox NIC with the mlxvf5 or xnet driver
Impact:
Possibly incorrect media speed reported. (Actual speed is correct, regardless of what is displayed.)
Fixed Versions:
17.1.0, 16.1.4
903313-4 : OWASP page: File Types score in Broken Access Control category is always 0.
Links to More Info: BT903313
Component: Application Security Manager
Symptoms:
Under Broken Access Control category, the contribution of Disallowed File Types seems to be 0 no matter what is the number of Disallowed File Types in policy. As a result, it is not possible to reach full compliance.
Conditions:
Security Policy is configured. Not Applicable for parent or child policy.
Impact:
For any OWASP configurable policy (i.e. not parent or child policy), the policy cannot reach the maximum score for Broken Access Control category
Fixed Versions:
17.0.0, 16.1.4
902377-4 : HTML profile forces re-chunk even though HTML::disable
Links to More Info: BT902377
Component: Local Traffic Manager
Symptoms:
HTML profile performs a re-chunk even though HTML::disable has been executed in the HTTP_RESPONSE event.
Conditions:
Using HTML::disable in an HTTP_RESPONSE event.
Impact:
The HTML profile still performs a re-chunk.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
901669-6 : Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change.
Links to More Info: BT901669
Component: TMOS
Symptoms:
-- The 'tmsh show cm failover-status' command shows a status of 'Error' when the command is run on a peer of a device that underwent a management IP address change.
-- Should the sod_tg_conn_stat or sod_tg_msg_stat tmstat tables be inspected using the tmctl command, the tables show stale information in the entry_key column.
Note: Additionally, in certain cases, it is possible for failover functionality to be broken after the management IP address change, meaning devices remain stuck in an improper Active/Active or Standby/Standby state. This further aspect of the issue is tracked under ID999125. This ID tracks only the cosmetic defect.
Conditions:
-- Two or more devices in a sync-failover device-group.
-- The management IP address is changed on one of the devices.
The error appears under either of these conditions:
-- The 'tmsh show cm failover-status' is run on a peer of the device that underwent the management IP address change.
-- The sod_tg_conn_stat or sod_tg_msg_stat tmstat tables are inspected using the tmctl command.
Impact:
The 'tmsh show cm failover-status' command indicates an error.
Workaround:
You can work around this issue by running the following command on the peers of the device which underwent a management IP address change:
tmsh restart sys service sod
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
898929-6 : Tmm might crash when ASM, AVR, and pool connection queuing are in use
Links to More Info: BT898929
Component: Local Traffic Manager
Symptoms:
TMM crashes and generates a core file.
Conditions:
-- System is provisioned for at least ASM, AVR, and LTM.
-- An LTM pool is configured to use connection queuing.
-- The LTM pool is used on a virtual server with an analytics profile.
Impact:
Tmm might crash. Traffic disrupted while tmm restarts.
Workaround:
Disable connection queuing on the pool.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
896941 : Common Criteria ccmode script updated
Links to More Info: BT896941
Component: TMOS
Symptoms:
Configuration of SSH must be done to support Common Criteria compliance. This is currently done by following instructions in the Common Criteria Guidance Document.
Conditions:
Common Criteria compliance configuration.
Impact:
This update automates the SSH configuration.
Workaround:
Continue to follow Common Criteria Guidance document instructions for SSH configuration.
Fix:
Added SSH configuration to meet Common Criteria requirements.
Fixed Versions:
17.0.0, 16.1.3
895557-5 : NTLM profile logs error when used with profiles that do redirect
Links to More Info: BT895557
Component: Local Traffic Manager
Symptoms:
As of BIG-IP version 14.1, HTTP iRule commands that inspect HTTP state after the commands HTTP::respond, HTTP::redirect, and HTTP::retry returns errors instead of returning corrupt data (https://support.f5.com/csp/article/K23237429).
When the NTLM profile is configured, it does the same through a built-in TCL rule where among several things, it tries to check if HTTP::cookie exists. If a profile like HTTP exists wherein a redirect/respond/retry is configured, it results in a TCL error informing the admin that they are accessing an invalid HTTP state.
Conditions:
-- NTLM profile is configured alongside HTTP profile
-- One of the redirect/respond/retry commands has been executed before the NTLM profile accesses the state of HTTP (for ex. HTTP::collect, HTTP::close, HTTP::cookie, etc.).
Impact:
Tcl error is seen in /var/log/ltm informing the admin that the iRule operation executed after HTTP::redirect/retry/respond is not supported.
For example -
TCL error: _plugin_rule_/Common/ntlm_default_iis <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::cookie exists [PROFILE::ntlm insert_cookie_name]"
Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.2
890169-4 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.
Links to More Info: BT890169
Component: Application Security Manager
Symptoms:
When a URL starts with double slashes (i.e. "http://HOST//path"), and Bot Defense Profile decides to perform simple redirect, the request results with loading failure.
Conditions:
-- Bot Defense profile on blocking mode (or "Verification and Device-ID Challenges in Transparent Mode" is enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.
Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
889813-3 : Show net bwc policy prints bytes-per-second instead of bits-per-second
Links to More Info: BT889813
Component: TMOS
Symptoms:
The 'tmsh show net bwc policy' is printing out bits-per-second in the value field, but the name field says 'bytesPerSec'.
Conditions:
Running the tmsh command:
tmsh show net bwc policy
Impact:
The stats are in bits-per-second, but the label says bytesPerSec. Although there is no functional impact, the incorrect label could cause confusion.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.4, 15.1.10, 14.1.4.5
889605-2 : iApp with Bot profile is unavailable if application folder includes a subpath
Links to More Info: BT889605
Component: iApp Technology
Symptoms:
iApp with Bot profile is unavailable if the application folder includes a subpath. If the subpath is not present then iApp with bot profile is available.
Conditions:
1) Create default "Bot Protection" or "Web Application Comprehensive Protection" with an enabled "Bot Defense" use case in WGC without a virtual server.
2) Go to "iApps >> Application Services: Applications" and refer to the created iApp.
Impact:
iApp cannot be loaded when tried to open through iApps >> Applications view in TMUI.
Workaround:
View the configuration created from Guided configuration as mentioned: iApps >> Application Services >> Applications LX menu
Fix:
Open the iApps >> Applications view in TMUI and load the iApp.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
888765-2 : After upgrading from 13.1.0 to 15.1.0.1 CGNAT is deprovisioned and tmm is restarted by reloaded config from text files★
Links to More Info: BT888765
Component: TMOS
Symptoms:
After upgrading, CGNAT is de-provisioned and tmm is restarted after config load.
Conditions:
- CGNAT provisioned prior to upgrade
- Upgrade from 13.1.0 to 15.1.0.1 and reboot
Impact:
-- CGNAT is de-provisioned
-- Tmm restarts
Workaround:
After upgrading, re-provision CGNAT:
tmsh modify sys provision cgnat level <level>
tmsh save sys config
Fixed Versions:
16.1.4
888289-8 : Add option to skip percent characters during normalization
Links to More Info: BT888289
Component: Application Security Manager
Symptoms:
An attack signature is not detected.
Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.
Impact:
An attack goes undetected.
Workaround:
Turn on the bad unescape violation or the metacharacter violation.
Fix:
Added an internal parameter, normalization_remove_percents. Its default is 0 (zero), meaning that the previous behavior is maintained. When enabled, the normalization of the data before running the signature removes the percent characters (as it does to high ASCII and space characters).
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
887117-4 : Invalid SessionDB messages are sent to Standby
Links to More Info: BT887117
Component: TMOS
Symptoms:
SessionDB messages sent from Active to Standby are dropped due to inconsistencies detected in the message. You see logs in /var/log/ltm:
SessionDB ERROR: received invalid or corrupt HA message; dropped message.
Conditions:
-- High availability (HA) pair configuration.
-- SessionDB messages sent from Active to Standby.
Impact:
Standby drops these messages
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4.1
886649-5 : Connections stall when dynamic BWC policy is changed via GUI and TMSH
Links to More Info: BT886649
Component: TMOS
Symptoms:
Connections stall when dynamic BWC policy is changed via GUI and TMSH.
Conditions:
Issue is seen when you have a dynamic bandwidth control policy configured, and you make a change to the policy via the GUI and TMSH.
Impact:
Connection does not transfer data.
Workaround:
Restart TMM. Delete the relevant configuration, create a new configuration, and apply it.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
886533-5 : Icap server connection adjustments
Links to More Info: BT886533
Component: Application Security Manager
Symptoms:
Request getting to the ICAP server takes a long time to process (several seconds), which makes the whole transaction slower than expected. When testing the connection to the ICAP server itself, you determine that it is fast.
Conditions:
This happens especially with large file uploads that are mixed with smaller file uploads. The smaller uploads are waiting for the bigger upload.
Impact:
Slow responses to specific requests.
Workaround:
None.
Fix:
This release provides greater responsiveness of the internal queue to the ICAP thread.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
885765-1 : ASMConfig Handler undergoes frequent restarts
Links to More Info: BT885765
Component: Application Security Manager
Symptoms:
Under some settings and load the RPC handler for the tsconfd process restarts frequently.
Conditions:
When processing a large number of configuration updates.
Impact:
The RPC handler for the tsconfd process restarts frequently, causing unnecessary churn and noisy logs
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
884945-1 : Latency reduce in case of empty parameters.
Links to More Info: BT884945
Component: Application Security Manager
Symptoms:
Traffic load with many empty parameters may lead to increased latency.
Conditions:
Sending requests with many empty parameters
Impact:
Traffic load with many empty parameters may cause increased latency through the BIG-IP system.
Workaround:
None
Fix:
Ignore empty parameters
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
883049-9 : Statsd can deadlock with rrdshim if an rrd file is invalid
Links to More Info: BT883049
Component: Local Traffic Manager
Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs "tmsh show sys memory'.
You may see errors:
-- err statsd[5005]: 011b0600:3: Error ''/var/rrd/endpisession' is too small (should be 15923224 bytes)' during rrd_update for rrd file '/var/rrd/endpisession'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/endpisession'.
Conditions:
Truncation of a binary file in /var/rrd.
Impact:
Stats are no longer collected. Statsd and rrdshim deadlock.
Workaround:
Remove the truncated file and restart statsd:
bigstart restart statsd
Fix:
Now detecting and rectifying truncation of RRD files.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
882709-6 : Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors★
Links to More Info: BT882709
Component: TMOS
Symptoms:
Traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor.
This may manifest as traffic failing after an upgrade from earlier (unaffected) software versions.
Note: This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored.
This is due to an interoperability issue between RedHat Enterprise Linux (RHEL) and Microsoft Hyper-V, which seems to affect RHEL v7.3 and RHEL v7.5.
Hyper-V on Windows Server 2016 and Windows Server 2012 do not seem to identify the version of the built-in LIS correctly on Centos 7.3 or Centos 7.5 (which are built on RHEL 7.3 and RHEL 7.5 respectively).
Although there is a statement of support by Microsoft for VLAN tagging on RHEL 7.3 and 7.5 when running on Hyper-V, that functionality does not appear to work at present: Supported CentOS and Red Hat Enterprise Linux virtual machines on Hyper-V :: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/Supported-CentOS-and-Red-Hat-Enterprise-Linux-virtual-machines-on-Hyper-V.
Conditions:
-- BIG-IP VE is deployed on a Hyper-V hypervisor.
-- VLAN configured in BIG-IP VE with tagged interfaces, e.g.:
net vlan external {
interfaces {
1.1 {
tagged
}
}
tag 4000
}
-- At present, VLAN tagging on the v14.x and v15.x releases does not work because those releases are running on CentOS 7.3 and 7.5 respectively, which both are affected by the MS/RHEL interoperability issue.
-- BIG-IP v12.x and v13.x use a different (older) CentOS version, so VLAN tagging works without issue on those releases.
Impact:
-- The system does not prevent you from configuring tagged VLANs, even though they do not pass traffic.
-- Although upgrades complete and you can reboot into the new boot location (or you can set up on Hyper-V from scratch), traffic does not pass (into the guest) across VLANs that are tagged.
Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to elect to postpone upgrading from a working, v12.x and v13.x release.
Workaround:
Essentially, there is no workaround in this release; you must reconfigure the virtual machine to use separate, untagged interfaces for each VLAN.
Note: Although this is technically a problem between Hyper-V and the built-in LIS on RHEL 7.3/7.5, this issue is being tracked internally in this bug.
Behavior Change:
In this release, traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor.
This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored.
Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to elect to postpone upgrading from a working, v12.x and v13.x release.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
881085-4 : Intermittent auth failures with remote LDAP auth for BIG-IP managment
Links to More Info: BT881085
Component: TMOS
Symptoms:
There are intermittent auth failures when accessing the BIG-IP administration interfaces via SSH or the GUI.
Conditions:
-- Remote LDAP auth is configured.
-- An idle timeout RST is received on the LDAP connection before the configured auth LDAP idle-timeout expires. This RST might be generated by tmm (if the connection to the LDAP server is via a defined VLAN), some other intervening device on the network, or from the LDAP server itself (depending on its connection time limit).
Impact:
There might be intermittent remote-auth failures.
Workaround:
Set the auth ldap idle-timeout to a smaller value, for example, via tmsh:
modify auth ldap system-auth idle-timeout 299
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
878641-3 : TLS1.3 certificate request message does not contain CAs
Links to More Info: BT878641
Component: Local Traffic Manager
Symptoms:
TLS1.3 certificate request message does not include CAs
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4
Conditions:
TLS1.3 and client authentication
Impact:
The Advertised Certificate Authorities option on Client SSL profiles does not function when TLS 1.3 is selected
Fix:
Certificate request message now may contain CAs
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
876677-2 : When running the debug version of TMM, an assertion may be triggered due to an expired DNS lookup.
Links to More Info: BT876677
Component: Global Traffic Manager (DNS)
Symptoms:
When running the debug version of TMM, if a particular DNS lookup takes more than 30 seconds, TMM may assert with a message in the /var/log/tmm file similar to the following example:
notice panic: ../modules/hudfilter/3dns/cache_resolver.c:2343: Assertion "standalone refcnt must be one" failed.
Conditions:
-- Using the debug TMM
-- Using the RESOLV::lookup iRule command
-- The DNS server targeted by the aforementioned command is running slowly or malfunctioning
Impact:
TMM crashes and, in redundant configurations, the unit fails over.
Workaround:
Do not use the debug TMM.
Fix:
The debug assert was removed and replaced by a debug log.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
876569-2 : QAT compression codec produces gzip stream with CRC error
Links to More Info: BT876569
Component: Local Traffic Manager
Symptoms:
When an HTTP compression profile is enabled on BIG-IP platforms with Intel QuickAssist Technology (Intel QAT) compression accelerators, gzip errors are produced.
Conditions:
This occurs when the following conditions are met:
-- The following platforms with Intel QAT are affected:
+ 4450 blades
+ i4600/i4800
+ i10600/i10800
+ i7600/i7800
+ i5600/i5800
+ i11600/i11800
+ i11400/i11600/i11800
+ i15600/i15800
-- The compression.qat.dispatchsize variable is set to any of the following values:
+ 65535
+ 32768
+ 16384
+ 8192
-- The size of the file being compressed is a multiple of the compression.qat.dispatchsize value, for exampld:
+ 65355*32768
+ 8192*32768
Impact:
Clients cannot decompress the compressed file because there is an invalid gzip footer.
Workaround:
Disable hardware compression and use software compression.
Fix:
The system now handles gzip errors seen with QAT compression.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
874941-4 : HTTP authentication in the access policy times out after 60 seconds
Links to More Info: BT874941
Component: Access Policy Manager
Symptoms:
HTTP authentication in the access policy times out after 60 seconds, where previously, the timeout was 90 seconds.
Conditions:
Encountering the timeout of HTTP authentication in the access policy in this version of the software.
Impact:
HTTP authentication times out 30 seconds earlier than it did in previous versions. There is no way to configure this timeout value, so authentication fails for operations that require greater than 60 seconds to complete.
Workaround:
None.
Fix:
Added options to configure the HTTP connection and request timeouts in HTTP authentication.
1. A db key to configure Connection Timeout for HTTP Server configuration:
+[APM.HTTP.ConnectionTimeout]
+default=10
+type=integer
+min=0
+max=300
+realm=common
+scf_config=true
+display_name=APM.HTTP.ConnectionTimeout
2. A db key to configure Request Timeout for HTTP Server configuration:
+[APM.HTTP.RequestTimeout]
+default=60
+type=integer
+min=0
+max=600
+realm=common
+scf_config=true
+display_name=APM.HTTP.RequestTimeout
Behavior Change:
Added db variables APM.HTTP.ConnectionTimeout and APM.HTTP.RequestTimeout as options to configure the HTTP connection and request timeouts in HTTP authentication.
The APM.HTTP.ConnectionTimeout defaults to 10 seconds, and the APM.HTTP.RequestTimeout defaults to 60 seconds.
Note: These defaults are the same as the values in earlier releases, so there is no effective functional change in behavior.
Fixed Versions:
16.1.2.2, 15.1.6.1, 14.1.5
873617-1 : DataSafe is not available with AWAF license after BIG-IP startup or MCP restart.
Links to More Info: BT873617
Component: Fraud Protection Services
Symptoms:
DataSafe is not available with an AWAF license.
Conditions:
-- AWAF license
-- BIG-IP startup or MCP restart
Impact:
DataSafe is not available.
Workaround:
Reset to default license.antifraud.id variable.
tmsh modify sys db license.antifraud.id reset-to-default.
Fix:
Additional DataSafe license validation during MCP startup after license information is loaded.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
858005-1 : When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:"
Links to More Info: BT858005
Component: Access Policy Manager
Symptoms:
APM Access Policy evaluation failed.
Conditions:
When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces there is no configuration error but runtime evaluation results in failure with error message in /var/log/apm:
"Rule evaluation failed with error:"
Impact:
APM end user’s session cannot be established.
Workaround:
Using APM VPE remove all leading/trailing spaces from config of “IP Subnet Match” agent
Fix:
This issue is fixed by trimming spaces from IP Subnet Match agent config in VPE
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
854129-6 : SSL monitor continues to send previously configured server SSL configuration after removal
Links to More Info: BT854129
Component: In-tmm monitors
Symptoms:
After an SSL profile has been removed from a monitor, a monitor instance continues to use settings from the previously-configured server SSL profile, such as client certificate or ciphers or supported TLS versions.
Conditions:
-- In-TMM monitors enabled.
-- SSL monitor configured with a server SSL profile.
-- Setting the monitor's 'SSL Profile' parameter to 'none'.
Impact:
The previously configured settings, such as certificate or cipher, continue to be used for monitoring pool members, which may result in unexpected health check behavior/pool member status.
Workaround:
An administrator can avoid this issue by ensuring the monitor's 'SSL Profile' parameter specifies a profile (i.e., is not 'none').
Note: In some software versions, changing a monitor's SSL profile from one profile to a different profile may not take effect. For information about this behavior, see https://cdn.f5.com/product/bugtracker/ID912425.html
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
851121-6 : Database monitor DBDaemon debug logging not enabled consistently
Links to More Info: BT851121
Component: Local Traffic Manager
Symptoms:
Debug logging in the database monitor daemon (DBDaemon) for database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle) is enabled on a per-monitor basis.
When a ping is initiated for a particular monitor with debug logging enabled in the monitor configuration, debug logging in DBDaemon is enabled.
When a ping is initiated for a particular monitor with debug logging disabled in the monitor configuration, debug logging in DBDaemon is disabled.
When monitoring database pool members with a mix of monitors with debug logging enabled versus disabled, the result can be that debug logging in DBDaemon is enabled and disabled at times which do not correspond to all actions related to a specific database monitor, or pool members monitored by that monitor.
In addition, debug messages logging internal DBDaemon state related to the management of the full collection of monitored objects, active threads, and other may not be logged consistently.
Conditions:
-- Using multiple database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle).
-- Enabling debug logging on one or more database health monitors, but not all.
Debug logging for database health monitors is enabled by configuring the "debug" property of the monitor with a value of "yes".
Debug logging is disabled by configuring the "debug" property with a value of "no" (default).
# tmsh list ltm monitor mysql mysql_example debug
ltm monitor mysql mysql_example {
debug yes
}
Impact:
Logging of database monitor activities by DBDaemon may be inconsistent and incomplete, impeding efforts to diagnose issues related to database health monitors.
Workaround:
When attempting to diagnose database health monitor issues with DBDaemon debug logging, enable debug logging for ALL database monitors currently in use.
Once diagnostic data collection is completed, disable debug logging for all database monitors currently configured/in use.
Fix:
DBDaemon debug logging can now be enabled globally to facilitate diagnosing database health monitor issues.
DBDaemon debug logging can be enabled globally by creating the following touch file:
-- /var/run/DBDaemon.debug
DBDaemon global debug logging can be disabled by removing or unlinking the above touch file.
Creating or removing the above touch file has immediate effect.
This mechanism enables/disables DBDaemon debug logging globally for all instances of DBDaemon which may be running under different route domains.
In addition, when debug logging is enabled for a specific database monitor (Microsoft SQL, MySQL, PostgreSQL, Oracle), DBDaemon accurately logs all events for that monitor. The per-monitor debug logging is enabled independent of the global DBDaemon debug logging status.
The timestamps in DBDaemon logs (/var/log/DBDaemon-*.log*) are now written using the local timezone configured for the BIG-IP system.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
850141-2 : Possible tmm core when using Dosl7/Bot Defense profile
Links to More Info: BT850141
Component: Application Security Manager
Symptoms:
Tmm crashes.
Conditions:
-- Dosl7/Bot defense profile is attached to a virtual server
-- A request is sent with a trusted bot signature and requires a rDNS.
-- An asynchronous iRule is attached to the virtual server
OR:
-- Device ID feature is enabled, and the current request requires a complex Device ID generation.
-- The connection is closed before the response arrives.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
849029-7 : No configurable setting for maximum entries in CRLDP cache
Links to More Info: BT849029
Component: Access Policy Manager
Symptoms:
There is no setting provided to configure maximum entries the in CRLDP cache.
Conditions:
In a configuration with tens of thousands of CRLDP and hundreds of thousands or millions of certificates, certain operations might encounter an internal limit, resulting in a number of revoked certificates.
Impact:
No settings exist. Cannot set maximum entries in CRLDP cache.
Workaround:
None.
Fix:
There is now a setting for configuring maximum entries in CRLDP cache.
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.4.4
844045-4 : ASM Response event logging for "Illegal response" violations.
Links to More Info: BT844045
Component: Application Security Manager
Symptoms:
Response log is not available when the request is legal but returns an illegal response status code.
In ASM, logging profiles allow the logging of all blocked responses. The existing response logging allows either all requests or illegal requests only which does not contain response logging data.
Conditions:
-- Response logging is enabled
-- An illegal response occurs
Impact:
Response logging does not occur.
Workaround:
N/A
Fix:
When a response has ASM response violations and response logging is enabled only for when there was a violation, ASM includes the response in the log.
Added an internal variable:
disable_illegal_response_logging -- default value 0.
If the response logging is enabled in the GUI, only the response logs are captured.
If the variable disable_illegal_response_logging is set to 1, then response logging is disabled(even if enabled in GUI).
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
842425-6 : Mirrored connections on standby are never removed in certain configurations
Links to More Info: BT842425
Component: Local Traffic Manager
Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.
Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.
Impact:
Leaking connections on the standby system.
Workaround:
You can use either of the following workarounds:
-- Use auto-lasthop with mirrored connections.
-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
842013-1 : ASM Configuration is Lost on License Reactivation★
Links to More Info: BT842013
Component: Application Security Manager
Symptoms:
After re-activating a BIG-IP license, if the configuration fails to load and reverts to a base config load, the ASM policy config contains 'default' or 'stub' policies, even after fixing the error that caused the configuration to fail to load.
Conditions:
1) A parsing error exists in the BIG-IP config such that 'tmsh load sys config verify' would fail
2) There is a license reactivation or the configuration is reloaded
Impact:
ASM policy configuration is lost and all policies are reverted to empty 'stubs'
Workaround:
In the case of license re-activation/before upgrade:
Run the command "tmsh load sys config verify" prior to license activation on ASM units to be sure that the config will pass parsing and avoid the fallback to base configuration load.
In a case of booting the system into the new version:
Option 1:
1. Using the steps in either K4423 or K8465, fix the issue that was preventing the config to load.
2. Reload the config from the fixed UCS file using the command in K13132.
Option 2:
1. Roll back to the old version.
2. Fix the issue that was preventing the config to load.
3. Before activating the Boot Location of the new version at System >> Software Management : Boot Locations, make sure to set the option Install Configuration to Yes. see: K64400324
Option 3: If one of the high availability (HA) units successfully upgraded, then use config-sync to push the working config to the failing unit.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
838405-4 : Listener traffic-group may not be updated when spanning is in use
Links to More Info: BT838405
Component: TMOS
Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.
Conditions:
Spanning is disabled or enabled on a virtual address.
Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.
Depending on the configuration, virtual server may or may not forward the traffic when expected.
Workaround:
Enable/Disable spanning together with changing a traffic-group (both options have to be changed simultaneously):
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-2 spanning disabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
838305-9 : BIG-IP may create multiple connections for packets that should belong to a single flow.
Links to More Info: BT838305
Component: Local Traffic Manager
Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.
Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down.
Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
832133-7 : In-TMM monitors fail to match certain binary data in the response from the server
Links to More Info: BT832133
Component: In-tmm monitors
Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system marks them DOWN.
Conditions:
This issue occurs when all of the following conditions are met:
- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).
- One or more TCP or HTTP monitors specify a receive string using HEX encoding, in order to match binary data in the server's response.
- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.
Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.
Workaround:
Either one of the following workarounds can be used:
- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.
- Do not monitor the application through a binary response (if the application allows it).
Fix:
The monitor finds the recv string and shows the pool or member as available.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
830341-5 : False positives Mismatched message key on ASM TS cookie
Links to More Info: BT830341
Component: Application Security Manager
Symptoms:
ASM system triggers false positives for ASM Cookie Hijacking violation with reason "Mismatched message key"
Conditions:
-- An HTTP request containing an old frame cookie with a different message key from the main ts cookie is rejected
-- The cookie is left intact
Impact:
All subsequent requests are rejected on ASM Cookie Hijacking violation
Workaround:
1. Disable "Learn Host Names" flag all policies. If the policy builder is on manual mode, they need to change it back to Auto mode, disable "Learn Host Names", then change to manual mode.
OR
2. Delete the mismatched cookie. This will cause the violations to stop occurring if the request comes from a legit endpoint
Fix:
In order to activate the changed functionality, set internal parameter ignore_cookies_msg_key to 1 and restart asm by executing following commands in CLI:
/usr/share/ts/bin/add_del_internal add ignore_cookies_msg_key 1
bigstart restart asm
Once enabled, ASM system does not trigger false positives.
Fixed Versions:
17.0.0, 16.1.2.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
829653-1 : Memory leak due to session context not freed
Links to More Info: BT829653
Component: Policy Enforcement Manager
Symptoms:
Memory increases slowly
Conditions:
A PEM iRule times out
Impact:
Memory could be exhausted depending on the frequency of the command timeouts
Fixed Versions:
17.0.0, 16.1.4
828761-5 : APM OAuth - Auth Server attached iRule works inconsistently
Links to More Info: BT828761
Component: Access Policy Manager
Symptoms:
The iRule attached to the OAuth Resource Server (RS) is not triggered when the traffic hits the virtual server.
Conditions:
The issue occurs during a reboot of the BIG-IP device containing an OAuth server config and an attached iRule, or when the iRule is initially assigned to the OAuth Server.
Impact:
OAuth scope check agent fails with 'HTTP error 503': as the iRule attached to the RS virtual server is not triggered.
Workaround:
For existing OAuth servers with the iRule attached, modify the iRule, for example, adding a log. This makes the iRule trigger when it is initially attached or loaded.
Fix:
The iRule is triggered when a request comes to the OAuth RS virtual server.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
827393-5 : In rare cases tmm crash is observed when using APM as RDG proxy.
Links to More Info: BT827393
Component: Access Policy Manager
Symptoms:
Tmm may crash when APM is configured as an RDG proxy to access Microsoft remote desktops and applications.
Conditions:
APM is used as RDG proxy
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Tmm does not crash when APM is configured as RDG proxy.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5
819645-1 : Reset Horizon View application does not work when accessing through F5 APM
Links to More Info: BT819645
Component: Access Policy Manager
Symptoms:
You are unable to reset VMware applications from a Windows VM client, Android VM client or HTML5 client.
Conditions:
-- VMware Horizon Proxy configured via an iApp on APM
-- Access the VM applications via APM webtop through native client /HTML5 client for windows or access applications via native client on android
Impact:
Impaired reset option functionality
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
818889-1 : False positive malformed json or xml violation.
Links to More Info: BT818889
Component: Application Security Manager
Symptoms:
A false positive malformed XML or JSON violation occurs.
Conditions:
-- A stream profile is attached (or the http profile is set to rechunk on the request side).
-- A json/XML profile attached to the virtual.
Impact:
A false positive violation.
Workaround:
Modify the http profile to work in preserve mode for request chunking (this workaround is not possible in 16.1).
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
815901-2 : Add rule to the disabled pem policy is not allowed
Links to More Info: BT815901
Component: Policy Enforcement Manager
Symptoms:
Adding rule to PEM policy is not allowed
Conditions:
A PEM policy is disabled
Impact:
You are unable to add rules to a PEM policy if it is disabled.
Fix:
Allow adding rules to disabled PEM policy
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
810917-1 : OWASP Compliance score is shown for parent and child policies that are not applicable.
Links to More Info: BT810917
Component: Application Security Manager
Symptoms:
OWASP score for a parent policy or child policy is shown as 0.
The more accurate value should be 'N/A' since these policies are not configurable for OWASP.
Conditions:
Create either child policy or parent policy. On Security ›› Application Security : Security Policies : Policies List page you will see in the OWASP Compliance score the value 0, and when going to OWASP page configuration (Security ›› Overview : OWASP Compliance) the user will see a note that the policy is not configurable for OWASP.
Impact:
When looking on the policies list, the user may get the impression that the parent or child policies can be configured to comply with OWASP.
Workaround:
Ignore OWASP Compliance score for child and parent policies.
Fixed Versions:
17.0.0, 16.1.4
808913-1 : Big3d cannot log the full XML buffer data
Links to More Info: BT808913
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d cannot log the full XML buffer data:
-- notice big3d[12212]: 012b600d:5: Probe from ::ffff:11.11.1.21:45011: len 883/buffer = <vip>.
Conditions:
The gtm.debugprobelogging variable is enabled.
Impact:
Not able to debug big3d monitoring issues efficiently.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
805821-1 : GTP log message contains no useful information
Links to More Info: BT805821
Component: Service Provider
Symptoms:
GTP profile and GTP iRules provide no useful information in order to proceed with troubleshooting.
Conditions:
GTP profile or iRules fails to process message
Impact:
User lacks of information for troubleshooting
Workaround:
N/A
Fix:
GTP error log has been replaced with a more useful message. The new log message provides more intuitive information including the reason and, in some messages, location of data that causes the failure.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
804529-1 : REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools
Links to More Info: BT804529
Component: TMOS
Symptoms:
The GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats for a specific pool may fail with Error 404.
Conditions:
Pools that start with the letter 'm'. This is because those endpoints contain objects with incorrect selflinks.
For example:
- Query to the below pool that starts with the letter 'm' will work as it contains the right selflink.
- Pool: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats"
- selfLink: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats?ver=x.x.x.x"
- Query to the below pool that does not start with the letter 'm' may not work as it contains the wrong selflink.
- Pool: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats"
- selfLink: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats?ver=x.x.x.x"
In the above example, the word 'members' is displayed in selflink.
Impact:
Errors are observed with GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats.
Workaround:
The following workarounds are available:
1. Use /mgmt/tm/ltm/pool/members/stats without a specific pool, which does return the pool member stats for every pool.
2. For each pool member in /mgmt/tm/ltm/pool, issue a GET for:
/mgmt/tm/ltm/pool/<pool>/members/<member>/stats
Fix:
The REST endpoint /mgmt/tm/ltm/pool/members/stats/<specific pool> will have the working endpoints returned.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
803109-4 : Certain configuration may result in zombie forwarding flows
Links to More Info: BT803109
Component: Local Traffic Manager
Symptoms:
OneConnect profile in conjunction with 'Source-port preserve-strict' or cmp-hash setting of 'dst-ip' or 'src-ip' on the server-side VLAN may result in zombie forwarding flows.
On the server-side the incoming traffic hits a different TMM from the one that handles the outgoing traffic.
Unexpected 'Inet port exhaustion' messages may be logged in the LTM log file.
Conditions:
-- OneConnect configured.
And one of the following:
-- Source-port is set to preserve-strict.
-- The cmp-hash setting on the server-side VLAN is set to 'dst-ip' or 'src-ip'.
Impact:
Zombie forwarding flows. Over time, the current allocation count grows and does not return to its prior level when traffic stops.
The current allocation can be checked with this command:
# tmctl memory_usage_stat name=connflow -s name,cur_allocs
Workaround:
You can use any of the following workarounds:
-- Remove the OneConnect profile from the Virtual Server.
-- Do not use 'source-port preserve-strict' setting on the Virtual Server.
-- Set the 'cmp-hash default' on the server-side VLAN if it is set to 'cmp-hash src-ip' or 'cmp-hash dst-ip'.
Note: After making this change, it may be necessary to run the command 'tmsh restart sys service tmm', which will clear the old flows but also impact traffic. Traffic interrupted while tmm restarts.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
796065-2 : PingAccess filter can accumulate connections increasing memory use.
Links to More Info: BT796065
Component: Access Policy Manager
Symptoms:
Currently the maximum http header count value for ping access is 64. The connection to the backend is aborted if there are more than 64 headers.
Conditions:
1. Ping access is configured.
2. The HTTP header count is more than 64.
Impact:
Connection is aborted by the BIG-IP system users are unable to access the backend.
Workaround:
None
Fix:
Fixed an issue with the ping access filter.
Fixed Versions:
16.1.4
794385-6 : BGP sessions may be reset after CMP state change
Links to More Info: BT794385
Component: Local Traffic Manager
Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.
This happens in the following instances:
- Blade reset.
- Booting up or shutting down.
- Running 'bigstart restart'.
- Setting a blade state from/to primary/secondary.
During these events, there is a small chance that ingress ACK packet of previously established BGP connection is going to be disaggregated to the new processing group(TMMs) and selected TMM is ready to process traffic, but is not ready yet to process traffic for existing connection. In this case, connection isn't processed and reset instead.
Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BGP peering is configured.
-- CMP state change is occurred on one of the blades.
-- BGP ingress ACK packet is disaggregated to TMM, which either wrong TMM or not ready to process the packet of already established connection
Impact:
Affected BGP peering is reset and dynamic routes learnt by the configured protocol are withdrawn, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.
In most cases, unexpected routing decisions are from networks learnt by affected routing protocols when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.
Workaround:
There is no workaround, but the issue was never seen with a configuration where CMP hash of affected VLAN is changed back to Default value.
Fix:
BGP session is no longer reset during CMP state change.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
791669-5 : TMM might crash when Bot Defense is configured for multiple domains
Links to More Info: BT791669
Component: Application Security Manager
Symptoms:
TMM might crash and generate a core file when using a Bot Defense profile that is configured for multiple domains.
Conditions:
Bot Defense is configured with multiple 'Related Site Domains' and attached to a virtual server.
Impact:
TMM crash with core. Traffic disrupted while tmm restarts.
Workaround:
None,
Fix:
TMM no longer crashes when Bot Defense is configured for multiple domains.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.2.3
780857-4 : HA failover network disruption when cluster management IP is not in the list of unicast addresses
Links to More Info: BT780857
Component: Local Traffic Manager
Symptoms:
If the cluster management IP address is not in the list of failover network unicast addresses, the blade management IP addresses in the unicast mesh will not be able to receive failover messages from peer devices.
Conditions:
-- VIPRION chassis or vCMP guest on a VIPRION chassis.
-- Per-blade management IP addresses listed in the failover network unicast mesh.
-- No cluster management IP address listed.
Impact:
The blade management IP addresses in the failover network unicast mesh stop functioning:
[root@VIP2200-R75-S5:/S1-green-P::Standby:In Sync] config # tmctl -w 200 -S sod_tg_conn_stat
entry_key local_failover_addr remote_device_name pkts_received transitions last_msg status
----------------------------- ------------------- ------------------------------ ------------- ----------- ---------- ------
10.200.75.8->10.10.10.1:1026 10.10.10.1:1026 VIP2200-R75-S8.sin.pslab.local 3249 3 1555399271 1
10.200.75.8->10.200.75.3:1026 10.200.75.3:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--
10.200.75.8->10.200.75.4:1026 10.200.75.4:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--
Workaround:
You can add an explicit management IP firewall rule to allow this traffic:
tmsh modify security firewall management-ip-rules rules add { accept_udp_1026 { place-before first ip-protocol udp destination { ports add { 1026 } } action accept } }
This will add a firewall policy so port 1026 is no longer locked down, and the blade management IP addresses in the unicast mesh should begin to function properly.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
760496-4 : Traffic processing interrupted by PF reset
Links to More Info: BT760496
Component: TMOS
Symptoms:
CPU usage increases after PF reset. Traffic between client and server is interrupted.
Conditions:
-- E710 NICs are used.
-- Reset PF.
Impact:
The BIG-IP instance requires a restart after PF reset to resume traffic processing.
Workaround:
Restart the BIG-IP device.
Fix:
A TMSH db variable ve.ndal.exit_on_ue, is introduced to enable/disable device restart on PF reset. On restart, a new error message within /var/log/tmm is written. Error message: "Restarting TMM on unrecoverable error."
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
760355-4 : Firewall rule to block ICMP/DHCP from 'required' to 'default'★
Links to More Info: BT760355
Component: Advanced Firewall Manager
Symptoms:
If a firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.
Conditions:
- Firewall is configured on the management port.
- Firewall is configured with an ICMP rule to block.
- Firewall is configured with an ICMP rule to allow.
Impact:
ICMP packets cannot be blocked with a firewall rule to drop on the management port. ICMP packets are allowed from the management port and will not increase the counter even if explicitly allowed by a rule.
Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions.
# /sbin/iptables -N id760355
# /sbin/iptables -I INPUT 1 -j id760355
# /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP
Fix:
ICMP firewall rule has been moved from the f5-required to f5-default.
Fixed Versions:
16.1.4, 15.1.9, 15.0.1.1, 14.1.2.1
759928-6 : Engineering Hotfixes might not contain all required packages
Links to More Info: BT759928
Component: TMOS
Symptoms:
An Engineering Hotfix might be missing certain required packages.
Conditions:
This can occur with certain Engineering Hotfixes.
Impact:
Some of the required packages may be missing.
Workaround:
None
Fix:
Engineering Hotfix ISOs now automatically include packages for targets that may be affected by code change in a specific target.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
756918-4 : Engineering Hotfix ISOs may be nearly as large as full Release ISOs
Links to More Info: BT756918
Component: TMOS
Symptoms:
Engineering Hotfix ISO images might be unexpectedly large.
Conditions:
This might occur with certain Engineering Hotfix builds.
Impact:
Engineering Hotfixes are unnecessarily large.
Workaround:
None
Fix:
Engineering Hotfix ISO images are no longer created with a size that may occasionally exceed 2 GB, and no longer contain a complete set of packages replacing all packages installed by the original BIG-IP release upon which the Engineering Hotfix is based.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
755976-9 : ZebOS might miss kernel routes after mcpd deamon restart
Links to More Info: BT755976
Component: TMOS
Symptoms:
After an mcpd daemon restart, sometimes (in ~30% of cases) ZebOS is missing some of kernel routes (virtual addresses).
One of the most common scenario is a device reboot.
Conditions:
-- Dynamic routing is configured.
-- Virtual address is created and Route Advertisement is configured:
imish -e 'sh ip route kernel'
-- mcpd daemon is restarted or device is rebooted.
Impact:
The kernel route (virtual address) is not added to the ZebOS routing table and cannot be advertised.
Workaround:
There are several workarounds; here are two:
-- Restart the tmrouted daemon:
bigstart restart tmrouted
-- Recreate the affected virtual address.
Fix:
The kernel route is now present in the ZebOS routing table after mcpd daemon restart.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
752077-4 : Kerberos replay cache leaks file descriptors
Links to More Info: BT752077
Component: Access Policy Manager
Symptoms:
APMD reports 'too many open files' error when reading HTTP requests:
-- err apmd[15293]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 113 Msg: epoll_create() failed [Too many open files].
-- err apmd[15293]: 01490000:3: ApmD.cpp func: "process_apd_request()" line: 1801 Msg: Error 3 reading/parsing response from socket 1498. strerror: Too many open files, queue size 0, time since accept
There are file descriptor dumps in /var/log/apm showing many deleted files with name krb5_RCXXXXXX:
-- err apmd[15293]: 01490264:3: 1492 (/shared/tmp/krb5_RCx8EN5y (deleted)) : cloexec, Fflags[0x8002], read-write
-- err apmd[15293]: 01490264:3: 1493 (/shared/tmp/krb5_RCnHclFz (deleted)) : cloexec, Fflags[0x8002], read-write
-- err apmd[15293]: 01490264:3: 1494 (/shared/tmp/krb5_RCKGW8ia (deleted)) : cloexec, Fflags[0x8002], read-write
Conditions:
This failure may happen if the access policy uses Kerberos authentication, Active Directory authentication, or Active Directory query. The conditions under which the Kerberos replay cache leaks is unknown.
Impact:
APM end users experience intermittent log on issues.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
749332-1 : Client-SSL Object's description can be updated using CLI and with REST PATCH operation
Links to More Info: BT749332
Component: TMOS
Symptoms:
REST PUT fails to update the object description when proxy-ca-cert and proxy-ca-key are not configured, and triggers an error:
SSL forward proxy RSA CA key is missing.
Conditions:
Issue is seen only with REST PUT operation, and when proxy-ca-cert and proxy-ca-key are not configured.
Impact:
REST PUT operation cannot be used to update/modify the description.
Workaround:
You can use either of the following:
-- You can use TMSH to update/modify the description, even if proxy-ca-cert and proxy-ca-key are not configured.
-- You can also use PATCH operation and send only the required field which need modification.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.4
748886-4 : Virtual server stops passing traffic after modification
Links to More Info: BT748886
Component: Local Traffic Manager
Symptoms:
A virtual server stops passing traffic after changes are made to it.
Conditions:
-- Virtual server is using a port-list or address-list
-- High availability (HA) environment with multiple traffic groups
-- A change is made to the virtual server
Impact:
Every time you make changes to the virtual server, the traffic-group for the virtual address is changed, and traffic goes down.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
742753-8 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail
Links to More Info: BT742753
Component: TMOS
Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.
Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:
- Remove the Referer header.
- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.
Impact:
Users cannot log on to the BIG-IP system's WebUI.
Workaround:
As a workaround, you can do any of the following things:
- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).
- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).
- Modify the proxy solution so that it inserts compatible Referer and Host headers.
Fix:
CSRF checks based on HTTP headers pre-logon have been improved.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
738593-3 : Vmware Horizon session collaboration (shadow session) feature does not work through APM.
Links to More Info: BT738593
Component: Access Policy Manager
Symptoms:
When the VMware virtual desktop interface (VDI) is configured, session collaboration or shadow session does not work.
Conditions:
-- VMware VDI configured and Desktop resource is accessed with native client only.
-- Launch resources and VMware Horizon Client will use Blast protocol to display VMware sessions.
-- Shadow session is enabled in desktop.
Impact:
Desktop's Shadow session resource icon is not showed on webtop of native client.
Workaround:
None
Fix:
Users should see Desktop's shadow session icon when resources are loaded on to webtop of native client.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
724653-5 : In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync.
Links to More Info: BT724653
Component: TMOS
Symptoms:
In a device-group configuration, a BIG-IP administrator can add a non-synced object to a partition on one device, then delete that partition on a peer device, syncing the delete (this is assuming the partition is empty on the peer).
Although the config-sync operation will report as having completed successfully on both devices, and no errors will be visible in the /var/log/ltm file of either device, a number of issues can manifest at a later time.
For instance, assuming the non-synced object was a VLAN, listing all VLANs across all partitions will return the following error:
root@(bigip-ntr-d)(cfg-sync In Sync)(Active)(/)(tmos)# list net vlan recursive
01070712:3: Internal error, can't load folder or nested folder for: /test/my_vlan
And reloading the config will return the following error (as the partition has been deleted, including its flat config files):
root@(bigip-ntr-d)(cfg-sync In Sync)(Active)(/Common)(tmos)# load sys config
Loading system configuration...
/defaults/asm_base.conf
/defaults/config_base.conf
/defaults/ipfix_ie_base.conf
/defaults/ipfix_ie_f5base.conf
/defaults/low_profile_base.conf
/defaults/low_security_base.conf
/defaults/policy_base.conf
/defaults/wam_base.conf
/defaults/analytics_base.conf
/defaults/apm_base.conf
/defaults/apm_saml_base.conf
/defaults/app_template_base.conf
/defaults/classification_base.conf
/var/libdata/dpi/conf/classification_update.conf
/defaults/urlcat_base.conf
/defaults/daemon.conf
/defaults/pem_base.conf
/defaults/profile_base.conf
/defaults/sandbox_base.conf
/defaults/security_base.conf
/defaults/urldb_base.conf
/usr/share/monitors/base_monitors.conf
Loading configuration...
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
01070523:3: No Vlan association for STP Interface Member 1.2.
Unexpected Error: Loading configuration process failed.
These are just examples, and the exact failures will depend on the type of non-synced object and its use within your configuration.
Conditions:
-- Two or more devices in a device-group configuration.
-- Using partitions that contain non-synced objects.
-- Deleting the partition on a device and syncing the changes to the other devices.
Impact:
The partition is deleted on the peer device, even though it still contains non-synced objects. A number of config issues can arise at a later time as a result of this.
Workaround:
In some cases, if you need to define non-synced objects, you can do so in partitions or folders that are associated with 'device-group none' and 'traffic-group none'. This would prevent the partition or folder from synchronizing to other devices in the first place.
Fix:
Validation has been added that will make a config-sync receiver reject the operation if this includes the deletion of a non-empty partition. In this case, the config-sync will fail and report an error message similar to the following example:
0107082a:3: All objects from local device and all HA peer devices must be removed from a partition (test) before the partition may be removed, type ID (467), text ID (60706)
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5
723109-2 : FIPS HSM: SO login failing when trying to update firmware
Links to More Info: BT723109
Component: TMOS
Symptoms:
After FIPS device initialization when trying to update the FIPS firmware. It may fail on SO login.
Conditions:
When trying to update FIPS firmware.
Impact:
This will not be able to upgrade the FIPS firmware.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
720610-4 : Automatic Update Check logs false 'Update Server unavailable' message on every run
Links to More Info: BT720610
Component: TMOS
Symptoms:
The Automatic Update Check operation erroneously logs a message indicating that the Update Server is unavailable on every run, successful or not.
Conditions:
The BIG-IP system is configured to run the Automatic Update Check feature.
Impact:
Misleading 'PHONEHOME: Update Server unavailable' messages in the log file, implying that the update server is not available.
Workaround:
None.
Fix:
The Automatic Update Check operation no longer logs false messages.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.2.7, 13.1.3
717806-8 : In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured
Links to More Info: BT717806
Component: Local Traffic Manager
Symptoms:
Load average peaks are observed when a high number of monitors (>= 200) are configured across 'n' bigd instances.
Conditions:
When a high number of monitors are configured across 'n' bigd instances. CPU load peaks appear and disappear periodically.
Impact:
No performance impact
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
713754-3 : Apache vulnerability: CVE-2017-15715
Links to More Info: K27757011
693473-8 : The iRulesLX RPC completion can cause invalid or premature TCL rule resumption
Links to More Info: BT693473
Component: Local Traffic Manager
Symptoms:
RPC completion will attempt to resume the RPC iRule execution when there is subsequent iRule activity on the flow - CLIENT/SERVER_CLOSED, for instance, which keeps the flow alive and blocks in an iRule event.
Conditions:
Blocking the iRule event When an RPC call is outstanding and the flow is aborted.
Impact:
It will cause the iRule event blocking when RPC call is outstanding and the flow is aborted
Workaround:
None
Fix:
Cancel ILX RPC TCL resumption if iRule event is aborted before resumption (reply or timeout) occurs.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
686783-1 : UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters.
Links to More Info: BT686783
Component: Traffic Classification Engine
Symptoms:
If a UrlCat custom database feed list has URLs containing a www prefix or capital letters, the URLs are not categorized when queried.
Conditions:
The UrlCat custom database feed list with URL containing www prefix or capital letters,
Impact:
Improper classification
Workaround:
Using an iRule can help classify the URL.
Fix:
Normalized the URL before putting in the custom database.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
674026-6 : iSeries AOM web UI update fails to complete.★
Links to More Info: BT674026
Component: TMOS
Symptoms:
Upon upgrading a BIG-IP version, AOM web UI updates can sometimes fail.
Conditions:
This occurs when upgrading a BIG-IP system's software version on iSeries platforms.
Impact:
After booting to a new version, the AOM web UI update fails with an error message in /var/log/ltm similar to the following:
err bmcuiupdate[20824]: Failed updated AOM web UI with return code 2
Workaround:
At the bash prompt run:
/etc/lcdui/bmcuiupdate
This triggers another upgrade attempt, and the result is logged in /var/log/ltm. This should not be service-affecting.
Fix:
AOM web UI update failures are now automatically corrected.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
672963-1 : MSSQL monitor fails against databases using non-native charset
Links to More Info: BT672963
Component: Local Traffic Manager
Symptoms:
MSSQL monitor is fails against databases using non-native charset.
Conditions:
MSSQL monitor configured to monitor a database that is using non-native charset (ISO-8859-1).
Impact:
MSSQL monitoring always marks node / member down.
Workaround:
On BIG-IP v13.x and v14.0.x, you can work around this issue using the following steps:
1. Log in to the BIG-IP console into a bash prompt.
2. Run the following command:
mount -o remount,rw /usr; ln -s /usr/java-64/openjdk/lib/charsets.jar /usr/java/openjdk/lib/charsets.jar; mount -o remount,ro /usr
3. Restart bigd:
bigstart restart bigd
Fix:
MSSQL monitor can be used effectively against a database using a non-native charset.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
669046-7 : Handling large replies to MCP audit_request messages
Links to More Info: BT669046
Component: TMOS
Symptoms:
When receiving very large replies to MCP messages (e.g., when viewing audit logs from the GUI), MCP can run out of memory and produce a core file. This is due in part to the amount of data returned, and also due in part to memory handling.
In a production environment, fragmentation naturally occurs over the lifetime of MCP, thus increasing the odds of this happening. In addition, larger configurations cause more space to be consumed in MCPD and might more easily lead to the fragmentation, resulting in this issue.
Conditions:
Receiving very large replies to MCP messages (e.g., from audit_request messages, which occurs when you view audit logs from the GUI).
Memory usage is already high.
Impact:
Allocation of memory for viewing the audit logs fails. MCP can run out of memory and produce a core file.
Workaround:
Use tmsh/bash to view the audit logs instead of the GUI when audit logs are extremely large and memory usage is already high.
Fix:
Viewing audit logs in the GUI is now limited to 10,000 lines, so this issue no longer occurs.
Behavior Change:
The GUI is limited to viewing no more than 10,000 lines of the audit log.
You can use tmsh/bash to view audit logs larger than 10,000 lines.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
662301-8 : 'Unlicensed objects' error message appears despite there being no unlicensed config
Links to More Info: BT662301
Component: TMOS
Symptoms:
An error message appears in the GUI:
This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.
Examination of the configuration and license shows that there are no configuration errors or unlicensed configuration objects. The device is operational.
Conditions:
The BIG-IP system is licensed and the configuration loaded.
Impact:
Error message appears in the GUI stating that the device is not operational. However, the device is operational.
Workaround:
On an appliance, restart mcpd by running the following command:
bigstart restart mcpd
On a VIPRION or vCMP guest running on a VIPRION, restart MCPD on all blades by running the following command:
clsh bigstart restart mcpd
Note: This causes a system to go offline while services restart. Traffic disrupted while services restart.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
574762-4 : Forwarding flows leak when a routing update changes the egress vlan
Links to More Info: BT574762
Component: Local Traffic Manager
Symptoms:
Forwarding flow doesn’t expire and leaks a connflow object.
Conditions:
Conditions to hit this are a route change on forwarded flows.
Impact:
Memory leak.
Workaround:
None
Fix:
Fixed a memory leak with forwarding flows.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
528894-5 : Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition
Links to More Info: BT528894
Component: TMOS
Symptoms:
Configuration stanzas that do not belong in the files of a non-Common partition appear there. These stanzas could include, for example, 'net trunk' or 'sys ha-group' objects.
Conditions:
-- The system includes partitions other than Common.
-- Configuration in a partition other than Common is modified.
-- A Config-Sync operation not involving an overwrite takes place (it is also possible to reproduce this issue on a standalone BIG-IP system by doing a save operation like the following: "tmsh save sys config partitions { Common other }").
Impact:
/config/partitions/<partition_name>/bigip_base.conf will contain extraneous config stanzas (such as the ones mentioned in Symptoms).
/config/bigip_base.conf will no longer contain config stanzas that belong there.
Note that the impact is mostly cosmetic. An affected device will still be able to correctly load its configuration even if some config stanzas appear in the wrong flat config file.
However, Administrators performing audits of the flat config files will be perplexed as to why some stanzas are moving back and forth between partitions.
Workaround:
If you wish to restore your flat config files to their proper state after the issue has already occurred, simply run "tmsh save sys config" on the affected device.
Alternatively, to prevent the issue in the first place, you can Config-Sync using the following command "tmsh run cm config-sync force-full-load-push to-group <device-group>".
Note that neither workaround is permanent and the issue will reoccur.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5
490138-1 : Kerberos Auth might fail in case BIG-IP is configured with multiple AAA Kerberos Servers
Links to More Info: BT490138
Component: Access Policy Manager
Symptoms:
In case BIG-IP is configured with multiple AAA Kerberos Server objects and those Kerberos Server uses different keytabs for different service account but for the same realm,
authentication may fail intermittently
Conditions:
- multiple AAA Kerberos Servers created
- AAA Kerberos servers are configured with different keytabs
- the keytabs are for different service accounts but for the same realm
Impact:
Kerberos authentication fails, user cannot log in
Workaround:
As a workaround, it is suggested to merge keytab files and use cumulative keytab file for all AAA Kerberos Servers
Administrator can merge keytab files with "ktutil" kerberos utility that is installed at BIG-IP.
1. run ktutil
2. load all the keytab files to merge using:
rkt <file>
3. you cal list currently loaded entries with "l"
4. after you load all required keytabs, save new keytab with
wkt <newfile>
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
435231 : Support RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral parameters
Links to More Info: K79342815, BT435231
Component: Local Traffic Manager
Symptoms:
RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) parameters are not supported.
Conditions:
This affects ciphersuites that use Diffie–Hellman Ephemeral (DHE) key exchange.
Impact:
Support for larger FFDHE groups will be chosen if offered by the client.
Note: You might notice an impact to performance as compared with the previously chosen DHE 1024.
Workaround:
None
Fix:
With the support for the FFDHE groups defined in RFC7919, the system now supports DHE2048, DHE3072, DHE4096 keys. The default DHE key size is 2048 bits. (In previous BIG-IP versions, the default was 1024 bits.)
You can configure this default value by enabling or disabling the DB variable tmm.ssl.dh1024. To do so, use the following TMSH command syntax:
modify sys db tmm.ssl.dh1024 value enable/disable
To use FFDHE2048, FFDHE3072, FFDHE4096 keys, you define them in a cipher rule, and then use this rule in a cipher group before associating it with an SSL profile.
Note: If you use a cipher rule that does not define any of the FFDHE2048, FFDHE3072, or FFDHE4096 groups (e.g., f5-default), this feature is not enabled.
For more information, and for steps to define these rules, see K79342815: BIG-IP support for RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) :: https://support.f5.com/csp/article/K79342815.
Behavior Change:
RFC7919 Negotiated FFDHE parameters are now supported.
The FFDHE2048, FFDHE3072, FFDHE4096 keys are supported in this release. The default is DHE 2048 bits.
In previous versions, the default DHE key size was 1024 bits. If you want to continue to use DHE 1024 you can enable db var tmm.ssl.dh1024, by default it is disabled.
For more information, and for steps to use this feature, see K79342815: BIG-IP support for RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) :: https://support.f5.com/csp/article/K79342815.
Fixed Versions:
17.0.0, 16.1.2.2
423519-5 : Bypass disabling the redirection controls configuration of APM RDP Resource.
Links to More Info: K74302282, BT423519
Component: Access Policy Manager
Symptoms:
User can bypass RDP resource redirection restrictions between RDP remote machine and local machine.
Conditions:
1. Create RDP resource. Disable redirection parameter.
2. Launch the resource.
3. Launch RDP Client, enable redirection parameter.
Impact:
User can bypass RDP resource restrictions.
Workaround:
NA
Fix:
User is not allowed to perform any redirection controls of the RDP resource.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1495217-3 : TMUI hardening
Component: TMOS
Symptoms:
In certain scenarios, TMUI does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
No workaround
Fix:
Best security practices are now applied.
Fixed Versions:
16.1.4.3, 15.1.10.4
1492361-2 : TMUI Security Hardening
Component: TMOS
Symptoms:
In certain scenarios, TMUI does not follow best practices when processing URLs.
Conditions:
N/A
Impact:
N/A
Workaround:
N/A
Fix:
TMUI now behaves as expected.
Fixed Versions:
16.1.4.3, 15.1.10.4
1391357-1 : Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address
Links to More Info: K000136909, BT1391357
1381357-2 : CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability
Links to More Info: K000137365, BT1381357
1366025-2 : A particular HTTP/2 sequence may cause high CPU utilization.
Links to More Info: K000137106, BT1366025
1361169-2 : Connections may persist after processing HTTP/2 requests
Links to More Info: K000133467, BT1361169
1360917-4 : TMUI hardening
Component: TMOS
Symptoms:
In certain situations, TMUI does not follow best security practices.
Conditions:
When a domain or subdomain of the BIG-IP system is shared with another host.
Impact:
N/A
Workaround:
Avoid having the BIG-IP share upper-level domain names with untrusted hosts.
Fix:
Best security practices are now followed.
Fixed Versions:
16.1.4.3, 15.1.10.4
1354253-2 : HTTP Request smuggling with redirect iRule
Links to More Info: K000137322, BT1354253
Component: Local Traffic Manager
Symptoms:
See: https://my.f5.com/manage/s/article/K000137322
Conditions:
See: https://my.f5.com/manage/s/article/K000137322
Impact:
See: https://my.f5.com/manage/s/article/K000137322
Workaround:
See: https://my.f5.com/manage/s/article/K000137322
Fix:
See: https://my.f5.com/manage/s/article/K000137322
Behavior Change:
HTTP Parser of HTTP message header (for requests and responses) performs additional checks on value for Content-Length header, allowing values, matching BNF definition in RFC2616 (only digits), not causing integer overflow, allowed in multiple instances both in comma-separated lists and multiple Content-Length headers. An additional check introduced for Transfer-Encoding header to allow only RFC-compliant combinations for this header.
Fixed Versions:
17.1.1.1, 16.1.4.2, 15.1.10.3
1324745-2 : An undisclosed TMUI endpoint may allow unexpected behavior
Links to More Info: K000135689, BT1324745
1317705-2 : TMM may restart on certain DNS traffic
Component: Advanced Firewall Manager
Symptoms:
The TMM may restart and leave a core while processing certain DNS traffic when AFM is licensed and enabled.
Conditions:
The BIG-IP is licensed and provisioned for AFM.
There is a listener processing DNS traffic.
Impact:
The TMM crashes and leaves a core file.
Workaround:
NA
Fix:
DNS traffic is handled as expected.
Fixed Versions:
17.1.1, 16.1.4
1316277-2 : Large CRL files may only be partially uploaded
Links to More Info: K000137796, BT1316277
Component: TMOS
Symptoms:
When updating a large CRL file in BIG-IP using tmsh, the file may only be partially read due to internal memory allocation failure.
Please note that the size of the CRL file causing this issue varies across hardware types, network bandwidth and usage, and system resources.
Conditions:
1. Using tmsh, a large CRL file is updated to an existing CRL.
2. This large CRL file is attached to multiple profiles.
3. The system is under heavy load
Impact:
When a large CRL file is attached to a profile, an update may indicate success when only a partial upload has occurred. Connections to VIP with this profile may have unexpected results, such as a certificate not being blocked as expected.
Workaround:
A large CRL file can be divided into smaller chunks and loaded into multiple profiles.
Fix:
If an error occurs during CRL upload or update, the profiles containing this partial CRL file will be invalidated and further connections to the VIP will be terminated. An error will be logged to /var/log/ltm whenever a CRL file read operation fails due to memory allocation.
The log received will look like:
01260028:2: Profile <profile name> - cannot load <CRL file location> CRL file error: unable to load large CRL file - try chunking it to multiple files.
Fixed Versions:
17.1.1, 16.1.4.2, 15.1.10.3
1315193-1 : TMM Crash in certain condition when processing IPSec traffic
Component: TMOS
Symptoms:
Under certain conditions the TMM may crash and leave a core when processing IPSec traffic.
Conditions:
The Big-IP is processing IPSec traffic.
Impact:
The TMM restarts
Workaround:
N/A
Fix:
IPSec traffic is handled as expected.
Fixed Versions:
17.1.1, 16.1.4
1314301-2 : TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled
Links to More Info: K000137334, BT1314301
1312057-1 : bd instability when using many remote loggers with Arcsight format
Component: Application Security Manager
Symptoms:
When using multiple arcsight remote loggers for an ASM policy, certain requests may cause bd to restart and leave a core file.
Conditions:
ASM policy is attached to VS.
Multiple remote storage loggers, using arcsight format are attached to vs.
Certain traffic patterns.
Impact:
bd will restart and leave a core file.
Workaround:
None.
Fix:
bd processes traffic as expected.
Fixed Versions:
17.1.1, 16.1.4
1297089-3 : Support Dynamic Parameter Extractions in declarative policy
Links to More Info: BT1297089
Component: Application Security Manager
Symptoms:
When a policy is exported in JSON format, the dynamic parameter extractions configuration is not exported to the policy file and when it is imported back into the policy, the dynamic extraction configuration is lost.
Conditions:
Policy contains Dynamic parameter extraction and it is exported in JSON format.
Impact:
Dynamic extraction configuration is lost.
Workaround:
Export the policy in xml or binary format.
Fix:
Added support in JSON policy also to dynamic parameter extractions.
Fixed Versions:
17.1.1, 16.1.4
1296489-3 : ASM UI hardening
Links to More Info: K000138047, BT1296489
1296469-2 : ASM UI hardening
Component: Application Security Manager
Symptoms:
The ASM UI does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
NA
Fix:
The ASM UI now follows best security practices.
Fixed Versions:
17.1.1, 16.1.4
1295661-2 : BIG-IP Edge Client for macOS vulnerability CVE-2023-38418
Links to More Info: K000134746, BT1295661
1292793-3 : FIX protocol late binding flows that are not PVA accelerated may fail
Links to More Info: BT1292793
Component: Local Traffic Manager
Symptoms:
FastL4 connections with late binding enabled typically used for FIX protocol can stall or hang if they are evicted from PVA and not re-offloaded.
Conditions:
- Late binding enabled on a FastL4 flow. The flow is not accelerated, and if the flow recieves approximately 50 packets, then it will hang. Captures would show packets ingressing to the BIG-IP and not being forwarded to the peer.
Impact:
Connection may stall.
Workaround:
Disable late binding. If late binding cannot be disabled, then
disable pva-flow-aging and pva-flow-evict to avoid the issue.
Fix:
FIX protocol flow works as expected.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1292093 : Neuron based HW SYN cookie broken due to ZBDDOS feature porting to 16.1.x
Links to More Info: BT1292093
Component: Advanced Firewall Manager
Symptoms:
In 16.1.x, Neuron based HW SYN cookie is broken.
Conditions:
-- Neuron-equipped hardware (BIG-IP iSeries)
-- Configure TCP Half Open at profile level.
-- Send Traffic.
-- Check HW SYN Cookies.
Impact:
This breaks the HW SYN cookie functionality
Workaround:
None
Fix:
Updates are implemented to return the correct parameters and HW SYN Cookie is working fine
Fixed Versions:
16.1.4
1291565-2 : BIG-IP generates more multicast packets in multicast failover high availability (HA) setup
Links to More Info: BT1291565
Component: Local Traffic Manager
Symptoms:
BIG-IP generates additional high availability (HA) multicast packets when the device name is changed.
Running the following commands shows the duplicate multicast entries on mgmt:mgmt interface on /var/log/sodlog file
# /usr/bin/cmd_sod get info
Conditions:
-- BIG-IPs configured with Multicast failover .
-- The self-device name is changed.
Impact:
BIG-IP multiplies the number of multicast packets when the device name is changed.
Workaround:
Restarting the sod would remove the duplicate multicast entries.
#bigstart restart sod
Fix:
Cleanup the multicast entries populated on old device name when the name is updated.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1291149-3 : Cores with fail over and message routing
Links to More Info: BT1291149
Component: Service Provider
Symptoms:
Seg faults for an active unit in an high availability (HA) pair when it goes to standby.
Conditions:
- Generic message routing is in use.
- high availability (HA) pairs
- This issue is observed when generic messages are in flight when fail over happens but there is some evidence that it can happen without fail over.
Impact:
This is a memory corruption issue, the effects are unpredictable and may not become visible for some time, but in testing seg faults leading to a core were observed in the device going to standby within 10-25s of the device failing over. This happened roughly for about 50% of the time but the effect will be sensitive to memory layout and other environmental perturbations.
Workaround:
None
Fix:
The MR message store iteration is fixed, no corruption or cores observed.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1290889-4 : TMM disconnects from processes such as mcpd causing TMM to restart
Links to More Info: K000134792, BT1290889
Component: TMOS
Symptoms:
When tunnels are in use on the BIG-IP, TMM may lose its connection to MCPD and exit and restart. At the time of the restart, a log message similar to the following will be seen in /var/log/ltm:
crit tmm6[19243]: 01010020:2: MCP Connection expired, exiting
When this occurs, in a default configuration, no core file is generated.
TMM may also disconnect unexpectedly from other services (i.e. tmrouted).
TMM may also suddenly fail to match traffic for existing virtual server connections against a connection flow. This could result in traffic stalling and timing out.
Conditions:
-- An IPsec, GRE or IPIP tunnel is in use.
Impact:
-- Traffic disrupted while tmm restarts.
-- Sudden poor performance
Workaround:
Do not use tunnels.
Fix:
TMM will not unexpectedly reset connections when tunnels are in use.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1289365-1 : The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode★
Links to More Info: BT1289365
Component: SSL Orchestrator
Symptoms:
The Proxy Select agent in the per-request policy does not select the pool or upstream proxy in explicit proxy mode. This prevents SSL Orchestrator or BIG-IP from forwarding the egress data to the upstream proxy.
Conditions:
- Proxy Select agent is used in the per-request policy.
- Proxy Select agent is set to explicit proxy mode.
- Flow is set to be bypassed using per-req policy agents such as IP Based SSL Bypass Set or dynamic bypass based on SSL profiles.
Impact:
SSL Orchestrator or BIG-IP does not forward any egress data to the upstream proxy.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1289189-3 : In certain traffic patterns, TMM crash
Links to More Info: K000137333, BT1289189
1287873 : Hardware mitigation is not working for a few SIP vectors
Links to More Info: BT1287873
Component: Advanced Firewall Manager
Symptoms:
Hardware mitigation not happening as int_drops are not incrementing
bd_stats are incrementing but SPVA stat bd_hit is not incrementing
Conditions:
Configure SIP vectors with the threshold levels in any Hardware platform and send the related traffic
Impact:
Hardware mitigation will not happen for SIP Vectors
Workaround:
NA
Fix:
Neuron rules had been written in the neuron chip for these vectors so that stats were counting correctly
Fixed Versions:
16.1.4
1287425 : Observed crash while running sweep flood tests
Links to More Info: BT1287425
Component: Advanced Firewall Manager
Symptoms:
While testing sweep flood tests, the TMM crashes.
Conditions:
The sweep flood test case was failing.
Impact:
TMM crash
Workaround:
None
Fix:
Fixed the issue where no crash is observed while testing the sweep flood tests.
Fixed Versions:
16.1.4
1287313-2 : SIP response message with missing Reason-Phrase or with spaces are not accepted
Links to More Info: BT1287313
Component: Service Provider
Symptoms:
BIG-IP drops SIP response messages that are missing the Reason-Phrase.
Conditions:
A SIP response message in this format
SIP/2.0 424 \r\n
are dropped
If the message has a reason text
Status-Line = SIP-Version SP Status-Code SP Reason-Phrase CRLF
Like this
SIP/2.0 404 Not Found\r\n
then it would not be dropped
Impact:
Connectivity issue.
Workaround:
None
Fix:
BIG-IP now accepts SIP response with Status-line missing a reason text.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1286101-1 : JSON Schema validation failure with E notation number
Links to More Info: BT1286101
Component: Application Security Manager
Symptoms:
An unexpected JSON Schema validation failure is seen with E notation number.
Conditions:
The E notation is without a dot.
For example, the following trigger this issue:
- 0E-8
- 0e-8
But, the following do not trigger this issue:
- 0.0E-8
- 0.0e-8
The problematic E notation number is used in object value, and the object is under an array, and the object is not the last member of the array.
Impact:
False positive.
Workaround:
Use E notation with a dot or disable schema validation violation.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1285173-3 : Improper query string handling on undisclosed pages
Links to More Info: K000133474, BT1285173
1284993-1 : TLS extensions which are configured after session_ticket are not parsed from Client Hello messages
Links to More Info: BT1284993
Component: Local Traffic Manager
Symptoms:
When the client Hello message contains session_ticket extension, it was observed that the extensions which are configured after the session ticket extension were not processed and all the extensions are being ignored.
Conditions:
Configure SSL extensions along with session_ticket extension.
Impact:
A few requests are not forwarded correctly, for example, in scenario where server_name extension is configured after session_ticket but due to the current issue, [SSL::extensions exists -type 0] is returning 0 even though the server_name extension is present in Client Hello.
Workaround:
Configure all the required extensions before the session_ticket extension.
Fix:
TLS extensions which are configured after session_ticket are not parsed from Client Hello messages. Changes have been made in such a way that ext_sz variable which holds the size of all the extns configured in client Hello message is not limited to SSL_SZ_SESSIONID which is 32 bytes.
Fixed Versions:
17.1.1, 16.1.4
1284969-1 : Adding ssh-rsa key for passwordless authentication
Links to More Info: BT1284969
Component: TMOS
Symptoms:
In FIPS 140-3, SSHD does not support the ssh-rsa key for passwordless authentication.
Conditions:
The system must be in FIPS 140-3 mode.
Impact:
SSHD does not support the ssh-rsa key for passwordless authentication.
Workaround:
None
Fix:
SSHD should support the ssh-rsa key for passwordless authentication.
Fixed Versions:
17.1.0.1, 16.1.4
1284589-2 : HTTP CONNECT request from client is not successful with iRule HTTP::disable discard command
Links to More Info: BT1284589
Component: Local Traffic Manager
Symptoms:
When you use HTTP::disable discard command, proxy connect/ connection to server is not established.
Conditions:
-> Basic HTTP VS
-> iRule
when HTTP_REQUEST {
HTTP::disable discard
node <ip port>
}
Impact:
HTTP CONNECT requests from clients hangs.
Workaround:
Use HTTP::disable command
Fixed Versions:
16.1.4
1283645 : Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued
Links to More Info: BT1283645
Component: Access Policy Manager
Symptoms:
The WebView based End Point Inspection does not work in Mac Edge Client.
Conditions:
When using Edge Client on MacOS "Ventura" 13.3 Beta2 and later.
Impact:
Affected MacOS Edge client is unable to proceed with establishing the VPN connection.
Workaround:
Use the browser-based VPN. Note that there are some limitations if you are using your VPN in the AutoConnect mode and in the Blocked mode; it means the system cannot access the external network until you are disconnected.
The issue is not fixed in the BIG-IP versions 14.1.5.5, 16.1.3.5, and 17.1.0.2 releases. Refer to the KB article K000134990 for recommended actions.
Fix:
The issue is fixed by invoking the EPI helper application instead of the inspection host plugin in Mac Edge Client running on 13.3 and newer.
For more details on the deployment of the fix, refer to the K000133476 article.
For more details regarding the issue, refer to the K000132932 article.
Fixed Versions:
17.1.0.3, 16.1.4, 15.1.9, 14.1.5.6
1282357-1 : Double HTTP::disable can lead to tmm core
Links to More Info: BT1282357
Component: Local Traffic Manager
Symptoms:
Calling the HTTP::disable command more than once in an irule can result in the tmm process crashing.
Conditions:
->Basic http configuration
-> iRule
when CLIENT_ACCEPTED {
set collects 0
TCP::collect
}
when CLIENT_DATA {
if { $collects eq 1 } {
HTTP::disable
HTTP::disable
}
TCP::release
TCP::collect
incr collects
}
when HTTP_REQUEST {
log local0. "Request"
}
when HTTP_DISABLED {
log local0. "Disabled"
}
Impact:
BIG-IP may crash during an HTTP CONNECT request from a client.
Workaround:
Avoid calling HTTP::disable more than once per connflow
Fix:
Treat disable via iRule as a NOP when a disable is in progress
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1282181-1 : High CPU or increased translation errors following upgrade or restart when DAG distribution changes
Component: TMOS
Symptoms:
Dagv2 tables are randomized and may change when a tmm is restarted. This can result in a change of traffic distribution, which in some cases may lead to traffic disruption.
The specific condition when this option was introduced is using a CGNAT pool that is not large enough.
Other ways of encountering include increased translation failed errors following an upgrade or restart or blade replacement.
Conditions:
- tmm is restarted (or chassis rebooted)
Impact:
- dag distribution changes which may cause a traffic disruption.
Workaround:
You can restart tmm until the distribution is good, which can be checked using tools like cmp_dest.
Fix:
Added a DB variable to control dagv2 behavior.
A tmm restart is required after locking the new dag tables.
Behavior Change:
A new DB variable is available that allows you to lock the current dagv2 tables:
tmsh modify sys db dag.dagv2.pgs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_pgs -s table)
tmsh modify sys db dag.dagv2.hsbs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_hsbs -s table)
tmsh modify sys db dag.dagv2.mirror.pgs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_mirror_pgs -s table)
tmsh modify sys db dag.dagv2.mirror.hsbs value $(tmctl -d blade -q -L 1 tmm/daglib_dagv2_mirror_hsbs -s table)
It's important to store both normal and mirroring tables because of internal dag workings.
The change also requires cmp state to be the same as defined in tables - this is important in case a blade is lost etc.
This also works on SP DAG in LSN NAPT deployments
Fixed Versions:
16.1.4
1281709-3 : Traffic-group ID may not be updated properly on a TMM listener
Links to More Info: BT1281709
Component: Local Traffic Manager
Symptoms:
A few virtual servers may belong to incorrect traffic-group after a full sync or when mcp transaction is performed.
Conditions:
- The BIG-IP High Availability (HA) is configured with full load on sync.
- Traffic-group is changed on a virtual-address belonging to multiple virtuals.
- Sync happens, leaving the device receiving a sync in an incorrect state.
OR
An MCP transaction that is updating a virtual-address along with a profile change on a virtual-server is executed.
Impact:
Listeners may not belong to a correct traffic group and the the traffic is not forwarded.
Workaround:
Use an incremental sync. Do not use MCP transactions.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1281637-1 : When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE
Links to More Info: BT1281637
Component: Local Traffic Manager
Symptoms:
A RST_STREAM is observed from BIG-IP to server after receiving response from server.
Conditions:
- HTTP/2 full proxy configuration.
- Server to send a DATA_FRAME with END_STREAM flag with a delay.
Impact:
Once the server gets around to process the RST_STREAM, it stops accepting new requests on that connection.
Workaround:
None
Fix:
The message HUDEVT_RESPONSE_DONE is delayed until the HTTP completes EV_BODY_COMPLETE action.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1271349-3 : CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy
Links to More Info: K000133098, BT1271349
1269889-3 : LTM crashes are observed while running SIP traffic and pool members are offline
Links to More Info: BT1269889
Component: Service Provider
Symptoms:
Crash may occur while processing HTTP traffic that involves persist record and the use of pick_host, following is an example:
set dest_host [MR::message pick_host peer
Conditions:
- When all pool members are offline or there are no pool members in the pool.
Impact:
TMM is inoperative while reloading after crash.
Workaround:
Avoid use of the following pick_host, particularly the use of carp:
MR::message pick_host peer <peer-object-name> [carp <carp-key>]
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1269733-3 : HTTP GET request with headers has incorrect flags causing timeout
Links to More Info: BT1269733
Component: Local Traffic Manager
Symptoms:
The 504 Gateway Timeout pool member responses are generated from a Microsoft webserver handling HTTP/2 requests.
The tcpdump shows that the HTTP/2 stream sends the request without an appropriate End Stream flag on the Headers packet.
Conditions:
The server has to provide settings with max-frame-size small enough to force BIG-IP to split the headers across multiple HTTP/2 frames, otherwise this issue does not occur.
Impact:
The HTTP GET request causing timeout.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1268521 : SAML authentication with the VCS fails when launching the applications/remote desktops from the APM Webtop when multiple RD resources are assigned to the APM Webtop
Links to More Info: BT1268521
Component: Access Policy Manager
Symptoms:
User fails to authenticate when VMware VDI with SAML authentication is used with multiple RD resources assigned to Webtop.
Conditions:
1. Webtop is used to connect to a remote desktop.
2. Multiple VCS servers are used.
3. SAML authentication is configured in remote desktop SSO configuration.
Impact:
Remote desktop is not opened.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1265425-2 : Improper query string handling on undisclosed pages
Links to More Info: K000134535, BT1265425
1259489-3 : PEM subsystem memory leak is observed when using PEM::subscriber information
Links to More Info: BT1259489
Component: Policy Enforcement Manager
Symptoms:
TMM may show a higher memory allocation in the PEM category observed in the memory_usage_stat table.
Conditions:
- PEM is provisioned.
- PEM iRules are used that access PEM::session or PEM::subscriber information.
Impact:
TMM can have excessive memory consumption.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1256841-1 : AWS Metadata crawling fails due to incorrect cloud provider name set by cloud-init script
Links to More Info: BT1256841
Component: TMOS
Symptoms:
On the customer’s BIG-IP instances, the cloud-init script fails to render the cloud provider’s name correctly. And so, cloud_name=unknown is set.
Conditions:
Deploy BIG-IP VE on AWS in autoscaling group (1-NIC deployments) using Terraform.
Impact:
Whenever the cloud provider is not set to AWS, the DataSourceEc2.py cloud-init script, which is supposed to set up minimal network config with an ephemeral interface including fetching DHCP lease info, fails to do what it is supposed to and as a result metadata service is unreachable
Workaround:
The Identify_aws function is responsible to set the cloud name as AWS. The existing function fails when the network is not up. The customer had faced a similar issue. I have modified the function to check for UUID and serial. As these are available during boot-up itself, we are not dependent on network status.
Fix:
Cloud-init now renders the cloud provider name (AWS) successfully. It does not depend on the network status anymore. Thus, AWS metadata crawling goes through smoothly.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1256777-3 : In BGP, as-origination interval not persisting after restart when configured on a peer-group.
Links to More Info: BT1256777
Component: TMOS
Symptoms:
When as-origination interval is configured on a peer-group the setting might not survive a process restart or configuration reload.
Conditions:
- When as-origination interval is configured on a peer-group.
Impact:
The as-origination interval resets to default (15s) after a process restart or configuration reload.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4
1252537-3 : Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role
Links to More Info: BT1252537
Component: TMOS
Symptoms:
The Resource Admin role has reboot and shutdown options are available in GUI but unavailable in TMSH.
Conditions:
- Resource Admin accessing reboot and shutdown options in TMSH.
Impact:
Limited availability, forces Resource Admin to use GUI.
Workaround:
Resource admin can still use GUI to initiate a reboot or shutdown.
Fix:
Resource Administrator can now initiate a reboot and shutdown using both the GUI or TMSH.
Fixed Versions:
17.1.1, 16.1.4
1252005 : VMware USB redirection does not work with DaaS
Links to More Info: BT1252005
Component: Access Policy Manager
Symptoms:
User is unable to access a USB device connected to the client machine in remote desktop using an APM VDI and VMware DaaS setup.
Note: This works as expected if a VCS server is used.
Conditions:
1. VMware DaaS setup is used
2. APM VDI desktop resource is accessed from native client or desktop
Impact:
USB device is not available.
Workaround:
None.
Fix:
USB device should be available
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1250085-3 : BPDU is not processed with STP passthough mode enabled in BIG-IP
Links to More Info: BT1250085
Component: Local Traffic Manager
Symptoms:
- Connected interfaces under a VLAN.
- Bridge Protocol Data Unit (BPDU) is not transmitted through BIG-IP which is in passthrough mode.
- Can see DST MAC STP (Mac: 01:80:c2:00:00:00) IN packets and missing OUT packets in TCP dump.
- No packet drop for DST MAC PVST (MAC:01:00:0C:CC:CC:CD) and VTP (MAC:01:00:0C:CC:CC:CC).
tshark -nnr < .pcap >
Conditions:
- Platforms C117, C115, C112, and C113
Impact:
BPDU packets will not pass through other devices if BIG-IP is in the middle of the topology with passthrough mode enabled.
Workaround:
None
Fix:
STP passthrough mode now works as expected on C117, C115, C112, and C113 platforms
Fixed Versions:
17.1.1, 16.1.4
1240937-3 : The FastL4 TOS specify setting towards server may not function for IPv6 traffic
Links to More Info: BT1240937
Component: Local Traffic Manager
Symptoms:
The ip-tos-to-server setting in a FastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a serverside flow. There are three special values mimic, pass-through, and specify.
The "specify" setting causes the TMM to set the egress TOS to the specific value configured from GUI for that connflow.
The IPv6 serverside egress TOS is not set to the expected "specify" value. No issue is observed with IPv4 connflow.
Conditions:
- FastL4 profile with ip-tos-to-client set to "specify" with value.
-Connflow is IPv6.
Impact:
The IPv6 serverside egress TOS is not set to the expected value.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1240121-1 : CVE-2023-46747 and CVE-2022-36760: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp
Links to More Info: K000132643, BT1240121
1239901-2 : LTM crashes while running SIP traffic
Links to More Info: BT1239901
Component: Service Provider
Symptoms:
LTM crashes are observed while running SIP traffic.
Conditions:
Crash may occur while processing HTTP traffic that involves persist record and the use of pick_host, following is an example:
set dest_host [MR::message pick_host peer
Impact:
TMM is inoperative while reloading after crash.
Workaround:
Avoid use of the following pick_host, particularly the use of carp:
MR::message pick_host peer <peer-object-name> [carp <carp-key>]
Fix:
TMM does not crash while running SIP traffic.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1238693-2 : Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519
Links to More Info: BT1238693
Component: TMOS
Symptoms:
In FIPS 140-3 mode, SSHD does not support rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms, it supports ed25519 which is not FIPS approved.
Conditions:
System must be in FIPS 140-3 mode.
Impact:
SSHD does not support rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms, it supports ed25519 which is not FIPS approved.
Workaround:
None
Fix:
SSHD should support rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and must reject ED25519.
Fixed Versions:
17.1.0.1, 16.1.4
1238629-1 : TMM core when processing certain DNS traffic with bad actor (BA) enabled
Links to More Info: K000137521, BT1238629
1238413-3 : The BIG-IP might fail to update ARL entry for a host in a VLAN-group
Links to More Info: BT1238413
Component: Local Traffic Manager
Symptoms:
ARP requests through a transparent or translucent VLAN-group might fail.
The command "tmsh show net arp" displays the VLAN as the VLAN-group rather than a child VLAN. This symptom might be intermittent.
Conditions:
- A transparent or translucent VLAN-group is configured.
- ARP requests passing through the VLAN-group.
- Higher gaps (approximately 9 hours) in layer 2 traffic seen by the BIG-IP from the target of the ARP request.
Impact:
ARP resolution failure.
Workaround:
Create a monitor on the BIG-IP to monitor the target of the ARP resolution. This will ensure that layer 2 traffic is seen by the BIG-IP from that host, keeping the ARL entries current.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1238321-4 : OpenSSL Vulnerability CVE-2022-4304
Links to More Info: K000132943
1238249-1 : PEM Report Usage Flow log is inaccurate
Links to More Info: BT1238249
Component: Policy Enforcement Manager
Symptoms:
PEM Report Usage Flow log for Flow-duration-seconds and Flow-duration-milli-seconds sometimes report incorrectly.
Conditions:
- HSL logging is configured.
Impact:
The statistics for flow duration report longer than the actual, this can result in showing incorrect data and can impact the policy behaviour.
Workaround:
None
Fix:
Updated the flow duration calculation for Flow-duration-seconds and Flow-duration-milli-seconds.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1235813-9 : OpenSSL vulnerability CVE-2023-0215
Links to More Info: K000132946, BT1235813
1235801-4 : OpenSSL vulnerability CVE-2023-0286
Links to More Info: K000132941, BT1235801
1232997-1 : IPSEC: The tmm process may exit with 'Invalid policy remote index'
Links to More Info: BT1232997
Component: TMOS
Symptoms:
The tmm process restarts after logging the following message to /var/log/tmm*:
notice panic: iked/isakmp.c:2338: Assertion "Invalid policy remote index" failed.
Conditions:
May occur during an SA deletion or an update of IPsec configuration.
Impact:
Unexpected high availability (HA) failover, or interruption to traffic processing on a standalone unit, while the tmm process restarts.
Workaround:
None
Fix:
When the remote index is null, the system gracefully fails the init packet creation. Continuous traffic to the BIG-IP system retriggers the tunnel, and the IPsec config will be updated by then.
Fixed Versions:
16.1.4, 15.1.10
1232977-3 : TMM leaking memory in OAuth scope identifiers when parsing scope lists
Links to More Info: BT1232977
Component: Access Policy Manager
Symptoms:
It is observed that oauth_parse_scope fails to increment the index then storing discrete scope identifiers into the output array. Thus all scope identifiers are stored in element 0 and all but the last element parsed are leaked.
Conditions:
OAuth functionality, scope comparisons happen if a scope is provided in request.
Impact:
Failure of High Availability (HA) due to memory issues in TMM over time.
Workaround:
None
Fix:
Increment the index so that all scope identifiers are stored and parsed without any leaks.
Fixed Versions:
17.1.1, 16.1.4
1232521-2 : SCTP connection sticking on BIG-IP even after connection terminated
Component: TMOS
Symptoms:
After an SCTP client has terminated, the BIG-IP still shows the connection when issuing "show sys conn protocol sctp"
Conditions:
Under certain conditions, an SCTP client connection may still exist even if the client has sent a SHUTDOWN request.
Impact:
Memory resources will be consumed as these type of lingering connections accumulate
Fix:
SCTP connections are properly internally closed when required.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1230709-1 : Remove unnecessary logging with nsec3_add_nonexist_proof
Links to More Info: BT1230709
Component: Global Traffic Manager (DNS)
Symptoms:
For few DNSSEC queries to non-existent domains, NSEC3 records will be missing.
Following log message is included:
nsec3_add_nonexist_proof: to_prove returns NULL with qname
Conditions:
Receives DNSSEC request to a non-existent query.
Impact:
Missing NSEC3 records.
Workaround:
None
Fixed Versions:
16.1.4, 15.1.10
1229417-2 : BIG-IP iRulesLX: CVE-2020-7774 nodejs-y18n prototype pollution vulnerability
Component: Local Traffic Manager
Symptoms:
A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality.
It may cause denial of service and data integrity when untrusted input via locale.
Conditions:
Denial of service or in rare circumstances, impact to data integrity or confidentiality
Impact:
When node inspector gets untrusted input passed to y18n, it may affect data confidentiality and system availability.
Workaround:
NA
Fix:
The library has been patched to address the issue.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1229369-3 : The fastl4 TOS mimic setting towards client may not function
Links to More Info: BT1229369
Component: Local Traffic Manager
Symptoms:
The ip-tos-to-client setting in a fastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a clientside flow. There are two special values - 'mimic' and 'pass-through'.
The mimic setting causes tmm to set the egress TOS to the value seen on the last ingress packet for that connflow.
In affected versions of BIG-IP, this is not set correctly, and behaves like pass-through (uses the TOS value seen arriving on the serverside flow)
Conditions:
FastL4 profile with ip-tos-to-client set to "mimic" (shown as the value 65534 in tmsh)
Impact:
The clientside egress TOS is not set to the expected value
Workaround:
Use an irule to set IP::tos to the desired value. Note that processing every packet with an irule will incur a performance penalty.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1226121-2 : TMM crashes when using PEM logging enabled on session
Links to More Info: BT1226121
Component: Policy Enforcement Manager
Symptoms:
TMM may crash when using PEM logging.
Conditions:
When a sessions has PEM logging enabled on it:
pem global-settings subscriber-activity-log
Impact:
TMM crashes and restarts, losing all prior connection.
Workaround:
Disabling PEM logging on sessions will avoid the issue.
Fix:
PEM session logging can be used as expected.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1225789-2 : The iHealth API is transitioning from SSODB to OKTA
Links to More Info: BT1225789
Component: TMOS
Symptoms:
The iHealth is switching to OKTA from using SSODB for authentication. The ihealth-api.f5.com and api.f5.com are replaced by ihealth2-api.f5.com and identity.account.f5.com.
Conditions:
- Authentication
Impact:
Qkview file will not be uploaded to iHealth automatically.
Workaround:
Qkview file must be uploaded manually to iHealth.
Fix:
Qkview file will be uploaded to iHealth automatically once Client ID and Client Secret are configured.
TMSH interface will still display ihealth user/password rather than client ID/ Client Secret. For more details, see article K000130498.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1224409 : Unable to set session variables of length >4080 using the -secure flag
Links to More Info: BT1224409
Component: Access Policy Manager
Symptoms:
Secure Session Variables are limited to 4k length in the access filter, unable to set variables of length >4080 using the "ACCESS::session data set -secure". On trial an error "Operation not supported" gets raised in LTM.
Conditions:
The limit imposed on the maximum URI in CL1416175 in 2015 restricts setting secure session variables greater than 4K in size.
Impact:
Customers have the requirement of setting variables more than 6K in length, but due to internal limits imposed on the session variables they are unable to capture them in the session.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1224125-1 : When you upgrade to 16.1.3.2 or 17.1, keys that are not approved in FIPS 140-3 are permitted to be used.
Links to More Info: BT1224125
Component: TMOS
Symptoms:
As part of the upgrade from older versions to 16.1.3.2 and 17.1, the use of non-approved keys as per FIPS 140-3 standards is permitted for RSA keys with a length of 1024 and 512 bits, as well as for EC521, DSA, and SM2 keys.
It should be noted that the creation of new keys is not permitted.
Conditions:
The FIPS 140-3 non-approved ciphers, that is, RSA keys with a length of 1024 and 512 bits, EC521, DSA and SM2 keys are only permitted in the following cases:
1) When upgrading from the older versions to FIPS 140-3 supported versions (16.1.3.2 and 17.1)
2) Importing UCS from the older versions to FIPS 140-3 supported versions (16.1.3.2 and 17.1)
Impact:
Non-Approved keys could exist in the configuration after the BigIP version upgrade and UCS installation on a FIPS 140-3 approved system.
Workaround:
When upgrading or installing UCS, ensure that you do not use any non-approved ciphers (as per FIPS 140-3) in the configuration.
Fix:
Added a warning message in /var/log/ltm when non-approved keys are imported during upgrade or UCS installation
Sample log:
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b5004e:4: /Common/TEST_KEY_SI_2.key: FIPS 140-3 mode does not support the use of key sizes 512 and 1024.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b5004e:4: /Common/TEST_KEY_SI_23.key: FIPS 140-3 mode does not support the use of key sizes 512 and 1024.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b50050:4: /Common/TEST_KEY_TYPE_DSA2.key: FIPS 140-3 mode does not support the use of private and public keys of type DSA and SM2.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b50050:4: /Common/TEST_KEY_TYPE_DSA.key: FIPS 140-3 mode does not support the use of private and public keys of type DSA and SM2.
Jan 18 05:22:40 bigip1.localdomain warning mcpd[15163]: 01b50052:4: /Common/TEST_KEY_curve3.key: FIPS 140-3 mode does not support EC curve secp521r1.
Fixed Versions:
17.1.0, 16.1.4
1223369-3 : Classification of certain UDP traffic may cause crash
Links to More Info: K000135946
1220629-3 : TMM may crash on response from certain backend traffic
Links to More Info: K000137675, BT1220629
1216573-1 : AFM Learning Domain issue when trying with many valid domains
Links to More Info: BT1216573
Component: Advanced Firewall Manager
Symptoms:
Trying with too many valid domains and not all these domains have entries created in the NXDOMAIN table when they are trying to do learning.
Conditions:
The NXDOMAIN vector is enabled be it at the device level, virtual server level, or at both levels.
Impact:
We will not be able to honor the legitimate DNS A query when we have an NXDOMAIN attack detected.
Workaround:
None
Fixed Versions:
16.1.4
1216297-1 : TMM core occurs when using disabling ASM of request_send event
Links to More Info: BT1216297
Component: Application Security Manager
Symptoms:
When adding an iRule to disable ASM on request_send event, the TMM core occurs.
Conditions:
ASM is provisioned and attached to policy.
Add iRule that disables ASM and HTTP on HTTP_REQUEST_SEND event.
Impact:
TMM cores, system is down.
Workaround:
Remove the iRule, or disable ASM for all events of the URL.
Fixed Versions:
17.1.1, 16.1.4
1215401-1 : Under Shared Objects, some country names are not available to select in the Address List
Links to More Info: BT1215401
Component: Advanced Firewall Manager
Symptoms:
Users can create a shared object list to define countries to block traffic from. On searching a name, a list will be shown from which the user can choose and add it to the address list.
There is a limit of only 8 entries in the drop-down menu to choose from.
Some countries are not shown in this list due to the ordering of entries returned from the database.
Conditions:
DOS is enabled
Impact:
As some countries are not available to select, they cannot be included in the Address List to block traffic.
Workaround:
Instead of the country (which is not available to select), all the regions within the country can be added to the block list. This is very cumbersome and error-prone as the list of regions should be known that are configurable in BIG IP.
Fix:
The database query is modified such that the list of countries is ordered first followed by a list of countries with regions.
Fixed Versions:
16.1.4, 15.1.9
1213469-1 : MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP is dropped
Links to More Info: BT1213469
Component: Service Provider
Symptoms:
BIG-IP does not translate the SDP or via headers IP with listener IP for an outbound call which causes it to drop the 200 OK response.
Conditions:
In SIP ALG, the INVITE request contains an FQDN Route header.
Impact:
Media pinholes are not created for INVITE.
Workaround:
In the SIP_REQUEST event, a specific Route header could be removed and Insert it again in the SIP_REQUEST_SEND event before sending the request out. For example,
when SIP_REQUEST {
set pd_route_hdr_count [SIP::header count Route]
set pd_route_unset 0
set pd_route [SIP::header Route]
if {[SIP::method] == "INVITE" && ($pd_route_hdr_count equals 1) && $pd_route contains "sip:someclient.site.net;lr" } then {
SIP::header remove "Route"
set pd_route_unset 1
}
}
when SIP_REQUEST_SEND {
if {[SIP::method] == "INVITE" && ($pd_route_unset == 1)} {
SIP::header insert "Route" $pd_route
}
}
Fix:
In SIP ALG, if the Route header is FQDN in INVITE, then it should allow it to pass without any modification.
Fixed Versions:
17.1.1, 16.1.4
1213333 : Check box to select all attack signatures does not work properly
Links to More Info: BT1213333
Component: Application Security Manager
Symptoms:
The check box to select all attack signatures does not select all attack signatures correctly
Conditions:
After creating ASM policy navigate to attack-signatures section :
Security ›› Application Security : Security Policies : Policies List ›› phpauction
Click on the check box
Impact:
Attack signatures are not selected properly
Workaround:
None
Fix:
Check box selects all attack signatures correctly
Fixed Versions:
16.1.4
1213305-3 : Improper query string handling on undisclosed pages
Links to More Info: K000132726, BT1213305
1211513-2 : HSB loopback validation feature
Links to More Info: BT1211513
Component: TMOS
Symptoms:
Send validation loopback packets to the HSB on the BIG-IP platforms.
Conditions:
This issue occurs while running a BIG-IP hardware platform with HSB.
Impact:
There is no impact. This is a new diagnostic feature.
Workaround:
None
Fix:
Loopback validation now occurs on hardware platforms equipped with HSB.
Behavior Change:
A new diagnostic feature + failsafe periodically sends validation loopback packets to the HSB on BIG-IP platforms that have this hardware component. This feature adds 2 new db variables that can be altered with tmsh modify sys db:
tmm.hsb.loopbackValidation:
This is enabled by default. Setting to disabled will cause loopback validation packets to stop being sent.
tmm.hsb.loopbackvalidationErrthreshold:
Set to 0 by default. If this value is set to 0, BIG-IP will only log corruption detection without taking any action. If set to a value greater than 0, an HSB nic_failsafe will be triggered when the number of detected corrupt loopback packets reaches this value. (An HSB reset typically dumps some diagnostic information in /var/log/tmm and reboots the system).
If a validation loopback packet is found to be corrupted, one or more messages like the following will appear in /var/log/tmm:
notice HSB loopback corruption at offset 46. tx: 0x4f, rx: 0x50, len: 2043
These logs are rate-limited to 129 logs per 24-hour period. If tmm.hsb.loopbackvalidationErrthreshold is set to a value greater than 0 and the number of corrupt packets reaches this value, the following log message will also appear:
notice Reached threshold count for corrupted HSB loopback packets
This log message will then be typically followed by a reboot.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1211341-4 : Failed to delete custom monitor after dissociating from virtual server
Links to More Info: BT1211341
Component: Global Traffic Manager (DNS)
Symptoms:
When dissociated from virtual server, unable to delete custom monitor.
Conditions:
- Dissociate the custom monitor from virtual server
- Delete the custom monitor
Impact:
Unable to delete custom monitor.
Workaround:
None
Fix:
The custom monitor can be deleted after dissociating from virtual server.
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1211297-3 : Handling DoS profiles created dynamically using iRule and L7Policy
Links to More Info: BT1211297
Component: Anomaly Detection Services
Symptoms:
Persistent connections with HTTP requests that may switch according to dynamic change of DoS policy (using iRule or L7Policy) can cause a TMM crash.
Conditions:
A request arrives to BIG-IP and is waiting to be served (it is delayed using iRule), however, if the DoS profile is unbound during that time from the virtual server and a dynamic DoS profile change decision is made, it could potentially cause the request to be incorrectly associated with a context that has already been freed.
Impact:
In few scenarios, when DoS policy is changed during connection lifetime, TMM might crash.
Workaround:
None
Fix:
No TMM crash due to persistent connections.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1211189-3 : Stale connections observed and handshake failures observed with errors
Links to More Info: BT1211189
Component: Local Traffic Manager
Symptoms:
SSL handshake fails.
Invalid or expired certificates are being used in the handshake.
Conditions:
- When the certificates in BIG-IP are expired and being renewed remotely.
- When the clientssl or serverssl profiles are dynamically being attached to a virtual server through iRule.
Impact:
SSL handshake fails.
Vitual server (SSL Profiles) use old or expired certificates.
Workaround:
Restart the TMM or BIG-IP to resolve the issue temporarily (until next expiry time of the certificates).
Fix:
None
Fixed Versions:
17.1.1, 16.1.4
1211021-4 : Enforcement does not happen for entries in new and modified IPI feed lists due to lock issues
Links to More Info: BT1211021
Component: Advanced Firewall Manager
Symptoms:
Entries added or updated in IP Intelligence (IPI) feed lists are not enforced. This occurs when threads in Dynamic White or Black Daemon (DWBLD) module are in deadlock.
Conditions:
- IPI license is enabled.
- Feed lists and policies are configured.
Impact:
Enforcement of entries in new and updated IPI feed lists does not happen.
Workaround:
Run the command "bigstart restart dwbld" to resolve the issue.
Check for "Empty items" message in /var/log/dwbld.log. If same message is seen for more than 100 times continuously, threads are in lock state and we can recover by restarting DWBLD module.
Fix:
The function "set_curl_state" was returning without unlocking mutex in a condition.
The mutex is now unlocked appropriately and prevents locking up of DWBLD threads.
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1210469-3 : TMM can crash when processing AXFR query for DNSX zone
Links to More Info: BT1210469
Component: Local Traffic Manager
Symptoms:
TMM crash with SIGABRT and multiple log messages with "Clock advanced by" messages.
Conditions:
Client querying AXFR to a virtual server or wideip listener that has DNSX enabled in the DNS profile and has a large amount of DNSX zones with a large amount of resource records.
Impact:
TMM cores and runs slow with "Clock advanced by" messages.
Workaround:
Disable zone transfer for the DNS profile associated with the virtual server.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1209709-4 : Memory leak in icrd_child when license is applied through BIG-IQ
Links to More Info: BT1209709
Component: TMOS
Symptoms:
The memory use for icrd_child may slowly increase, eventually leading to an OOM condition.
Conditions:
License applied through BIG-IQ.
Impact:
Higher than normal control-plane memory usage, possible OOM related crash.
Workaround:
Periodically kill the icrd_child processes. The restjavad will restart them automatically.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1209409-3 : Address lists with thousands of addresses can cause MCPD to become unresponsive and use 100% CPU
Links to More Info: BT1209409
Component: Advanced Firewall Manager
Symptoms:
If there are thousands of addresses in an address list, validation of the addresses can take extended time. While MCPD is validating the addresses it will use nearly 100% of the CPU. Also, during this time, other daemon might timeout their connection with MCPD and/or restart.
Conditions:
- Thousands of addresses in an address list.
Impact:
- Longer load /sys configuration time including on upgrade.
- Longer configuration sync time, where full configuration sync is more prone to cause this issue.
- Modifications using the webUI consume longer time and might timeout.
Depending on how long MCPD spends validating the addresses, other daemons, including TMM, might timeout their connection to MCPD and/or restart.
Workaround:
None
Fix:
The time it takes mcpd to validate an addresses list that contains nested address lists is greatly reduced.
Fixed Versions:
16.1.4
1208989-3 : Improper value handling in DOS Profile properties page
Links to More Info: K000132726, BT1208989
1208949-1 : TMM cored with SIGSEGV at 'vpn_idle_timer_callback'
Links to More Info: BT1208949
Component: Access Policy Manager
Symptoms:
TMM cores.
Conditions:
Network Access is in use.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1208529-4 : TMM crash when handling IPSEC traffic
Links to More Info: K000132420, BT1208529
1208001-1 : iControl SOAP vulnerability CVE-2023-22374
Links to More Info: K000130415, BT1208001
1207661-4 : Datasafe UI hardening
Links to More Info: K000132768, BT1207661
1207381-3 : PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored
Links to More Info: BT1207381
Component: Policy Enforcement Manager
Symptoms:
From the following example, a PEM policy rule flow filter
matches the traffic from any source address and any port, to any destination address and port 81 (the port number is an example):
Source Address Source Port VLAN Destination Address Destination Port
0.0.0.0/0 0 ANY 0.0.0.0/0 81
When the rule is updated through the GUI or CLI to match traffic from any source address and any port, to any destination address and any port:
Source Address Source Port VLAN Destination Address Destination Port
0.0.0.0/0 0 ANY 0.0.0.0/0 0
The updated rule is correctly saved into the configuration as shown by the GUI and the CLI, but the new flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule (destination port 81 in the example).
Conditions:
An existing PEM policy rule flow filter that is updated through GUI or CLI selecting Source Port '0' ('any') and/or destination port '0' ('any').
Impact:
The updated flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule.
Workaround:
- Restart TMM to make the updated flow filter effective.
or
- Remove the flow filter altogether instead of replacing it with a filter like '0.0.0.0/0:0 --> 0.0.0.0/0:0' .
The intended result is the same: the rule will catch all traffic.
or
- Create a new additional rule with port number 0 and place in higher precedence (under the same policy).
- For example, rule with precedence 10 allow flow for port 80 (instead of modifying this rule) and
- Create a new rule with precedence 9 to allow flow for port "0" and delete the old rule.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1205501-2 : The iRule command SSL::profile can select server SSL profile with outdated configuration
Links to More Info: BT1205501
Component: Local Traffic Manager
Symptoms:
Under few circumstances, an iRule selected server SSL profile can send previously configured certificate to the peer.
Conditions:
The iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made to the profile.
Impact:
The TLS handshake may use an outdated certificate that does not match the current configuration, potentially leading to handshake failures.
Workaround:
Terminate all traffic running on the virtual servers that are using the iRule command for the update to take effect.
or
Do not make changes to a profile that is actively being used by the iRule command.
Fix:
The server SSL profiles will now reloaded successfully after changes are made.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1205029 : WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application
Links to More Info: BT1205029
Component: Access Policy Manager
Symptoms:
In some cases of WEBSSO same token is sent to different sessions in the backend.
Conditions:
WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application
Impact:
Situations where JWTs (via WEBSSO / OAuth Bearer profile) are being sent downstream for requests which belong to a different user. The problem seems to be related to when these requests share the same client IP address. This is a big problem when clients are using NAT themselves to mask different users/sessions behind the same IP address.
Fix:
When sessions are different we are clearing the cache tokens so that new tokens are generated for different sessions.
Fixed Versions:
17.1.1, 16.1.4
1204961-4 : Improper query string handling on undisclosed pages
Links to More Info: K000132726, BT1204961
1204793-4 : Improper query string handling on undisclosed pages
Links to More Info: K000132726, BT1204793
1200929-2 : GTM configuration objects larger than 16384 bytes can cause the GTM sync process to hang
Links to More Info: BT1200929
Component: Global Traffic Manager (DNS)
Symptoms:
If GTM objects larger than 16384 bytes are created, then the GTM sync process will not complete. In addition, the gtm_add process (which requests a GTM sync for all objects) will not complete.
Following is the symptom for gtm_add:
After "Retrieving remote GTM configuration...", the process will pause for 300 seconds (5 minutes), and then exit, with a message "Syncer failed to retrieve configuration".
For a normal GTM sync, where gtm_add is not being used, the symptom is that the synchronisation of configuration changes is not working.
Conditions:
The presence of any MCPD object in the GTM configuration (/config/bigip_gtm.conf) which is larger than 16384 bytes, for example a large GTM rule.
Note: The GTM iRules are distinct from LTM iRules. Only GTM objects, such as GTM rules (applied to wideIPs) are relevant to this issue.
Impact:
Unable to complete GTM sync, unable to add a new GTM into the sync group.
Workaround:
Reduce the size of the problematic object to lower than 16384 bytes. For example, if the issue is with a GTM iRule, then try removing comments, blank lines, or unnecessary log statements that do not affect the functionality of the rule.
Fix:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1196537-1 : BD process crashes when you use SMTP security profile
Links to More Info: BT1196537
Component: Application Security Manager
Symptoms:
The BD process may crash when an SMTP security profile is attached to a virtual server, and the SMTP request is sent to the same virtual server.
Conditions:
- SMTP security profile is attached to VS
- SMTP request is sent to VS
Impact:
Intermittent BD crash
Workaround:
N/A
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1196477-3 : Request timeout in restnoded
Links to More Info: BT1196477
Component: Device Management
Symptoms:
The below exception can be observed in restnoded log
Request timeout., stack=Error: [RestOperationNetworkHandler] request timeout.
At ClientRequest. <anonymous> (/usr/share/rest/node/src/infrastructure/restOperationNetworkHandler.js:195:19)
Conditions:
When BIG-IP is loaded with a heavy configuration.
Impact:
SSL Orchestrator deployment will not be successful.
Workaround:
1. mount -o remount,rw /usr
2. In getDefaultTimeout : function() at /usr/share/rest/node/src/infrastructure/restHelper.js
replace 60000 with required required timeout.
3. bigstart restart restnoded
4. mount -o remount /usr
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1196401-2 : Restarting TMM does not restart APM Daemon
Links to More Info: BT1196401
Component: Access Policy Manager
Symptoms:
Due to asynchronous nature of TMM threads and APM plugin channel threads, a core can trigger when TMM exited and APM Daemon (APMD) is still available with earlier TMM plugin handlers.
Conditions:
When TMM restarts and APM still has old TMPLUGIN handle (which will become invalid eventually).
Impact:
Might observe APMD core.
Workaround:
Restart APM, when TMM is restarted.
Fix:
Updated TMM bigstart scripts to restart APMD and related tm_plugin services.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1196033-2 : Improper value handling in DataSafe UI
Links to More Info: K000132726, BT1196033
1195489-2 : iControl REST input sanitization
Links to More Info: K000137522, BT1195489
1195385 : OAuth Scope Internal Validation fails upon multiple providers with same type
Links to More Info: BT1195385
Component: Access Policy Manager
Symptoms:
The Claim Validation in OAuth Scope Fails when two Azure providers with different tenant ID are provided in the JWT provider list such that, the non-expected provider comes first and expected one comes later. Once failure is logged OAuth flow is redirected to Deny Page.
Conditions:
When the list of providers are sent to TMM for Signature Validation the invalid provider is sent back as response indicating that it has passed the signature validation for the access_token that has been acquired in previous steps.
There are chances where Azure as AS might be using same key ID (kid) for different tenants, so in such cases even the invalid provider passes the signature validation.
In general practice, Claim Validation Comes after Signature Validation, when the invalid provider is sent back from TMM it fails Claim Validation in APMD.
Impact:
The policy rule displays the deny page.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4
1195377 : Getting Service Indicator log for disallowed RSA-1024 crypto algorithm
Links to More Info: BT1195377
Component: TMOS
Symptoms:
Displaying disallowed algorithm as approved. It must not display approved log for disallowed algorithms when FIPS license is installed on the platform.
Conditions:
- FIPS license is installed on the platform.
- Creating a bit key.
Impact:
Creating keys for approved algorithms only
Workaround:
Change log statements or do not create a key for disallowed algorithms.
Fix:
Approved log for disallowed algorithms is not displayed.
Fixed Versions:
17.1.0, 16.1.4
1195125 : "Failed to allocate memory for nodes of size 0, no variables found in query" BD log message fix
Links to More Info: BT1195125
Component: Application Security Manager
Symptoms:
A GraphQL query without variables in its query will cause the error message to be reported in BD logs, even though it's not an error.
Conditions:
A request with GraphQL query without variables.
Impact:
Error prints in the enforcer logs.
Fix:
No error reports are detected in the BD logs.
Fixed Versions:
16.1.4
1194173-2 : BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value
Links to More Info: BT1194173
Component: Application Security Manager
Symptoms:
Attack signature check is not run on normalised parameter value.
Conditions:
- A parameter with location configured as a cookie is present
in the parameters list.
- Request contains the explicit parameter with URL encoded
base64 padding value.
Impact:
- Attack signature not detected.
Workaround:
None
Fix:
The attack signature check runs on normalised parameter value.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1190365-3 : OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly
Links to More Info: BT1190365
Component: Application Security Manager
Symptoms:
The method used by ASM enforcer to serialize an OpenAPI object configured with "style:form", "explode:true", and "type:object" is not functioning as expected.
Conditions:
Repeated occurrences of parameter names in the query string with "type:object/explode:true/style:form" configured OpenAPI file.
Impact:
The violation "JSON data does not comply with JSON schema" is raised due to the repeated parameters from the query string with "array" configuration.
Workaround:
None
Fix:
The enforcer serializes the OpenAPI object correctly, no violation reported.
Note: In case of single occurrence of a parameter name in query string, it will be handled as a primitive (non-array) type.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1190353-3 : The wr_urldbd BrightCloud database downloading from a proxy server is not working
Links to More Info: BT1190353
Component: Policy Enforcement Manager
Symptoms:
Downloading BrightCloud database is not working with the proxy.
Conditions:
BrightCloud database download through Proxy management.
Impact:
URL categorization disruption as database not getting downloaded.
Workaround:
None
Fix:
Added the proxy settings in wr_urldbd BrightCloud database.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1189865-2 : "Cookie not RFC-compliant" violation missing the "Description" in the event logs
Links to More Info: BT1189865
Component: Application Security Manager
Symptoms:
When a request is blocked due to "Cookie not RFC-compliant' violation, the description field in the request log details is shown as "N/A" instead of having the description (for example "Invalid equal sign preceding cookie name" or "Invalid space in cookie name").
Conditions:
The violation is blocked due to "Cookie not RFC-compliant" violation and we are looking at the request log details.
Impact:
The description is empty and we can't know what is the problem with the request.
Fix:
After the fix, the description is shown in the request log details in the description field
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1189513-4 : SIP media flow pinholes are not created if SDP MIME multipart body part miss the content-length header
Links to More Info: BT1189513
Component: Service Provider
Symptoms:
The SIP MRF failed to extract the SDP data and not created media flow pinholes, if SDP Multipurpose Internet Mail Extensions (MIME) multipart body is not generated with content-length header.
Conditions:
An INVITE message contained a MIME multipart payload and body parts miss content-length header.
Impact:
Media flow pinholes are not created.
Workaround:
None
Fix:
The SIP MRF extracts the SDP information and media flow pinholes are created on the BIG-IP even when the SDP MIME body part does not have a content-length header.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1189465-3 : Edge Client allows connections to untrusted APM Virtual Servers
Links to More Info: K000132539, BT1189465
1189461-3 : BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-36858
Links to More Info: K000132563, BT1189461
1189457-3 : Hardening of client connection handling from Edge client.
Links to More Info: K000132522, BT1189457
1186925-4 : When FUA in CCA-i, PEM does not send CCR-u for other rating-groups
Links to More Info: BT1186925
Component: Policy Enforcement Manager
Symptoms:
When Final Unit Action (FUA) in CCA-i, the traffic is immediately blocked for that rating-group.
But, PEM does not send CCR-u for other rating-groups any more, which causes all other rating-groups traffic to pass through.
If FUA in CCA-u, everything works as expected.
Conditions:
When FUA received in in CCA-i.
Impact:
PEM receives FUA redirect first and ignores further requests.
Workaround:
Use iRule to remove FUA in CCA-i.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1186437-1 : Link to Server Technologies is not working
Links to More Info: BT1186437
Component: Application Security Manager
Symptoms:
Link to configure Server technologies under category ' A6 Security Misconfiguration' of OWASP Top 10 dashboard says "The requested URL was not found on this server."
Conditions:
Click on category A6 - Server Technologies link
Impact:
Configuring Server technologies is not linking to the expected page
Workaround:
None
Fix:
Linked the correct page to Server Technologies; the policy configuration page
Fixed Versions:
16.1.4
1186401-2 : Using REST API to change policy signature settings changes all the signatures.
Links to More Info: BT1186401
Component: Application Security Manager
Symptoms:
When you use iControl REST to modify the signatures associated with a policy, the modifications are applied to all the signatures.
Conditions:
-- Create a policy named 'test'
-- Associate a signature set like "SQL Injection Signatures" to the policy
For example, remove the "Generic Detection Signatures (High/Medium Accuracy)" set
-- Look at the low-risk signatures associated with the policy
Commmand:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' | jq . | head
-- Turn off staging for these signatures:
Commands:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": false }' -X PATCH | jq . | head
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": true }' -X PATCH | jq . | head
-- The "totalItems" shows that 187 signatures were changed
Impact:
The user was unable to leverage the REST API to make the desired changes to the ASM signature policy.
Workaround:
Add 'inPolicy eq true' to the filter
Command :
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low+and+inPolicy+eq+true' -d '{ "performStaging": false }' -X PATCH | jq . | head
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1186385-1 : Link to 'Enforced Cookies' and 'SameSite Cookie Attribute Enforcement ' is opening the Policies List page
Links to More Info: BT1186385
Component: Application Security Manager
Symptoms:
The wrong page is linked to 'Enforced Cookies' and 'SameSite Cookie Attribute Enforcement'.
Conditions:
Clicking on Enforced Cookies or SameSite Cookie Attribute Enforcement
Impact:
You are taken to the Policies List page.
Workaround:
None
Fix:
Updated the correct links for both the entities
Fixed Versions:
16.1.4
1186249-2 : TMM crashes on reject rule
Links to More Info: BT1186249
Component: Local Traffic Manager
Symptoms:
The TMM crashes when the configuration has a rule that contains a reject in an HTTP_RESPONSE.
Conditions:
The crash happens when this rule is processed after a client has disconnected.
Impact:
TMM crashes every time this condition occurs.
Workaround:
If possible, avoid the use of reject or use HTTP::disable before the reject.
Fix:
Reject can be used without a crash.
Fixed Versions:
17.1.0, 16.1.4
1185421-4 : iControl SOAP uncaught exception when handling certain payloads
Links to More Info: K000133472, BT1185421
1185257-4 : BGP confederations do not support 4-byte ASNs
Links to More Info: BT1185257
Component: TMOS
Symptoms:
The BGP confederations do not support 4-byte AS numbers. Only 2-byte ASNs are supported.
Conditions:
Using BGP confederations.
Impact:
Unable to configure 4-byte AS number under BGP confederation.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1185133-2 : ILX streaming plugins limited to MCP OIDs less than 10 million
Links to More Info: BT1185133
Component: Local Traffic Manager
Symptoms:
When trying to get started with iRules LX, every script attempted results in the following error:
"Sep 16 11:16:26 pid[6958] streaming tm_register failed"
Conditions:
MCP configuration (MCP OID's) should go beyond 10 million.
Impact:
Unable to run iRules LX streaming plugins.
Workaround:
The below command forces MCPD to load the configuration from the text file with an empty database, thus the OID counter is reset to 0.
bigstart stop
rm -f /var/db/mcpdb*
bigstart start
Fix:
The TMSTAT segment names are limited to 31 characters (not including terminating NUL). With 23 characters used by the constant portion, 8 characters are left for both OID and CPU. The CPU will be 1 or 2 characters, leaving 6 or 7 characters for the OID. When exceeded, the tmstat_create fails.
tmplugin_nodejsplugin_1000000_0 err 0
tmplugin_nodejsplugin_10000000_0 err -1
Change the plugin class from "nodejsplugin" to "nodejs" or similar, to allow 6 more digits of OID space (allowing to 10 trillion).
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1184929-1 : GUI link displays mixed values FULFILLED or Requirement Fulfilled and NOT FULFILLED or Requirement Not Fulfilled
Links to More Info: BT1184929
Component: Application Security Manager
Symptoms:
Mismatch of configuration seen on OWASP dashboard. GUI link displays mixed values FULFILLED or Requirement Fulfilled and NOT FULFILLED or Requirement Not Fulfilled
Conditions:
Entity details in OWASP compliance dashboard.
Impact:
GUI link displays inconsistent values for entity details.
Workaround:
None
Fix:
Values are updated to FULFILLED and NOT FULFILLED to maintain consitency.
Fixed Versions:
16.1.4
1184841-2 : Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API
Links to More Info: BT1184841
Component: Application Security Manager
Symptoms:
Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API.
Conditions:
- ASM-Sync enabled
- Auto-Sync enabled
- Updating URL through REST API
Impact:
Configuration will be de-synced.
Workaround:
Use TMUI to update configuration.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1184153-2 : TMM crashes when you use the rateshaper with packetfilter enabled
Links to More Info: BT1184153
Component: Local Traffic Manager
Symptoms:
Tmm might crash when you use the packet-filter with the packetfilter.established option enabled, and when rate-class is applied via packet-filter rule.
Conditions:
- packet-filter with packetfilter.established option enabled.
AND
- rate-class is applied via packet-filter rule.
Impact:
TMM crash/failover.
Workaround:
Do not apply rate-class via packetfilter or disable the packetfilter.established option.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1183453-1 : Local privilege escalation vulnerability (CVE-2022-31676)
Links to More Info: K87046687
1182353-3 : DNS cache consumes more memory because of the accumulated mesh_states
Links to More Info: BT1182353
Component: Global Traffic Manager (DNS)
Symptoms:
DNS cache consumes more memory and the mesh_states are accumulated quickly.
Conditions:
Mixed queries with rd flag set and cd flag set/unset.
Impact:
TMM runs out of memory.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1181613-1 : IPsec IKEv2: BIG-IP version 16.1.0 introduced RFC5996 non-compliance in IKE SA delete
Links to More Info: BT1181613
Component: TMOS
Symptoms:
After the deletion of an IKE SA, the child IPsec SAs will not be deleted.
Conditions:
-- IKEv2 IPsec tunnels
-- Tunnels use Route Domains.
-- An IPsec SA is deleted.
Impact:
The BIG-IP believes it still has valid IPsec SAs to use, while the remote peer does not. In this case, if the BIG-IP is normally the initiator, the tunnel will be unusable until the lifetime expires on the existing IPsec SAs.
Fix:
IPsec SAs are now deleted after the related IKE SA is deleted.
Fixed Versions:
17.1.0, 16.1.4
1180365-2 : APM Integration with Citrix Cloud Connector
Links to More Info: BT1180365
Component: Access Policy Manager
Symptoms:
* Configure Citrix cloud connector instead of Citrix Delivery controller to publish apps and desktops from the cloud configured using DaaS.
* Apps/Desktop will not be published.
Conditions:
* When Citrix cloud connector is used to publish apps instead of Citrix Delivery controller, once the user clicks on the App/Desktop, the cloud connector sends an empty response.
* Hence user will not be able to publish any apps/ Desktop.
Impact:
Users will not be able to publish any Apps/Desktops in webtop which are published through Citrix Cloud Connector.
Fix:
After integration of APM with Citrix Cloud Connector, the user is able to publish Apps/Desktops which are published through Citrix Cloud Connector.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1178221-3 : In IPsec IKEv2, packet memory corruption after retransmitted ISAKMP with NAT
Links to More Info: BT1178221
Component: TMOS
Symptoms:
When the retransmit happens, and other side is not reachable, the BIG-IP logs the "err packet length does not match field of ikev2 header" and then "ERR dropping unordered message".
Conditions:
Tunnel is established between Initiatior and Responder.
Responder is able to send DPD request. but not able to receive response.
Impact:
Wrong information logged.
DPD response packet corruption.
Workaround:
None
Fix:
Logs will display correct message.
Packet will not corrupt.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1174873-3 : Query string separators ? or / in MutiDomain or SAML use cases are incorrectly converted to "%3F" or "%2F"
Links to More Info: BT1174873
Component: Access Policy Manager
Symptoms:
In muti-domain Single Sign-On (SSO) or SAML Auth, the location header query string separator is converted from "?" to "%3F" or / to "%2F"
Conditions:
- Create an access policy with a redirect to login page.
Impact:
MultiDomain Auth or SAML Auth will fail
Workaround:
None
Fix:
A function that was used to normalize URLs was corrected.
Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1174085-1 : spmdb_session_hash_entry_delete releases the hash's reference
Links to More Info: BT1174085
Component: Policy Enforcement Manager
Symptoms:
multiple references accessing and trying to modify the same entry
Conditions:
when failover from active to stand by while stalling the connection
Impact:
Illegal access of the memory.
Workaround:
NA
Fix:
delete the entry for every reference
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1174033-2 : The UPDATE EVENT is triggered with faulty session_info and resulting in core
Links to More Info: BT1174033
Component: Policy Enforcement Manager
Symptoms:
The UPDATE EVENT requires a proper initialization of the session_info which in turn is used to set the tcl pcb's cmdctx. With properly defined cmdctx, the sess_data is populated successfully. But, without proper initialization of the session_info makes the cmdctx to carry incorrect vaules, thus resulting in a core when populating the sess_data.
Conditions:
Enable the Global UPDATE-EVENT option and make sure you log
some session attributes as part of the UPDATE EVENT.
Impact:
Results in a core.
Workaround:
None
Fix:
Triggering UPDATE EVENT is not causing any core.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1173669-1 : Unable to reach backend server with Per Request policy and Per Session together
Links to More Info: BT1173669
Component: Access Policy Manager
Symptoms:
It is observed that backend pool is not reachable.
Conditions:
The OAuth case with Per Request policy and Per Session together.
Impact:
Backend Pool is not reachable.
Workaround:
None
Fix:
Variables pushed with server configuration into per request flow are accessed with last rather than the server configuration.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1173493-4 : Bot signature staging timestamp corrupted after modifying the profile
Links to More Info: BT1173493
Component: Application Security Manager
Symptoms:
Bot signature timestamp is not accurate.
Conditions:
Have a bot signature "A" in staging, record the timestamp.
Using webUI, set another bot signature "B" to be in staging and click Save.
The time stamp on "A" is updated and shows the year 1970 in webUI.
Impact:
Can not verify from when the signature was in staging.
Workaround:
Use TMSH, instead of webUI, to update the profile.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1173441-3 : The 'tmsh save sys config' call is being triggered when REST Authentication tokens (X-F5-Auth-Token) are deleted or expired
Links to More Info: BT1173441
Component: TMOS
Symptoms:
The 'tmsh save sys config' call is being triggered when REST authentication tokens (X-F5-Auth-Token) are deleted or expired.
Conditions:
The REST authentication tokens (X-F5-Auth-Token) are deleted or expired.
Impact:
There is no functional impact. However, in the BIG-IPs where there is huge configuration, a 'tmsh save sys config' call takes a lot of time and thus impacts the performance.
Workaround:
None
Fix:
The REST authentication tokens (X-F5-Auth-Token) are deleted or expired without triggering the 'tmsh save sys config' call as the call is unnecessary.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1168137-3 : PEM Classification Auto-Update for month is working as hourly
Links to More Info: BT1168137
Component: Traffic Classification Engine
Symptoms:
After configuring PEM classification signature auto-update as monthly, but it runs on hourly.
If the update schedule is set to daily or weekly, then the latest IM package is downloaded based on the set update schedule. But, when it is set to monthly, it is working on hourly.
Conditions:
Automatic updates for classification signatures is configured and enabled, and update schedule should be set to monthly.
Impact:
Classification update is not working on monthly basis.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1167985-2 : Network Access resource settings validation errors
Links to More Info: BT1167985
Component: Access Policy Manager
Symptoms:
When trying to add "0.0.0.0/1" under the IPV4 LAN Address Space and in a Network Access resource, the UI would throw such error:
"Invalid IP or Hostname"
When trying to add DNS Exclude Address Space starting with an underscore (such as "_ldap._tcp.dc._msdcs.test.lan"), the UI would throw such error:
01b7005b:3: APM Network Access (/Common/test) DNS name (_ldap._tcp.dc._msdcs.test.lan) is not a valid domain name
Conditions:
Use a Network Access resource in split tunneling mode.
Add "0.0.0.0/1" under the IPV4 LAN Address Space
Add DNS Exclude Address Space starting with an underscore
Impact:
Administrators could not correctly configure some network access resource settings.
Fixed Versions:
17.1.1, 16.1.4
1167941-3 : CGNAT SIP ALG INVITE loops between BIG-IP and Server
Links to More Info: BT1167941
Component: Service Provider
Symptoms:
On an inbound call on the ephemeral listener, if the INVITE message TO header is not registered, and From header is registered, then INVITE is sent out on the ephemeral listener which might cause a loop issue, if the server sends back the INVITE to BIG-IP again.
Conditions:
It occurs with inbound calls.
Impact:
It could lead to performance issue if the loop continues.
Workaround:
Step 1 or 2 can be used as a workaround based on the use case.
1)If the From and To headers are the same, 400 bad response is given.
Also, the packets are dropped in case the destination address is not translated.
ltm rule sip_in_rule {
when SIP_REQUEST_SEND {
if {[SIP::method] == "INVITE" && [IP::addr [IP::remote_addr] equals $localAddr]} {
SIP::discard
}
}
when SIP_REQUEST {
set localAddr [IP::local_addr]
set from [substr [SIP::header from] 0 ";"]
set to [substr [SIP::header to] 0 ";"]
if {[SIP::method] == "INVITE" && $from equals $to} {
SIP::respond 400 "Bad Request"
}
}
(tmos)# modify ltm virtual vs_alg_sip_private { rules { sip_in_rule } }
2)below Irule would drop all inbound calls.
ltm rule sip_drop_rule {
when MR_INGRESS {
if { [MR::transport] contains "_$" } {
MR::message drop
}
}
(tmos)# modify ltm virtual vs_alg_sip_private { rules { sip_drop_rule } }
Fix:
BIG-IP will drop the messages in the following cases.
a)If From and To headers are the same in the sip INVITE message.
b)If the SIP INVITE message To header is not registered and From is registered.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1167929-4 : CVE-2022-40674 - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c
1167897-6 : [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c
1167889 : PEM classification signature scheduled updates do not complete
Links to More Info: BT1167889
Component: Traffic Classification Engine
Symptoms:
After configuring PEM classification signature updates to run at an defined interval, the updates may not actually occur.
Via tmsh:
ltm classification auto-update settings { }
via GUI:
Traffic Intelligence -> Applications -> Signature Update -> Automatic Update Settings
In the /var/log/ltm log, the following message may be seen
mcpd[xxxx]: 01070827:3: User login disallowed: User (guest) is not an administrator, does not have a UID of zero, and has not been assigned a role on a partition.
Conditions:
Automatic updates for classification signatures is configured and enabled.
Impact:
The classification updates do not occur.
Workaround:
Run the classification update manually.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1166449-2 : APM - NTLM authentication will stop working if any of DC FQDN is not resolvable in the configured DC list
Links to More Info: BT1166449
Component: Access Policy Manager
Symptoms:
NTLM authentication will stop working.
Conditions:
If any of the DC FQDN is not resolvable in the configured NTLM Auth Config DC list during below scenarios:
- Create/Modify NTLM Auth Configuration
- Restart ECA/NTLM service
- Restart, Power cycle or after upgrade
- Active/Stand by switch over.
Impact:
NTLM authentications targeted towards this NTLM Auth Config will start to fail.
Workaround:
User need to remove the non-resolvable DC FQDN from the NTLM Auth configuration's DC list.
Fix:
Fix will be provided to try FQDN resolution for all entries in the NTLM Auth configuration's DC list, NTLM Auth will proceed if at least one of the DC is resolvable and reachable.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1166329-2 : The mcpd process fails on secondary blades, if the predefined classification applications are updated.
Links to More Info: BT1166329
Component: TMOS
Symptoms:
If a user installs and deploys a classification update (classification-update-*.im) the predefined classification applications are changed to "user modified".
This change causes the mcpd process to fail and restart on secondary blades during startup.
Conditions:
- Multi-slot VIPRION or vcmp guest
- PEM provisioned
- Classification applications updated either with tmsh load sys config merge or by using the Signature Update option in the Traffic Intelligence tab from the GUI or tmsh
Impact:
No impact
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4
1162081-6 : Upgrade the bind package to fix security vulnerabilities
Component: Global Traffic Manager (DNS)
Symptoms:
Upgrade the bind package to fix the following security vulnerabilities:
- CVE-2022-2795
- CVE-2022-2881
- CVE-2022-3080
- CVE-2022-38177
- CVE-2022-38178
Conditions:
Upgrade the bind package to fix the following security vulnerabilities:
- CVE-2022-2795
- CVE-2022-2881
- CVE-2022-3080
- CVE-2022-38177
- CVE-2022-38178
Impact:
Upgrade the bind package to fix the following security vulnerabilities:
- CVE-2022-2795
- CVE-2022-2881
- CVE-2022-3080
- CVE-2022-38177
- CVE-2022-38178
Workaround:
None
Fix:
Upgraded the bind package to 9.16.33.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1161965-3 : File descriptor(fd) and shared memory leak in wr_urldbd
Links to More Info: BT1161965
Component: Traffic Classification Engine
Symptoms:
When updating the customdb, fd and shared memory leaks were observed in wr_urldbd.
Conditions:
The issue happens when a urldb feed list is modified multiple times in a loop.
Impact:
Updating customdb will not work.
Workaround:
No
Fix:
Handled the updating of the customdb more efficiently to prevent any fd or shared memory leaks.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1161913-1 : Upgrades from BIG-IP versions 15.1.8, 15.1.8.1, 15.1.8.2, or v15.1.9 to 16.1.1, 16.1.2, 16.1.3 (not 16.1.4) or 17.0.x (but not 17.1.x) fail, and leaves the device INOPERATIVE★
Links to More Info: BT1161913
Component: TMOS
Symptoms:
The loading configuration process fails after an upgrade from 15.1.8, 15.1.8.1, 15.1.8.2, or v15.1.9 to any 16.x (prior to 16.1.4), or to any 17.0.x release. Upgrades to 16.1.4 or 17.1.x are not affected.
The system posts errors similar to the following:
-- crit tmsh[16188]: 01420001:2: Can't load keyword definition (vlan.dag_adjustment) : framework/SchemaCmd.cpp, line 825
-- crit tmsh[25644]: 01420001:2: Can't load keyword definition (vlan.nti) : framework/SchemaCmd.cpp, line 825
-- Can't find matched schema tag for association's attribute fw_zone_log_profile.pzname during loading cli version syntax: 15.1.8
-- Can't find matched schema tag for association's attribute fw_protected_zone.pzname during loading cli version syntax: 15.1.8
-- Unexpected Error: "Can't load keyword definition (vlan.dag_adjustment)"
-- fatal: (Can't load keyword definition (vlan.nti)) (framework/SchemaCmd.cpp, line 825), exiting...
-- emerg load_config_files[16186]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Loading schema version: 15.1.8
-- err mcpd[10702]: 01070422:3: Base configuration load failed.
Conditions:
The issue occurs when an upgrade happens from one of the following releases:
-- BIG-IP version 15.1.8 or later in the v15.1.x branch.
to any of the following releases:
-- BIG-IP version 16.0 through v16.1.3.4
-- BIG-IP version 17.0 through v17.0.0.2
Impact:
After the upgrade, the configuration does not load. The system hangs at the base configuration load failure status and leaves the system inoperative.
Workaround:
It is not possible to avoid running into a config load failure when attempting the upgrade or restoring a UCS archive from v15.1.8 or v15.1.8.1 or v15.1.8.2 or v15.1.9 on one of the listed versions. However, as long as the system is not using the zone-based DDoS AFM functionality, it is possible to load the configuration after the upgrade via the manual workaround shown below. If upgrading to 16.1.4 or a later version there is no need to use this workaround, and it should not be used.
1. While the system is inoperative, log into the system as root or an administrative user and launch bash.
2. Copy and paste the following series of commands and run them in bash
### BEGIN COMMANDS
(shopt -s nullglob; sed -E -i.workaround.bak -e '/dag-adjustment /d' /config/bigip_base.conf /config/partitions/*/bigip_base.conf)
(shopt -s nullglob; sed -E -i -e '/^KEYWORD dag-adjustment/d' -e '/^KEYWORD nti/d' /var/libdata/tmsh/syntax/15.1.{8,9,10}*/auto_schema_data_net_cli.dat)
for dir in /var/libdata/tmsh/syntax/15.1.{8,9,10}*; do
[ -d "$dir" ] || continue
/bin/mv "$dir"/auto_schema_data_security_cli.dat{,.workaround.bak}
awk '
/^<REF_CMD fw-protected-zone / { refcmd=1; depth=1; next }
/^<CMD fw-protected-zone/ { cmd=1; depth=1; next }
/^<ASSOCIATION.*fw-protected-zone/ { depth=depth+1; next }
/^>/ {
if (refcmd || cmd) {
if (!--depth) {
refcmd = 0;
cmd = 0;
}
next;
}
}
/.?/ {
if (refcmd || cmd) next
print
}' < "$dir"/auto_schema_data_security_cli.dat.workaround.bak > "$dir"/auto_schema_data_security_cli.dat
/bin/rm "$dir"/auto_schema_data_security_cli.dat.workaround.bak
done
### END COMMANDS
3. Load the configuration again:
tmsh load sys config
4. If the config loads successfully, save it once:
tmsh save sys config
Fix:
None
Fixed Versions:
16.1.4
1161733-4 : Enabling client-side TCP Verified Accept can cause excessive memory consumption
Links to More Info: K000134652, BT1161733
1160805-2 : The scp-checkfp fail to cat scp.whitelist for remote admin
Links to More Info: BT1160805
Component: TMOS
Symptoms:
Attempt SCP file to BIG-IP:
/shared/images
root user success
remote admin user fails, following is an example:
sinkhole3:~$ scp test.iso apiuser@10.201.69.106:/shared/images
Password:
cat: /co: No such file or directory
cat: fig/ssh/scp.whitelist: No such file or directory
"/shared/images/test.iso": path not allowed
Conditions:
-- Running BIG-IP version with fix for ID 1097193.
-- Create remote admin user.
-- Use SCP command to transfer a file to remote admin user path.
Impact:
SCP command is not working for the remote admin users.
Workaround:
None
Fix:
Issue is with the Internal Field Separation (IFS) environment variable from /bin/scp-checkfp file. Following is an example for IFS:
IFS=$"\n" -->
This means, it expects a string character.
It should expect a character value to read the paths from the SCP files.
IFS=$'\n' -->
This means, it expects a character.
Fixed Versions:
16.1.4, 15.1.9
1159569-2 : Persistence cache records may accumulate over time
Links to More Info: BT1159569
Component: Local Traffic Manager
Symptoms:
The persistence cache records accumulate over time if the expiration process does not work reliably. The 'persist' memory type grows over time when multiple TMMs are sharing the records.
Conditions:
- Non-cookie, persistence configured.
- Multi TMM box
- Traffic that activates persistence is occurring.
Impact:
Memory pressure eventually impacts servicing of traffic in multiple ways. Aggressive mode sweeper runs and terminates active connections. TMM may restart. Traffic is disrupted while TMM restarts.
Workaround:
None
Fix:
Persistence records are now reliably expired at the appropriate time.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1159397-1 : The high utilization of memory when blade turns offline results in core
Links to More Info: BT1159397
Component: Policy Enforcement Manager
Symptoms:
The TMM memory utilization continue to increase after a blade turns offline.
Conditions:
Blade turns offline.
Impact:
The TMM memory utilization will finally cause out-of-memory errors or cores and TMM processes will restart. The service will be interrupted.
Workaround:
None
Fix:
Error code ERR_MEM will be handled successfully.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1156889-3 : TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions
Links to More Info: BT1156889
Component: Application Security Manager
Symptoms:
When using bot-defense profile with a browser verification and performing redirect actions, there is a memory leak in TMM.
Conditions:
- The bot-defense profile with "Verify After Access" or "Verify Before Access" browser verification is configured.
- Surfing using a browser, during grace period (5 Minutes after config change) to a non-qualified URL, or configuring "Validate Upon Request" in "Cross Domain Requests" configuration, and configuring A and B as "Related Site Domains".
- Surfing using a browser from Domain A to Domain B.
Impact:
Degraded performance, potential eventual out-of-memory.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1156697-3 : Translucent VLAN groups may pass some packets without changing the locally administered bit
Links to More Info: BT1156697
Component: Local Traffic Manager
Symptoms:
Translucent VLAN groups may pass some packets without changing the locally administered bit.
Conditions:
The destination mac address of the ingress packet does not match the nexthop.
Impact:
Connections may fail, packet captures show the packets being egressed the VLAN group with the locally administered bit set.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1156105-2 : Proxy Exclusion List is not configurable if VLAN group and route-domain are in non default partition
Links to More Info: BT1156105
Component: Local Traffic Manager
Symptoms:
Unable to add IP apart from /Common to Proxy Exclusion List.
Conditions:
- Route-Domain is created with default-route-domain in same partition.
#tmsh create auth partition part5
#tmsh create net route-domain /part5/rd5 id 5
#tmsh modify auth partition part5 default-route-domain 5
Impact:
The following command fails:
tmsh modify net vlan-group /part5/RD5-VLAN-GRP proxy-excludes add { 10.10.20.196 }
Workaround:
- The following command is used to create route-domain in /Commom:
#tmsh create net route-domain /part5/rd5 id 5
Modify this command as following:
#tmsh create net route-domain rd5 id 5
- Manually edit the bigip.conf file in partitions and add IP address manually, and then reload the config.
Fix:
IP can be added to Proxy Exclusion List.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1155733-1 : NULL bytes are clipped from the end of buffer
Links to More Info: BT1155733
Component: TMOS
Symptoms:
In logs the key length is less then the actual key length.
Conditions:
- Establish IPSec tunnel.
- Check the logs.
Impact:
Incomplete information in the logs.
Workaround:
None
Fix:
Printing all bytes in the buffer irrespective of NULL bytes.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1155393-2 : Failure to remove chunk headers from chunked response with Rewrite/HTML profile and compression
Links to More Info: BT1155393
Component: Local Traffic Manager
Symptoms:
The BIG-IP fails to remove chunk headers when compressing a chunked response from a pool member.
The chunk headers are compressed and delivered to the client as part of the payload.
Conditions:
-- Version with the fix for ID902377
-- Rewrite/HTML profile
-- Compression profile
-- Chunked response from pool member (With "Transfer-Encoding: Chunked" header)
-- HTTP response eligible for compression
Impact:
Chunk header and terminating 0 length chunk are compressed and delivered to the client as part of the payload, resulting in broken application functionality.
Workaround:
One of the following:
- Change HTTP response-chunking to either 'unchunk' or 'rechunk' in the HTTP profile for the virtual server.
- Remove the compression profile.
- Modify the compression profile to ensure the response in question is no longer eligible for compression.
Fix:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1154933-4 : Improper permissions handling in REST SNMP endpoint
Component: TMOS
Symptoms:
Certain requests to the REST SNMP endpoint improperly handle user permissions.
Conditions:
Not specified
Impact:
Security best practices are not followed
Workaround:
Only allow trusted users to have access to the REST interface.
Fix:
User permissions work as expected.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1153969-2 : Excessive resource consumption when processing LDAP and CRLDP auth traffic
Links to More Info: K000134516, BT1153969
1153865-4 : Restjavad OutOfMemoryError errors and restarts after upgrade★
Links to More Info: BT1153865
Component: TMOS
Symptoms:
After upgrade to an affected version, restjavad restarts intermittently or frequently, and/or may use high CPU.
The restjavad logs, /var/log/restjavad.X.log, may report the following errors:
java.lang.OutOfMemoryError: Java heap space
restjavad may instead, or as well, run many full garbage collection cycles one after another, causing high CPU. This will be shown by frequent logs with [FullGC] in /var/log/restjavad-gc.log.X.current
Conditions:
- Update to affected version: 14.1.5.1-, 15.1.7-15.1.8.2, 16.1.3.1-16.1.3.5, 17.0.0.1-17.0.0.2
- Value of sys db restjavad.useextramb is true.
- Value of sys db provision.restjavad.extramb is 192 or lower than previous restjavad heap size.
- Use of REST API calls that need a lot of memory. Heavy users of REST API, such as SSL Orchestrator, may be very affected.
Impact:
May have problems in the GUI with certain pages or tabs, such as network map with very large config or SSL Orchestrator or iLX related tabs.
Other services that use REST API, internal and external to BIG-IP, may be impacted with low performance or service instability
Workaround:
Before upgrade to an affected version - if you set sys db restjavad.useextramb to value false before install of new version you will have more restjavad memory, the default 384MB, after upgrade.
tmsh modify sys db restjavad.useextramb value false
If you restart restjavad you can see if that value works before upgrade. If you don't restart then it will come into effect after reboot.
If that no longer has issues after update then leave that setting at false. Otherwise set back to true (no restart) and increase provision.restjavad.extramb as in After upgrade section below.
After upgrade:
Set sys db provision.restjavad.extramb to an appropriate value and restart restjavad.
Run the following command:
tmsh modify sys db provision.restjavad.extramb value X
bigstart restart restjavad
Iterate as necessary.
The value of X is derived by using one of the following formulae:
- When updating from versions before 14.1.4 and 15.1.3, to affected versions, a value that preserves the maximum previous restjavad heap size is:
192MB + 80% of MIN(provision.extramb|2500)
the minimum possible heap size was:
192MB + 20% of MIN(provision.extramb|2500)
The actual restjavad heap size would be between those extremes. SSL Orchestrator systems would typically need the maximum.
- When updating from 14.1.4-14.1.5, from 15.1.3-15.1.6.1 or from 16.0.x to affected versions:
384MB + 80% of MIN(provision.extramb|2500)
- When updating from 16.1.0-16.1.3 or from 17.0.0.0 to affected versions:
384MB + 90% of MIN(provision.extramb|4000)
Fix:
After upgrade, the system now sets the default value for provision.restjavad.extramb variable to 384MB. This sets the maximum heap size to 384MB. For values of provision.restjavad.extramb of 384 and lower the starting heap size is set at 96MB. For values above 384MB the starting heap size is set to the same value as maximum heap size.
When upgrading from a version that has provision.restjavad.extramb and it is explicitly set to a value*, rather than just takes default value, that value will be preserved and take affect in the new version. This will happen even if restjavad.useextramb had been set to false.
Where sys db restjavad.useextramb was set to value true in the previously used version, and provision.restjavad.extramb doesn't already exist, the value for provision.restjavad.extramb is based on a calculation of the maximum restjavad heap size that could have been used.
Usually this maintains the same or very similar restjavad heap size as used previously with more ability to fine tune it. The default size works in a wider range of settings.
When upgrading from a version that had a smaller starting heap size than maximum heap size, so before 14.1.4 or 15.1.3, and restjavad.useextramb set to true, it's possible that restjavad will use more memory than required. That's because for values above the default size of 384MB for provision.restjavad.extramb starting heap size is set the same as maximum heap size to lower performance issues when large memory sizes are required. You can lower restjavad memory use by lowering the value of provision.restjavad.extramb and restarting it if needed.
Note: This fix also removes the db variable restjavad.useextramb as it is no longer needed.
*Note: The command 'tmsh list sys db X' will return the value for DB key where set, or the default value for X otherwise. printdb can be used to display both value and default.
eg
printdb -n provision.restjavad.extramb
Name: Provision.Restjavad.extraMB
Realm: common
Type: integer
Default: 384
Value: 600
SCF_Config: true
Min: 192
Max: 8192
shows a default of 384 and an explicitly set value of 600 that would override the default. Where the value hadn't been set the 'Value:' line will not be present.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1148009-2 : Cannot sync an ASM logging profile on a local-only VIP
Links to More Info: BT1148009
Component: Application Security Manager
Symptoms:
If an ASM profile, such as a logging profile is applied to a virtual that is local-only, then the state changes to "Changes Pending" but configuration sync breaks.
Conditions:
- ASM provisioned
- high availability (HA) pair
- ASM profile, such as a logging profile is applied to a virtual that is local-only.
Impact:
The state changes to "Changes Pending" but configuration sync breaks.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1146377-2 : FastHTTP profiles do not insert HTTP headers triggered by iRules
Links to More Info: BT1146377
Component: Local Traffic Manager
Symptoms:
Virtual servers configured with the FastHTTP profile will not insert HTTP headers even when triggered by iRules.
Conditions:
A virtual server configured with FastHTTP, and an iRule that would insert an HTTP header.
Impact:
The expected headers will not be inserted on packets sent to servers.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1146241-2 : FastL4 virtual server may egress packets with unexpected and erratic TTL values
Links to More Info: BT1146241
Component: Local Traffic Manager
Symptoms:
A FastL4 virtual server may egress (either towards the client or the server) IP packets with unexpected and erratic TTL values. The same also applies to IPv6, where the TTL field is known as Hop Limit.
Conditions:
- The BIG-IP system is a Virtual Edition (VE).
- The Large Receive Offload (LRO) is enabled on the system (which it is by default), and is operating in software mode. You can determine whether LRO is enabled on the system by inspecting the tm.tcplargereceiveoffload DB key, and you can determine whether LRO is operating in software mode by trying to query the tcp_lro tmstat table (tmctl -d blade tcp_lro). If the table exists, LRO will be operating in software mode.
- The FastL4 profile is configured to decrement the TTL (this is the default mode).
- The virtual server uses mismatched IP versions on each side of the proxy (for example, an IPv6 client and an IPv4 server).
Impact:
Depending on the actual TTL values that will be sent out on the wire (which can be random and anything within the allowed range for the field) traffic can be dropped by routers on the way to the packet's destination.
This will happen if there are more routers (hops) on the way to the packet's destination than the value specified in the TTL field.
Ultimately, this will lead to retransmissions and possibly application failures.
Workaround:
You can work around this issue by doing either of the following things:
- Disable LRO on the BIG-IP system by setting DB key tm.tcplargereceiveoffload to disable.
- Use a TTL mode for the FastL4 profile other than decrement (for example, use proxy or set).
Fix:
The TTL decrement mode now works as expected under the conditions specified above.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1146037-1 : Updating the firmware for a FIPS protected internal HSM due to SDK or driver upgrade
Links to More Info: BT1146037
Component: Local Traffic Manager
Symptoms:
In this release, FIPS HSM SDK and Driver version upgraded to 1.1-6.
Conditions:
This applies to all BIG-IP FIPS platforms, except for BIG-IP 5250F, 7200F, 10200F, 11000F, and 11050F.
Impact:
Without manual firmware upgrade, FIPS HSM may have a not recommended firmware version, which may lead to unpredictable behavior.
Workaround:
None
Fix:
The FIPS device firmware need to be manually upgraded to version 1.1-5. For more information, refer to the article https://support.f5.com/csp/article/K26061560.
Fixed Versions:
17.1.0, 16.1.4
1146017-1 : WebUI does not displays error when parent rewrite profile is not assigned to user defined rewrite profile
Links to More Info: BT1146017
Component: TMOS
Symptoms:
WebUI does not show error when parent profile is empty.
Conditions:
1) Navigate to Access > Connectivity/VPN > Portal Access > Rewrite.
2) Enter the details, do not assign any parent rewrite profile.
3) Click Create.
Impact:
No webUI error is seen as parent profile is not assigned to user defined rewrite profile.
Workaround:
Enter details in the parent profile field and click Create.
Fix:
WebUI error is displayed when the parent profile filed is empty and clicked on Create button.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1145361 : When JWT is cached the error "JWT Expired and cannot be used" is observed
Links to More Info: BT1145361
Component: Access Policy Manager
Symptoms:
When JWT is cached, then the error "JWT Expired and cannot be used" is observed.
Conditions:
WebSSO is used with bearer option to generate JWT tokens.
Impact:
No impact.
Workaround:
None
Fix:
Removed the lee way default configured static value internally.
Proper fix would be to provide a leeway configuration option.
Fixed Versions:
17.1.1, 16.1.4
1144497-2 : Base64 encoded metachars are not detected on HTTP headers
Links to More Info: BT1144497
Component: Application Security Manager
Symptoms:
Base64 encoded illegal metachars are not detected.
Conditions:
No specific condition.
Impact:
False negative, illegal characters are not detected and request not blocked.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1144477-1 : IKE_SA_INIT uses src port 500 and dst port 4500 after IKE SA deleted
Links to More Info: BT1144477
Component: TMOS
Symptoms:
The new IPsec tunnel IKE INIT exchange source port is 500, and the destination port is 4500, but the destination port should be 500.
Conditions:
This issue is observed after deleting IKE SA from tmsh.
Impact:
Interoperability issue, tunnel will not get established with other devices.
Workaround:
None
Fix:
Default configuration was overwritten after tunnel establishment, added valid conditions before overwriting the configuration.
Fixed Versions:
17.1.0, 16.1.4
1144373-4 : BIG-IP SFTP hardening
Links to More Info: BT1144373
Component: TMOS
Symptoms:
Under certain conditions SFTP does not follow current best practices.
Conditions:
- Authenticated high-privilege user
- SFTP file transfer
Impact:
BIG-IP does not follow current best practices for filesystem protection.
Workaround:
None
Fix:
All filesystem protections now follow best practices.
Behavior Change:
When you are using SFTP to transfer the files from BIG-IP to remote-machine and vice versa,
1. filename should have absolute file paths.
2. un-encrypted files cannot be transferred when fips/cc-mode is enabled.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1144117-3 : "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands
Links to More Info: BT1144117
Component: Local Traffic Manager
Symptoms:
The "More data required" TCL error may occur and the connection may be terminated prematurely when using the 'HTTP::payload' or 'HTTP::payload length' commands.
Conditions:
Using the 'HTTP::payload' or 'HTTP::payload length' TCL commands.
Impact:
Some HTTP transactions might fail.
Workaround:
Do not use the 'HTTP::payload' or 'HTTP::payload length' TCL commands.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1141853-2 : SIP MRF ALG can lead to a TMM core
Links to More Info: BT1141853
Component: Service Provider
Symptoms:
SIP MRF ALG can lead to a TMM core
Conditions:
SIP MRF ALG in use
Impact:
TMM core
Workaround:
None
Fix:
TMM does not core anymore when SIP MRF ALG is in use.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1141845-4 : RULE_INIT with a call that contains an extra colon character (:) will crash BIG-IP.
Links to More Info: BT1141845
Component: Local Traffic Manager
Symptoms:
If a RULE_INIT contains an extra colon character (:)
when RULE_INIT {
catch { call sv::hsl:open "/Common/publisher-syslog_server_pool" }
}
It will crash instead of reporting the error.
In this example, the extra : before 'open' is an error. Instead of logging the error, it crashes the process.
Conditions:
RULE_INIT contains more than 2 colon characters (:) on a rule.
Impact:
The tmm process crashes.
Workaround:
Avoid creating a RULE_INIT containing a third colon character(:).
Fix:
Correctly log an error instead of trying to process it.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1141665-2 : Significant slowness in policy creation following Threat Campaign LU installation
Links to More Info: BT1141665
Component: Application Security Manager
Symptoms:
Significant and consistent slowness in policy creation in Layered Policies suites in BVT (asmdp).
Conditions:
Slowness was triggered by installing a Threat Campaign LU.
Impact:
Slow policy creation when we have Threat Campaign LU.
Workaround:
None
Fix:
Optimized policy creation following Threat Campaign LU installation.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1137993-2 : Violation is not triggered on specific configuration
Links to More Info: BT1137993
Component: Application Security Manager
Symptoms:
The HTTP compliance violation is not triggered for the unparsable requests due to a specific scenario.
Conditions:
A microservice is configured in the security policy.
Impact:
Specific violation is not triggered. A possible false negative.
Workaround:
It is possible to do an irule workaround that checks the length of the URL and issues a custom violation.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1137717-2 : There are no dynconfd logs during early initialization
Links to More Info: BT1137717
Component: Local Traffic Manager
Symptoms:
Regardless of the log level set, the initial dynconfd log entries are not displayed.
Setting the dynconfd log level (through DB variable or /service/dynconfd/debug touch file) will not catch the early logging during startup.
Conditions:
This occurs when using FQDN nodes or pool members on affected BIG-IP versions.
Impact:
Missing some informational logging from dynconfd during startup.
Workaround:
None
Fix:
The dynconfd logs are now logged at default (info) level during initial startup of the dynconfd process.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1137485-2 : Gtmd produces excessive logging and may also crash (SIGSEGV) repeatedly
Links to More Info: BT1137485
Component: Global Traffic Manager (DNS)
Symptoms:
1. --An excessive number log lines are seen in /var/log/gtm, which indicate a state change even though a state change has not occurred (eg, blue --> blue, green --> green), for example:
/var/log/gtm:
alert gtmd[13612]: 011a6006:1: SNMP_TRAP: virtual server ltm1 (ip:port=192.168.0.1:0) (Server /Common/vs1) state change blue --> blue ()
2. If, on affected version, the GTM configuration contains virtual servers with a depends-on clause, the gtmd process can exit abnormally ("crash") and produce a gtmd core file. The process restarts immediately automatically, but may then exit and restart again every few seconds or minutes, and continues to do this indefinitely.
In /var/log/user.log, many messages similar to the following may be seen
notice logger[26789]: Started writing core file: /var/core/gtmd.bld0.0.6.core.gz for PID 26739
notice logger[26800]: Finished writing 35032053 bytes for core file: /var/core/gtmd.bld0.0.6.core.gz for PID 26739
Conditions:
- For the excessive logging issue: A GTM server object exists with one or more virtual servers configured under it
- For the gtmd crashing issue: One or more GTM server object's virtual-servers has a depends-on clause referring to another virtual-server.
Impact:
- Flood of SNMP trap logs are seen
- gtmd process exits abnormally, bringing down iquery connection and potentially impacting GTM monitoring
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1137037 : System boots into an inoperative state after installing engineering hotfix with FIPS 140-2/140-3 license in version 16.1.x★
Links to More Info: BT1137037
Component: Local Traffic Manager
Symptoms:
The BIG-IP persistently starts in an inoperative state after installing an engineering hotfix with a console error similar to the following:
- FIPS or Common Criteria power-up self-test failure.
- This system has been placed in an error state.
- To recover return to the grub menu and select another volume or reinstall the system.
- On many devices pressing the escape key followed by the key will bring up a menu which allows the system to be restarted.
Power-up self-test failures: <number>
Unmounting file systems
System halting.
Conditions:
- First boot after installing an engineering hotfix.
- FIPS 140-2 or FIPS 140-3 license.
- Running BIG-IP version 16.1.x releases or later, for example 16.1.3.1.
Impact:
Unable to boot the BIG-IP system into an operational state after applying an engineering hotfix, and required to boot to a known good volume. For more information about FIPS mode preventing system boot, see https://support.f5.com/csp/article/K52534643
Workaround:
None
Fix:
The BIG-IP system successfully boots after installing an Engineering hotfix on a system with a FIPS 140-2 or FIPS 140-3 license.
Fixed Versions:
16.1.3.2
1136921-4 : BGP might delay route updates after failover
Links to More Info: BT1136921
Component: TMOS
Symptoms:
The BGP might delay route updates after failover.
Conditions:
- The BGP configured on an High Availability (HA) pair of BIG-IP devices.
- The BGP redistributing kernel routes.
- Failover occurs.
Impact:
New active unit might delay route advertisement up to 15 sec.
New standby unit might delay route withdrawal up to 15 sec.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1136917-1 : TMM crashed when dos-profile (with BDOS and White-list enabled) disassociated from Virtual Server.
Links to More Info: BT1136917
Component: Advanced Firewall Manager
Symptoms:
This happens only if the specific sequence of events occur. The reason for TMM crash is accessing a Dangling Pointer memory.
Conditions:
This issue only happens if the following sequence of events occur:
1) Attach dos-profile to a Virtual Server (VS) (The dos-profile should be enabled with White-list and BDOS).
2) There should be active connections on the VS.
3) Disable BDOS from the dos-profile while it is still attached to the VS.
4) Detach the dos-profile from the VS.
5) While processing the incoming traffic, TMM will crash.
Impact:
TMM Cores.
Workaround:
This only happens if the sequence mentioned in Conditions are followed.
Modify the profile and add to the virtual server to avoid TMM crash.
Fix:
The Dangling pointer will not be available when the actual memory is freed.
Fixed Versions:
17.1.0, 16.1.4
1136429-4 : Closing of unrelated MCPD connection causes an errant reply to an in-progress transaction or request group
Links to More Info: BT1136429
Component: TMOS
Symptoms:
MCPD can send an unexpected (another request group) result response message to a current processing request group in the middle of a transaction
Conditions:
While MCPD processing multiple request groups.
Impact:
MCPD closes the connection of the current request group and
subscriber of that particular request group never get requested data.
Workaround:
Restart the subscriber daemon.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1135313-4 : Pool member current connection counts are incremented and not decremented
Links to More Info: BT1135313
Component: Local Traffic Manager
Symptoms:
With a certain configuration the connection counts on a gateway pool may increment and not be decremented.
Conditions:
- A gateway pool with more than one member.
- Autolasthop disabled.
- A pool monitor with a TCP monitor where the pool member responds to the TCP handshake with data. Common services that do this are SSH, SMTP, and FTP.
Impact:
The connection counts are inflated.
Workaround:
- Configure autolasthop.
- Configure a receive string on the TCP monitor.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1135073-3 : IPS signature update webUI warning message "An active subscription is required to access certain inspections" is always enabled
Links to More Info: BT1135073
Component: Protocol Inspection
Symptoms:
Following warning message is displayed on BIG-IP webUI in Security ›› Protocol Security: Inspection Updates:
"An active subscription is required to access certain inspections"
Conditions:
If the BIG-IP has AFM and IPS subscription license, then this warning message on webUI should not be displayed.
Impact:
There is no impact if AFM and IPS subscription license are installed on BIG-IP. All the IPS signatures and compliances will work as usual.
Workaround:
None
Fix:
Based on the IPS full subscription flag in the license the warning message is displayed. Earlier, it was verified on the wrong feature flag.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1134301-3 : IPsec interface mode may stop sending packets over tunnel after configuration update
Links to More Info: BT1134301
Component: TMOS
Symptoms:
An interface mode IPsec policy handles traffic through a route-domain to send over the IPsec tunnel. When the traffic-selector is updated, the static default route for the route-domain no longer works. Even if the tunnel is functional, traffic is not sent over it.
Conditions:
- IPsec tunnel with ipsec-policy in interface mode.
- The sys db ipsec.if.checkpolicy is disabled (by default it is enabled).
- Static routes pointing to the IPsec interface.
- Tunnel configuration updated.
Other unknown conditions could trigger the behavior, but updating the tunnel configuration is a confirmed condition.
Impact:
The tunnel is functional but the BIG-IP does not send packets into it. No ESP packets related to that tunnel will be seen leaving the BIG-IP.
Workaround:
There are two similar workaround options for when the issue is observed:
Option 1: Delete the route to the remote network that points to the IPsec interface and create the route again.
Option 2: Alternatively, leave the existing route in place and create a similar specific route that points to the same IPsec interface. The issue should be immediately resolved and so the new route can be immediately deleted.
Fix:
Traffic can pass over the IPsec tunnel after a configuration update.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1134085-2 : Intermittent TMM core when iRule is configured with SSL persistence
Links to More Info: BT1134085
Component: Local Traffic Manager
Symptoms:
The TMM core file is observed.
Conditions:
Under certain conditions, the TMM core file is observed with iRule and SSL persistence.
Impact:
TMM core file is observed.
Workaround:
Perform either of the following tasks:
- Disable SSL persistence
- Disable iRule
Fix:
Added fix to handle cases which can lead to the TMM core file generation.
Fixed Versions:
17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1
1133997-3 : Duplicate user-defined Signature Set based on untagged signatures is created upon policy clone or import
Links to More Info: BT1133997
Component: Application Security Manager
Symptoms:
A duplicate user-defined Signature Set is created upon policy import or cloning when the Set has a filter using untagged signatures.
Conditions:
A policy using a user-defined Signature Set with a filter using untagged signatures is exported.
Impact:
A duplicate user-defined Signature Set is created upon policy import or cloning.
Workaround:
Modify the policy to use the original Signature Set, and then delete the duplicated Signature Set.
Fixed Versions:
17.1.1, 16.1.4
1133881-2 : Errors in attaching port lists to virtual server when TMC is used with same sources
Links to More Info: BT1133881
Component: Local Traffic Manager
Symptoms:
When creating a virtual server that has identical traffic matching criteria with another virtual server, but uses a source address defined same as configured in TMC object, and when we try to attach the port-list it fails, with an error similar to the following:
01b90011:3: Virtual Server /Common/vs2-443's Traffic Matching Criteria /Common/vs2-443_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs1-443 destination address, source address, service port.
Conditions:
- Port lists are used.
- The first virtual server uses a wildcard source, for example, 0.0.0.0/0.
- The second virtual server uses an identical destination, protocol, and port, with the same source address configured in TMC object.
Impact:
Inability to utilize 'port lists' to configure the virtual server.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1133625-2 : The HTTP2 protocol is not working when SSL persistence and session ticket are enabled
Links to More Info: BT1133625
Component: Local Traffic Manager
Symptoms:
Connection gets dropped when SSL persistence is enabled with session ticket and HTTP2 protocol.
Conditions:
When SSL persistence is enabled with session ticket and HTTP2 protocol.
Impact:
Connection will get dropped.
Workaround:
-- Disable SSL persistence OR
-- Disable session ticket.
Fix:
Provided fix to handle this defect.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1133557-2 : Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name
Links to More Info: BT1133557
Component: Local Traffic Manager
Symptoms:
When the BIG-IP (dynconfd process) is querying a DNS server, dynconfd log messages do not identify which server it is sending the request to. When more than one DNS server is used and there is a problem communicating with one of them, it might be difficult for system admin to identify the problematic DNS server.
Conditions:
This occurs when using FQDN nodes or pool members on affected BIG-IP versions.
Impact:
There are no show commands or log displaying which DNS is currently being used to resolve LTM node using FQDN. Problems with communications between the BIG-IP and DNS server(s) may be more difficult to diagnose without this information.
Workaround:
You can confirm which DNS server is being queried by monitoring DNS query traffic between the BIG-IP and DNS server(s).
Fix:
The DNS server being queried to resolve LTM node FQDN names is now logged by default in the /var/log/dynconfd.log file.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1132981-2 : Standby not persisting manually added session tracking records
Links to More Info: BT1132981
Component: Application Security Manager
Symptoms:
The Session tracking records, with Infinite Block-All period, have an expiration time on the Standby unit after sync.
Conditions:
ASM provisioned
Session Tracking enabled
session tracking records, with Infinite Block-All period, are added
Impact:
Infinite Session Tracking records being removed from standby ASMs.
Workaround:
Use auto-sync DG (instead of manual sync).
After changing the configuration on UI at Security->Application Security: Sessions and Logins: Session Tracking.
You must "Apply Policy" and wait for the DG status to become In-Sync before adding new data-points on UI at Security->Reporting: Application: Session Tracking Status.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1132925-3 : Bot defense does not work with DNS Resolvers configured under non-zero route domains
Links to More Info: BT1132925
Component: Application Security Manager
Symptoms:
When a DNS Resolver is configured under a non-zero route domain, the bot defense does not use the DNS resolver to perform DNS queries, resulting in some bots not being detected.
Conditions:
DNS Resolver is configured under non-zero route domain.
Impact:
Some bots are not detected by bot defense mechanism.
Workaround:
Configure DNS Resolver under route domain 0.
Fix:
Enhanced bot defense to use resolvers from any corresponding route domain. However, bot defense does not support route domain modification of DNS resolvers. Resolvers must be deleted and created again in the correct route domain.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1132765-4 : Virtual server matching might fail in rare cases when using virtual server chaining.
Links to More Info: BT1132765
Component: Local Traffic Manager
Symptoms:
When using virtual server chaining (for example iRule 'virtual' command sending traffic to another virtual server explicitly), a small percentage of packets might be dropped.
Conditions:
- Virtual server chaining.
- virtual servers have the vlan_enabled feature configured.
- DatagramLB or idle-timeout = 0 configured on protocol profile.
- High packet rate of incoming traffic.
Impact:
Some packets fail to match a virtual server and get dropped.
Workaround:
- Remove vlan_enabled feature
- OR remove datagramLB/set idle-timoeut > 0 on protocol profile.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1132741-2 : Tmm core when html parser scans endless html tag of size more then 50MB
Links to More Info: BT1132741
Component: Application Security Manager
Symptoms:
Tmm core, clock advanced by X ticks printed
Conditions:
- Dos Application or Bot defense profile assigned to a virtual server
- Single Page Application or Validate After access.
- 50MB response with huge html tag length.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Exclude html parser for url in question.
tmsh modify sys db dosl7.parse_html_excluded_urls value <url>
Fix:
Break from html parser early stage for long html tags
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1132697-3 : Use of proactive bot defense profile can trigger TMM crash
Links to More Info: BT1132697
Component: Application Security Manager
Symptoms:
TMM crash is triggered.
Conditions:
This causes under a rare traffic environment, and while using a proactive bot defense profile.
Impact:
The TMM goes offline temporarily or failover. Traffic disruption can occur.
Workaround:
Remove all proactive bot defense profiles from virtuals.
Fix:
TMM no longer crashes in the scenario.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1132405-4 : TMM does not process BFD echo pkts with src.addr == dst.addr
Links to More Info: BT1132405
Component: Local Traffic Manager
Symptoms:
TMM does not process BFD echo pkts with src.addr == dst.addr.
Conditions:
- TMM does not process BFD echo pkts with src.addr == dst.addr.
Impact:
TMM does not process BFD echo pkts with src.addr == dst.addr.
Workaround:
None
Fix:
TMM now processes BFD echo pkts with src.addr == dst.addr.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1128721-2 : L2 wire support on vCMP architecture platform
Links to More Info: BT1128721
Component: Local Traffic Manager
Symptoms:
L2 wire works on BIG-IP, virtual-wire on vCMP architecture platform will be based on Network Tenant Interface (NTI) objects.
Tenant related data path and control plane changes.
Conditions:
- vCMP architecture based on NTI.
- F5OS is completely responsible to create/modify/delete NTI objects and synchronizing it to the tenants.
Impact:
The virtual-wire is one of the most important features used under operating in L2 domain. This mode of operation involves very little changes to topology and configuration and thereby can easily plug in a BIG-IP device with virtual-wire configuration.
Workaround:
None
Fix:
Tenant (data/control) plane changes for virtual-wire support on vCMP architecture.
Fixed Versions:
17.1.0, 16.1.4, 15.1.8
1128689-2 : Performance improvement in signature engine
Links to More Info: BT1128689
Component: Application Security Manager
Symptoms:
The signature engine in BD uses more CPU cycles than it actually needs to complete the task.
Conditions:
ASM provisioned and in use
Impact:
Slower system performance
High CPU utilization with BD
Workaround:
For header-based signatures that appear on the top in ACY_PERF, the header exclusions can be added only on explicit headers. This should decrease the CPU usage.
Fix:
Some modifications are done to the signature engine to improve performance.
Fixed Versions:
16.1.4, 15.1.9
1128629 : Neurond crash observed during live install through test script
Links to More Info: BT1128629
Component: TMOS
Symptoms:
Neurond core is observed during live install followed by FPGA firmware upgrade through the test script.
Conditions:
Live install through the test script
Impact:
No functional impact
Workaround:
None
Fix:
N/A
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1128505-2 : HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy
Links to More Info: BT1128505
Component: Local Traffic Manager
Symptoms:
The ORBIT framework added HUDEVT_ACCEPTED handling through hud_orbit_accepted_handling. This allows ORBIT to move releasing HUDEVT_ACCEPTED from the filter to ORBIT, HTTP adopted this new feature.
When HTTP is disabled, HUDEVT_ACCEPTED handling is explicitly disabled by HTTP when going into passthru, subsequent enabling of HTTP does not restore this handling. If this sequence happens prior to the first HTTP request, then HUDEVT_ACCEPTED is released prematurely up the chain, thus the server-side connection may be established before the first request is processed. Attempts to manipulate the LB criteria at that point may fail due to the criteria being locked, this may result in the connection being RST with an "Address in use" reset cause.
Conditions:
-- HTTP Virtual server
-- HTTP::disable is called from CLIENT_ACCEPTED and the subsequently re-enabled before the first request arrives at HTTP in CLIENTSSL_HANDSHAKE
Impact:
Connection is reset with "Address in use" reset cause.
Workaround:
None
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4
1128169-1 : TMM core when IPsec tunnel object is reconfigured
Links to More Info: BT1128169
Component: TMOS
Symptoms:
TMM may core when a "tunnel tunnels" object related to an IPsec interface is reconfigured.
For example, a command that changes the IP address of the object may lead to a core:
# tmsh modify net tunnels tunnel my-ipsec-tunnel remote-address 1.2.3.4
Conditions:
-- IPsec IKEv1 or IKEv2.
-- Tunnel is in "interface" mode.
-- Tunnel object is reconfigured while the tunnel is up.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Ensure the tunnel is down before reconfiguring it.
-- Set the IKE-Peer config state to disabled.
-- Delete an established IKE SA and IPsec SA related to that peer.
For example:
# tmsh modify net ipsec ike-peer <Name> state disabled
# tmsh delete net ipsec ike-sa peer-ip <IP>
# tmsh delete net ipsec ipsec-sa dst-addr <IP>
"Name" is the specific name given to the ike-peer config object.
"IP" is the address configured to use for the remote peer.
Then make the desired changes and enable the IKE-Peer.
# tmsh modify net ipsec ike-peer <name> state enabled
Fixed Versions:
17.1.0, 16.1.4
1127809-2 : Due to incorrect URI parsing, the system does not extract the expected domain name
Links to More Info: BT1127809
Component: Application Security Manager
Symptoms:
The system will fail to send webhook requests to the server.
Conditions:
Add webhook to the policy and execute Apply policy on BIG-IP.
Impact:
Webhook requests will fail
Fix:
After the fix, BIG-IP will send webhook requests to the server.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1127445-3 : Performance degradation after Bug ID 1019853
Links to More Info: BT1127445
Component: Performance
Symptoms:
Performance degradation is observed with BD in TPS in the versions that have the fix for Bug ID 1019853.
Conditions:
Versions that have the fix for Bug ID 1019853.
Impact:
Lower TPS performance with BD.
Workaround:
None
Fix:
The part of the change for Bug ID 1019853 has been reverted while still addressing the problem reported in ID1019853.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1127169 : The BIG-IP can reboot due to failure to initialize the OpenSSL FIPS RNG
Links to More Info: BT1127169
Component: TMOS
Symptoms:
There is a possibility that BIG-IP can reboot due to failure to initialize the OpenSSL FIPS RNG.
Conditions:
- BIG-IP versions 16.1.3 and above.
- FIPS 140-3 license is installed on BIG-IP or it is a FullBoxFIPS device.
- Establish multiple SSL/TLS connections.
Impact:
The BIG-IP device reboots randomly.
Workaround:
None
Fix:
Updated serialization to use RDTSC instruction to read CPU time stamp in jitterentropy-lib to generate random numbers.
Fixed Versions:
17.1.0, 16.1.4
1127117-1 : High Memory consumption for NAT translations of NAPT/PBA End Point Independent modes
Links to More Info: BT1127117
Component: Advanced Firewall Manager
Symptoms:
Memory consumption increases with the number of connections.
Conditions:
1. Configure LSN Pool in CGNAT with Persistence mode with Address and Port.
OR
1. Configure AFM NAT source Translations with DPAT and PBA with End Point Independent Mode
Impact:
Memory keeps increasing and eventually might reach 100% utilization.
Sample Comparison table below:
Connection_Count: 30M
Memory_Usage_on_14.x_Version: ~3GB
Memory_usage_on_15+_Version: ~30GB
Workaround:
-- Increase the available RAM if possible
OR
-- Reduce the connection timeout interval
OR
-- Try using other options like Address Pooling Paired Mode in PBA
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1126841-3 : HTTP::enable can rarely cause cores
Links to More Info: BT1126841
Component: Local Traffic Manager
Symptoms:
The TMM crashes with seg fault.
Conditions:
- SSL profile used.
- The iRule that uses HTTP::enable.
Impact:
The TMM restarts causing traffic interruption.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1126805-3 : TMM CPU usage statistics may show a lower than expected value on Virtual Edition
Links to More Info: BT1126805
Component: TMOS
Symptoms:
The self-reported CPU statistics of TMM may show a usage value that is lower than the expected number. Some TMM threads may show lower CPU usage than others even if the threads are processing the same amount of traffic. When this issue occurs, a high number of idle polls are observed in the tmm_stat table for the affected TMM.
Conditions:
Virtual Edition
Impact:
TMM CPU stats may not be accurate.
Fix:
The cpu stats are now accurate.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1126409-3 : BD process crash
Links to More Info: BT1126409
Component: Application Security Manager
Symptoms:
BD process restarts with a core file.
Conditions:
Unknown
Impact:
The unit goes offline for a short period of time.
Workaround:
None
Fix:
A sanity check has been added in order to avoid possible crash.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1126329-2 : SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT★
Links to More Info: BT1126329
Component: Local Traffic Manager
Symptoms:
SSL Orchestrator sends a TLS client hello instead of the expected HTTP CONNECT, leading to a failure in the client environment after an upgrade.
Conditions:
SSL Orchestrator in explicit proxy mode with proxy chaining enabled
Impact:
The exit proxy gives an HTTP 5xx error in response to the unexpected TLS Client Hello.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1126285-1 : TMM might crash with certain HTTP traffic
Links to More Info: K000135873, BT1126285
1126093 : DNSSEC Key creation failure with internal FIPS card.
Links to More Info: BT1126093
Component: Local Traffic Manager
Symptoms:
You are unable to create dnssec keys that use the internal FIPS HSM.
When this issue happens the following error messages appear in /var/log/gtm
Jul 20 04:37:47 localhost failed to read password encryption key from the file /shared/fips/nfbe0/pek.key_1, error 40000229
Jul 20 04:37:47 localhost.localdomain err gtmd[28729]: 011a0312:3: Failed to initiate session with FIPS card.
Jul 20 04:37:47 localhost.localdomain err gtmd[28729]: 011a0309:3: Failed to create new DNSSEC Key Generation /Common/abcd:1 due to HSM error.
Conditions:
-- Internal FIPS card present.
-- Clean installation from an installation ISO file.
-- DNSSKEY creation using internal FIPS card.
Impact:
DNSSEC deployments with internal FIPS HSMs are impacted.
Workaround:
Change the /shared/fips directory permissions.
Ex: chmod 700 /shared/fips
Fixed Versions:
17.1.1, 16.1.4
1124209-3 : Duplicate key objects when renewing certificate using pkcs12 bundle
Links to More Info: BT1124209
Component: TMOS
Symptoms:
Duplicate key objects are getting created while renewing the certificate using the pkcs12 bundle command.
Conditions:
When the certificate and key pair is present at the device and the pkcs12 command is executed to renew it.
Impact:
1) If the certificate and key pair is attached to the profile then certificate renewal is failing.
2) Duplicate key objects are getting created.
Workaround:
Delete the existing cert and key pair, and then execute the pkcs12 bundle command.
Fix:
Added the fix which has the capability to pass cert-name and key-name with the PKCS12 bundle command.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1124149-2 : Increase the configuration for the PCCD Max Blob size from 4GB to 8GB
Links to More Info: BT1124149
Component: Advanced Firewall Manager
Symptoms:
There was a limit of 4GB for the firewall rules prior to this change being checked in. The user could configure a blob size of 4GB only.
Conditions:
PCCD rules provisioning with an AFM license.
Impact:
Provisioning firewall rules. The PCCD blob size was restricted to 4GB.
Workaround:
None
Fix:
With these changes, the user will now be able to provision FW rules with a blob size of 8G.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1124109-2 : Add "typ":"JWT" to JOSE Header while generating JWT token from OAuth AS
Component: Access Policy Manager
Symptoms:
The "typ":"JWT" is missing in the JWT header.
Conditions:
The JWT token is generated from OAuth Authorization Server (AS).
Impact:
The "typ":"JWT" is missing.
Workaround:
None
Fix:
The "typ":"JWT" is added in the header, it is available whenever JWT token is generated from OAuth AS.
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
1123885-2 : A specific type of software installation may fail to carry forward the management port's default gateway.
Links to More Info: BT1123885
Component: TMOS
Symptoms:
After performing a specific type of software installation, the unit returns on-line without the management port's default gateway.
Conditions:
-- A software installation that does not carry forward the entirety of the BIG-IP system's configuration is performed. For example, this is achieved by running "image2disk --format=volumes <...>", or by using the live-install subsystem after disabling the liveinstall.saveconfig and liveinstall.moveconfig db keys. This type of installation, however, does carry forward the management port's configuration (IP address, subnet mask, and default gateway).
-- In addition to the default gateway, the management port is configured with additional static routes (for example, to a log server, dns server, etc.).
-- When mcpd is queried for the management routes, the default gateway is not the first entry in mcpd's reply (this is something outside of your control that entirely depends on the name of the objects and how the config was loaded).
Impact:
On Virtual Edition systems, this issue coupled with the removal of autolasthop from the management port means you will not be able to connect to the BIG-IP system's management port from non-directly connected clients after the installation.
On all systems, this issue means the BIG-IP system will not be able to initiate connections to non-directly connected systems over the management port after the installation.
Note: If the system is configured for dual-stack (IPv4 and IPv6) this issue can affect either (or both) stack.
Workaround:
After the issue has occurred, you can connect to the affected BIG-IP system by means of serial console or video console and apply the default gateway again.
If you are trying to prevent this issue, you can remove all management routes except the default one before performing this type of installation.
Fix:
The issue has been corrected; this specific type of software installation now correctly carries forward the management port's default gateway.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1123169-1 : Error saving an iRule when calling a procedure from HTML_TAG_MATCHED event
Links to More Info: BT1123169
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system tries to save an iRule that calls a procedure from HTML_TAG_MATCHED event, an error occurs.
Conditions:
-- configure an iRule with event HTML_TAG_MATCHED
-- The event calls a procedure
Impact:
A TCL error is thrown: Rule checker ::tclCheck::checkScript did not complete: can't read "BIGIP::ltmEventCategoryHierarchy(CLIENTSIDE)": no such element in array
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1123153-3 : "Such URL does not exist in policy" error in the GUI
Links to More Info: BT1123153
Component: Application Security Manager
Symptoms:
Unable to create a parameter under Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs ›› URL Parameters
Conditions:
When the policy setting "Differentiate between HTTP/WS and HTTPS/WSS URLs" is set to "Disabled".
Impact:
User is unable to create a Parameter with a URL.
Workaround:
N/A
Fix:
Resolved non-existent URL error during Parameter creation.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1123149 : Sys-icheck fail for /etc/security/opasswd
Links to More Info: BT1123149
Component: TMOS
Symptoms:
In common criteria mode, when password-memory is set to > 0 and create the user and login from CLI causes the system integrity check to failed
An error message may be logged "ERROR: S.5...... c /etc/security/opasswd (no backup)"
Conditions:
--- common criteria mode enabled
--- password-memory set to > 0 in password-policy configuration
--- create a new user and login first time using CLI
--- run sys-icheck
Impact:
System integrity check failure when common criteria mode is enabled
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1
1122497-4 : Rapid response not functioning after configuration changes
Links to More Info: BT1122497
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Rapid Response is not functioning and stats are not present and/or not changing as requests are being sent to the virtual server.
Conditions:
- DNS Rapid Response is set on the virtual.
- Rapid response is toggled off and back on in the DNS profile.
Impact:
DNS rapid response remains disabled.
Workaround:
Restarting services will allow rapid-response to begin functioning again.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1122473-4 : TMM panic while initializing URL DB
Links to More Info: BT1122473
Component: Access Policy Manager
Symptoms:
TMM panic because of a race condition which prevents the TMM from accessing files related to the URL database.
Conditions:
While the BIG-IP system is rebooting, if an infrequent timing delay occurs, one or more files related to the URL database may be created in the wrong order of sequence.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None. Repeated attempts at rebooting may eventually succeed.
Fixed Versions:
17.1.0, 16.1.3.3, 15.1.9
1122377-2 : If-Modified-Since always returns 304 response if there is no last-modified header in the server response
Links to More Info: BT1122377
Component: Local Traffic Manager
Symptoms:
Requests sent with an If-Modified-Since header always return a 304 Not Modified response
Conditions:
The Last Modified header is not included in the origin server response headers.
Impact:
When the Last Modified header is not present in the response, its default value i.e., Thu, 01 Jan 1970 00:00:00 GMT, is used and 304 Not Modified is sent to the client.
Workaround:
Add the Last-Modified header to the response headers using iRule
when HTTP_RESPONSE priority 1 {
set time [clock format [clock seconds] -gmt 1 -format "%a, %d %b %Y %H:%M:%S %Z"]
HTTP::header insert Last-Modified $time
log local0.debug "Inserting Last-Modified header as $time"
}
Fix:
Use date header value when Last-Modified is not present in Response headers
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1122205-1 : The 'action' value changes when loading protocol-inspection profile config
Links to More Info: BT1122205
Component: Protocol Inspection
Symptoms:
The "action" values for signatures and compliances in Protocol Inspection profiles change when a new config or UCS file is loaded.
Conditions:
Use case 1:
a) Create a protocol-inspection profile.
GUI: Security ›› Protocol Security : Inspection Profiles
-> Click "Add" >> "New"
1. Fill in the Profile Name field (pi_diameter in my example).
2. Services: pick "DIAMETER".
3. In the table for SYSTEM CHECKS, tick the checkboxes of all the items.
4. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".
5. In the table of signatures and compliances for DIAMETER, tick the checkboxes of all the items.
6. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".
7. Click "Commit Changes to System".
b) Check the current config via tmsh. Confirm there is no line with "action".
# tmsh list security protocol-inspection profile pi_diameter
c) Copy the result of the command in step b.
d). Delete the profile.
# tmsh delete security protocol-inspection profile pi_diameter
e). Load the config.
# tmsh
(tmos) # load sys config from-terminal merge
(tmos) # save sys config
Paste the pi_diameter profile config copied in step c. CTRL-D (maybe twice) to submit the change.
f) Check the config via tmsh. The action value has changed.
(tmos) # list security protocol-inspection profile pi_diameter
Use case 2:
a) Configure protocol-inspection profiles for http, diameter, and gtp. Set all "accept" including signatures and compliances.
b) tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase.
c) tmsh load sys config default.
d) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf.
Use case 3: Restore configuration by loading UCS/SCF after RMA.
Use case 4: Perform mcpd forceload for some purpose.
Use case 5: Change VM memory size or number of core on hypervisor.
Use case 6: System upgrade
Impact:
Some of the signatures and compliance action values are changed
Following commands output lists affected signatures and compliances.
## Signatures ##
tmsh list sec protocol-inspection signature all-properties | egrep "protocol-inspection|^\s*action" | awk '{ if($2 == "drop" || $2 == "reject") { print prev"\n"$0 } } { prev = $0 }'
## Compliances ##
tmsh list sec protocol-inspection compliance all-properties | egrep "protocol-inspection|^\s*action" | awk '{ if($2 == "drop" || $2 == "reject") { print prev"\n"$0 } } { prev = $0 }'
Workaround:
Workaround for use case 1:
Follow the work-around mention below when you want to load the ips profile configuration from the terminal.
a) Create a protocol-inspection profile.
GUI: Security ›› Protocol Security: Inspection Profiles
-> Click "Add" >> "New" >> ips_testing
b) Check the current config via tmsh.
# tmsh list security protocol-inspection profile ips_testing all-properties
c) Copy the result of the command in step b.
d) Delete the profile.
# tmsh delete security protocol-inspection profile ips_testing
e) Load the config.
# tmsh
(tmos) # load sys config from-terminal merge
(tmos) # save sys config
Paste the pi_diameter profile config copied in step c. CTRL-D (maybe twice) to submit the change.
f) Check the config via tmsh using all-properties
(tmos) # list security protocol-inspection profile ips_testing all-properties
Workaround for use case 2:
a) Configure protocol-inspection profiles for http, diameter, and gtp. Set all "accept" including signatures and compliances.
b) tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase
c) tmsh load sys config default
d) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
e) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
Workaround for use case 3:
a) Load the ucs/scf config file twice.
tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
Workaround for use case 4, 5, 6:
a) Before performing any of the operations of Use case 4, 5, 6, save the config.
tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase
b) Once the operation in use cases are done then perform the load operation.
tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
Fix:
After fixing the issue, the action value will not be changed for signatures and compliances.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1121661-2 : TMM may core while processing HTTP/2 requests
Links to More Info: K000133467, BT1121661
1121521-2 : Libssh upgrade from v0.7.7 to v0.9.6
Links to More Info: BT1121521
Component: Advanced Firewall Manager
Symptoms:
For Detailed Information :
https://www.libssh.org/ and https://www.libssh.org/features/
Conditions:
For Detailed Information :
https://www.libssh.org/ and https://www.libssh.org/features/
Impact:
For Detailed Information :
https://www.libssh.org/ and https://www.libssh.org/features/
Workaround:
NA
Fix:
For Detailed Information :
https://www.libssh.org/ and https://www.libssh.org/features/
Fixed Versions:
17.1.0, 16.1.4, 15.1.8
1121517-2 : Interrupts on Hyper-V are pinned on CPU 0
Links to More Info: BT1121517
Component: TMOS
Symptoms:
CPU 0 utilization is much higher relative to other CPUs due to high amount of softirq.
Conditions:
BIG-IP is deployed on a Hyper-V platform.
Impact:
Performance is degraded.
Fix:
Interrupts are balanced across all CPUs.
Fixed Versions:
16.1.4, 15.1.10
1120685 : Unable to update the password in the CLI when password-memory is set to > 0
Links to More Info: BT1120685
Component: TMOS
Symptoms:
A BIG-IP system with password-memory enabled will fail to update the user password in the first login using the CLI
Conditions:
Password-memory set to > 0 in password-policy configuration
Impact:
Not able to update the user password in the first login using the CLI.
Workaround:
Create the user using the GUI and log in from the GUI.
Fixed Versions:
17.1.0, 16.1.3.1
1120433-2 : Removed gtmd and big3d daemon from the FIPS-compliant list
Links to More Info: BT1120433
Component: TMOS
Symptoms:
The gtmd is not able to establish a secure connection to big3d due to failure in handshake because no common ciphers were found between big3d and gtmd in FIPS mode.
Conditions:
-- BIG-IP versions 16.1.2.2 and above
-- FIPS 140-3 license is installed on the BIG-IP or its a FullBoxFIPS device.
-- Connections are established between big3d and gtmd in FIPS mode.
Impact:
SSL handshakes fail between big3d and gtmd because no common ciphers are present.
Workaround:
None
Fix:
Gtmd and big3d can now communicate when FIPS mode is enabled.
Fixed Versions:
17.1.0, 16.1.3.1
1117609-2 : VLAN guest tagging is not implemented for CX4 and CX5 on ESXi
Links to More Info: BT1117609
Component: Local Traffic Manager
Symptoms:
Tagged VLAN traffic is not received by the BIG-IP Virtual Edition (VE).
Conditions:
Mellanox CX4 or CX5 with SR-IOV on VMware ESXi.
Impact:
Host-side tagging is required.
Workaround:
If only one VLAN is required, use host-side tagging and set the VLAN to "untagged" in the BIG-IP guest.
If multiple VLANs are required, use the "sock" driver instead. Edit the /config/tmm_init.tcl file and restart the Virtual Edition (VE) instance. Network traffic is disrupted while the system restarts.
echo "device driver vendor_dev 15b3:1016 sock" >> /config/tmm_init.tcl
CPU utilization may increase as a result of switching to the sock driver.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1117305-6 : The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials
Links to More Info: BT1117305
Component: TMOS
Symptoms:
The /api returns 401 when incorrect Basic Authorization credentials are supplied.
The /api returns 404 when correct Basic Authorization credentials are supplied.
Conditions:
Irrespective of the DB variable "httpd.basic_auth" value set to enable or disable.
Impact:
There is no functional impact, but all other non-existent URIs return a 302 redirect response to the TMUI login page irrespective of correct or incorrect Basic Authorization credentials, /api should also be invariably exhibiting the same behavior.
Workaround:
None
Fix:
The /api like any other non-existent URI now returns a 302 redirect response to the TMUI login page irrespective of correct or incorrect Basic Authorization credentials.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1117297-1 : Wr_urldbd continuously crashes and restarts★
Links to More Info: BT1117297
Component: Traffic Classification Engine
Symptoms:
Malloc failed while wr_urldb is started
Conditions:
Intermittently reproduced when rebooting to a new version or after restarting wr_urldbd
Impact:
Wr_urldbd crashes.
Workaround:
- Stop the wr_urldbd to stabilize(#bigstart stop wr_urldbd)
-- Update the customdb(i.e. delete or add custom urls) on the backend server
-- Start wr_urldbd to download and load the new DB(#bigstart start wr_urldbd)
Fix:
After the fix, malloc is properly done and no crash
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
1117245-2 : Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file
Links to More Info: BT1117245
Component: Application Security Manager
Symptoms:
You only see this message in /var/log/tomcat/liveupdate.log file. No other log messages are written, causing troubleshooting capability with LiveUpdate.
liveupdate.script file is corrupted, live update repository initialized with default schema
This error is emitted during tomcat startup.
/var/log/tomcat/catalina.out
java.io.FileNotFoundException: /usr/share/tomcat/logs/liveupdate.log (Permission denied)
Conditions:
You are running on a version which has a bug fix for ID907025. For more information see https://cdn.f5.com/product/bugtracker/ID907025.html
Impact:
Losing troubleshooting capability with LiveUpdate
Workaround:
chown tomcat:tomcat /var/log/tomcat/liveupdate.log
bigstart restart tomcat
Fixed Versions:
17.1.1, 16.1.4, 15.1.10