Applies To:
Show VersionsBIG-IP APM
- 16.1.5
BIG-IP Analytics
- 16.1.5
BIG-IP Link Controller
- 16.1.5
BIG-IP LTM
- 16.1.5
BIG-IP PEM
- 16.1.5
BIG-IP AFM
- 16.1.5
BIG-IP DNS
- 16.1.5
BIG-IP FPS
- 16.1.5
BIG-IP ASM
- 16.1.5
BIG-IP Release Information
Version: 16.1.5.1.0.13.7
Build: 7.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
The blue background highlights fixes |
Cumulative fixes from BIG-IP v16.1.5.1 that are included in this release
Cumulative fixes from BIG-IP v16.1.5 that are included in this release
Cumulative fixes from BIG-IP v16.1.4.3 that are included in this release
Cumulative fixes from BIG-IP v16.1.4.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v16.1.4 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.5 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.4 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.3 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v16.1.3 that are included in this release
Cumulative fixes from BIG-IP v16.1.2.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.2.1 that are included in this release
Cumulative fixes from BIG-IP v16.1.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.1 that are included in this release
Known Issues in BIG-IP v16.1.x
Cumulative fixes from BIG-IP v16.1.5.1.0.13.7 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1622609-1 | 2024-3596 | K000141008 | Blast-RADIUS CVE-2024-3596 | 16.1.5.1.0.13.7 |
1621249-2 | 2024-3596 | K000141008 | CVE-2024-3596: Blast Radius | 16.1.5.1.0.13.7 |
1678649-2 | 2024-3596 | K000141008 | Radius client configuration option for CVE-2024-3596 | 16.1.5.1.0.13.7 |
Cumulative fixes from BIG-IP v16.1.5.1 that are included in this release
Vulnerability Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1615861-2 | 3-Major | TMUI hardening | 16.1.5.1, 15.1.10.5 |
Cumulative fixes from BIG-IP v16.1.5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
983073-3 | CVE-2024-41727 | K000138833 | Certain traffic to ixlv & iavf can cause memory leak. | 17.1.0, 16.1.5 |
1507913-2 | CVE-2023-50868 | K000139084, BT1507913 | CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources | 16.1.5 |
1507569-2 | CVE-2023-50387 | K000139092, BT1507569 | KeyTrap: Extreme CPU consumption in DNSSEC validator | 16.1.5 |
1506049-2 | CVE-2023-4408 | K000138990, BT1506049 | Parsing large DNS messages may cause excessive CPU load | 16.1.5 |
1105589-2 | CVE-2024-39778 | K05710614, BT1105589 | HSB lockup using stateless virtual server | 17.1.1, 16.1.5 |
989373-7 | CVE-2020-14314 | K67830124, BT989373 | CVE-2020-14314 kernel: buffer uses out of index in ext3/4 filesystem | 16.1.5, 15.1.9 |
948725-7 | CVE-2024-41723 | K10438187, BT948725 | An undisclosed iControl REST endpoint may provide a list of usernames to unauthorized users | 17.1.1, 16.1.5 |
1308269 | CVE-2022-4304 | K000132943, BT1308269 | OpenSSL vulnerability CVE-2022-4304 | 17.1.1, 16.1.5 |
1295017-4 | CVE-2024-41164 | K000138477, BT1295017 | TMM crash when using MPTCP | 17.1.1, 16.1.5, 15.1.10 |
1026873-7 | CVE-2020-27618 | K08641512, BT1026873 | CVE-2020-27618: iconv hangs when converting some invalid inputs from several IBM character sets | 16.1.5, 15.1.9 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
737692-5 | 2-Critical | BT737692 | Handle x520 PF DOWN/UP sequence automatically by VE | 17.1.1, 16.1.5, 15.1.3.1 |
1069441-3 | 3-Major | BT1069441 | Cookie without '=' sign does not generate rfc violation | 17.1.1, 16.1.5, 15.1.10 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1395081-2 | 1-Blocking | K000137514, BT1395081 | Remote users are unable to generate authentication tokens | 17.1.1.1, 16.1.5 |
1147633-2 | 1-Blocking | Hardening of token creation by users with an administrative role | 17.1.1, 16.1.5 | |
997793-3 | 2-Critical | K34172543, BT997793 | Error log: Failed to reset strict operations; disconnecting from mcpd★ | 16.1.5 |
776117-1 | 2-Critical | BT776117 | BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type | 17.1.1, 16.1.5, 15.1.10 |
1593681-2 | 2-Critical | Monitor validation improvements | 16.1.5, 15.1.10.5 | |
1410953-2 | 2-Critical | BT1410953 | Keymgmtd coring or restarting in loop when we have an empty crl file inside crl_file_cache_d path. | 16.1.5 |
1394445-2 | 2-Critical | BT1394445 | Password-memory is not remembering passwords to prevent them from being used again | 16.1.5 |
1378329-2 | 2-Critical | K000137353 | Secure internal communication between Tomcat and Apache | 16.1.5, 15.1.10.5 |
1366089 | 2-Critical | BT1366089 | HSB firmware version 2.12.4.0 bitstream release for VIPRION B2250 blade | 16.1.5 |
1360757 | 2-Critical | BT1360757 | The OWASP compliance score generation failing with error 501 "Invalid Path" | 16.1.5 |
1295481-2 | 2-Critical | BT1295481 | FIPS keys are not restored when BIG-IP license is renewed after it expires | 17.1.1, 16.1.5 |
1269593-2 | 2-Critical | K000137127, BT1269593 | SSH client fails to connect using host key type ssh-rsa | 16.1.5 |
1191137-3 | 2-Critical | BT1191137 | WebUI crashes when the localized form data fails to match the expectations | 17.1.1, 16.1.5, 15.1.9 |
1113609-2 | 2-Critical | BT1113609 | GUI unable to load Bot Profiles and tmsh is unable to list them as well. | 17.1.1, 16.1.5 |
1075681-1 | 2-Critical | CVE-2020-17541 - Libjpeg-turbo all version have a stack-based buffer overflow in the "transform" component | 16.1.5 | |
1004929-1 | 2-Critical | BT1004929 | During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid. | 17.0.0, 16.1.5, 15.1.5, 14.1.4.5, 13.1.5 |
998957-1 | 3-Major | BT998957 | MCPD consumes excessive CPU while collecting statistics | 17.1.0, 16.1.5 |
997561-5 | 3-Major | BT997561 | TMM CPU imbalance with GRE/TB and GRE/MPLS traffic | 17.1.1, 16.1.5, 15.1.10 |
969345-1 | 3-Major | BT969345 | Temporary TMSH files not always removed after session termination | 16.1.5 |
955953-5 | 3-Major | BT955953 | iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg' | 17.0.0, 16.1.5, 15.1.10 |
950153-3 | 3-Major | BT950153 | LDAP remote authentication fails when empty attribute is returned | 17.1.1, 16.1.5, 15.1.10 |
942217-6 | 3-Major | BT942217 | Virtual server rejects connections even though the virtual status is 'available' | 16.1.5 |
715748-7 | 3-Major | BT715748 | BWC: Flow fairness not in acceptable limits | 17.1.1, 16.1.5, 15.1.10 |
673952-6 | 3-Major | BT673952 | 1NIC VE in high availability (HA) device-group shows 'Changes Pending' after reboot | 17.0.0, 16.1.5 |
605966-9 | 3-Major | BT605966 | BGP route-map changes may not immediately trigger route updates | 16.1.5 |
586948-2 | 3-Major | BT586948 | Dynamic toggling for HSB hardware checksum validation | 17.1.0, 16.1.5 |
1496269-2 | 3-Major | BT1496269 | VCMP guest on version 16.1.4 or above might experience constant TMM crashes.★ | 16.1.5 |
1491165-1 | 3-Major | BT1491165 | TMM crashes when saving DAG setting and there are 7 or more blades | 16.1.5 |
1472853-2 | 3-Major | BT1472853 | PVA may not fully come up on large platforms with many tmms | 16.1.5 |
1398229-1 | 3-Major | BT1398229 | Enabling support for SSH-RSA in Non FIPS mode | 16.1.5 |
1353957-2 | 3-Major | K000137505, BT1353957 | The message "Error getting auth token from login provider" is displayed in the GUI★ | 17.1.1.2, 16.1.5 |
1350717-3 | 3-Major | BT1350717 | When the client IP address changes immediately after the authentication to the Configuration Utility, HTTPD could enforce the source IP check even if 'auth-pam-validate-ip' is set to 'off' | 16.1.5 |
1350693-2 | 3-Major | BT1350693 | Log publisher using replicated destination with unreliable destination servers may leak xfrags | 16.1.5 |
1345989 | 3-Major | BT1345989 | "Rest framework is not available" being displayed when navigating to the "Device Management >> Overview" page | 16.1.5 |
1338993-2 | 3-Major | BT1338993 | Failing to fetch the installed RPM, throwing an error Object contains no token child value | 17.1.1, 16.1.5 |
1326501-2 | 3-Major | BT1326501 | Configure DAG fold_bits to improve connection distribution | 16.1.5 |
1322701-3 | 3-Major | Vulnerability scanner reports BIG-IP is disclosing sensitive information | 16.1.5 | |
1320389-1 | 3-Major | BT1320389 | vCMP guest loses connectivity because of bad interface mapping | 16.1.5 |
1312225-2 | 3-Major | BT1312225 | System Integrity Status: Invalid with some Engineering Hotfixes | 16.1.5 |
1311125-3 | 3-Major | BT1311125 | DDM Receive Power value reported in ltm log is ten times too high | 17.1.1, 16.1.5 |
1305125-2 | 3-Major | BT1305125 | Ssh to localhost not working with ssh-rsa | 17.1.1, 16.1.5 |
1298133-3 | 3-Major | BT1298133 | BFD sessions using floating self IP do not work well on multi-blade chassis | 16.1.5 |
1297257-2 | 3-Major | BT1297257 | Pool member Forced Offline then Enabled is marked down on peer after Incremental sync | 16.1.5 |
1296553-1 | 3-Major | BT1296553 | Include RQM Debug registers in hsb_snapshot for B2250 blade | 16.1.5 |
1294109-3 | 3-Major | BT1294109 | MCP does not properly read certificates with empty subject name | 16.1.5 |
1293193-2 | 3-Major | BT1293193 | Missing MAC filters for IPv6 multicast | 17.1.1, 16.1.5, 15.1.10 |
1291217-1 | 3-Major | BT1291217 | EasySoap++-0.6.2 is not coded to add an SNI | 16.1.5 |
1186649 | 3-Major | BT1186649 | TMM keep crashing after vCMP Guest Upgrade to BIG-IP v16.1.3.2★ | 16.1.5 |
1181757-4 | 3-Major | BT1181757 | BGPD assert when sending an update | 16.1.5 |
1154381-4 | 3-Major | BT1154381 | The tmrouted might crash when management route subnet is received over a dynamic routing protocol | 17.1.1, 16.1.5, 15.1.10 |
1147849-4 | 3-Major | Rest token creation does not follow all best practices | 16.1.5 | |
1135961-7 | 3-Major | BT1135961 | The tmrouted generates core with double free or corruption | 17.1.1, 16.1.5, 15.1.9 |
1134509-4 | 3-Major | BT1134509 | TMM crash in BFD code when peers from ipv4 and ipv6 families are in use. | 17.1.1, 16.1.5, 15.1.10 |
1134057-4 | 3-Major | BT1134057 | BGP routes not advertised after graceful restart | 17.1.1, 16.1.5, 15.1.9 |
1125733-3 | 3-Major | BT1125733 | Wrong server-side window scale used in hardware SYN cookie mode | 17.1.0, 16.1.5, 15.1.9 |
1113693-3 | 3-Major | BT1113693 | SSL Certificate List GUI page takes a long time to load | 16.1.5 |
1111993-2 | 3-Major | BT1111993 | HSB tool utility does not display PHY settings for HiGig interfaces | 17.1.0, 16.1.5, 15.1.10 |
1104773-6 | 3-Major | REST API Access hardening | 17.1.1, 16.1.5 | |
1102837-2 | 3-Major | BT1102837 | Use native driver for e810 instead of sock | 17.1.0, 16.1.5, 15.1.7 |
1093973-7 | 3-Major | BT1093973 | Tmm may core when BFD peers select a new active device. | 16.1.5 |
1086393-1 | 3-Major | BT1086393 | Sint Maarten and Curacao are missing in the GTM region list | 17.1.1, 16.1.5 |
1064893-1 | 3-Major | BT1064893 | Keymgmtd memory leak occurs while configuring ca-bundle-manager. | 17.0.0, 16.1.5 |
1042589-1 | 3-Major | BT1042589 | Wrong trunk_id is associated in bcm56xxd. | 17.0.0, 16.1.5, 15.1.10 |
1040573-4 | 3-Major | BT1040573 | REST operation takes a long time when two different users perform tasks in parallel | 16.1.5 |
1040117-2 | 3-Major | BT1040117 | BIG-IP Virtual Edition drops UDP packets | 17.1.1, 16.1.5, 15.1.10 |
1035661-4 | 3-Major | BT1035661 | REST Requests return 401 Unauthorized when using Basic Auth | 16.1.5 |
1020129-2 | 3-Major | BT1020129 | Turboflex page in GUI reports 'profile.Features is undefined' error★ | 17.1.1, 16.1.5, 15.1.10 |
1019429-1 | 3-Major | BT1019429 | CMP Forwarded flows do not get syncache counter decremented when only server-side is PVA accelerated | 17.0.0, 16.1.5, 15.1.4.1 |
1009793-2 | 3-Major | BT1009793 | Tmm crash when using ipsec | 16.1.5 |
857045-4 | 4-Minor | BT857045 | LDAP system authentication may stop working | 16.1.5 |
1355149-3 | 4-Minor | BT1355149 | The icrd_child might block signals to child processes | 16.1.5 |
1320889-3 | 4-Minor | BT1320889 | Sock interface driver might fail to forward some packets. | 17.1.1, 16.1.5 |
1292493 | 4-Minor | BT1292493 | Enforcement of non-approved algorithms in FIPS or Common Criteria mode. | 16.1.5 |
1280281-1 | 4-Minor | BT1280281 | SCP allow list may have issues with file paths that have spaces in them | 17.1.1, 16.1.5, 15.1.10 |
1145729-3 | 4-Minor | BT1145729 | Partition description between GUI and REST API/TMSH does not match | 17.1.1, 16.1.5 |
1136837-4 | 4-Minor | BT1136837 | TMM crash in BFD code due to incorrect timer initialization | 17.1.1, 16.1.5, 15.1.10 |
1089005-4 | 4-Minor | BT1089005 | Dynamic routes might be missing in the kernel on secondary blades. | 16.1.5 |
1064753-4 | 4-Minor | BT1064753 | OSPF LSAs are dropped/rate limited incorrectly. | 16.1.5, 15.1.10 |
1046025-3 | 4-Minor | BT1046025 | The iavf and ixlv drivers have incorrect VHO flag for all packets | 17.1.0, 16.1.5 |
1044893 | 4-Minor | BT1044893 | Kernel warnings from NIC driver Realtek 8139 | 17.1.1, 16.1.5, 15.1.10 |
1003081-3 | 4-Minor | BT1003081 | GRE/TB-encapsulated fragments are not forwarded. | 17.1.1, 16.1.5, 15.1.10 |
997269-1 | 5-Cosmetic | BT997269 | The management-dhcp contextual help for supersede-options is not available | 17.0.0, 16.1.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
994973-1 | 2-Critical | BT994973 | TMM crash with do_drivers_probe() | 16.1.5 |
965897-4 | 2-Critical | BT965897 | Disruption of mcpd with a segmentation fault during config sync | 17.1.1, 16.1.5, 15.1.10 |
927633-4 | 2-Critical | BT927633 | Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic | 16.1.5 |
1496457-2 | 2-Critical | TMM crash under certain traffic patterns when an HTTP/2 profile is applied. | 16.1.5 | |
1346101-1 | 2-Critical | BT1346101 | SSL Orchestrator can crash TMM | 16.1.5 |
1322973-2 | 2-Critical | A particular sequence of HTTP packets may cause TMM to crash | 16.1.5 | |
1319365-2 | 2-Critical | BT1319365 | Policy with external data group may crash TMM or return nothing with search contains | 17.1.1, 16.1.5 |
1305697-3 | 2-Critical | BT1305697 | TMM may crash after performing a full sync, when in-tmm monitors are configured and ssl-profile is changed | 17.1.1, 16.1.5 |
1298029-3 | 2-Critical | BT1298029 | DB_monitor may end the wrong processes | 17.1.1, 16.1.5 |
1209197-1 | 2-Critical | BT1209197 | Gtmd crash with SIGSEGV while importing or exporting a key or certificate to the BIG-IP | 17.1.0, 16.1.5 |
1105145-2 | 2-Critical | BT1105145 | Request body on server side egress is not chunked when it needs to be after HTTP processes a 100 continue response. | 17.1.0, 16.1.5 |
1078741-2 | 2-Critical | BT1078741 | Tmm crash | 17.0.0, 16.1.5 |
1072377-3 | 2-Critical | BT1072377 | TMM crash in rare circumstances during route changes | 17.1.0, 16.1.5, 15.1.10 |
996649-6 | 3-Major | BT996649 | Improper handling of DHCP flows leading to orphaned server-side connections | 17.1.1, 16.1.5, 15.1.10 |
874877-4 | 3-Major | BT874877 | The bigd monitor reports misleading error messages | 16.1.5 |
1505753-1 | 3-Major | BT1505753 | Maximum Fragment Length extension is not visible in ServerHello even though it is present in ClientHello | 16.1.5 |
1494293-4 | 3-Major | BT1494293 | BIG-IP might fail to forward server-side traffic after a routing disruption occurs. | 16.1.5 |
1494137-1 | 3-Major | BT1494137 | Translucent mode vlan-group uses wrong MAC when sending ICMP to client | 16.1.5 |
1429897 | 3-Major | BT1429897 | NShield netHSM : Creating new nShield key does not commit this key to an external RFS with nShield 12.60 | 16.1.5 |
1400317-2 | 3-Major | BT1400317 | TMM crash when using internal datagroup | 16.1.5 |
1399645-2 | 3-Major | BT1399645 | iRule event BOTDEFENSE_ACTION validation failing a subroutine call | 16.1.5 |
1399241-2 | 3-Major | BT1399241 | QUIC occasionally erroneously sends connection close with QPACK decoder stream error | 16.1.5 |
1391081-2 | 3-Major | BT1391081 | TMM crash when running HTTP/3 and persist record | 16.1.5 |
1389225-2 | 3-Major | BT1389225 | For certain iRules, TCP::close does not close the TCP connection | 16.1.5 |
1389033-2 | 3-Major | K000137430, BT1389033 | In an iRule SSL::sessionid returns an empty value★ | 16.1.5 |
1388621-2 | 3-Major | BT1388621 | Database monitor with no password marks pool member down | 16.1.5 |
1369673-2 | 3-Major | BT1369673 | OCSP unable to staple certificate chain | 16.1.5 |
1366593-2 | 3-Major | BT1366593 | HTTPS monitors can fail when multiple bigd processes use the same netHSM | 16.1.5 |
1366217-2 | 3-Major | BT1366217 | The TLS 1.3 SSL handshake fails with "Decryption error" when using dynamic CRL validator | 16.1.5 |
1347569-1 | 3-Major | BT1347569 | TCL iRule not triggered due to handshake state exceeding trigger point | 16.1.5 |
1312041 | 3-Major | BT1312041 | Connection RST with reason "STREAM max match size exceeded" after upgrading to v16.1.x★ | 16.1.5 |
1311053-2 | 3-Major | BT1311053 | Invalid response may be sent to a client when a http compression profile and http analytics profile attached to a virtual server | 16.1.5 |
1306249-1 | 3-Major | BT1306249 | Hourly spike in the CPU usage causing delay in TLS connections★ | 16.1.5 |
1305361-2 | 3-Major | BT1305361 | Flows that are terminated by an ILX streaming plugin may not expire immediately | 17.1.1, 16.1.5 |
1305329 | 3-Major | BT1305329 | HTTP iRule event HTTP_REQUEST_DATA is triggered even though there is no data collected via HTTP::collect command. | 16.1.5 |
1304189-3 | 3-Major | BT1304189 | Duplicate SYNs to a mirrored FastL4 virtual may result in connection failures | 17.1.1, 16.1.5 |
1302077-4 | 3-Major | BT1302077 | Virtual address statistics being counted for different virtual address after changing the destination address of a virtual server | 17.1.1, 16.1.5 |
1300925-3 | 3-Major | BT1300925 | Shared memory race may cause TMM to core | 17.1.1, 16.1.5 |
1294289-2 | 3-Major | BT1294289 | SSL Persist leaks memory on when client and server hello exceeds MSS | 16.1.5 |
1284413 | 3-Major | BT1284413 | After upgrade to 16.1.3.2 from 16.0.1.1, BIG-IP can send CONNECT requests when no proxy select agent is used★ | 16.1.5 |
1284261-3 | 3-Major | BT1284261 | Constant traffic on DHCPv6 virtual servers may cause a TMM crash. | 17.1.1, 16.1.5, 15.1.10 |
1272501 | 3-Major | BT1272501 | Connections are being reset with the cause "F5RST:HTTP redirect rewrite failure" | 17.1.1, 16.1.5 |
1238529-2 | 3-Major | BT1238529 | TMM might crash when modifying a virtual server in low memory conditions | 17.1.1, 16.1.5 |
1132105-2 | 3-Major | Database monitor daemon (DBDaemon) uses unsupported Java version | 16.1.5 | |
1112385-3 | 3-Major | BT1112385 | Traffic classes match when they shouldn't | 17.1.1, 16.1.5, 15.1.10 |
1088597-2 | 3-Major | BT1088597 | TCP keepalive timer can be immediately re-scheduled in rare circumstances | 17.1.1, 16.1.5, 15.1.10 |
1084965-3 | 3-Major | BT1084965 | Low visibility of attack vector | 17.1.1, 16.1.5 |
1083621-1 | 3-Major | BT1083621 | The virtio driver uses an incorrect packet length | 17.1.1, 16.1.5, 15.1.9 |
1059573-4 | 3-Major | BT1059573 | Variation in a case insensitive value of an operand in LTM policy may fail in some rules. | 17.0.0, 16.1.5, 15.1.10 |
1036873-2 | 3-Major | BT1036873 | Pre-shared key extension sometimes is not the last extension in ClientHello in TLS1.3 | 17.0.0, 16.1.5 |
1025089-1 | 3-Major | BT1025089 | Pool members marked DOWN by database monitor under heavy load and/or unstable connections | 16.1.5 |
1017421-4 | 3-Major | BT1017421 | SASP Monitor does not log significant error conditions at default logging level | 16.1.5 |
929429-8 | 4-Minor | BT929429 | Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed | 17.1.1, 16.1.5, 15.1.10 |
1489657-3 | 4-Minor | BT1489657 | HTTP/2 MRF incorrectly end stream for 100 Continue | 16.1.5 |
1462885-2 | 4-Minor | BT1462885 | LTM should send ICMP port unreachable upon unsuccessful port selection. | 16.1.5 |
1348841 | 4-Minor | BT1348841 | TMM cored with SIGSEGV when using dtls by disabling the unclean shutdown flag. | 16.1.5 |
1312105-2 | 4-Minor | BT1312105 | The tmm/ehash_stat inuse field for listener name hash is incremented but not decremented | 16.1.5 |
1304289-2 | 4-Minor | BT1304289 | Pool member monitored by both GTM and LTM monitors may be erroneously marked Down | 17.1.1, 16.1.5 |
1269773-3 | 4-Minor | BT1269773 | Convert network-order to host-order for extensions in TLS1.3 certificate request | 17.1.1, 16.1.5, 15.1.10 |
1121349-2 | 4-Minor | BT1121349 | CPM NFA may stall due to lack of other state transition | 17.1.1, 16.1.5 |
1103117-2 | 4-Minor | BT1103117 | iAppLX extension using express with httpserver script leaves lingering client-side flow on HTTP requests. | 16.1.5 |
991457-1 | 5-Cosmetic | BT991457 | The mpidump should show sequence number and higher precision date/time | 16.1.5 |
979213-1 | 5-Cosmetic | BT979213 | Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM. | 17.1.1, 16.1.5, 15.1.10 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1322497-2 | 2-Critical | BT1322497 | GTM monitor recv string with special characters causes frequent iquery reconnects | 16.1.5 |
1225061-3 | 2-Critical | BT1225061 | The zxfrd segfault with numerous zone transfers | 16.1.5 |
1212081-2 | 2-Critical | BT1212081 | The zxfrd segfault and restart loop due to incorrect packet processing | 16.1.5 |
1081473-5 | 2-Critical | BT1081473 | GTM/DNS installations may observe the mcpd process crashing | 17.1.1, 16.1.5 |
1410989-3 | 3-Major | BT1410989 | DNSX returns a malformed UDP DNS response when the answer count is nonzero but there is no answer section. | 16.1.5 |
1399809-3 | 3-Major | BT1399809 | DNS Resolution for IPv6 clients is not working when dns64 is enabled with secondary in DNS Profile. | 16.1.5 |
1313369-3 | 3-Major | BT1313369 | Significant performance drop observed for DNS cache validating resolver for responses with indeterminate and insecure validation status | 17.1.1, 16.1.5 |
1302825-3 | 3-Major | BT1302825 | Allow configuration of the number of times the CNAME chase is performed | 17.1.1, 16.1.5 |
1137569-3 | 3-Major | BT1137569 | Set nShield HSM environment variable. | 16.1.5, 15.1.10 |
1137217-2 | 3-Major | BT1137217 | DNS profile fails to set TC flag for the responses containing RRSIG algorithm 13 | 16.1.5 |
1133201-1 | 3-Major | BT1133201 | Disabling a GTM pool member results in the same virtual server no longer being monitored in other pools | 17.1.1, 16.1.5 |
1128369-1 | 3-Major | BT1128369 | GTM (DNS) /Common/bigip monitor instances may show 'big3d: timed out' state | 16.1.5 |
1100197-2 | 3-Major | BT1100197 | Mcpd message: Unable to do incremental sync, reverting to full load for device group /Common/gtm | 16.1.5 |
1100169-1 | 3-Major | BT1100169 | GTM iQuery connections may be reset after SSL key renegotiation. | 16.1.5 |
1094069-1 | 3-Major | BT1094069 | iqsyncer will get stuck in a failed state when requesting a commit_id that is not on the target GTM | 16.1.5 |
1085377-2 | 3-Major | BT1085377 | BIND9 upgrade from version 9.11 to 9.16 | 17.1.0, 16.1.5 |
1311169-3 | 4-Minor | BT1311169 | DNSSEC response is not signed when failure-rcode-response is enabled and no record is returned | 17.1.1, 16.1.5 |
1295565-3 | 4-Minor | BT1295565 | BIG-IP DNS not identified in show gtm iquery for local IP | 17.1.1, 16.1.5 |
1186789-2 | 4-Minor | BT1186789 | DNSSEC keys stored on an internal FIPS card do not work after upgrading to versions >= 16.x | 17.1.1, 16.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
890037-3 | 2-Critical | BT890037 | Rare BD process core | 16.1.5 |
1490765-2 | 2-Critical | BT1490765 | Request body can be unordered by bot-defense | 16.1.5 |
1366445-3 | 2-Critical | BT1366445 | [CORS] "Replace with" and "Remove header" CORS functionalities does not work | 16.1.5 |
1282281-3 | 2-Critical | BT1282281 | Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns | 17.1.1, 16.1.5, 15.1.10 |
939097-5 | 3-Major | BT939097 | Error messages related to long request allocation appear in the bd.log incase of big chunked requests | 17.1.1, 16.1.5 |
852613-4 | 3-Major | BT852613 | Connection Mirroring and ASM Policy not supported on the same virtual server | 16.1.5, 14.1.2.7 |
1468809-2 | 3-Major | BT1468809 | Attack signature "Staged Since" timestamp is not accurate | 16.1.5 |
1462797-2 | 3-Major | BT1462797 | TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection when an HTTP/2 request is sent | 16.1.5 |
1359281-2 | 3-Major | BT1359281 | Attack signature is not detected when the value does not have '=' | 16.1.5 |
1350141-1 | 3-Major | BT1350141 | Duplicate user-defined Signature Set based on Attack Type is created upon policy import during upgrade★ | 16.1.5 |
1348425-3 | 3-Major | BT1348425 | Header name or parameter name is configured with space. | 16.1.5 |
1346461-3 | 3-Major | BT1346461 | Bd crash at some cases | 16.1.5 |
1332769-2 | 3-Major | BT1332769 | Wildcard order incorrect for JSON Policy Import | 16.1.5 |
1330473-2 | 3-Major | BT1330473 | Response_log_rate_limit is not applied | 16.1.5 |
1329893-1 | 3-Major | BT1329893 | TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection based on IP, when an HTTP/2 request is sent | 16.1.5 |
1329065-1 | 3-Major | BT1329065 | Hostname violation when hostname starts with multiple 0's | 16.1.5 |
1316529-3 | 3-Major | BT1316529 | Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails with hidden DOS | 17.1.1, 16.1.5 |
1302689-3 | 3-Major | BT1302689 | ASM requests to rechunk payload | 17.1.1, 16.1.5, 15.1.10 |
1301197-3 | 3-Major | BT1301197 | Bot Profile screen does not load and display large number of pools/members | 17.1.1, 16.1.5, 15.1.10 |
1298161-2 | 3-Major | BT1298161 | Ts_cookie_add_attrs is not effective with cookies that have non-root path or domain attribute | 16.1.5 |
1295057-3 | 3-Major | BT1295057 | Installation of Attack Signatures file reported as fail after 1 hour | 16.1.5 |
1295009-1 | 3-Major | BT1295009 | "JSON data does not comply with JSON schema" violation is raised when concurrent requests occur with same JSON data | 17.1.1, 16.1.5, 15.1.10 |
1292685-2 | 3-Major | BT1292685 | The date-time RegExp pattern through swagger would not cover all valid options | 17.1.1, 16.1.5, 15.1.10 |
1292645-2 | 3-Major | BT1292645 | False positive CORS violation can occur after upgrading to 17.1.x under certain conditions★ | 17.1.1, 16.1.5 |
1288517-2 | 3-Major | BT1288517 | Item filter does not work on /mgmt/tm/asm/tasks/export-suggestions/ | 16.1.5 |
1284097-2 | 3-Major | BT1284097 | False positive 'Illegal cross-origin request' violation | 17.1.1, 16.1.5 |
1284073-3 | 3-Major | BT1284073 | Cookies are truncated when number of cookies exceed the value configured in "max_enforced_cookies" | 17.1.1, 16.1.5 |
1281397-1 | 3-Major | BT1281397 | SMTP requests are dropped by ASM under certain conditions | 17.1.1, 16.1.5 |
1281389-1 | 3-Major | BT1281389 | Bot Defense can crash when using SMTP security profile | 16.1.5 |
1270133-3 | 3-Major | BT1270133 | bd crash during configuration update | 17.1.1, 16.1.5 |
1231137-3 | 3-Major | BT1231137 | During signature update, Bot signature from one user partition affecting the Bot profile created in another Partition | 16.1.5 |
1229813-2 | 3-Major | BT1229813 | The ref schema handling fails with oneOf/anyOf | 17.1.1, 16.1.5, 15.1.10 |
1211905-2 | 3-Major | BT1211905 | Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts" | 16.1.5 |
1210321-1 | 3-Major | BT1210321 | Parameters are not created for properties defined in multipart request body when URL include path parameter | 16.1.5 |
1207793-1 | 3-Major | BT1207793 | Bracket expression in JSON schema pattern does not work with non basic latin characters | 17.1.1, 16.1.5, 15.1.10 |
1168157-2 | 3-Major | BT1168157 | OpenAPI: Special ASCII characters in "schema" block should not be converted to UTF8 | 16.1.5 |
1081285-1 | 3-Major | BT1081285 | ASM::disable iRule command causes HTTP2 RST_STREAM response when MRF is enabled | 16.1.5 |
1038689-3 | 3-Major | BT1038689 | "Mandatory request body is missing" violation should trigger for "act as a POST" methods only | 17.1.1, 16.1.5 |
1004793-1 | 3-Major | BT1004793 | If there is an additional CSRT token, it triggers a No Max Parameter Protocol Compliance violation . | 17.0.0, 16.1.5 |
987977-3 | 4-Minor | BT987977 | VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation | 17.1.1, 16.1.5 |
911729-4 | 4-Minor | BT911729 | Redundant learning suggestion to set a Maximum Length when parameter is already at that value | 17.0.0, 16.1.5, 16.0.1.2, 15.1.4, 14.1.4.2 |
1399289-1 | 4-Minor | BT1399289 | "XML data does not comply with schema or WSDL document" violations after upgrade to 16.1.4.1 | 16.1.5 |
1366229-5 | 4-Minor | BT1366229 | Leaked Credentials Action unexpectedly modified after XML-format policy export and re-import | 16.1.5 |
1311253-3 | 4-Minor | BT1311253 | Set-Cookie header has no value (cookie-string) in server-side, due to asm.strip_asm_cookies | 16.1.5 |
1186661-2 | 4-Minor | BT1186661 | The security policy JSON profile created from OpenAPI file should have value "any" for it's defense attributes | 16.1.5 |
1181833-2 | 4-Minor | BT1181833 | Content is not updating under respective tab of webUI when CSRF enabled | 17.1.0, 16.1.5 |
1137245-1 | 4-Minor | BT1137245 | Issue with injected javascript can cause an error in the browser. | 16.1.5 |
1084157-3 | 4-Minor | BT1084157 | Possible captcha loop when using Single Page Application | 16.1.5 |
1016033-4 | 4-Minor | BT1016033 | Remote logging of WS/WSS shows date_time equal to Unix epoch start time | 17.0.0, 16.1.5, 15.1.5 |
1030129-4 | 5-Cosmetic | BT1030129 | iHealth unnecessarily flags qkview for H701182 with mcp_module.xml | 16.1.5 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
915005-3 | 4-Minor | BT915005 | AVR core files have unclear names | 16.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1505789-2 | 1-Blocking | K000138683, BT1505789 | VPN connection fails with Edge client 7.2.4.6 with error "Network is vulnerable"★ | 16.1.5 |
1146341-2 | 1-Blocking | BT1146341 | TMM crashes while processing traffic on virtual server | 17.1.0, 16.1.5, 15.1.10 |
831737-3 | 2-Critical | BT831737 | Memory Leak when using Ping Access profile | 17.1.1, 16.1.5, 15.1.6.1 |
1552685-5 | 2-Critical | K000138771, BT1552685 | Issues are observed with APM Portal Access on Chrome browser version 122 or later | 16.1.5 |
1455677-2 | 2-Critical | ACCESS Policy hardening | 16.1.5 | |
1398401-1 | 2-Critical | K000135607, BT1398401 | Configuration error: In url-filter <filter name> allowed-category <cat name> does not exist.★ | 16.1.5 |
1366401 | 2-Critical | BT1366401 | [APM]"F5RST: HTTP internal error" occurring after BIG-IP initiated client-ssl renegotiation | 16.1.5 |
1355377-2 | 2-Critical | BT1355377 | Subroutine gating criteria utilizing TCL may cause TMM to restart | 16.1.5 |
1355117-2 | 2-Critical | K000137374, BT1355117 | TMM core due to extensive memory usage★ | 17.1.1, 16.1.5, 15.1.10.3 |
1321713-2 | 2-Critical | K000135858, BT1321713 | BIG-IP Rewrite Profile GUI and URI Validation is inconsistent | 16.1.5 |
1104517-2 | 2-Critical | BT1104517 | In SWG explicit proxy, some TCP connections are reset because of inconsistency between sessionDB and local IP2SessionId map | 17.1.1, 16.1.5, 15.1.10 |
1063261-4 | 2-Critical | BT1063261 | TMM crash is seen due to sso_config objects. | 17.0.0, 16.1.5, 15.1.10 |
1020881-1 | 2-Critical | BT1020881 | TMM crashes while passing APM traffic. | 16.1.5 |
738716-1 | 3-Major | BT738716 | Add support for "Restart Desktop" setting in View clients, native as well as HTML5 clients | 17.1.1, 16.1.5 |
634576-3 | 3-Major | K48181045, BT634576 | TMM core in per-request policy | 16.1.5, 13.1.0 |
1506009-1 | 3-Major | BT1506009 | Oauth core | 16.1.5 |
1506005-2 | 3-Major | BT1506005 | TMM core occurs due to OAuth invalid number of keys or credential block size | 16.1.5 |
1491481-2 | 3-Major | BT1491481 | Server changes to support QT upgrade of Mac Clients | 16.1.5 |
1490833-1 | 3-Major | BT1490833 | OAuth agent gets misconfigured when adding a new Scope/Claim in VPE | 16.1.5 |
1473701 | 3-Major | BT1473701 | Oauth Discovery task is struck at "SAVE_AND_APPLY" state | 16.1.5 |
1472609 | 3-Major | BT1472609 | [APM]Some user roles unable view Access config GUI, getting 403 error | 16.1.5 |
1409453 | 3-Major | BT1409453 | [APM][NA]Read Access Denied for 'Manger role' when accessing Network Settings in Network Access config | 16.1.5 |
1402421 | 3-Major | BT1402421 | Virtual Servers haviing adfs proxy configuration might have all traffic blocked | 16.1.5 |
1359245 | 3-Major | BT1359245 | Apmd cored when processing oauth token response when response code is not "200" and "ContentType" header "text/html | 16.1.5 |
1352945-1 | 3-Major | BT1352945 | Rewrite plugin memory leak | 16.1.5 |
1350273-2 | 3-Major | BT1350273 | Kerberos SSO Failing for Cross Domain After Upgrade from 15.1.8.2 to 15.1.9.1★ | 16.1.5 |
1348153 | 3-Major | BT1348153 | Assigned IP Address session variable always as IPv6 Address | 16.1.5 |
1345997-2 | 3-Major | BT1345997 | Very large number of custom URLs in SWG can impact performance. | 16.1.5 |
1341849 | 3-Major | BT1341849 | APM- tmm core SIGSEGV in saml artifact usage | 16.1.5 |
1338837 | 3-Major | BT1338837 | [APM][RADIUS] Support Framed-IPv6-Address in RADIUS Accounting STOP message | 16.1.5 |
1328433 | 3-Major | BT1328433 | TMM cores while using VPN with ipv6 configured | 16.1.5 |
1292141-1 | 3-Major | BT1292141 | TMM crash while processing myvpn request | 17.1.1, 16.1.5 |
1273881-4 | 3-Major | BT1273881 | TMM crashes while processing traffic on the virtual server | 16.1.5 |
1269709-1 | 3-Major | BT1269709 | GUI should throw the error when the VS is configured with both vdi and HTTP/2 profiles | 16.1.5 |
1251157-3 | 3-Major | BT1251157 | Ping Access filter can accumulate connections increasing the memory use | 17.1.1, 16.1.5, 15.1.10 |
1238329 | 3-Major | BT1238329 | Intermittent request for /vdesk/c_ses.php3?orig_uri is reset with cause Access encountered error: ERR_NOT_FOUND | 16.1.5 |
1207821-3 | 3-Major | BT1207821 | APM internal virtual server leaks memory under certain conditions | 17.1.1, 16.1.5, 15.1.10 |
1190025-2 | 3-Major | BT1190025 | The OAuth process crash | 16.1.5 |
1188417-2 | 3-Major | BT1188417 | Failure in the SelfTest/Integrity test triggers a reboot action. | 16.1.5 |
1147621-2 | 3-Major | BT1147621 | AD query do not change password does not come into effect when RSA Auth agent used | 17.1.1, 16.1.5, 15.1.9 |
1145989-2 | 3-Major | BT1145989 | ID token sub-session variables are not populated | 16.1.5 |
1099833-5 | 3-Major | Add additional server side support for f5-epi links. | 16.1.5 | |
1044457-3 | 3-Major | BT1044457 | APM webtop VPN is no longer working for some users when CodeIntegrity is enabled. | 17.1.1, 16.1.5, 15.1.10 |
1006509-1 | 3-Major | BT1006509 | TMM memory leak★ | 16.1.5, 15.1.7 |
1505413 | 4-Minor | BT1505413 | Error in Wrapper for Array.slice Method When F5_window_link is Undefined | 16.1.5 |
1468589 | 4-Minor | BT1468589 | TypeError: Cannot convert a Symbol value to a string in CSSStyleDeclaration Object Getter and Setter Functions | 16.1.5 |
1382329 | 4-Minor | BT1382329 | Handling 'active' attribute in introspection response | 16.1.5 |
1381065-1 | 4-Minor | BT1381065 | Custom Request implementation modifies the Request object's prototype, resulting in the lack of the 'signal' property. | 16.1.5 |
1351493 | 4-Minor | BT1351493 | Invalid JSON node type while support-introspection enabled | 16.1.5 |
1350997-1 | 4-Minor | BT1350997 | Changes to support pre-logon when secondary logon service is disabled on windows edge client | 16.1.5 |
1294993 | 4-Minor | BT1294993 | URL Database download logs are not visible | 17.1.1, 16.1.5 |
1218813-4 | 4-Minor | BT1218813 | "Timeout waiting for TMM to release running semaphore" after running platform_diag | 17.1.1, 16.1.5, 15.1.9 |
1142389-3 | 4-Minor | BT1142389 | APM UI report displays error "Error Processing log message ..." when the log contains some special character received in client request | 17.1.1, 16.1.5, 15.1.10 |
1100561 | 4-Minor | BT1100561 | AAA: a trailing ampersand is added to serverside request when using HTTP forms based auth | 17.1.1, 16.1.5 |
504374-1 | 5-Cosmetic | BT504374 | Cannot search Citrix Applications inside folders | 16.1.5 |
427094-1 | 5-Cosmetic | BT427094 | Accept-language is not respected if there is no session context for page requested. | 17.1.1, 16.1.5, 15.1.10 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1391161-2 | 2-Critical | sipmsg_parse_sdp crashes when SIP receives certain traffic pattern. | 16.1.5 | |
1304297-2 | 2-Critical | A certain client sequence via MRF passthrough may cause TMM to core | 16.1.5 | |
1270497-2 | 2-Critical | BT1270497 | MRF SIP/ALG Core dump observed while accessing trans_data in sipmsg_register_ingress_register_request_session_reply_common method | 16.1.5 |
1466293-2 | 3-Major | SIP MRF over TCP might cause excessive memory buffering | 16.1.5 | |
1466289-3 | 3-Major | SIP MRF might leave orphaned connections | 16.1.5 | |
1307517-2 | 3-Major | BT1307517 | Allow SIP reply with missing FROM | 17.1.1, 16.1.5 |
1395281-2 | 4-Minor | BT1395281 | UDP payloads not ending with CRLF are being treated as BAD messages. | 16.1.5 |
1329477-2 | 4-Minor | BT1329477 | Auto-initialization does not work with certain MRF connection-mode | 17.1.1, 16.1.5 |
1251013-2 | 4-Minor | BT1251013 | Allow non-RFC compliant URI characters | 17.1.1, 16.1.5, 15.1.10 |
1225797-4 | 4-Minor | BT1225797 | SIP alg inbound_media_reinvite test fails | 17.1.1, 16.1.5 |
1184629-2 | 4-Minor | BT1184629 | Validate content length with respective to SIP header offset instead of parser offset | 17.1.0, 16.1.5, 15.1.9 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
984965-4 | 3-Major | BT984965 | While intentionally exiting, sshplugin may invoke functions out of sequence and crash | 16.1.5 |
915221-6 | 3-Major | BT915221 | DoS unconditionally logs MCP messages to /var/tmp/mcpd.out | 16.1.5 |
844597-6 | 3-Major | BT844597 | AVR analytics is reporting null domain name for a dns query | 17.1.1, 16.1.5, 15.1.10 |
1560497 | 3-Major | BT1560497 | Host is unreachable, vector is not mitigated by HW at profile level. | 16.1.5 |
1388985-2 | 3-Major | BT1388985 | The daemon dwbld uses 100% CPU when max port value configured in TMC port list | 16.1.5 |
1311561-1 | 3-Major | BT1311561 | Unable to add Geo regions with spaces into blacklist, Error: invalid on shun entry adding | 17.1.1, 16.1.5 |
1196053-3 | 3-Major | BT1196053 | The autodosd log file is not truncating when it rotates | 17.1.1, 16.1.5, 15.1.10 |
1067393-2 | 3-Major | BT1067393 | MCP validation - incorrect config load fail on AFM NAT rule with next-hop pool.★ | 17.0.0, 16.1.5, 15.1.5.1 |
1047933-1 | 3-Major | BT1047933 | Virtual server security policy - An error has occurred while trying to process your request | 17.0.0, 16.1.5 |
1042153-2 | 3-Major | BT1042153 | AFM TCP connection issues when tscookie-vlans enabled on server/client side VLAN. | 17.1.1, 17.0.0, 16.1.5, 15.1.10 |
1032329-1 | 3-Major | BT1032329 | A user with low privileges cannot open the Rule List editor. | 16.1.5, 15.1.4.1 |
1019557-1 | 3-Major | BT1019557 | Bdosd does not create /var/bdosd/*.json | 17.0.0, 16.1.5 |
928653-1 | 4-Minor | BT928653 | [tmsh]:list security nat policy rules showing automap though the value set is None | 16.1.5 |
1302869 | 4-Minor | BT1302869 | AFM is not accounting Nxdomain attack for TCP query | 16.1.5 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1496701-1 | 2-Critical | BT1496701 | PEM CPPE reporting buffer overflow resulting in core | 16.1.5 |
1312145-1 | 2-Critical | BT1312145 | Bcdatabase file gets truncated, deleted and re-downloaded in a loop | 16.1.5 |
1470329-2 | 3-Major | BT1470329 | PEM: Multiple layers of callback cookies need input validation in order to prevent crashes. | 16.1.5 |
1462393 | 3-Major | BT1462393 | Quota is not getting updated from the PEM side | 16.1.5 |
1394601-1 | 3-Major | BT1394601 | PEM AVR onbox reporting stall | 16.1.5 |
1389049-1 | 3-Major | BT1389049 | Frequent instances of provisioning-pending count spiking on various PEM devices | 16.1.5 |
1302677-4 | 3-Major | BT1302677 | Memory leak in PEM when Policy is queried via TCL | 17.1.1, 16.1.5, 15.1.10 |
1277381-3 | 3-Major | PEM resource leak in MW layer leads to crash of Diameter interface | 16.1.5 | |
1231001-2 | 3-Major | BT1231001 | PEM flow-term-on-sess-delete can cause cores | 16.1.5 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1060393-1 | 3-Major | K24102225, BT1060393 | Extended high CPU usage caused by JavaScript Obfuscator. | 16.1.5 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1538173-3 | 3-Major | BT1538173 | Bados TLS fingerprints works incorrectly with chrome's new versions | 16.1.5 |
1408381 | 3-Major | BT1408381 | BADOS signals might no sync on HA setups | 16.1.5 |
1388341-2 | 3-Major | BT1388341 | tmm crash upon context reference that was already released (HUDEVT_SHUTDOWN) | 16.1.5 |
1381565-2 | 3-Major | ADMD stability improvements when configured with TLS signatures | 16.1.5 | |
1046469-1 | 3-Major | BT1046469 | Memory leak during large attack | 16.1.5 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
984657 | 3-Major | BT984657 | Sysdb variable not working from tmsh | 16.1.5, 16.0.1.2, 15.1.4.1 |
1472685-2 | 3-Major | BT1472685 | Add support for 4 new Webroot Categories | 16.1.5 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
985329-2 | 3-Major | BT985329 | Saving UCS takes longer when iControl LX extension is installed | 16.1.5 |
943257-3 | 3-Major | BT943257 | REST framework support for IPv6 ConfigSync addresses | 17.1.1, 16.1.5 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
989529-1 | 3-Major | BT989529 | AFM IPS engine takes action on unspecified services | 16.1.5 |
1461597-2 | 3-Major | BT1461597 | IPS IM upgrade is taking more time | 16.1.5 |
1269845-2 | 3-Major | BT1269845 | When upgrading IM, seeing errors like MCPD timed out and Error: 'insp_id' | 16.1.5 |
1075001-2 | 3-Major | BT1075001 | Types 64-65 in IPS Compliance 'Unknown Resource Record Type' | 16.1.5 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1289845-3 | 3-Major | BT1289845 | Pool member marked as offline while matching both receive string and receive disable strings | 16.1.5 |
1287045-3 | 3-Major | BT1287045 | In-TMM monitor may mark pool member offline despite its response matches Receive Disable String | 16.1.5 |
1211985-4 | 3-Major | BT1211985 | BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring | 17.1.1, 16.1.5, 15.1.10 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1303185-4 | 3-Major | BT1303185 | Large numbers of URLs in url-db can cause TMM to restart | 17.1.1, 16.1.5, 15.1.10 |
1289417 | 3-Major | BT1289417 | SSL Orchestrator SEGV TMM core | 17.1.1, 16.1.5 |
Cumulative fixes from BIG-IP v16.1.4.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1495217-3 | CVE-2024-31156 | K000138636, BT1495217 | TMUI hardening | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1492361-2 | CVE-2024-33604 | K000138894, BT1492361 | TMUI Security Hardening | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1449709-2 | CVE-2024-28889 | K000138912, BT1449709 | Possible TMM core under certain Client-SSL profile configurations | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1366025-2 | CVE-2023-44487 | K000137106, BT1366025 | A particular HTTP/2 sequence may cause high CPU utilization. | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1360917-4 | CVE-2024-27202 | K000138520, BT1360917 | TMUI hardening | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
Functional Change Fixes
None
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1494833-3 | 2-Critical | K000138898, BT1494833 | A single signature does not match when exceeding 65535 states | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
Cumulative fixes from BIG-IP v16.1.4.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1361169-2 | CVE-2023-40534 | K000133467, BT1361169 | Connections may persist after processing HTTP/2 requests | 17.1.1.1, 16.1.4.2 |
1117229-1 | CVE-2022-26377 | K26314875, BT1117229 | CVE-2023-46747 and CVE-2022-26377: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1391357-1 | CVE-2023-43125 | K000136909, BT1391357 | Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1381357-2 | CVE-2023-46748 | K000137365, BT1381357 | CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1304957-6 | CVE-2023-5450 | K000135040, BT1304957 | BIG-IP Edge Client for macOS vulnerability CVE-2023-5450 | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1240121-1 | CVE-2022-36760 | K000132643, BT1240121 | CVE-2023-46747 and CVE-2022-36760: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1354253-2 | 3-Major | K000137322, BT1354253 | HTTP Request smuggling with redirect iRule | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1316277-2 | 3-Major | K000137796, BT1316277 | Large CRL files may only be partially uploaded | 17.1.1, 16.1.4.2, 15.1.10.3 |
Cumulative fixes from BIG-IP v16.1.4.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1324745-2 | CVE-2023-41373 | K000135689, BT1324745 | An undisclosed TMUI endpoint may allow unexpected behavior | 17.1.0.3, 16.1.4.1, 15.1.10.2, 14.1.5.6 |
Functional Change Fixes
None
Cumulative fixes from BIG-IP v16.1.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1167897-6 | CVE-2022-40674 | K44454157, BT1167897 | [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c | 17.1.1, 16.1.4, 15.1.9 |
1121661-2 | CVE-2023-40534 | K000133467, BT1121661 | TMM may core while processing HTTP/2 requests | 17.1.0, 16.1.4 |
981917-4 | CVE-2020-8286 | K15402727 | CVE-2020-8286 - cUrl Vulnerability | 17.1.1, 16.1.4, 15.1.10 |
949857-7 | CVE-2024-22389 | K32544615, BT949857 | Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync | 17.1.1, 16.1.4, 15.1.9 |
884541-9 | CVE-2023-40537 | K29141800, BT884541 | Improper handling of cookies on VIPRION platforms | 17.1.0, 16.1.4, 15.1.9 |
1317705-2 | CVE-2024-25560 | K000139037, BT1317705 | TMM may restart on certain DNS traffic | 17.1.1, 16.1.4 |
1315193-1 | CVE-2024-33608 | K000138728, BT1315193 | TMM Crash in certain condition when processing IPSec traffic | 17.1.1, 16.1.4 |
1314301-2 | CVE-2024-23805 | K000137334, BT1314301 | TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled | 17.1.1, 16.1.4, 15.1.10 |
1295661-2 | CVE-2023-38418 | K000134746, BT1295661 | BIG-IP Edge Client for macOS vulnerability CVE-2023-38418 | 17.1.1, 16.1.4 |
1289189-3 | CVE-2024-24775 | K000137333, BT1289189 | In certain traffic patterns, TMM crash | 17.1.1, 16.1.4, 15.1.10 |
1271349-3 | CVE-2023-25690 | K000133098, BT1271349 | CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy | 17.1.1, 16.1.4, 15.1.9 |
1238629-1 | CVE-2024-21763 | K000137521, BT1238629 | TMM core when processing certain DNS traffic with bad actor (BA) enabled | 17.1.1, 16.1.4, 15.1.10 |
1220629-3 | CVE-2024-23314 | K000137675, BT1220629 | TMM may crash on response from certain backend traffic | 17.1.1, 16.1.4, 15.1.9 |
1208529-4 | CVE-2023-41085 | K000132420, BT1208529 | TMM crash when handling IPSEC traffic | 17.1.0, 16.1.4, 15.1.9 |
1195489-2 | CVE-2024-22093 | K000137522, BT1195489 | iControl REST input sanitization | 17.1.1, 16.1.4, 15.1.9 |
1189465-3 | CVE-2023-24461 | K000132539, BT1189465 | Edge Client allows connections to untrusted APM Virtual Servers | 17.1.0.3, 16.1.4, 15.1.9 |
1189461-3 | CVE-2023-36858 | K000132563, BT1189461 | BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-36858 | 17.1.1, 16.1.4 |
1183453-1 | CVE-2022-31676 | K87046687 | Local privilege escalation vulnerability (CVE-2022-31676) | 17.1.0, 16.1.4, 15.1.9 |
1167929-4 | CVE-2022-40674 | K44454157, BT1167929 | CVE-2022-40674 - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c | 17.1.1, 16.1.4, 15.1.9 |
1161733-4 | CVE-2023-40542 | K000134652, BT1161733 | Enabling client-side TCP Verified Accept can cause excessive memory consumption | 17.1.0, 16.1.4, 15.1.9 |
1153969-2 | CVE-2024-23979 | K000134516, BT1153969 | Excessive resource consumption when processing LDAP and CRLDP auth traffic | 17.1.1, 16.1.4, 15.1.9 |
1133013-3 | CVE-2023-43746 | K41072952, BT1133013 | Appliance mode hardening | 17.1.0, 16.1.4, 15.1.9 |
1126285-1 | CVE-2024-21849 | K000135873, BT1126285 | TMM might crash with certain HTTP traffic | 17.1.0, 16.1.4 |
1122441-5 | CVE-2015-1283, CVE-2021-45960,CVE-2022-22825,CVE-2022-22826,CVE-2022-22827, CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-23515, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2021-46143 | K19473898, BT1122441 | Upgrading the libexpat library | 17.1.0, 16.1.4, 15.1.9 |
1111097-6 | CVE-2022-1271 | K000130546, BT1111097 | gzip arbitrary-file-write vulnerability CVE-2022-1271 | 17.1.0, 16.1.4, 15.1.9 |
1107293-7 | CVE-2021-22555 | K06524534, BT1107293 | CVE-2021-22555: Linux kernel vulnerability | 17.1.0, 16.1.4, 15.1.8 |
1102881-4 | CVE-2021-25217 | K08832573, BT1102881 | dhclient/dhcpd vulnerability CVE-2021-25217 | 17.1.0, 16.1.4, 15.1.9 |
1098829-6 | CVE-2022-23852,CVE-2022-25235,CVE-2022-25236,CVE-2022-23515,CVE-2022-22822,CVE-2022-22823,CVE-2022-22824 | K19473898, BT1098829 | Security vulnerabilities found in expat lib(used by iControlSoap) prior to version 2.4.8 | 17.1.0, 16.1.4, 15.1.9 |
1093813-2 | CVE-2002-20001, CVE-2022-40735, CVE-2024-41996 | K83120834, BT1093813 | DH Key Agreement vulnerability in APM server side components | 17.1.0, 16.1.4 |
1093253-8 | CVE-2021-3999 | K24207649 | CVE-2021-3999 Glibc Vulnerability | 17.1.0, 16.1.4, 15.1.9 |
1091601-9 | CVE-2022-23218, CVE-2022-23219 | K52308021, BT1091601 | Glibc vulnerabilities CVE-2022-23218, CVE-2022-23219 | 17.1.0, 16.1.4, 15.1.9 |
1091453-6 | CVE-2022-23308 | K32760744, BT1091453 | libxml2 vulnerability CVE-2022-23308 | 17.1.0, 16.1.4, 15.1.8 |
1089225-4 | CVE-2021-4034 | K46015513, BT1089225 | Polkit pkexec vulnerability CVE-2021-4034 | 17.1.0, 16.1.4, 15.1.8 |
1077301-4 | CVE-2021-23133 | K67416037, BT1077301 | CVE-2021-23133 kernel: Race condition in sctp_destroy_sock list_del | 17.1.0, 16.1.4, 15.1.8 |
1075733-3 | CVE-2018-14348 | K26890535, BT1075733 | Updated libcgroup library to fix CVE-2018-14348 | 17.1.0, 16.1.4, 15.1.9 |
1075689-3 | CVE-2020-25692,CVE-2020-25709,CVE-2020-12243,CVE-2019-13565,CVE-2020-25710,CVE-2020-36222,CVE-2020-36226,CVE-2020-36228,CVE-2020-36227,CVE-2021-27212,CVE-2020-36223,CVE-2020-36221,CVE-2020-36225,CVE-2020-36224,CVE-2019-13057 | K56241216, BT1075689 | Multiple CVE fixes for OpenLDAP library | 17.1.0, 16.1.4, 15.1.8 |
1075657-3 | CVE-2020-12825 | K01074825, BT1075657 | CVE-2020-12825 - libcroco vulnerability | 17.1.1, 16.1.4, 15.1.10 |
1070753-4 | CVE-2020-27216 CVE-2021-28169 CVE-2021-34428 CVE-2018-12536 |
K33548065, BT1070753 | CVE-2020-27216: Eclipse Jetty vulnerability | 17.1.1, 16.1.4, 15.1.9 |
1061977-3 | CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111 | K31781390, BT1061977 | Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111 | 17.1.1, 16.1.4, 15.1.10 |
1057393-3 | CVE-2019-18197 | K10812540, BT1057393 | CVE-2019-18197 libxslt vulnerability: use after free in xsltCopyText | 17.0.0, 16.1.4, 15.1.8 |
1051305-4 | CVE-2021-34798 | K72382141, BT1051305 | CVE-2021-34798: A NULL pointer dereference in httpd via malformed requests | 17.0.0, 16.1.4, 15.1.7 |
1043821-1 | CVE-2023-42768 | K26910459, BT1043821 | Inconsistent user role handling across configuration UIs | 17.1.0, 16.1.4, 15.1.9 |
972545-7 | CVE-2024-23976 | K91054692, BT972545 | iApps LX does not follow best practices in appliance mode | 17.1.1, 16.1.4, 15.1.9 |
966541-1 | CVE-2023-43485 | K06110200, BT966541 | Improper data logged in plaintext | 17.1.0, 16.1.4, 15.1.9 |
950605-6 | CVE-2020-14145 | K48050136, BT950605 | Openssh insecure client negotiation CVE-2020-14145 | 17.1.0, 16.1.4, 15.1.9 |
905937-8 | CVE-2023-41253 | K98334513, BT905937 | TSIG key value logged in plaintext in log | 17.1.0, 16.1.4, 15.1.9 |
785197-5 | CVE-2019-9075 | K42059040, BT785197 | binutils vulnerability CVE-2019-9075 | 17.1.0, 16.1.4, 15.1.9 |
651029-12 | CVE-2023-45219 | K20307245, BT651029 | Sensitive information exposed during incremental sync | 17.1.0, 16.1.4, 15.1.9 |
1238321-4 | CVE-2022-4304 | K000132943 | OpenSSL Vulnerability CVE-2022-4304 | 17.1.0.1, 16.1.4, 15.1.10 |
1235813-9 | CVE-2023-0215 | K000132946, BT1235813 | OpenSSL vulnerability CVE-2023-0215 | 17.1.0.1, 16.1.4, 15.1.10 |
1235801-4 | CVE-2023-0286 | K000132941, BT1235801 | OpenSSL vulnerability CVE-2023-0286 | 17.1.1, 16.1.4, 15.1.10 |
1189457-3 | CVE-2023-22372 | K000132522, BT1189457 | Hardening of client connection handling from Edge client. | 16.1.4, 15.1.9 |
1123537-9 | CVE-2022-28615 | K40582331, BT1123537 | CVE-2022-28615 (httpd): out-of-bounds read in ap_strcmp_match() | 17.1.1, 16.1.4, 15.1.9 |
1121965-2 | CVE-2022-28614 | K58003591, BT1121965 | CVE-2022-28614 (httpd): out-of-bounds read via ap_rwrite() | 17.1.0, 16.1.4, 15.1.9 |
1099341-4 | CVE-2018-25032 | K21548854 | CVE-2018-25032: A flaw found in zlib, when compressing (not decompressing!) certain inputs | 17.1.1, 16.1.4, 15.1.9 |
1089921-6 | CVE-2022-0359 | K08827426, BT1089921 | Vim vulnerability CVE-2022-0359 | 17.1.0, 16.1.4, 15.1.9 |
1089233-4 | CVE-2022-0492 | K54724312 | CVE-2022-0492 Linux kernel vulnerability | 17.1.0, 16.1.4, 15.1.9 |
1088445-7 | CVE-2022-22720 | K67090077, BT1088445 | CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body | 17.1.1, 16.1.4, 15.1.9 |
1070905-4 | CVE-2017-7656 | K21054458, BT1070905 | CVE-2017-7656 jetty: HTTP request smuggling using the range header | 17.1.1, 16.1.4, 15.1.9 |
1041577-4 | CVE-2024-21782 | K98606833, BT1041577 | SCP file transfer system, completing fix for 994801 | 17.1.1, 16.1.4, 15.1.9 |
1021245-3 | CVE-2019-20907 | K78284681, BT1021245 | CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive | 17.1.0, 16.1.4, 15.1.9 |
1018997-1 | CVE-2023-41964 | K20850144, BT1018997 | Improper logging of sensitive DB variables | 17.1.0, 16.1.4, 15.1.9 |
1009157-1 | CVE-2023-39447 | K47756555, BT1009157 | AGC hardening | 16.1.4, 15.1.8 |
1296489-3 | CVE-2024-23603 | K000138047, BT1296489 | ASM UI hardening | 17.1.1, 16.1.4, 15.1.10 |
1057445-3 | CVE-2019-13118 | K96300145, BT1057445 | CVE-2019-13118 libxslt vulnerability: uninitialized stack data | 17.0.0, 16.1.4, 15.1.8 |
1057437-3 | CVE-2019-13117 | K96300145, BT1057437 | CVE-2019-13117 libxslt vulnerability: uninitialized read in xsltNumberFormatInsertNumbers | 17.0.0, 16.1.4, 15.1.8 |
1057149-3 | CVE-2019-11068 | K30444545, BT1057149 | CVE-2019-11068 libxslt vulnerability: xsltCheckRead and xsltCheckWrite | 17.0.0, 16.1.4, 15.1.8 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1088037-3 | 1-Blocking | BT1088037 | VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers | 17.1.0, 16.1.4, 15.1.8 |
1053589-1 | 1-Blocking | BT1053589 | DDoS functionality cannot be configured at a Zone level | 16.1.4, 15.1.8 |
1282181-1 | 3-Major | High CPU or increased translation errors following upgrade or restart when DAG distribution changes | 16.1.4 | |
1211513-2 | 3-Major | BT1211513 | Data payload validation is added to HSB validation loopback packets | 17.1.1, 16.1.4, 15.1.10 |
1144373-4 | 3-Major | BT1144373 | BIG-IP SFTP hardening | 17.1.0, 16.1.4, 15.1.9 |
1040609-1 | 3-Major | K21800102, BT1040609 | RFC enforcement is bypassed when HTTP redirect irule is applied to the virtual server. | 17.1.0, 16.1.4, 15.1.9 |
1025497-1 | 4-Minor | BT1025497 | BIG-IP may accept and forward invalid DNS responses | 17.1.0, 16.1.4, 15.1.9 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1284969-1 | 1-Blocking | BT1284969 | Adding ssh-rsa key for passwordless authentication | 17.1.0.1, 16.1.4 |
1224125-1 | 1-Blocking | BT1224125 | When you upgrade to 16.1.3.2 or 17.1, keys that are not approved in FIPS 140-3 are permitted to be used. | 17.1.0, 16.1.4 |
1173441-3 | 1-Blocking | BT1173441 | The 'tmsh save sys config' call is being triggered when REST Authentication tokens (X-F5-Auth-Token) are deleted or expired | 17.1.0, 16.1.4, 15.1.9 |
1161913-1 | 1-Blocking | BT1161913 | Upgrades from BIG-IP versions 15.1.8, 15.1.8.1, 15.1.8.2, or v15.1.9 to 16.1.1, 16.1.2, 16.1.3 (not 16.1.4) or 17.0.x (but not 17.1.x) fail, and leaves the device INOPERATIVE★ | 16.1.4 |
1116845-4 | 1-Blocking | BT1116845 | Interfaces using the xnet driver are not assigned a MAC address | 17.1.0, 16.1.4, 15.1.9 |
995849-1 | 2-Critical | BT995849 | Tmm crash SIGSEGV - rcs_getsalen() in lib/rc_net.c | 17.0.0, 16.1.4, 15.1.9 |
994033-3 | 2-Critical | BT994033 | The daemon httpd_sam does not recover automatically when terminated | 17.1.1, 16.1.4, 15.1.9 |
993481-1 | 2-Critical | BT993481 | Jumbo frame issue with DPDK eNIC | 17.1.1, 16.1.4, 15.1.10 |
967905-5 | 2-Critical | BT967905 | Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1 |
950201-3 | 2-Critical | BT950201 | Tmm core on GCP | 17.1.1, 16.1.4, 15.1.9 |
888765-2 | 2-Critical | BT888765 | After upgrading from 13.1.0 to 15.1.0.1 CGNAT is deprovisioned and tmm is restarted by reloaded config from text files★ | 16.1.4 |
723109-2 | 2-Critical | BT723109 | FIPS HSM: SO login failing when trying to update firmware | 17.1.1, 16.1.4, 15.1.10 |
1290889-4 | 2-Critical | K000134792, BT1290889 | TMM disconnects from processes such as mcpd causing TMM to restart | 17.1.1, 16.1.4, 15.1.9 |
1256841-1 | 2-Critical | BT1256841 | AWS Metadata crawling fails due to incorrect cloud provider name set by cloud-init script | 17.1.1, 16.1.4, 15.1.10 |
1232997-1 | 2-Critical | BT1232997 | IPSEC: The tmm process may exit with 'Invalid policy remote index' | 16.1.4, 15.1.10 |
1225789-2 | 2-Critical | BT1225789 | The iHealth API is transitioning from SSODB to OKTA | 17.1.1, 16.1.4, 15.1.9 |
1209709-4 | 2-Critical | BT1209709 | Memory leak in icrd_child when license is applied through BIG-IQ | 17.1.1, 16.1.4, 15.1.9 |
1195377 | 2-Critical | BT1195377 | Getting Service Indicator log for disallowed RSA-1024 crypto algorithm | 17.1.0, 16.1.4 |
1181613-1 | 2-Critical | BT1181613 | IPsec IKEv2: BIG-IP version 16.1.0 introduced RFC5996 non-compliance in IKE SA delete | 17.1.0, 16.1.4 |
1178221-3 | 2-Critical | BT1178221 | In IPsec IKEv2, packet memory corruption after retransmitted ISAKMP with NAT | 17.1.0, 16.1.4, 15.1.9 |
1144477-1 | 2-Critical | BT1144477 | IKE_SA_INIT uses src port 500 and dst port 4500 after IKE SA deleted | 17.1.0, 16.1.4 |
1136429-4 | 2-Critical | BT1136429 | Closing of unrelated MCPD connection causes an errant reply to an in-progress transaction or request group | 17.1.0, 16.1.4, 15.1.9 |
1134301-3 | 2-Critical | BT1134301 | IPsec interface mode may stop sending packets over tunnel after configuration update | 17.1.0, 16.1.4, 15.1.9 |
1128629 | 2-Critical | BT1128629 | Neurond crash observed during live install through test script | 17.1.0, 16.1.4, 15.1.9 |
1110893-4 | 2-Critical | BT1110893 | Some portions of the BIG-IP GUI do not work when accessed behind an HTTP proxy | 17.1.0, 16.1.4, 15.1.9 |
1105901-2 | 2-Critical | BT1105901 | Tmm crash while doing high-speed logging | 17.1.1, 16.1.4, 15.1.10 |
1095217-1 | 2-Critical | BT1095217 | Peer unit incorrectly shows the pool status as unknown after merging the configuration | 17.1.0, 16.1.4, 15.1.9 |
1085805-2 | 2-Critical | BT1085805 | UCS restore with SSL Orchestrator deployed fails due to multiple iFiles and incorrect iFile reference. | 17.1.0, 16.1.4 |
1085597-1 | 2-Critical | BT1085597 | IKEv1 IPsec peer cannot be created in config utility (web UI) | 17.1.0, 16.1.4 |
1082941-2 | 2-Critical | System account hardening | 17.1.0, 16.1.4, 15.1.9 | |
1076909-4 | 2-Critical | BT1076909 | Syslog-ng truncates the hostname at the first period. | 17.1.0, 16.1.4, 15.1.9 |
1075713-2 | 2-Critical | Multiple libtasn1 vulnuerabilities | 17.1.1, 16.1.4 | |
1075677-2 | 2-Critical | Multiple GnuTLS Mend findings | 17.1.1, 16.1.4, 15.1.10 | |
1035121-4 | 2-Critical | BT1035121 | Configsync syncs the node's monitor status | 17.0.0, 16.1.4, 15.1.9 |
1023829-2 | 2-Critical | BT1023829 | Security->Policies in Virtual Server web page spins mcpd 100%, which later cores | 17.0.0, 16.1.4, 15.1.9 |
998225-6 | 3-Major | BT998225 | TMM crash when disabling/re-enabling a blade that triggers a primary blade transition. | 17.0.0, 16.1.4, 15.1.9 |
995097-1 | 3-Major | BT995097 | Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file. | 17.0.0, 16.1.4, 15.1.10 |
992813-7 | 3-Major | BT992813 | The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations. | 17.0.0, 16.1.4, 15.1.10 |
989501-2 | 3-Major | BT989501 | A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus | 17.1.1, 16.1.4, 15.1.10 |
987301-3 | 3-Major | BT987301 | Software install on vCMP guest via block-device may fail with error 'reason unknown' | 17.0.0, 16.1.4, 15.1.9 |
966949-6 | 3-Major | BT966949 | Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node | 17.1.0, 16.1.4, 15.1.9 |
964125-6 | 3-Major | BT964125 | Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members. | 17.1.1, 16.1.4, 15.1.10 |
936093-5 | 3-Major | BT936093 | Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline | 17.1.1, 16.1.4, 15.1.9 |
930393-2 | 3-Major | BT930393 | IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration | 17.1.0, 16.1.4, 15.1.10 |
925469-2 | 3-Major | BT925469 | SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo | 17.1.0, 16.1.4, 15.1.9 |
921149-6 | 3-Major | BT921149 | After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy | 17.1.0, 16.1.4, 15.1.9 |
906273-1 | 3-Major | BT906273 | MCPD crashes receiving a message from bcm56xxd | 17.1.1, 16.1.4, 15.1.10 |
804529-1 | 3-Major | BT804529 | REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools | 17.1.1, 16.1.4, 15.1.10 |
662301-8 | 3-Major | BT662301 | 'Unlicensed objects' error message appears despite there being no unlicensed config | 17.1.0, 16.1.4, 15.1.9 |
1238693-2 | 3-Major | BT1238693 | Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519 | 17.1.0.1, 16.1.4 |
1232521-2 | 3-Major | SCTP connection sticking on BIG-IP even after connection terminated | 17.1.1, 16.1.4, 15.1.9 | |
1166329-2 | 3-Major | BT1166329 | The mcpd process fails on secondary blades, if the predefined classification applications are updated. | 17.1.0, 16.1.4 |
1160805-2 | 3-Major | BT1160805 | The scp-checkfp fail to cat scp.whitelist for remote admin | 16.1.4, 15.1.9 |
1154933-4 | 3-Major | Improper permissions handling in REST SNMP endpoint | 17.1.0, 16.1.4, 15.1.9 | |
1153865-4 | 3-Major | BT1153865 | Restjavad OutOfMemoryError errors and restarts after upgrade★ | 17.1.0, 16.1.4, 15.1.9 |
1146017-1 | 3-Major | BT1146017 | WebUI does not displays error when parent rewrite profile is not assigned to user defined rewrite profile | 17.1.0, 16.1.4, 15.1.9 |
1136921-4 | 3-Major | BT1136921 | BGP might delay route updates after failover | 17.1.1, 16.1.4, 15.1.10 |
1128169-1 | 3-Major | BT1128169 | TMM core when IPsec tunnel object is reconfigured | 17.1.0, 16.1.4 |
1127169 | 3-Major | BT1127169 | The BIG-IP can reboot due to failure to initialize the OpenSSL FIPS RNG | 17.1.0, 16.1.4 |
1126805-3 | 3-Major | BT1126805 | TMM CPU usage statistics may show a lower than expected value on Virtual Edition | 17.1.0, 16.1.4, 15.1.9 |
1124209-3 | 3-Major | BT1124209 | Duplicate key objects when renewing certificate using pkcs12 bundle | 17.1.1, 16.1.4, 15.1.9 |
1123885-2 | 3-Major | BT1123885 | A specific type of software installation may fail to carry forward the management port's default gateway. | 17.1.0, 16.1.4, 15.1.9 |
1121517-2 | 3-Major | BT1121517 | Interrupts on Hyper-V are pinned on CPU 0 | 16.1.4, 15.1.10 |
1113961-1 | 3-Major | K43391532, BT1113961 | BIG-IP 16.1.3 VE with FIPS 140-3 May Fail to start in AWS-China | 17.1.0, 16.1.4, 15.1.9 |
1112537-2 | 3-Major | BT1112537 | LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete. | 17.1.1, 16.1.4, 15.1.10 |
1112109-4 | 3-Major | K000134769, BT1112109 | Unable to retrieve SCP files using WinSCP or relative path name | 17.1.0, 16.1.4, 15.1.9 |
1111629-4 | 3-Major | BT1111629 | Messages with "Failed Read: User, referer" are logged in /var/log/httpd/httpd_errors | 17.1.0, 16.1.4, 15.1.9 |
1111421-1 | 3-Major | BT1111421 | IPsec SA info cannot be viewed in TMSH or the web UI | 17.1.0, 16.1.4 |
1106489-2 | 3-Major | BT1106489 | GRO/LRO is disabled in environments using the TMM raw socket "sock" driver. | 16.1.4, 15.1.10 |
1102849-3 | 3-Major | BT1102849 | Less-privileged users (guest, operator, etc) are unable to run top level commands | 17.1.0, 16.1.4, 15.1.9, 14.1.5.1 |
1101453-1 | 3-Major | BT1101453 | MCPD SIGABRT and core happened while deleting GTM pool member | 17.1.0, 16.1.4, 15.1.9 |
1100409-4 | 3-Major | BT1100409 | Valid connections may fail while a virtual server is in SYN cookie mode. | 17.1.0, 16.1.4, 15.1.9 |
1100321 | 3-Major | BT1100321 | MCPD memory leak | 17.1.0, 16.1.4, 15.1.10 |
1100125-4 | 3-Major | BT1100125 | Per virtual SYN cookie may not be activated on all HSB modules | 17.1.0, 16.1.4, 15.1.10 |
1091725-4 | 3-Major | BT1091725 | Memory leak in IPsec | 17.1.0, 16.1.4, 15.1.9 |
1088429-4 | 3-Major | BT1088429 | Kernel slab memory leak | 17.1.0, 16.1.4, 15.1.9 |
1086517-2 | 3-Major | BT1086517 | TMM may not properly exit hardware SYN cookie mode | 17.1.0, 16.1.4, 15.1.6.1 |
1085837-2 | 3-Major | BT1085837 | Virtual server may not exit from hardware SYN cookie mode | 17.1.0, 16.1.4, 15.1.6.1 |
1084781-6 | 3-Major | Resource Admin permission modification | 17.1.0, 16.1.4, 15.1.9 | |
1081649-2 | 3-Major | BT1081649 | Remove the "F5 iApps and Resources" link from the iApps->Package Management | 17.1.0, 16.1.4, 15.1.9 |
1081641-4 | 3-Major | BT1081641 | Remove Hyperlink to Legal Statement from Login Page | 17.1.0, 16.1.4, 15.1.10 |
1080297-1 | 3-Major | BT1080297 | ZebOS does not show 'log syslog' in the running configuration, or store it in the startup configuration | 17.1.0, 16.1.4, 15.1.9 |
1077533-1 | 3-Major | BT1077533 | Status is showing INOPERATIVE after an upgrade and reboot★ | 17.1.1, 16.1.4, 15.1.10 |
1077405-2 | 3-Major | BT1077405 | Ephemeral pool members may not be created with autopopulate enabled. | 17.1.0, 16.1.4, 15.1.9 |
1076785-2 | 3-Major | BT1076785 | Virtual server may not properly exit from hardware SYN Cookie mode | 17.1.0, 16.1.4, 15.1.5.1 |
1069337-2 | 3-Major | CVE-2016-1841 - Use after free in xsltDocumentFunctionLoadDocument | 17.1.0, 16.1.4, 15.1.9 | |
1063237-4 | 3-Major | BT1063237 | Stats are incorrect when the management interface is not eth0 | 16.1.4, 15.1.9 |
1062953-1 | 3-Major | BT1062953 | Unable to save configuration via tmsh or the GUI. | 17.0.0, 16.1.4 |
1053557-2 | 3-Major | BT1053557 | Support for Mellanox CX-6 | 17.1.0, 16.1.4, 15.1.9 |
1048709-2 | 3-Major | BT1048709 | FCS errors between the switch and HSB | 17.1.0, 16.1.4, 15.1.8 |
1044089-3 | 3-Major | BT1044089 | ICMP echo requests to virtual address gets a response even when the virtual server is offline when updated from GUI. | 17.1.1, 16.1.4, 15.1.10 |
1032821-7 | 3-Major | BT1032821 | Syslog: invalid level/facility from /usr/libexec/smart_parse.pl | 17.0.0, 16.1.4, 15.1.9 |
1029105-1 | 3-Major | BT1029105 | Hardware SYN cookie mode state change logs bogus virtual server address | 17.1.0, 16.1.4, 15.1.4 |
1001069-5 | 3-Major | BT1001069 | VE CPU usage higher after upgrade, given same throughput | 17.1.0, 16.1.4, 15.1.9 |
964533-2 | 4-Minor | BT964533 | Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs. | 17.1.1, 16.1.4, 15.1.10 |
939757-8 | 4-Minor | BT939757 | Deleting a virtual server might not trigger route injection update. | 17.1.1, 16.1.4, 15.1.10 |
904661-4 | 4-Minor | BT904661 | Mellanox NIC speeds may be reported incorrectly on Virtual Edition | 17.1.0, 16.1.4 |
889813-3 | 4-Minor | BT889813 | Show net bwc policy prints bytes-per-second instead of bits-per-second | 17.0.0, 16.1.4, 15.1.10, 14.1.4.5 |
838405-4 | 4-Minor | BT838405 | Listener traffic-group may not be updated when spanning is in use | 17.1.1, 16.1.4, 15.1.10 |
760496-4 | 4-Minor | BT760496 | Traffic processing interrupted by PF reset | 17.1.0, 16.1.4, 15.1.9 |
674026-6 | 4-Minor | BT674026 | iSeries AOM web UI update fails to complete.★ | 17.0.0, 16.1.4, 15.1.9 |
1256777-3 | 4-Minor | BT1256777 | In BGP, as-origination interval not persisting after restart when configured on a peer-group. | 17.1.1, 16.1.4 |
1252537-3 | 4-Minor | BT1252537 | Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role | 17.1.1, 16.1.4 |
1185257-4 | 4-Minor | BT1185257 | BGP confederations do not support 4-byte ASNs | 17.1.1, 16.1.4, 15.1.10 |
1155733-1 | 4-Minor | BT1155733 | NULL bytes are clipped from the end of buffer | 17.1.0, 16.1.4, 15.1.9 |
1117305-6 | 4-Minor | BT1117305 | The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials | 17.1.1, 16.1.4, 15.1.9 |
1106353-4 | 4-Minor | BT1106353 | [Zebos] Expand zebos/bgp commands in a qkview | 17.1.0, 16.1.4, 15.1.9 |
1090441-1 | 4-Minor | BT1090441 | IKEv2: Add algorithm info to SK_ logging | 17.1.0, 16.1.4 |
1076897-4 | 4-Minor | BT1076897 | OSPF default-information originate command options not working properly | 17.1.0, 16.1.4, 15.1.9 |
1076253-1 | 4-Minor | BT1076253 | IKE library memory leak | 17.0.0, 16.1.4, 15.1.9 |
1062385-4 | 4-Minor | BT1062385 | BIG-IP has an incorrect limit on the number of monitored HA-group entries. | 17.1.0, 16.1.4, 15.1.9 |
1057457-3 | 4-Minor | CVE-2015-9019: libxslt vulnerability: math.random() | 17.0.0, 16.1.4, 15.1.8 | |
1057449-3 | 4-Minor | CVE-2015-7995 libxslt vulnerability: Type confusion may cause DoS | 17.0.0, 16.1.4, 15.1.8 | |
1057441-3 | 4-Minor | An out-of-bounds access flawb in the libxslt component | 17.0.0, 16.1.4, 15.1.8 | |
1057433-3 | 4-Minor | Integer overflow in libxslt component | 17.0.0, 16.1.4, 15.1.8 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1112349-4 | 1-Blocking | BT1112349 | FIPS Card Cannot Initialize | 17.1.0, 16.1.4, 15.1.9 |
937649-4 | 2-Critical | BT937649 | Flow fwd broken with statemirror.verify enabled and source-port preserve strict | 17.1.0, 16.1.4, 15.1.9 |
935193-4 | 2-Critical | BT935193 | With APM and AFM provisioned, single logout ( SLO ) fails | 17.0.0, 16.1.4, 15.1.10 |
1282357-1 | 2-Critical | BT1282357 | Double HTTP::disable can lead to tmm core | 17.1.1, 16.1.4, 15.1.10 |
1205501-2 | 2-Critical | BT1205501 | The iRule command SSL::profile can select server SSL profile with outdated configuration | 17.1.1, 16.1.4, 15.1.9 |
1186249-2 | 2-Critical | BT1186249 | TMM crashes on reject rule | 17.1.0, 16.1.4 |
1156697-3 | 2-Critical | BT1156697 | Translucent VLAN groups may pass some packets without changing the locally administered bit | 17.1.0, 16.1.4, 15.1.9 |
1146377-2 | 2-Critical | BT1146377 | FastHTTP profiles do not insert HTTP headers triggered by iRules | 17.1.1, 16.1.4, 15.1.9 |
1132405-4 | 2-Critical | BT1132405 | TMM does not process BFD echo pkts with src.addr == dst.addr | 17.1.0, 16.1.4, 15.1.9 |
1126093 | 2-Critical | BT1126093 | DNSSEC Key creation failure with internal FIPS card. | 17.1.1, 16.1.4 |
1110813-3 | 2-Critical | BT1110813 | Improve MPTCP retransmission handling while aborting | 17.1.0, 16.1.4, 15.1.9 |
1099545-2 | 2-Critical | BT1099545 | Tmm may core when PEM virtual with a simple policy and iRule is being used | 17.1.0, 16.1.4, 15.1.9 |
1075073-2 | 2-Critical | BT1075073 | TMM Crash observed with Websocket and MQTT profile enabled | 17.0.0, 16.1.4, 15.1.9 |
1067669-1 | 2-Critical | BT1067669 | TCP/UDP virtual servers drop all incoming traffic. | 17.0.0, 16.1.4, 15.1.9 |
1030185-5 | 2-Critical | BT1030185 | TMM may crash when looking up a persistence record using "persist lookup" iRule commands | 17.0.0, 16.1.4, 15.1.9 |
1024241-1 | 2-Critical | BT1024241 | Empty TLS records from client to BIG-IP results in SSL session termination | 17.1.1, 16.1.4, 15.1.9 |
985925-3 | 3-Major | BT985925 | Ipv6 Routing Header processing not compatible as per Segments Left value. | 17.1.1, 16.1.4, 15.1.10 |
976525-5 | 3-Major | BT976525 | Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled | 17.0.0, 16.1.4, 15.1.6.1, 14.1.5 |
956133-2 | 3-Major | BT956133 | MAC address might be displayed as 'none' after upgrading.★ | 17.0.0, 16.1.4, 15.1.4, 14.1.4.4 |
948065-1 | 3-Major | BT948065 | DNS Responses egress with an incorrect source IP address. | 17.0.0, 16.1.4, 15.1.9 |
921541-6 | 3-Major | BT921541 | When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker. | 17.1.1, 16.1.4, 15.1.10 |
878641-3 | 3-Major | BT878641 | TLS1.3 certificate request message does not contain CAs | 17.1.1, 16.1.4, 15.1.9 |
876569-2 | 3-Major | BT876569 | QAT compression codec produces gzip stream with CRC error | 17.1.1, 16.1.4, 15.1.10 |
851121-6 | 3-Major | BT851121 | Database monitor DBDaemon debug logging not enabled consistently | 17.1.1, 16.1.4, 15.1.10 |
842425-6 | 3-Major | BT842425 | Mirrored connections on standby are never removed in certain configurations | 17.1.1, 16.1.4, 15.1.10 |
693473-8 | 3-Major | BT693473 | The iRulesLX RPC completion can cause invalid or premature TCL rule resumption | 17.1.1, 16.1.4, 15.1.9 |
574762-4 | 3-Major | BT574762 | Forwarding flows leak when a routing update changes the egress vlan | 17.0.0, 16.1.4, 15.1.9 |
1292793-3 | 3-Major | BT1292793 | FIX protocol late binding flows that are not PVA accelerated may fail | 17.1.1, 16.1.4, 15.1.10 |
1291565-2 | 3-Major | BT1291565 | BIG-IP generates more multicast packets in multicast failover high availability (HA) setup | 17.1.1, 16.1.4, 15.1.10 |
1284993-1 | 3-Major | BT1284993 | TLS extensions which are configured after session_ticket are not parsed from Client Hello messages | 17.1.1, 16.1.4 |
1284589-2 | 3-Major | BT1284589 | HTTP CONNECT request from client is not successful with iRule HTTP::disable discard command | 16.1.4 |
1281637-1 | 3-Major | BT1281637 | When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE | 17.1.1, 16.1.4, 15.1.9 |
1269733-3 | 3-Major | BT1269733 | HTTP GET request with headers has incorrect flags causing timeout | 17.1.1, 16.1.4, 15.1.10 |
1250085-3 | 3-Major | BT1250085 | BPDU is not processed with STP passthough mode enabled in BIG-IP | 17.1.1, 16.1.4 |
1238413-3 | 3-Major | BT1238413 | The BIG-IP might fail to update ARL entry for a host in a VLAN-group | 17.1.1, 16.1.4, 15.1.10 |
1229417-2 | 3-Major | BIG-IP iRulesLX: CVE-2020-7774 nodejs-y18n prototype pollution vulnerability | 17.1.1, 16.1.4, 15.1.9 | |
1229369-3 | 3-Major | BT1229369 | The fastl4 TOS mimic setting towards client may not function | 17.1.1, 16.1.4, 15.1.10 |
1210469-3 | 3-Major | BT1210469 | TMM can crash when processing AXFR query for DNSX zone | 17.1.1, 16.1.4, 15.1.9 |
1185133-2 | 3-Major | BT1185133 | ILX streaming plugins limited to MCP OIDs less than 10 million | 17.1.0, 16.1.4, 15.1.9 |
1184153-2 | 3-Major | BT1184153 | TMM crashes when you use the rateshaper with packetfilter enabled | 17.1.0, 16.1.4, 15.1.9 |
1159569-2 | 3-Major | BT1159569 | Persistence cache records may accumulate over time | 17.1.0, 16.1.4, 15.1.9 |
1155393-2 | 3-Major | BT1155393 | Failure to remove chunk headers from chunked response with Rewrite/HTML profile and compression | 17.1.0, 16.1.4, 15.1.9 |
1146241-2 | 3-Major | BT1146241 | FastL4 virtual server may egress packets with unexpected and erratic TTL values | 17.1.0, 16.1.4, 15.1.9 |
1146037-1 | 3-Major | BT1146037 | Updating the firmware for a FIPS protected internal HSM due to SDK or driver upgrade | 17.1.0, 16.1.4 |
1144117-3 | 3-Major | BT1144117 | "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands | 17.1.1, 16.1.4, 15.1.9 |
1141845-4 | 3-Major | BT1141845 | RULE_INIT with a call that contains an extra colon character (:) will crash BIG-IP. | 17.1.0, 16.1.4, 15.1.9 |
1135313-4 | 3-Major | BT1135313 | Pool member current connection counts are incremented and not decremented | 17.1.0, 16.1.4, 15.1.9 |
1133881-2 | 3-Major | BT1133881 | Errors in attaching port lists to virtual server when TMC is used with same sources | 17.1.0, 16.1.4, 15.1.9 |
1133625-2 | 3-Major | BT1133625 | The HTTP2 protocol is not working when SSL persistence and session ticket are enabled | 17.1.0, 16.1.4, 15.1.9 |
1128721-2 | 3-Major | BT1128721 | L2 wire support on vCMP architecture platform | 17.1.0, 16.1.4, 15.1.8 |
1126841-3 | 3-Major | BT1126841 | HTTP::enable can rarely cause cores | 17.1.1, 16.1.4, 15.1.10 |
1126329-2 | 3-Major | BT1126329 | SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT★ | 17.1.0, 16.1.4, 15.1.9 |
1123169-1 | 3-Major | BT1123169 | Error saving an iRule when calling a procedure from HTML_TAG_MATCHED event | 17.1.0, 16.1.4, 15.1.9 |
1117609-2 | 3-Major | BT1117609 | VLAN guest tagging is not implemented for CX4 and CX5 on ESXi | 17.1.1, 16.1.4, 15.1.10 |
1115041-1 | 3-Major | BT1115041 | BIG-IP does not forward the response received after GOAWAY, to the client. | 17.1.0, 16.1.4, 15.1.9 |
1113181-2 | 3-Major | BT1113181 | Self-IP allows no traffic following a modification from "Allow Custom (Include Default)" to "Allow Custom". | 16.1.4, 15.1.9 |
1112745-2 | 3-Major | BT1112745 | System CPU Usage detailed graph is not accessible on Cerebrus+ | 17.1.0, 16.1.4, 15.1.7 |
1111473-4 | 3-Major | BT1111473 | The error Invalid monitor rule instance identifier occurs, and possible blade reboot loop after sync with FQDN nodes | 17.1.0, 16.1.4, 15.1.9 |
1109953-4 | 3-Major | BT1109953 | TMM may crash if a data-group is used when an SSL Forward Proxy Bypass/Intercept list contains extremely long entry | 17.1.0, 16.1.4, 15.1.9 |
1107565 | 3-Major | BT1107565 | SSL Persistence behavior change for TLS1.3 connection between v16.1.0 and v16.1.2.2 | 17.1.1, 16.1.4 |
1102429-2 | 3-Major | BT1102429 | iRule 'reject' command under 'FLOW_INIT' event does not send the reject packet out in some cases. | 17.1.0, 16.1.4, 15.1.9 |
1101697-2 | 3-Major | BT1101697 | TLS1.3 connection failure with 0-RTT and Hello Retry Request (HRR). | 17.1.0, 16.1.4, 15.1.7 |
1101181-2 | 3-Major | BT1101181 | HTTP request payload not forwarded by BIG-IP when serverside is HTTP/2 and HTTP MRF router is enabled on virtual server | 17.1.0, 16.1.4, 15.1.9 |
1099229-4 | 3-Major | BT1099229 | SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present | 17.1.0, 16.1.4, 15.1.9, 14.1.5.1 |
1096893-1 | 3-Major | BT1096893 | TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection | 17.1.1, 16.1.4, 15.1.9 |
1091969-3 | 3-Major | BT1091969 | iRule 'virtual' command does not work for connections over virtual-wire. | 16.1.4, 15.1.9 |
1088173-2 | 3-Major | BT1088173 | With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile | 17.1.0, 16.1.4, 15.1.7 |
1080569-2 | 3-Major | BT1080569 | BIG-IP prematurely closes clientside HTTP1.1 connection when serverside is HTTP2 and HTTP MRF router is enabled on virtual server | 17.1.0, 16.1.4, 15.1.9 |
1079769-1 | 3-Major | BT1079769 | Tmm utilizing the virtio driver might crash after modifying several IPv6 virtual servers | 17.0.0, 16.1.4, 15.1.9 |
1077553-3 | 3-Major | BT1077553 | Traffic matches the wrong virtual server after modifying the port matching configuration | 17.1.0, 16.1.4, 15.1.9 |
1076577-3 | 3-Major | BT1076577 | iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg' | 17.1.0, 16.1.4, 15.1.7 |
1076573-3 | 3-Major | BT1076573 | MQTT profile addition is different in GUI and TMSH | 17.0.0, 16.1.4, 15.1.9 |
1074505-1 | 3-Major | BT1074505 | Traffic classes are not attached to virtual server at TMM start | 17.0.0, 16.1.4, 15.1.6.1, 14.1.5.1 |
1070389-4 | 3-Major | K000132430, BT1070389 | Tightening HTTP RFC enforcement | 17.1.0, 16.1.4, 15.1.9 |
1068673-3 | 3-Major | BT1068673 | SSL forward Proxy triggers CLIENTSSL_DATA event on bypass. | 17.1.0, 16.1.4, 15.1.9 |
1060021-1 | 3-Major | BT1060021 | Using OneConnect profile with RESOLVER::name_lookup iRule might result in core. | 17.1.0, 16.1.4, 15.1.9 |
1053741-4 | 3-Major | BT1053741 | Bigd may exit and restart abnormally without logging a reason | 17.1.0, 16.1.4, 15.1.8 |
1053173-1 | 3-Major | BT1053173 | Support for MQTT functionality over websockets. | 17.0.0, 16.1.4 |
1043009 | 3-Major | BT1043009 | TMM dump capture for compression engine hang | 17.1.0, 16.1.4, 15.1.9 |
1040017-5 | 3-Major | BT1040017 | Final ACK validation during flow accept might fail with hardware SYN Cookie | 17.0.0, 16.1.4, 15.1.7 |
1012813-1 | 3-Major | BT1012813 | Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file" | 17.1.1, 16.1.4 |
1000561-5 | 3-Major | BT1000561 | HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side | 17.1.1, 16.1.4, 15.1.9 |
1000069-3 | 3-Major | BT1000069 | Virtual server does not create the listener | 17.1.0, 16.1.4, 15.1.9 |
962177-6 | 4-Minor | BT962177 | Results of POLICY::names and POLICY::rules commands may be incorrect | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4, 13.1.4.1 |
960677-1 | 4-Minor | BT960677 | Improvement in handling accelerated TLS traffic | 17.1.1, 16.1.4, 15.1.9 |
1281709-3 | 4-Minor | BT1281709 | Traffic-group ID may not be updated properly on a TMM listener | 17.1.1, 16.1.4, 15.1.10 |
1240937-3 | 4-Minor | BT1240937 | The FastL4 TOS specify setting towards server may not function for IPv6 traffic | 17.1.1, 16.1.4, 15.1.10 |
1211189-3 | 4-Minor | BT1211189 | Stale connections observed and handshake failures observed with errors | 17.1.1, 16.1.4 |
1156105-2 | 4-Minor | BT1156105 | Proxy Exclusion List is not configurable if VLAN group and route-domain are in non default partition | 17.1.0, 16.1.4, 15.1.9 |
1137717-2 | 4-Minor | BT1137717 | There are no dynconfd logs during early initialization | 17.1.1, 16.1.4, 15.1.10 |
1133557-2 | 4-Minor | BT1133557 | Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name | 17.1.1, 16.1.4, 15.1.10 |
1132765-4 | 4-Minor | BT1132765 | Virtual server matching might fail in rare cases when using virtual server chaining. | 17.1.0, 16.1.4, 15.1.9 |
1128505-2 | 4-Minor | BT1128505 | HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy | 17.1.1, 16.1.4 |
1122377-2 | 4-Minor | BT1122377 | If-Modified-Since always returns 304 response if there is no last-modified header in the server response | 17.1.0, 16.1.4, 15.1.9 |
1111981-3 | 4-Minor | BT1111981 | Decrement in MQTT current connections even if the connection was never active | 17.1.0, 16.1.4, 15.1.9 |
1103617-4 | 4-Minor | BT1103617 | 'Reset on Timeout' setting might be ignored when fastl4 is used with another profile. | 17.1.0, 16.1.4, 15.1.9 |
1101369-1 | 4-Minor | BT1101369 | MQTT connection stats are not updated properly | 17.1.0, 16.1.4, 15.1.9 |
1037265-2 | 4-Minor | K11453402, BT1037265 | Improper handling of multiple cookies with the same name. | 17.1.0, 16.1.4, 15.1.9 |
1034217-2 | 4-Minor | BT1034217 | Quic_update_rtt can leave ack_delay uninitialized. | 17.0.0, 16.1.4, 15.1.9 |
1030533-1 | 4-Minor | BT1030533 | The BIG-IP system may reject valid HTTP responses from OCSP servers. | 17.0.0, 16.1.4, 15.1.9 |
1027805-4 | 4-Minor | BT1027805 | DHCP flows crossing route-domain boundaries might fail. | 17.0.0, 16.1.4, 15.1.9 |
Performance Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1127445-3 | 2-Critical | BT1127445 | Performance degradation after Bug ID 1019853 | 17.1.0, 16.1.4, 15.1.9 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1211341-4 | 1-Blocking | BT1211341 | Failed to delete custom monitor after dissociating from virtual server | 17.1.0, 16.1.4, 15.1.10 |
1137485-2 | 2-Critical | BT1137485 | Gtmd produces excessive logging and may also crash (SIGSEGV) repeatedly | 17.1.0, 16.1.4, 15.1.9 |
966461-7 | 3-Major | BT966461 | Tmm memory leak | 17.1.0, 16.1.4, 15.1.9 |
935945-2 | 3-Major | BT935945 | GTM HTTP/HTTPS monitors cannot be modified via GUI | 17.1.0, 16.1.4, 15.1.10 |
1230709-1 | 3-Major | BT1230709 | Remove unnecessary logging with nsec3_add_nonexist_proof | 16.1.4, 15.1.10 |
1200929-2 | 3-Major | BT1200929 | GTM configuration objects larger than 16384 bytes can cause the GTM sync process to hang | 17.1.0, 16.1.4, 15.1.10 |
1182353-3 | 3-Major | BT1182353 | DNS cache consumes more memory because of the accumulated mesh_states | 17.1.1, 16.1.4, 15.1.9 |
1162081-6 | 3-Major | Upgrade the bind package to fix security vulnerabilities | 17.1.0, 16.1.4, 15.1.9 | |
1122497-4 | 3-Major | BT1122497 | Rapid response not functioning after configuration changes | 17.1.0, 16.1.4, 15.1.9 |
1108237-2 | 3-Major | BT1108237 | Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM. | 17.1.1, 16.1.4 |
1073677-1 | 3-Major | BT1073677 | Add a db variable to enable answering DNS requests before reqInitState Ready | 17.1.0, 16.1.4, 15.1.10 |
1060145-1 | 3-Major | BT1060145 | Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2. | 17.1.0, 16.1.4, 15.1.9 |
1048077 | 3-Major | BT1048077 | SELinux errors with gtmd when using internal FIPS card | 17.1.0, 16.1.4 |
808913-1 | 4-Minor | BT808913 | Big3d cannot log the full XML buffer data | 17.0.0, 16.1.4, 15.1.9 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1105341-2 | 0-Unspecified | BT1105341 | Decode_application_payload can break exponent notation in JSON | 17.1.0, 16.1.4, 15.1.9 |
923821-1 | 2-Critical | BT923821 | Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack | 17.1.1, 16.1.4, 15.1.9 |
884945-1 | 2-Critical | BT884945 | Latency reduce in case of empty parameters. | 17.0.0, 16.1.4, 15.1.9 |
850141-2 | 2-Critical | BT850141 | Possible tmm core when using Dosl7/Bot Defense profile | 17.1.1, 16.1.4, 15.1.9 |
791669-5 | 2-Critical | BT791669 | TMM might crash when Bot Defense is configured for multiple domains | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.2.3 |
1132697-3 | 2-Critical | BT1132697 | Use of proactive bot defense profile can trigger TMM crash | 17.1.1, 16.1.4, 15.1.9 |
1113161-2 | 2-Critical | BT1113161 | After upgrade, Learning and Blocking Settings page is not loading because some policies are still pointing to deleted factory Negsig sets★ | 17.1.0, 16.1.4, 15.1.9 |
1095185-2 | 2-Critical | BT1095185 | Failed Configuration Load on Secondary Slot After Device Group Sync | 17.1.0, 16.1.4, 15.1.9 |
1040757-1 | 2-Critical | BT1040757 | A BD memory leak was fixed | 17.0.0, 16.1.4 |
974985-6 | 3-Major | BT974985 | Dosl7/bot does not ignore non-http traffic even when disabled via iRule DOSL7::disable | 17.0.0, 16.1.4, 15.1.9 |
956373-4 | 3-Major | BT956373 | ASM sync files not cleaned up immediately after processing | 17.0.0, 16.1.4, 16.0.1.2, 15.1.3, 14.1.4.1 |
950917-4 | 3-Major | BT950917 | Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034 | 17.0.0, 16.1.4, 15.1.4, 14.1.4.2, 13.1.4.1 |
929077-4 | 3-Major | BT929077 | Bot Defense allow list does not apply when using default Route Domain and XFF header | 17.0.0, 16.1.4, 16.0.1.1, 15.1.3, 14.1.4 |
928997-3 | 3-Major | BT928997 | Less XML memory allocated during ASM startup | 17.1.1, 16.1.4, 15.1.9 |
903313-4 | 3-Major | BT903313 | OWASP page: File Types score in Broken Access Control category is always 0. | 17.0.0, 16.1.4 |
890169-4 | 3-Major | BT890169 | URLs starting with double slashes might not be loaded when using a Bot Defense Profile. | 17.1.1, 16.1.4, 15.1.10 |
1312057-1 | 3-Major | bd instability when using many remote loggers with Arcsight format | 17.1.1, 16.1.4 | |
1297089-3 | 3-Major | BT1297089 | Support Dynamic Parameter Extractions in declarative policy | 17.1.1, 16.1.4 |
1296469-2 | 3-Major | ASM UI hardening | 17.1.1, 16.1.4 | |
1286101-1 | 3-Major | BT1286101 | JSON Schema validation failure with E notation number | 17.1.1, 16.1.4, 15.1.10 |
1216297-1 | 3-Major | BT1216297 | TMM core occurs when using disabling ASM of request_send event | 17.1.1, 16.1.4 |
1196537-1 | 3-Major | BT1196537 | BD process crashes when you use SMTP security profile | 17.1.1, 16.1.4, 15.1.9 |
1195125 | 3-Major | BT1195125 | "Failed to allocate memory for nodes of size 0, no variables found in query" BD log message fix | 16.1.4 |
1194173-2 | 3-Major | BT1194173 | BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value | 17.1.1, 16.1.4, 15.1.9 |
1190365-3 | 3-Major | BT1190365 | OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly | 17.1.1, 16.1.4, 15.1.10 |
1186437-1 | 3-Major | BT1186437 | Link to Server Technologies is not working | 16.1.4 |
1186401-2 | 3-Major | BT1186401 | Using REST API to change policy signature settings changes all the signatures. | 17.1.1, 16.1.4, 15.1.9 |
1186385-1 | 3-Major | BT1186385 | Link to 'Enforced Cookies' and 'SameSite Cookie Attribute Enforcement ' is opening the Policies List page | 16.1.4 |
1184841-2 | 3-Major | BT1184841 | Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API | 17.1.1, 16.1.4, 15.1.10 |
1173493-4 | 3-Major | BT1173493 | Bot signature staging timestamp corrupted after modifying the profile | 17.1.1, 16.1.4, 15.1.10 |
1156889-3 | 3-Major | BT1156889 | TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions | 17.1.1, 16.1.4, 15.1.9 |
1148009-2 | 3-Major | BT1148009 | Cannot sync an ASM logging profile on a local-only VIP | 17.1.1, 16.1.4, 15.1.9 |
1144497-2 | 3-Major | BT1144497 | Base64 encoded metachars are not detected on HTTP headers | 17.1.1, 16.1.4, 15.1.9 |
1141665-2 | 3-Major | BT1141665 | Significant slowness in policy creation following Threat Campaign LU installation | 17.1.0, 16.1.4, 15.1.9 |
1137993-2 | 3-Major | BT1137993 | Violation is not triggered on specific configuration | 17.1.1, 16.1.4, 15.1.9 |
1132981-2 | 3-Major | BT1132981 | Standby not persisting manually added session tracking records | 17.1.1, 16.1.4, 15.1.9 |
1132741-2 | 3-Major | BT1132741 | Tmm core when html parser scans endless html tag of size more then 50MB | 17.1.1, 16.1.4, 15.1.9 |
1128689-2 | 3-Major | BT1128689 | High BD CPU utilization | 16.1.4, 15.1.9 |
1127809-2 | 3-Major | BT1127809 | Due to incorrect URI parsing, the system does not extract the expected domain name | 17.1.0, 16.1.4, 15.1.9 |
1126409-3 | 3-Major | BT1126409 | BD process crash | 17.1.0, 16.1.4, 15.1.9 |
1117245-2 | 3-Major | BT1117245 | Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file | 17.1.1, 16.1.4, 15.1.10 |
1113881-2 | 3-Major | BT1113881 | Headers without a space after the colon, trigger an HTTP RFC violation | 17.1.0, 16.1.4, 15.1.9 |
1112805-4 | 3-Major | BT1112805 | ip_address_intelligence field is not populated with value in ArcSight remote log when source IP is IPv4 | 17.1.0, 16.1.4, 15.1.9 |
1110281-2 | 3-Major | BT1110281 | Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable | 17.1.1, 16.1.4, 15.1.9 |
1106937-3 | 3-Major | BT1106937 | ASM may skip signature matching | 17.1.0, 16.1.4, 15.1.9 |
1102301-2 | 3-Major | BT1102301 | Content profiles created for types other than video and image allowing executable | 17.1.0, 16.1.4 |
1100669-3 | 3-Major | BT1100669 | Brute force captcha loop | 17.1.0, 16.1.4, 15.1.9 |
1100393-2 | 3-Major | BT1100393 | Multiple Referer header raise false positive evasion violation | 17.1.0, 16.1.4 |
1099193-2 | 3-Major | BT1099193 | Incorrect configuration for "Auto detect" parameter is shown after switching from other data types | 17.1.0, 16.1.4, 15.1.9 |
1098609-4 | 3-Major | BT1098609 | BD crash on specific scenario | 17.1.1, 16.1.4, 15.1.9 |
1095041-2 | 3-Major | BT1095041 | ASM truncates cookies that contain a space in the name and TS cookie as part of cookie list. | 17.1.0, 16.1.4, 15.1.10 |
1089853-2 | 3-Major | BT1089853 | "Virtual Server" or "Bot Defense Profile" links in Request Details are not working | 17.1.0, 16.1.4 |
1089345-1 | 3-Major | BT1089345 | BD crash when mcp is down, usually on startups | 17.1.0, 16.1.4 |
1085661-1 | 3-Major | BT1085661 | Standby system saves config and changes status after sync from peer | 17.1.1, 16.1.4, 15.1.10 |
1084257-2 | 3-Major | K11342432, BT1084257 | New HTTP RFC Compliance check in headers | 17.1.0, 17.0.0.1, 16.1.4, 15.1.7 |
1080613-1 | 3-Major | BT1080613 | LU configurations revert to default and installations roll back to genesis files★ | 17.1.0, 16.1.4, 15.1.9 |
1078065-2 | 3-Major | BT1078065 | The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA. | 17.1.1, 16.1.4, 15.1.9 |
1072165-2 | 3-Major | BT1072165 | Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format | 17.1.0, 16.1.4, 15.1.9 |
1069729-3 | 3-Major | BT1069729 | TMM might crash after a configuration change. | 17.1.1, 16.1.4, 15.1.9 |
1067589-3 | 3-Major | BT1067589 | Memory leak in nsyncd | 17.1.0, 16.1.4, 15.1.9 |
1067557-2 | 3-Major | BT1067557 | Value masking under XML and JSON content profiles does not follow policy case sensitivity | 17.1.1, 16.1.4, 15.1.9 |
1059513-1 | 3-Major | BT1059513 | Virtual servers may appear as detached from security policy when they are not. | 17.1.1, 16.1.4, 15.1.10 |
1058597-5 | 3-Major | BT1058597 | Bd crash on first request after system recovery. | 17.0.0, 16.1.4, 15.1.9 |
1048949-1 | 3-Major | BT1048949 | TMM xdata leak on websocket connection with asm policy without websocket profile | 17.1.1, 16.1.4, 15.1.9 |
1029989-6 | 3-Major | BT1029989 | CORS : default port of origin header is set 80, even when the protocol in the header is https | 16.1.4, 15.1.10 |
1023889-3 | 3-Major | BT1023889 | HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message | 17.1.1, 16.1.4, 15.1.10 |
1017557-1 | 3-Major | BT1017557 | ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN | 17.1.0, 16.1.4, 15.1.9 |
942617-2 | 4-Minor | BT942617 | Heading or tailing white spaces of variable are not trimmed in configuration utility System Variable | 17.1.1, 16.1.4, 15.1.10 |
810917-1 | 4-Minor | BT810917 | OWASP Compliance score is shown for parent and child policies that are not applicable. | 17.0.0, 16.1.4 |
1213333 | 4-Minor | BT1213333 | Check box to select all attack signatures does not work properly | 16.1.4 |
1189865-2 | 4-Minor | BT1189865 | "Cookie not RFC-compliant" violation missing the "Description" in the event logs | 17.1.1, 16.1.4, 15.1.9 |
1184929-1 | 4-Minor | BT1184929 | GUI link displays mixed values FULFILLED or Requirement Fulfilled and NOT FULFILLED or Requirement Not Fulfilled | 16.1.4 |
1133997-3 | 4-Minor | BT1133997 | Duplicate user-defined Signature Set based on untagged signatures is created upon policy clone or import | 17.1.1, 16.1.4 |
1132925-3 | 4-Minor | BT1132925 | Bot defense does not work with DNS Resolvers configured under non-zero route domains | 17.1.0, 16.1.4, 15.1.9 |
1123153-3 | 4-Minor | BT1123153 | "Such URL does not exist in policy" error in the GUI | 17.1.1, 16.1.4, 15.1.9 |
1113753-2 | 4-Minor | BT1113753 | Signatures might not be detected when using truncated multipart requests | 17.1.1, 16.1.4, 15.1.10 |
1111793-2 | 4-Minor | BT1111793 | New HTTP RFC Compliance check for incorrect newline separators between request line and first header | 17.1.0, 16.1.4, 15.1.7 |
1108657-3 | 4-Minor | BT1108657 | No notification about disabled "Virus detected" violation in case of enabling "Anti-Virus Protection" | 17.1.0, 16.1.4 |
1099765-3 | 4-Minor | BT1099765 | Inconsistent behavior in violation detection with maximum parameter enforcement | 17.1.1, 16.1.4, 15.1.10 |
1092965-2 | 4-Minor | BT1092965 | Disabled "Illegal Base64 value" violation is detect for staged base64 parameter with attack signature in value | 17.1.0, 16.1.4, 15.1.9 |
1084857-2 | 4-Minor | BT1084857 | ASM::support_id iRule command does not display the 20th digit | 17.1.1, 16.1.4, 15.1.10 |
1083513-1 | 4-Minor | BT1083513 | BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd | 17.1.1, 16.1.4, 15.1.10 |
1076825-1 | 4-Minor | BT1076825 | "Live Update" configuration and list of update files reverts to default after upgrade to v16.1.x and v17.1.x from earlier releases.★ | 17.1.1, 16.1.4 |
1026277-6 | 4-Minor | BT1026277 | Apply Policy can get ignored in auto-sync setup, while importing/replacing several existing policies with policies that have Policy Builder enabled | 17.0.0, 16.1.4 |
1003765-2 | 4-Minor | BT1003765 | Authorization header signature triggered even when explicitly disabled | 17.1.0, 16.1.4, 15.1.4.1 |
1113333-3 | 5-Cosmetic | BT1113333 | Change ArcSight Threat Campaign key names to be camelCase | 17.1.0, 16.1.4, 15.1.9 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
932485-5 | 3-Major | BT932485 | Incorrect sum(hits_count) value in aggregate tables | 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
1111189-2 | 3-Major | BT1111189 | Listing errors in tmsh and installation failures when the configuration includes an AVR scheduled-report. | 17.1.0, 16.1.4 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
965837-4 | 2-Critical | BT965837 | When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection | 17.0.0, 16.1.4, 15.1.9 |
1283645 | 2-Critical | BT1283645 | Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued | 17.1.0.3, 16.1.4, 15.1.9, 14.1.5.6 |
1111149-2 | 2-Critical | BT1111149 | Nlad core observed due to ERR_func_error_string can return NULL | 17.1.1, 16.1.4, 15.1.9 |
1110489-3 | 2-Critical | BT1110489 | TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event | 17.1.1, 16.1.4, 15.1.9 |
1106757-3 | 2-Critical | BT1106757 | Horizon VDI clients are intermittently disconnected | 17.1.0, 16.1.4, 15.1.9 |
1082581-2 | 2-Critical | BT1082581 | Apmd sees large memory growth due to CRLDP Cache handling | 17.1.0, 16.1.4, 15.1.9, 14.1.5.3 |
1078829-1 | 2-Critical | BT1078829 | Login as current user fails in VMware | 17.0.0, 16.1.4, 15.1.10 |
1065501-2 | 2-Critical | BT1065501 | [API Protection]Per request policy is getting timed out | 17.0.0, 16.1.4, 15.1.9 |
1046633-1 | 2-Critical | BT1046633 | Rare tmm crash when sending packets to apmd fails | 17.0.0, 16.1.4, 15.1.9 |
957453-1 | 3-Major | BT957453 | Javascript parser incompatible with ECMAScript 6/7+ javascript versions | 17.1.0, 16.1.4, 15.1.9 |
956645-4 | 3-Major | BT956645 | Per-request policy execution may timeout. | 17.0.0, 16.1.4, 15.1.9, 14.1.4.5 |
819645-1 | 3-Major | BT819645 | Reset Horizon View application does not work when accessing through F5 APM | 17.1.0, 16.1.4, 15.1.9 |
796065-2 | 3-Major | BT796065 | PingAccess filter can accumulate connections increasing memory use. | 16.1.4 |
752077-4 | 3-Major | BT752077 | Kerberos replay cache leaks file descriptors | 17.0.0, 16.1.4, 15.1.9 |
490138-1 | 3-Major | BT490138 | Kerberos Auth might fail in case BIG-IP is configured with multiple AAA Kerberos Servers | 17.1.0, 16.1.4, 15.1.9 |
1268521 | 3-Major | BT1268521 | SAML authentication with the VCS fails when launching the applications/remote desktops from the APM Webtop when multiple RD resources are assigned to the APM Webtop | 17.1.1, 16.1.4, 15.1.10 |
1232977-3 | 3-Major | BT1232977 | TMM leaking memory in OAuth scope identifiers when parsing scope lists | 17.1.1, 16.1.4 |
1208949-1 | 3-Major | BT1208949 | TMM cored with SIGSEGV at 'vpn_idle_timer_callback' | 17.1.1, 16.1.4, 15.1.10 |
1205029 | 3-Major | BT1205029 | WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application | 17.1.1, 16.1.4 |
1196401-2 | 3-Major | BT1196401 | Restarting TMM does not restart APM Daemon | 17.1.0, 16.1.4, 15.1.9 |
1180365-2 | 3-Major | BT1180365 | APM Integration with Citrix Cloud Connector | 17.1.1, 16.1.4, 15.1.10 |
1173669-1 | 3-Major | BT1173669 | Unable to reach backend server with Per Request policy and Per Session together | 17.1.0, 16.1.4, 15.1.9 |
1167985-2 | 3-Major | BT1167985 | Network Access resource settings validation errors | 17.1.1, 16.1.4 |
1166449-2 | 3-Major | BT1166449 | APM - NTLM authentication will stop working if any of DC FQDN is not resolvable in the configured DC list | 17.1.0, 16.1.4, 15.1.9 |
1145361 | 3-Major | BT1145361 | When JWT is cached the error "JWT Expired and cannot be used" is observed | 17.1.1, 16.1.4 |
1124109-2 | 3-Major | Add "typ":"JWT" to JOSE Header while generating JWT token from OAuth AS | 17.1.0, 16.1.4, 15.1.10 | |
1113661-1 | 3-Major | BT1113661 | When OAuth profile is attached to access policy, iRule event in VPE breaks the evaluation | 17.1.0, 16.1.4 |
1111397-4 | 3-Major | BT1111397 | [APM][UI] Wizard should also allow same patterns as the direct GUI | 17.1.1, 16.1.4, 15.1.9 |
1108109-4 | 3-Major | BT1108109 | APM policy sync fails when access policy contains customization images★ | 17.1.0, 16.1.4, 15.1.9 |
1104409-1 | 3-Major | BT1104409 | Added Rewrite Control Lists builder to Admin UI | 17.1.0, 16.1.4, 15.1.9 |
1101321-3 | 3-Major | BT1101321 | APM log files are flooded after a client connection fails. | 17.1.0, 16.1.4, 15.1.9 |
1100549-3 | 3-Major | BT1100549 | "Resource Administrator" role cannot change ACL order | 17.1.0, 16.1.4, 15.1.9 |
1099305-2 | 3-Major | BT1099305 | Nlad core observed due to ERR_func_error_string can return NULL | 17.1.0, 16.1.4, 15.1.9 |
1089101-2 | 3-Major | BT1089101 | Apply Access Policy notification in UI after auto discovery | 17.1.0, 16.1.4, 15.1.9 |
1075849-5 | 3-Major | APM client hardening | 17.1.0, 16.1.4, 15.1.8.2 | |
1070029-1 | 3-Major | BT1070029 | GSS-SPNEGO SASL mechanism issue with AD Query to Synology Directory Service | 17.1.1, 16.1.4, 15.1.10 |
1067609-2 | 3-Major | Static keys were used while generating UUIDs under OAuth module | 17.1.0, 16.1.4, 15.1.9 | |
1064001-1 | 3-Major | BT1064001 | POST request to a virtual server with stream profile and a access policy is aborted. | 17.0.0, 16.1.4, 15.1.9 |
1060477-1 | 3-Major | BT1060477 | iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]". | 17.1.1, 16.1.4, 15.1.9 |
1050165 | 3-Major | BT1050165 | APM SSO is disabled in the session of users and requires support of administrator for resolving | 17.1.0, 16.1.4, 15.1.9 |
1046401-2 | 3-Major | BT1046401 | APM logs shows truncated OCSP URL path while performing OCSP Authentication. | 17.1.1, 16.1.4, 15.1.10 |
1042505-1 | 3-Major | BT1042505 | Session variable "session.user.agent" does not get populated for edge clients | 17.0.0, 16.1.4, 15.1.9 |
1039941-3 | 3-Major | BT1039941 | The webtop offers to download F5 VPN when it is already installed | 17.1.1, 16.1.4, 15.1.10 |
1038753-4 | 3-Major | K75431121, BT1038753 | OAuth Bearer with SSO does not process headers as expected | 17.1.0, 16.1.4, 15.1.9 |
1037877-3 | 3-Major | BT1037877 | OAuth Claim display order incorrect in VPE | 17.1.0, 16.1.4, 15.1.9 |
1018877-2 | 3-Major | BT1018877 | Subsession variable values mixing between sessions | 17.0.0, 16.1.4, 15.1.9 |
1013729-2 | 3-Major | BT1013729 | Changing User login password using VMware View Horizon client results in “HTTP error 500” | 17.0.0, 16.1.4, 15.1.10 |
1010961-1 | 3-Major | BT1010961 | Redirect fails when accessing SAML Resource more than once in SAML IDP initiated Flow | 17.1.0, 16.1.4 |
1010809-3 | 3-Major | BT1010809 | Connection is reset when sending a HTTP HEAD request to APM Virtual Server | 17.1.0, 16.1.4, 15.1.9 |
1002413-2 | 3-Major | BT1002413 | Websso puts quotation marks around non-string claim type 'custom' values | 17.0.0, 16.1.4 |
1000669-4 | 3-Major | BT1000669 | Tmm memory leak 'string cache' leading to SIGFPE | 17.0.0, 16.1.4, 15.1.9 |
1252005 | 4-Minor | BT1252005 | VMware USB redirection does not work with DaaS | 17.1.1, 16.1.4, 15.1.10 |
1224409 | 4-Minor | BT1224409 | Unable to set session variables of length >4080 using the -secure flag | 17.1.1, 16.1.4, 15.1.10 |
1195385 | 4-Minor | BT1195385 | OAuth Scope Internal Validation fails upon multiple providers with same type | 17.1.1, 16.1.4 |
1088389-2 | 4-Minor | BT1088389 | Admin to define the AD Query/LDAP Query page-size globally | 17.1.0, 16.1.4, 15.1.9 |
1079441-2 | 4-Minor | BT1079441 | APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries | 17.1.0, 16.1.4, 15.1.9 |
1050009-2 | 4-Minor | BT1050009 | Access encountered error:ERR_NOT_FOUND. File: <file name> messages in 'acs_cmp_acp_req_handler' function in APM logs | 17.1.0, 16.1.4, 15.1.9 |
1041985-1 | 4-Minor | BT1041985 | TMM memory utilization increases after upgrade★ | 17.1.1, 16.1.4, 15.1.9 |
1040829-4 | 4-Minor | BT1040829 | Errno=(Invalid cross-device link) after SCF merge | 17.1.1, 16.1.4, 15.1.10 |
1028081-1 | 4-Minor | BT1028081 | [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page | 17.1.1, 16.1.4, 15.1.9 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1269889-3 | 2-Critical | BT1269889 | LTM crashes are observed while running SIP traffic and pool members are offline | 17.1.1, 16.1.4, 15.1.10 |
1239901-2 | 2-Critical | BT1239901 | LTM crashes while running SIP traffic | 17.1.1, 16.1.4, 15.1.9 |
1141853-2 | 2-Critical | BT1141853 | SIP MRF ALG can lead to a TMM core | 17.1.0, 16.1.4, 15.1.9 |
1291149-3 | 3-Major | BT1291149 | Cores with fail over and message routing | 17.1.1, 16.1.4, 15.1.10 |
1287313-2 | 3-Major | BT1287313 | SIP response message with missing Reason-Phrase or with spaces are not accepted | 17.1.1, 16.1.4, 15.1.10 |
1189513-4 | 3-Major | BT1189513 | SIP media flow pinholes are not created if SDP MIME multipart body part miss the content-length header | 17.1.1, 16.1.4, 15.1.9 |
1167941-3 | 3-Major | BT1167941 | CGNAT SIP ALG INVITE loops between BIG-IP and Server | 17.1.0, 16.1.4, 15.1.9 |
1038057-4 | 3-Major | BT1038057 | Unable to add a serverssl profile into a virtual server containing a FIX profile | 17.1.1, 16.1.4, 15.1.9 |
1213469-1 | 4-Minor | BT1213469 | MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP is dropped | 17.1.1, 16.1.4 |
1116941-1 | 4-Minor | BT1116941 | Need larger Content-Length value supported for SIP | 17.1.0, 16.1.4, 15.1.9 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1013353-1 | 1-Blocking | BT1013353 | ICMP flood or ICMP/IP/IPv6 fragment vectors are not hardware mitigated when configured on VS | 16.1.4 |
1292093 | 2-Critical | BT1292093 | Neuron based HW SYN cookie broken due to ZBDDOS feature porting to 16.1.x | 16.1.4 |
1287425 | 2-Critical | BT1287425 | Observed crash while running sweep flood tests | 16.1.4 |
1136917-1 | 2-Critical | BT1136917 | TMM crashed when dos-profile (with BDOS and White-list enabled) disassociated from Virtual Server. | 17.1.0, 16.1.4 |
1106273-3 | 2-Critical | BT1106273 | "duplicate priming" assert in IPSECALG | 17.1.1, 16.1.4, 15.1.9 |
1069809 | 2-Critical | BT1069809 | AFM rules with ipi-category src do not match traffic after failover. | 16.1.4, 15.1.9 |
1048425-4 | 2-Critical | BT1048425 | Packet tester crashes TMM when vlan external source-checking is enabled | 16.1.4 |
1040685-4 | 2-Critical | BT1040685 | Core file on blade slot2 after reboot (TMM SIGSEGV in pktclass_classifier) | 17.0.0, 16.1.4, 15.1.10 |
1038549-1 | 2-Critical | BT1038549 | TMM core when BDoS is enabled for an extended time | 16.1.4 |
997429-1 | 3-Major | BT997429 | When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled | 17.1.0, 16.1.4, 15.1.9 |
993269-3 | 3-Major | BT993269 | DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option | 17.0.0, 16.1.4, 15.1.9 |
952521-1 | 3-Major | BT952521 | Memory allocation error while creating an address list with a large range of IPv6 addresses★ | 17.0.0, 16.1.4, 15.1.9 |
929913-3 | 3-Major | BT929913 | External DNS logging does not differentiate between: all src_IP, Per-SrcIP and Per-DstIP events | 17.0.0, 16.1.4, 15.1.9 |
1287873 | 3-Major | BT1287873 | Hardware mitigation is not working for a few SIP vectors | 16.1.4 |
1216573-1 | 3-Major | BT1216573 | AFM Learning Domain issue when trying with many valid domains | 16.1.4 |
1209409-3 | 3-Major | BT1209409 | Address lists with thousands of addresses can cause MCPD to become unresponsive and use 100% CPU | 16.1.4 |
1127117-1 | 3-Major | BT1127117 | High Memory consumption for NAT translations of NAPT/PBA End Point Independent modes | 17.1.0, 16.1.4, 15.1.9 |
1124149-2 | 3-Major | BT1124149 | Increase the configuration for the PCCD Max Blob size from 4GB to 8GB | 17.1.0, 16.1.4, 15.1.9 |
1121521-2 | 3-Major | BT1121521 | Libssh upgrade from v0.7.7 to v0.9.6 | 17.1.0, 16.1.4, 15.1.8 |
1112781 | 3-Major | BT1112781 | DNS query drops on Virtual Edition platform if the packet size is above 1500 for NAPTR record. | 17.1.1, 16.1.4, 15.1.9 |
1078625 | 3-Major | BT1078625 | TMM crashes during DoS processing | 17.1.1, 16.1.4 |
1070033-2 | 3-Major | BT1070033 | Virtual server may not fully enter hardware SYN Cookie mode. | 17.0.0, 16.1.4, 14.1.4.6 |
1020061-3 | 3-Major | BT1020061 | Nested address lists can increase configuration load time | 17.0.0, 16.1.4, 15.1.9 |
760355-4 | 4-Minor | BT760355 | Firewall rule to block ICMP/DHCP from 'required' to 'default'★ | 16.1.4, 15.1.9, 15.0.1.1, 14.1.2.1 |
1215401-1 | 4-Minor | BT1215401 | Under Shared Objects, some country names are not available to select in the Address List | 16.1.4, 15.1.9 |
1211021-4 | 4-Minor | BT1211021 | Enforcement does not happen for entries in new and modified IPI feed lists due to lock issues | 17.1.0, 16.1.4, 15.1.10 |
1069265-3 | 4-Minor | BT1069265 | New connections or packets from the same source IP and source port can cause unnecessary port block allocations. | 17.1.1, 16.1.4, 15.1.10 |
1003377-3 | 4-Minor | BT1003377 | Disabling DoS TCP SYN-ACK does not clear suspicious event count option | 16.1.4, 15.1.9 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1159397-1 | 1-Blocking | BT1159397 | The high utilization of memory when blade turns offline results in core | 17.1.0, 16.1.4, 15.1.9 |
1186925-4 | 2-Critical | BT1186925 | When FUA in CCA-i, PEM does not send CCR-u for other rating-groups | 17.1.1, 16.1.4, 15.1.9 |
1095989-1 | 2-Critical | BT1095989 | PEM behaviour on receiving CCA with result code: 4012 and FUA on the Gy interface | 17.1.0, 16.1.4 |
829653-1 | 3-Major | BT829653 | Memory leak due to session context not freed | 17.0.0, 16.1.4 |
1259489-3 | 3-Major | BT1259489 | PEM subsystem memory leak is observed when using PEM::subscriber information | 17.1.1, 16.1.4, 15.1.10 |
1238249-1 | 3-Major | BT1238249 | PEM Report Usage Flow log is inaccurate | 17.1.1, 16.1.4, 15.1.10 |
1226121-2 | 3-Major | BT1226121 | TMM crashes when using PEM logging enabled on session | 17.1.1, 16.1.4, 15.1.9 |
1207381-3 | 3-Major | BT1207381 | PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored | 17.1.1, 16.1.4, 15.1.9 |
1190353-3 | 3-Major | BT1190353 | The wr_urldbd BrightCloud database downloading from a proxy server is not working | 17.1.1, 16.1.4, 15.1.10 |
1174085-1 | 3-Major | BT1174085 | Spmdb_session_hash_entry_delete releases the hash's reference | 17.1.1, 16.1.4, 15.1.9 |
1174033-2 | 3-Major | BT1174033 | The UPDATE EVENT is triggered with faulty session_info and resulting in core | 17.1.0, 16.1.4, 15.1.9 |
1108681-4 | 3-Major | BT1108681 | PEM queries with filters return error message when a blade is offline | 17.1.0, 16.1.4, 15.1.9 |
1093357-4 | 3-Major | BT1093357 | PEM intra-session mirroring can lead to a crash | 17.1.1, 16.1.4, 15.1.10 |
1089829-3 | 3-Major | BT1089829 | PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers | 17.1.0, 16.1.4, 15.1.9 |
1020041-3 | 3-Major | BT1020041 | "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs | 17.1.1, 16.1.4, 15.1.10 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1016045-4 | 4-Minor | BT1016045 | OOPS logging may appear while active ftp if the port command forces a cmp_redirection and a quit follows. | 16.1.4, 15.1.9 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1211297-3 | 2-Critical | BT1211297 | Handling DoS profiles created dynamically using iRule and L7Policy | 17.1.1, 16.1.4, 15.1.9 |
1060057-2 | 3-Major | BT1060057 | Enable or Disable APM dynamically with Bados generates APM error | 17.1.0, 16.1.4, 15.1.9 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1161965-3 | 3-Major | BT1161965 | File descriptor(fd) and shared memory leak in wr_urldbd | 17.1.0, 16.1.4, 15.1.9 |
974205-5 | 4-Minor | BT974205 | Unconstrained wr_urldbd size causing box to OOM | 17.1.0, 16.1.4, 15.1.4, 14.1.4.4, 12.1.6 |
1168137-3 | 4-Minor | BT1168137 | PEM Classification Auto-Update for month is working as hourly | 17.1.0, 16.1.4, 15.1.9 |
1167889 | 4-Minor | BT1167889 | PEM classification signature scheduled updates do not complete | 17.1.0, 16.1.4, 15.1.9 |
1117297-1 | 4-Minor | BT1117297 | Wr_urldbd continuously crashes and restarts★ | 17.1.0, 16.1.4, 15.1.9 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
954001-7 | 3-Major | REST File Upload hardening | 17.1.1, 16.1.4, 15.1.10 | |
1196477-3 | 3-Major | BT1196477 | Request timeout in restnoded | 17.1.1, 16.1.4, 15.1.9 |
1049237-1 | 4-Minor | BT1049237 | Restjavad may fail to cleanup ucs file handles even with ID767613 fix | 17.1.1, 16.1.4, 15.1.10 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
889605-2 | 3-Major | BT889605 | iApp with Bot profile is unavailable if application folder includes a subpath | 17.1.0, 16.1.4, 15.1.9 |
1004697-3 | 3-Major | BT1004697 | Saving UCS files can fail if /var runs out of space | 16.1.4, 15.1.10 |
1093933-3 | 4-Minor | CVE-2020-7774 nodejs-y18n prototype pollution vulnerability | 17.1.1, 16.1.4, 15.1.9 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1122205-1 | 3-Major | BT1122205 | The 'action' value changes when loading protocol-inspection profile config | 17.1.1, 16.1.4, 15.1.10 |
1098837-1 | 4-Minor | BT1098837 | Configuration failure due to the DB validation exception happening in the ips_inspection_sig and ips_inspection_compl tables | 17.1.0, 16.1.4, 15.1.9 |
1135073-3 | 5-Cosmetic | BT1135073 | IPS signature update webUI warning message "An active subscription is required to access certain inspections" is always enabled | 17.1.0, 16.1.4, 15.1.9 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1107549-2 | 2-Critical | BT1107549 | In-TMM TCP monitor memory leak | 17.1.0, 16.1.4, 15.1.8 |
1110241-2 | 3-Major | BT1110241 | in-tmm http(s) monitor accumulates unchecked memory | 17.1.0, 16.1.4, 15.1.9 |
1046917-4 | 3-Major | BT1046917 | In-TMM monitors do not work after TMM crashes | 17.1.0, 16.1.4, 15.1.8 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
922737-1 | 2-Critical | BT922737 | TMM crashes with a sigsegv while passing traffic | 17.1.0, 16.1.4, 15.1.10 |
1104037-2 | 2-Critical | BT1104037 | Tmm crash after changing "connection.vlankeyed" to disabled on system with L2 wire | 17.1.0, 16.1.4, 15.1.10 |
1289365-1 | 3-Major | BT1289365 | The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode★ | 17.1.1, 16.1.4, 15.1.10 |
1095145-3 | 4-Minor | BT1095145 | Virtual server responding with ICMP unreachable after using /Common/service | 17.1.0, 16.1.4 |
Cumulative fixes from BIG-IP v16.1.3.5 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1285173-3 | CVE-2023-38138 | K000133474, BT1285173 | Improper query string handling on undisclosed pages | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
1265425-2 | CVE-2023-38423 | K000134535, BT1265425 | Improper query string handling on undisclosed pages | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
1185421-4 | CVE-2023-38419 | K000133472, BT1185421 | iControl SOAP uncaught exception when handling certain payloads | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
Functional Change Fixes
None
Cumulative fixes from BIG-IP v16.1.3.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1223369-3 | CVE-2024-23982 | K000135946, BT1223369 | Classification of certain UDP traffic may cause crash | 17.1.1, 16.1.3.4, 15.1.10 |
1213305-3 | CVE-2023-27378 | K000132726, BT1213305 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1208989-3 | CVE-2023-27378 | K000132726, BT1208989 | Improper value handling in DOS Profile properties page | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1208001-1 | CVE-2023-22374 | K000130415, BT1208001 | iControl SOAP vulnerability CVE-2023-22374 | 17.1.1, 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1204961-4 | CVE-2023-27378 | K000132726, BT1204961 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1204793-4 | CVE-2023-27378 | K000132726, BT1204793 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1196033-2 | CVE-2023-27378 | K000132726, BT1196033 | Improper value handling in DataSafe UI | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1106989-3 | CVE-2023-29163 | K20145107, BT1106989 | Certain configuration settings may lead to memory accumulation | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1086293-4 | CVE-2023-22358 | K76964818, BT1086293 | Untrusted search path vulnerability in APM Windows Client installer processes | 17.1.0, 17.0.0.2, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1086289-4 | CVE-2023-22358 | K76964818, BT1086289 | BIG-IP Edge Client for Windows vulnerability CVE-2023-22358 | 17.1.0, 17.0.0.2, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1207661-4 | CVE-2023-28406 | K000132768, BT1207661 | Datasafe UI hardening | 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1096373-2 | CVE-2023-28742 | K000132972, BT1096373 | Unexpected parameter handling in BIG3d | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
Functional Change Fixes
None
Cumulative fixes from BIG-IP v16.1.3.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
982785-2 | CVE-2022-25946 | K52322100 | Guided Configuration hardening | 17.0.0, 16.1.3.3, 15.1.8, 14.1.5.3 |
890917-8 | CVE-2023-22323 | K56412001, BT890917 | Performance may be reduced while processing SSL traffic | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1143073-4 | CVE-2022-41622 | K94221585, BT1143073 | iControl SOAP vulnerability CVE-2022-41622 | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1107437-3 | CVE-2023-22839 | K37708118, BT1107437 | TMM may crash when enable-rapid-response is enabled on a DNS profile | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1106161-2 | CVE-2022-41800 | K13325942, BT1106161 | Securing iControlRest API for appliance mode | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1105389-4 | CVE-2023-23552 | K17542533, BT1105389 | Incorrect HTTP request handling may lead to resource leak | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3 |
1093821-4 | CVE-2023-22422 | K43881487, BT1093821 | TMM may behave unexpectedly while processing HTTP traffic | 17.1.0, 17.0.0.2, 16.1.3.3 |
1085077-4 | CVE-2023-22340 | K34525368, BT1085077 | TMM may crash while processing SIP-ALG traffic | 17.0.0, 16.1.3.3, 15.1.8, 14.1.5.3 |
1083225-2 | CVE-2023-22842 | K08182564, BT1083225 | TMM may crash while processing SIP traffic | 17.0.0, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1062569-1 | CVE-2023-22664 | K56676554, BT1062569 | HTTP/2 stream bottom filter leaks memory at teardown under certain conditions | 17.1.0, 17.0.0.2, 16.1.3.3 |
1032553-5 | CVE-2023-22281 | K46048342, BT1032553 | Core when virtual server with destination NATing receives multicast | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3 |
1112445-2 | CVE-2023-22302 | K58550078, BT1112445 | Fix to avoid zombie node on the chain | 17.1.0, 17.0.0.2, 16.1.3.3 |
1073005-2 | CVE-2023-22326 | K83284425, BT1073005 | iControl REST use of the dig command does not follow security best practices | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1065917-2 | CVE-2023-22418 | K95503300, BT1065917 | BIG-IP APM Virtual Server does not follow security best practices | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.7, 14.1.5.3 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1113385-4 | 3-Major | BT1113385 | Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
1103369-2 | 3-Major | BT1103369 | DELETE of REST Auth token does not result in deletion of the pamcache token file on a multi-slot VIPRION chassis, vCMP guest, or VELOS tenant | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1134085-2 | 2-Critical | BT1134085 | Intermittent TMM core when iRule is configured with SSL persistence | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1122473-4 | 2-Critical | BT1122473 | TMM panic while initializing URL DB | 17.1.0, 16.1.3.3, 15.1.9 |
1174873-3 | 3-Major | BT1174873 | Query string separators ? or / in MutiDomain or SAML use cases are incorrectly converted to "%3F" or "%2F" | 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3 |
Cumulative fixes from BIG-IP v16.1.3.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
982777-9 | CVE-2022-27230 | K21317311, BT982777 | APM hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
982769-12 | CVE-2022-27806 | K68647001, BT982769 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
982753-2 | CVE-2022-27806 | K68647001, BT982753 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
982745-5 | CVE-2022-27806 | K68647001, BT982745 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
963625-3 | CVE-2022-27806 | K68647001, BT963625 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
959153-3 | CVE-2022-27806 | K68647001, BT959153 | Appliance mode hardening | 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3 |
1106289-2 | CVE-2022-41624 | K43024307, BT1106289 | TMM may leak memory when processing sideband connections. | 17.1.0, 17.0.0.1, 16.1.3.2, 15.1.7, 14.1.5.2, 13.1.5.1 |
1068821 | CVE-2022-41806 | K00721320, BT1068821 | TMM may crash when processing AFM NAT64 policy | 16.1.3.2 |
1004881-5 | CVE-2015-9251,CVE-2016-7103,CVE-2017-18214,CVE-2018-16487,CVE-2018-3721,CVE-2019-1010266,CVE-2019-10744,CVE-2019-10768,CVE-2019-10768,CVE-2019-11358,CVE-2020-11022,CVE-2020-11023,CVE-2020-28168,CVE-2020-28500,CVE-2020-7676,CVE-2020-7676,CVE-2020-8203,CVE-2021-23337 | K12492858, BT1004881 | Update angular, jquery, moment, axios, and lodash libraries in AGC | 17.0.0, 16.1.3.2, 15.1.8 |
Functional Change Fixes
None
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1137037 | 2-Critical | BT1137037 | System boots into an inoperative state after installing engineering hotfix with FIPS 140-2/140-3 license in version 16.1.x★ | 16.1.3.2 |
Cumulative fixes from BIG-IP v16.1.3.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
972517-7 | CVE-2023-43746 | K41072952, BT972517 | Appliance mode hardening | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1104493-1 | CVE-2022-35272 | K90024104, BT1104493 | Client-side abort during server-side establishment may cause tmm to behave abnormally in HTTP MRF proxy | 17.1.0, 17.0.0.1, 16.1.3.1 |
1093621-2 | CVE-2022-41832 | K10347453 | Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1, 13.1.5.1 |
1085729-2 | CVE-2022-41836 | K47204506, BT1085729 | bd may crash while processing specific request | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1076397-1 | CVE-2022-35735 | K13213418, BT1076397 | TMSH hardening | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1073841-1 | CVE-2022-34862 | K66510514, BT1073841 | URI normalization does not function as expected | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1073357-2 | CVE-2022-34862 | K66510514, BT1073357 | TMM may crash while processing HTTP traffic | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1067505-4 | CVE-2022-34651 | K59197053, BT1067505 | TMM may crash while processing TLS traffic with HTTP::respond | 17.0.0, 16.1.3.1, 15.1.6.1 |
1066673-1 | CVE-2022-35728 | K55580033, BT1066673 | BIG-IP Configuration Utility(TMUI) does not follow best practices for managing active sessions | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1024029-2 | CVE-2022-35245 | K58235223, BT1024029 | TMM may crash when processing traffic with per-session APM Access Policy | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
919357-8 | CVE-2022-41770 | K22505850, BT919357 | iControl REST hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
881809-8 | CVE-2022-41983 | K31523465, BT881809 | Client SSL and Server SSL profile hardening | 17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1 |
740321-1 | CVE-2022-34851 | K50310001, BT740321 | iControl SOAP API does not follow current best practices | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1084013-4 | CVE-2022-36795 | K52494562, BT1084013 | TMM does not follow TCP best practices | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1081153-2 | CVE-2022-41813 | K93723284, BT1081153 | TMM may crash while processing administrative requests | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1073549-1 | CVE-2022-35735 | K13213418, BT1073549 | TMSH hardening | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1055925-1 | CVE-2022-34844 | K34511555, BT1055925 | TMM may crash while processing traffic on AWS | 17.0.0, 16.1.3.1, 15.1.6.1 |
1043281-6 | CVE-2021-3712 | K19559038, BT1043281 | OpenSSL vulnerability CVE-2021-3712 | 17.0.0, 16.1.3.1, 15.1.6.1 |
1006921-1 | CVE-2022-33962 | K80970653, BT1006921 | iRules Hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1063641-4 | CVE-2022-33968 | K23465404, BT1063641 | NTLM library hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1063637-4 | CVE-2022-33968 | K23465404, BT1063637 | NTLM library hardening | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1036057-1 | 3-Major | BT1036057 | Add support for line folding in multipart parser. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1025261-3 | 3-Major | BT1025261 | Restjavad uses more resident memory in control plane after software upgrade | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1071621-1 | 4-Minor | BT1071621 | Increase the number of supported traffic selectors | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1120433-2 | 1-Blocking | BT1120433 | Removed gtmd and big3d daemon from the FIPS-compliant list | 17.1.0, 16.1.3.1 |
989517-3 | 2-Critical | BT989517 | Acceleration section of virtual server page not available in DHD | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
957637-1 | 2-Critical | BT957637 | The pfmand daemon can crash when it starts. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
936501-1 | 2-Critical | BT936501 | Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled | 17.1.0, 16.1.3.1, 15.1.9 |
759928-6 | 2-Critical | BT759928 | Engineering Hotfixes might not contain all required packages | 17.0.0, 16.1.3.1, 15.1.7 |
1097193-2 | 2-Critical | K000134769, BT1097193 | Unable to SCP files using WinSCP or relative path name | 17.1.0, 16.1.3.1, 15.1.9 |
1076921-1 | 2-Critical | BT1076921 | The Hostname in BootMarker logs and /var/log/ltm logs that sourced from TMM were getting truncated. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1048853-1 | 2-Critical | BT1048853 | TMM memory leak of "IKE VBUF" | 17.0.0, 16.1.3.1, 15.1.7 |
1041865-4 | 2-Critical | K16392416, BT1041865 | Correctable machine check errors [mce] should be suppressed | 17.0.0, 16.1.3.1, 15.1.7 |
992121-4 | 3-Major | BT992121 | REST "/mgmt/tm/services" endpoint is not accessible | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
720610-4 | 3-Major | BT720610 | Automatic Update Check logs false 'Update Server unavailable' message on every run | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.2.7, 13.1.3 |
1123149 | 3-Major | BT1123149 | Sys-icheck fail for /etc/security/opasswd | 17.1.0, 16.1.3.1 |
1120685 | 3-Major | BT1120685 | Unable to update the password in the CLI when password-memory is set to > 0 | 17.1.0, 16.1.3.1 |
1091345-2 | 3-Major | BT1091345 | The /root/.bash_history file is not carried forward by default during installations. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1087621-1 | 3-Major | BT1087621 | IKEv2: IPsec CREATE_CHILD_SA (IKE) fails due to bad ECP payload | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
1048137-2 | 3-Major | BT1048137 | IPsec IKEv1 intermittent but consistent tunnel setup failures | 17.0.0, 16.1.3.1, 15.1.9 |
1042737-4 | 3-Major | BT1042737 | BGP sending malformed update missing Tot-attr-len of '0. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1024661-3 | 3-Major | BT1024661 | SCTP forwarding flows based on VTAG for bigproto | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
756918-4 | 4-Minor | BT756918 | Engineering Hotfix ISOs may be nearly as large as full Release ISOs | 17.0.0, 16.1.3.1, 15.1.7 |
1090569-1 | 4-Minor | BT1090569 | After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
1080317-3 | 4-Minor | BT1080317 | Hostname is getting truncated on some logs that are sourced from TMM | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1067105-2 | 4-Minor | BT1067105 | Racoon logging shows incorrect SA length. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
944381-2 | 2-Critical | BT944381 | Dynamic CRL checking for client certificate is not working when TLS1.3 is used. | 17.0.0, 16.1.3.1, 15.1.6.1 |
780857-4 | 2-Critical | BT780857 | HA failover network disruption when cluster management IP is not in the list of unicast addresses | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1113549-3 | 2-Critical | BT1113549 | System boots into an inoperative state after installing engineering hotfix with FIPS140-2/140-3 License★ | 17.1.0, 16.1.3.1 |
1110205-2 | 2-Critical | BT1110205 | SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown | 17.1.0, 16.1.3.1, 15.1.9 |
1087469-2 | 2-Critical | BT1087469 | iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate. | 17.1.0, 16.1.3.1, 15.1.6.1 |
1087217-2 | 2-Critical | BT1087217 | TMM crash as part of the fix made for ID912209 | 17.1.0, 16.1.3.1 |
1086677-4 | 2-Critical | BT1086677 | TMM Crashes in xvprintf() because of NULL Flow Key | 17.0.0, 16.1.3.1, 15.1.7 |
1080581-1 | 2-Critical | BT1080581 | Virtual server creation is not allowed to have TCP, UDP and HTTP together with Client or Server SSL Profiles.★ | 17.0.0, 16.1.3.1, 15.1.5.1 |
1074517-1 | 2-Critical | BT1074517 | Tmm may core while adding/modifying traffic-class attached to a virtual server | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1073609-4 | 2-Critical | BT1073609 | Tmm may core while using reject iRule command in LB_SELECTED event. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1020645 | 2-Critical | BT1020645 | When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered | 17.1.0, 16.1.3.1, 15.1.4.1 |
999881-6 | 3-Major | BT999881 | Tcl command 'string first' not working if payload contains Unicode characters. | 17.0.0, 16.1.3.1, 15.1.7 |
948985-3 | 3-Major | BT948985 | Workaround to address Nitrox 3 compression engine hang | 17.0.0, 16.1.3.1, 15.1.6.1 |
922413-8 | 3-Major | BT922413 | Excessive memory consumption with ntlmconnpool configured | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
748886-4 | 3-Major | BT748886 | Virtual server stops passing traffic after modification | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1109833-1 | 3-Major | BT1109833 | HTTP2 monitors not sending request | 17.1.0, 16.1.3.1 |
1091761-1 | 3-Major | BT1091761 | Mqtt_message memory leaks when iRules are used | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1082225-4 | 3-Major | BT1082225 | Tmm may core while Adding/modifying traffic-class attached to a virtual server. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1070789 | 3-Major | BT1070789 | SSL fwd proxy invalidating certificate even through bundle has valid CA | 17.1.0, 16.1.3.1 |
1068445-1 | 3-Major | BT1068445 | TCP duplicate acks are observed in speed tests for larger requests | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1060989 | 3-Major | BT1060989 | Improper handling of HTTP::collect | 17.1.0, 16.1.3.1 |
1053149-1 | 3-Major | BT1053149 | A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1043805-3 | 3-Major | BT1043805 | ICMP traffic over NAT does not work properly. | 17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1 |
1036169-4 | 3-Major | BT1036169 | VCMPD rsync server max connection limit: guest "Exit flags for PID 17299: 0x500". | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1022453-4 | 3-Major | BT1022453 | IPv6 fragments are dropped when packet filtering is enabled. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1006157-3 | 3-Major | BT1006157 | FQDN nodes not repopulated immediately after 'load sys config' | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
987885-6 | 4-Minor | BT987885 | Half-open unclean SSL termination might not close the connection properly | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1104073-2 | 4-Minor | BT1104073 | Use of iRules command whereis with "isp" or "org" options may cause TCL object leak. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1077701-1 | 2-Critical | BT1077701 | GTM "require M from N" monitor rules do not report when the number of "up" responses change | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
984749-1 | 3-Major | BT984749 | Discrepancy between DNS cache statistics "Client Summary" and "Client Cache." | 17.0.0, 16.1.3.1, 15.1.7 |
1091249-2 | 3-Major | BT1091249 | BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1078669-2 | 3-Major | BT1078669 | iRule command “RESOLVER::name_lookup” returns null for TCP resolver with TC (truncated) flag set. | 17.0.0, 16.1.3.1, 15.1.7 |
1071301-1 | 3-Major | BT1071301 | GTM server does not get updated even when the virtual server status changes. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1071233-1 | 3-Major | BT1071233 | GTM Pool Members may not be updated accurately when multiple identical database monitors are configured | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
950069-1 | 4-Minor | BT950069 | Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record" | 17.0.0, 16.1.3.1, 15.1.6.1 |
1084673-2 | 4-Minor | BT1084673 | GTM Monitor "require M from N" status change log message does not print pool name | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1048685-4 | 2-Critical | BT1048685 | Rare TMM crash when using Bot Defense Challenge | 17.0.0, 16.1.3.1, 15.1.7 |
1015881-4 | 2-Critical | BT1015881 | TMM might crash after configuration failure | 17.1.0, 16.1.3.1, 15.1.7 |
886533-5 | 3-Major | BT886533 | Icap server connection adjustments | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1083913-2 | 3-Major | BT1083913 | Missing error check in ICAP handling | 17.1.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1082461-2 | 3-Major | BT1082461 | The enforcer cores during a call to 'ASM::raise' from an active iRule | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1 |
1078765-1 | 3-Major | BT1078765 | Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1062493-1 | 3-Major | BT1062493 | BD crash close to it's startup | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1056957-1 | 3-Major | BT1056957 | An attack signature can be bypassed under some scenarios. | 17.1.0, 17.0.0.1, 16.1.3.1 |
1036305-5 | 3-Major | BT1036305 | "Mandatory request body is missing" violation in staging but request is unexpectedly blocked | 17.0.0, 16.1.3.1, 15.1.6.1 |
1030133-2 | 3-Major | BT1030133 | BD core on XML out of memory | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1014973-5 | 3-Major | BT1014973 | ASM changed cookie value. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
948241-4 | 4-Minor | BT948241 | Count Stateful anomalies based only on Device ID | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
947333-2 | 4-Minor | BT947333 | Irrelevant content profile diffs in Policy Diff | 17.1.0, 17.0.0.1, 16.1.3.1 |
1079721 | 4-Minor | BT1079721 | OWASP 2017 A2 Category - Login enforcement link is broken | 16.1.3.1 |
1073625-2 | 4-Minor | BT1073625 | Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1058297-2 | 4-Minor | BT1058297 | Policy history values for 'max Size Of Saved Versions' and for 'min Retained Files In Dir' is reset during upgrade★ | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
1046317-2 | 4-Minor | BT1046317 | Violation details are not populated with staged URLs for some violation types | 17.0.0, 16.1.3.1, 15.1.6.1 |
1040513-5 | 4-Minor | BT1040513 | The counter for "FTP commands" is always 0. | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1014573-1 | 4-Minor | BT1014573 | Several large arrays/objects in JSON payload may core the enforcer | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1029689-2 | 5-Cosmetic | BT1029689 | Incosnsitent username "SYSTEM" in Audit Log | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
926341-5 | 3-Major | BT926341 | RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade★ | 17.0.0, 16.1.3.1, 15.1.4, 14.1.4.4, 13.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
987341-1 | 2-Critical | BT987341 | BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers. | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5 |
1071485-3 | 3-Major | BT1071485 | For IP based bypass, Response Analytics sends RST. | 17.0.0, 16.1.3.1, 15.1.10 |
1063345-5 | 3-Major | BT1063345 | Urldbmgrd may crash while downloading the database. | 17.0.0, 16.1.3.1, 15.1.9 |
1043217-1 | 3-Major | BT1043217 | NTLM frontend auth fails with the latest Microsoft RDP client on MacOS 14.0.1 platform | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
1039725-1 | 3-Major | BT1039725 | Reverse proxy traffic fails when a per-request policy is attached to a virtual server. | 17.0.0, 16.1.3.1, 15.1.9 |
1024437-6 | 3-Major | BT1024437 | Urldb index building fails to open index temp file | 17.0.0, 16.1.3.1, 15.1.9 |
1022493-4 | 3-Major | BT1022493 | Slow file descriptor leak in urldbmgrd (sockets open over time) | 17.0.0, 16.1.3.1, 15.1.10 |
1010597-1 | 3-Major | BT1010597 | Traffic disruption when virtual server is assigned to a non-default route domain★ | 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
921441-4 | 3-Major | BT921441 | MR_INGRESS iRules that change diameter messages corrupt diam_msg | 17.0.0, 16.1.3.1, 15.1.7 |
1103233-2 | 4-Minor | BT1103233 | Diameter in-tmm monitor is logging disconnect events unnecessarily | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
977153-3 | 3-Major | BT977153 | Packet with routing header IPv6 as next header in IP layer fails to be forwarded | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1091565-1 | 2-Critical | BT1091565 | Gy CCR AVP:Requested-Service-Unit is misformatted/NULL | 17.1.0, 16.1.3.1, 15.1.9 |
1090649-3 | 3-Major | BT1090649 | PEM errors when configuring IPv6 flow filter via GUI | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1 |
1084993 | 3-Major | BT1084993 | [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
911585-5 | 4-Minor | BT911585 | PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
815901-2 | 4-Minor | BT815901 | Add rule to the disabled pem policy is not allowed | 17.0.0, 16.1.3.1, 15.1.7 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
832133-7 | 3-Major | BT832133 | In-TMM monitors fail to match certain binary data in the response from the server | 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1050273-1 | 3-Major | BT1050273 | ERR_BOUNDS errors observed with HTTP service in SSL Orchestrator. | 17.0.0, 16.1.3.1, 15.1.5 |
Cumulative fixes from BIG-IP v16.1.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
996233-1 | CVE-2022-33947 | K38893457, BT996233 | Tomcat may crash while processing TMUI requests | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
972489-7 | CVE-2022-35243 | K11010341, BT972489 | BIG-IP Appliance Mode iControl hardening | 17.0.0, 16.1.3, 15.1.5.1, 14.1.5 |
1079505-4 | CVE-2022-33203 | K52534925, BT1079505 | TMM may consume excessive resources while processing SSL Orchestrator traffic | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
1081201-1 | CVE-2022-41694 | K64829234, BT1081201 | MCPD certification import hardening | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1078821-1 | 2-Critical | BT1078821 | Upgrade tomcat with OpenJDK 1.7 32bit to OpenJDK 1.8 32bit | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
1036285-1 | 3-Major | BT1036285 | Enforce password expiry after local user creation | 17.0.0, 16.1.3 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
947905-4 | 1-Blocking | BT947905 | Upgrade from 13.1.4, 14.1.4, or 15.1.1 to 14.0.x, 15.0.x, 16.0.0 or 16.0.0.1 fails★ | 16.1.3, 16.0.1 |
1101705-2 | 1-Blocking | BT1101705 | RSA-KEX ciphers list are removed from httpd configuration in FIPS mode since these are non-approved ciphers for FIPS 140-3 certification | 17.1.0, 17.0.0.1, 16.1.3 |
1083977-1 | 1-Blocking | BT1083977 | MCPD crashes when changing HTTPD configuration, all secondary blades of clustered system remain offline★ | 17.0.0, 16.1.3 |
943109-4 | 2-Critical | BT943109 | Mcpd crash when bulk deleting Bot Defense profiles | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
940225-4 | 2-Critical | BT940225 | Not able to add more than 6 NICs on VE running in Azure | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
1108181-2 | 2-Critical | BT1108181 | iControl REST call with token fails with 401 Unauthorized | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
1079817-1 | 2-Critical | BT1079817 | Java null pointer exception when saving UCS with iAppsLX installed★ | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1 |
950149 | 3-Major | BT950149 | Add configuration to ccmode for compliance with the Common Criteria STIP PPM. | 17.0.0, 16.1.3 |
896941 | 3-Major | BT896941 | Common Criteria ccmode script updated | 17.0.0, 16.1.3 |
886649-5 | 3-Major | BT886649 | Connections stall when dynamic BWC policy is changed via GUI and TMSH | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1 |
724653-5 | 3-Major | BT724653 | In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync. | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
1106325 | 3-Major | BT1106325 | Upgrade from BIG-IP 16.1.3 to BIG-IP 17.0 does not work when FIPS mode is enabled★ | 16.1.3 |
1089849 | 3-Major | BT1089849 | NIST SP800-90B compliance | 17.1.0, 17.0.0.1, 16.1.3 |
1064357-1 | 3-Major | BT1064357 | execute_post_install: EPSEC: Installation of EPSEC package failed | 17.0.0, 16.1.3, 15.1.7 |
1061481-1 | 3-Major | BT1061481 | Denied strings were found in the /var/log/ folder after an update or reboot | 17.1.0, 17.0.0.1, 16.1.3 |
1004833 | 3-Major | BT1004833 | NIST SP800-90B compliance | 17.0.0, 16.1.3, 15.1.4, 14.1.4.2 |
1100609 | 4-Minor | BT1100609 | Length Mismatch in DNS/DHCP IPv6 address in logs and pcap | 17.1.0, 16.1.3 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1071689-1 | 2-Critical | BT1071689 | SSL connection not immediately closed with HTTP2 connection and lingers until idle timeout | 17.0.0, 16.1.3 |
987077-3 | 3-Major | BT987077 | TLS1.3 with client authentication handshake failure | 17.0.0, 16.1.3, 15.1.5.1, 14.1.4.6 |
945357 | 3-Major | BT945357 | BIG-IP must be able to set CA=True when creating Certificate Signing Requests from TMSH. | 17.0.0, 16.1.3 |
934697-5 | 3-Major | BT934697 | Route domain is not reachable (strict mode) | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
1082505 | 3-Major | BT1082505 | TLS ciphersuites including RSA-KEX are non-approved ciphers for FIPS 140-3 certification | 17.1.0, 17.0.0.1, 16.1.3 |
1063977-3 | 3-Major | BT1063977 | Tmsh load sys config merge fails with "basic_string::substr" for non-existing key. | 17.1.0, 16.1.3 |
1071269 | 4-Minor | BT1071269 | SSL C3D enhancements introduced in BIG-IP version 16.1.3 will not be available in 17.0.0.★ | 16.1.3 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1084173-1 | 3-Major | BT1084173 | Unable to specify "no caching desired" for ephemeral DNS resolvers (i.e. RESOLV::lookup). | 17.0.0, 16.1.3, 15.1.6.1 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1070833-2 | 3-Major | BT1070833 | False positives on FileUpload parameters due to default signature scanning | 17.1.0, 16.1.3, 15.1.6.1 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
849029-7 | 3-Major | BT849029 | No configurable setting for maximum entries in CRLDP cache | 17.0.0, 16.1.3, 15.1.6.1, 14.1.4.4 |
1097821-2 | 3-Major | BT1097821 | Unable to create apm policy customization image using tmsh or VPE in the configuration utility command when source-path is specified | 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5 |
1053309-1 | 3-Major | BT1053309 | Localdbmgr leaks memory while syncing data to sessiondb and mysql. | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
945853-4 | 2-Critical | BT945853 | Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession | 16.1.3, 15.1.3 |
990461-5 | 3-Major | BT990461 | Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★ | 17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4 |
1079637-1 | 3-Major | BT1079637 | Incorrect Neuron rule order | 17.0.0, 16.1.3, 15.1.5.1 |
1012581-1 | 3-Major | BT1012581 | Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1094177-4 | 1-Blocking | BT1094177 | Analytics iApp installation fails | 17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1 |
1023721 | 3-Major | BT1023721 | iapp_restricted_key not available on fresh installation and overwrites the peer device's master key during config sync | 17.0.0, 16.1.3 |
1004665 | 3-Major | BT1004665 | Secure iAppsLX Restricted Storage issues. | 17.0.0, 16.1.3 |
Cumulative fixes from BIG-IP v16.1.2.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
965853-6 | CVE-2022-28695 | K08510472, BT965853 | IM package file hardening★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
964489-7 | CVE-2022-28695 | K08510472, BT964489 | Protocol Inspection IM package hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1051561-7 | CVE-2022-1388 | K23605346, BT1051561 | BIG-IP iControl REST vulnerability CVE-2022-1388 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
993981-3 | CVE-2022-28705 | K52340447, BT993981 | TMM may crash when ePVA is enabled | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
982697-7 | CVE-2022-26071 | K41440465, BT982697 | ICMP hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
951257-5 | CVE-2022-26130 | K82034427, BT951257 | FTP active data channels are not established | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
946325-7 | CVE-2022-28716 | K25451853, BT946325 | PEM subscriber GUI hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
830361-9 | CVE-2012-6711 | K05122252, BT830361 | CVE-2012-6711 Bash Vulnerability | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1087201-6 | CVE-2022-0778 | K31323265, BT1087201 | OpenSSL Vulnerability: CVE-2022-0778 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1078721-1 | CVE-2022-27189 | K16187341, BT1078721 | TMM may consume excessive resources while processing ICAP traffic | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1078053-1 | CVE-2022-28701 | K99123750, BT1078053 | TMM may consume excessive resources while processing STREAM traffic | 17.0.0, 16.1.2.2 |
1071593-4 | CVE-2022-32455 | K16852653, BT1071593 | TMM may crash while processing TLS traffic | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1069629-4 | CVE-2022-32455 | K16852653, BT1069629 | TMM may crash while processing TLS traffic | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1067993-4 | CVE-2022-28714 | K54460845, BT1067993 | APM Windows Client installer hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1059185-1 | CVE-2022-26415 | K81952114, BT1059185 | iControl REST Hardening | 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1057801-6 | CVE-2022-28707 | K70300233, BT1057801 | TMUI does not follow current best practices | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1056933-3 | CVE-2022-26370 | K51539421, BT1056933 | TMM may crash while processing SIP traffic | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
1055737-1 | CVE-2022-35236 | K79933541, BT1055737 | TMM may consume excessive resources while processing HTTP/2 traffic | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1051797 | CVE-2018-18281 | K36462841, BT1051797 | Linux kernel vulnerability: CVE-2018-18281 | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1047053-3 | CVE-2022-28691 | K37155600, BT1047053 | TMM may consume excessive resources while processing RTSP traffic | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5 |
1032513-3 | CVE-2022-35240 | K28405643, BT1032513 | TMM may consume excessive resources while processing MRF traffic | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1002565-1 | CVE-2021-23840 | K24624116, BT1002565 | OpenSSL vulnerability CVE-2021-23840 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
992073-2 | CVE-2022-27181 | K93543114, BT992073 | APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
982757-3 | CVE-2022-26835 | K53197140 | APM Access Guided Configuration hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
982341-7 | CVE-2022-26835 | K53197140, BT982341 | iControl REST endpoint hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
915981-4 | CVE-2022-26340 | K38271531, BT915981 | BIG-IP SCP hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
823877-7 | CVE-2019-10098 CVE-2020-1927 |
K25126370, BT823877 | CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
1071365-5 | CVE-2022-29474 | K59904248, BT1071365 | iControl SOAP WSDL hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1066729-1 | CVE-2022-28708 | K85054496, BT1066729 | TMM may crash while processing DNS traffic | 17.0.0, 16.1.2.2, 15.1.5.1 |
1057809-6 | CVE-2022-27659 | K41877405, BT1057809 | Saved dashboard hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1047089-2 | CVE-2022-29491 | K14229426, BT1047089 | TMM may terminate while processing TLS/DTLS traffic | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
1001937-1 | CVE-2022-27634 | K57555833, BT1001937 | APM configuration hardening | 17.0.0, 16.1.2.2, 15.1.5.1 |
1000021-7 | CVE-2022-27182 | K31856317, BT1000021 | TMM may consume excessive resources while processing packet filters | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
1020609-7 | CVE-2022-23032 | K30525503, BT1020609 | BIG-IP APM Edge Client proxy vulnerability CVE-2022-23032 | 16.1.2.2 |
713754-3 | CVE-2017-15715 | K27757011 | Apache vulnerability: CVE-2017-15715 | 16.1.2.2, 15.1.5.1, 14.1.4.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
435231 | 2-Critical | K79342815, BT435231 | Support RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral parameters | 17.0.0, 16.1.2.2 |
1050537-1 | 2-Critical | BT1050537 | GTM pool member with none monitor will be part of load balancing decisions. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
882709-6 | 3-Major | BT882709 | Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors★ | 17.0.0, 16.1.2.2, 15.1.6.1 |
874941-4 | 3-Major | BT874941 | HTTP authentication in the access policy times out after 60 seconds | 16.1.2.2, 15.1.6.1, 14.1.5 |
669046-7 | 3-Major | BT669046 | Handling large replies to MCP audit_request messages | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1046669-1 | 3-Major | BT1046669 | The audit forwarders may prematurely time out waiting for TACACS responses | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1033837-1 | 4-Minor | K23605346, BT1033837 | REST authentication tokens persist on reboot★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1070009 | 1-Blocking | BT1070009 | iprepd, icr_eventd and tmipsecd restarts continuously after installing FIPS 140-3 license in BIG-IP cloud platform | 17.0.0, 16.1.2.2 |
976669-5 | 2-Critical | BT976669 | FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade | 17.0.0, 16.1.2.2, 16.1.0, 15.1.5.1, 14.1.4.6 |
935177-3 | 2-Critical | BT935177 | IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm | 17.0.0, 16.1.2.2, 15.1.6.1 |
1059165-1 | 2-Critical | BT1059165 | Multiple virtual server pages fail to load. | 17.0.0, 16.1.2.2 |
1048141-3 | 2-Critical | BT1048141 | Sorting pool members by 'Member' causes 'General database error' | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1047213-1 | 2-Critical | BT1047213 | VPN Client to Client communication fails when clients are connected to different TMMs. | 17.0.0, 16.1.2.2 |
1007901-1 | 2-Critical | BT1007901 | Support for FIPS 140-3 Module identifier service. | 17.0.0, 16.1.2.2 |
999125-1 | 3-Major | BT999125 | After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
992865-3 | 3-Major | BT992865 | Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances | 17.1.0, 16.1.2.2, 15.1.4 |
988165-3 | 3-Major | BT988165 | VMware CPU reservation is now enforced. | 17.0.0, 16.1.2.2, 15.1.5.1 |
984585-3 | 3-Major | BT984585 | IP Reputation option not shown in GUI. | 17.0.0, 16.1.2.2, 15.1.5.1 |
963541-1 | 3-Major | BT963541 | Net-snmp5.8 crash | 17.0.0, 16.1.2.2, 15.1.5.1 |
959985-3 | 3-Major | BT959985 | Update VMware hardware version templates for BIG-IP Virtual Edition (VE) from v10 to v13 in order to support VMs deployed in more versions of vSphere ESXi. | 17.0.0, 16.1.2.2, 15.1.6.1 |
943669-4 | 3-Major | BT943669 | B4450 blade reboot | 16.1.2.2, 15.1.2 |
943577-1 | 3-Major | BT943577 | Full sync failure for traffic-matching-criteria with port list under certain conditions | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
912253-2 | 3-Major | BT912253 | Non-admin users cannot run show running-config or list sys | 17.0.0, 16.1.2.2, 15.1.5.1 |
907549-6 | 3-Major | BT907549 | Memory leak in BWC::Measure | 17.0.0, 16.1.2.2, 15.1.0.5, 14.1.5 |
901669-6 | 3-Major | BT901669 | Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
755976-9 | 3-Major | BT755976 | ZebOS might miss kernel routes after mcpd deamon restart | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1083537 | 3-Major | BT1083537 | FIPS 140-3 Certification | 17.1.0, 17.0.0.1, 16.1.2.2 |
1076377-3 | 3-Major | BT1076377 | OSPF path calculation for IA and E routes is incorrect. | 17.0.0, 16.1.2.2, 15.1.9 |
1074113-1 | 3-Major | BT1074113 | IPsec IKEv2: Selectors incorrectly marked up after disable ike-peer | 17.0.0, 16.1.2.2 |
1071609-2 | 3-Major | BT1071609 | IPsec IKEv1: Log Key Exchange payload in racoon.log. | 17.0.0, 16.1.2.2, 15.1.6.1 |
1066285-4 | 3-Major | BT1066285 | Master Key decrypt failure - decrypt failure. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1065585-1 | 3-Major | BT1065585 | System does not halt on on FIPS/entropy error threshold for BIG-IP Virtual Edition | 17.0.0, 16.1.2.2 |
1064461-4 | 3-Major | BT1064461 | PIM-SM will not complete RP registration over tunnel interface when floating IP address is used. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1060625-1 | 3-Major | BT1060625 | Wrong INTERNAL_IP6_DNS length. | 17.1.0, 17.0.0, 16.1.2.2 |
1060149-2 | 3-Major | BT1060149 | BIG-IP vCMP guest data-plane failure with turboflex-adc selected on the host. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1059853 | 3-Major | BT1059853 | Long loading configuration time after upgrade from 15.1.3.1 to 16.1.2.★ | 17.0.0, 16.1.2.2 |
1056993-2 | 3-Major | BT1056993 | 404 error is raised on GUI when clicking "App IQ." | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1056741-2 | 3-Major | BT1056741 | ECDSA certificates signed by RSA CA are not selected based by SNI. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1052893-4 | 3-Major | BT1052893 | Configuration option to delay reboot if dataplane becomes inoperable | 17.1.1, 16.1.2.2 |
1048541-1 | 3-Major | BT1048541 | Certificate Order Manager: renew requests to the Comodo (now Sectigo) CA are unsuccessful. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1047169-1 | 3-Major | BT1047169 | GTM AAAA pool can be deleted from the configuration despite being in use by an iRule. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1022637-1 | 3-Major | BT1022637 | A partition other than /Common may fail to save the configuration to disk | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5 |
1020789-4 | 3-Major | BT1020789 | Cannot deploy a four-core vCMP guest if the remaining cores are in use. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5 |
1019357-2 | 3-Major | BT1019357 | Active fails to resend ipsec ikev2_message_id_sync if no response received | 17.0.0, 16.1.2.2, 15.1.6.1 |
1008837-1 | 3-Major | BT1008837 | Control plane is sluggish when mcpd processes a query for virtual server and address statistics | 17.0.0, 16.1.2.2, 15.1.4, 14.1.4.4 |
1008269-1 | 3-Major | BT1008269 | Error: out of stack space | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
976337-2 | 4-Minor | BT976337 | i40evf Requested 4 queues, but PF only gave us 16. | 16.1.2.2, 15.1.5.1 |
742753-8 | 4-Minor | BT742753 | Accessing the BIG-IP system's WebUI via special proxy solutions may fail | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
528894-5 | 4-Minor | BT528894 | Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5 |
1072237-1 | 4-Minor | BT1072237 | Retrieval of policy action stats causes memory leak | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1067617-4 | 4-Minor | BT1067617 | BGP default route not advertised after mid-session OPEN. | 17.0.0, 16.1.2.2, 15.1.6.1 |
1062333-6 | 4-Minor | Linux kernel vulnerability: CVE-2019-19523 | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 | |
1061797-1 | 4-Minor | BT1061797 | Upgraded AWS CloudFormation Helper Scripts which now support IMDSv2 | 17.0.0, 16.1.2.2, 15.1.5.1 |
1058677-2 | 4-Minor | BT1058677 | Not all SCTP connections are mirrored on the standby device when auto-init is enabled. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1046693-4 | 4-Minor | BT1046693 | TMM with BFD confgured might crash under significant memory pressure | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1045549-4 | 4-Minor | BT1045549 | BFD sessions remain DOWN after graceful TMM restart | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1040821-4 | 4-Minor | BT1040821 | Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1034589-1 | 4-Minor | BT1034589 | No warning is given when a pool or trunk that was in use by an high availability (HA) Group is deleted from the configuration. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1034329-1 | 4-Minor | BT1034329 | SHA-512 checksums for BIG-IP Virtual Edition (VE) images available on downloads.f5.com | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1031425-3 | 4-Minor | BT1031425 | Provide a configuration flag to disable BGP peer-id check. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1030645-4 | 4-Minor | BT1030645 | BGP session resets during traffic-group failover | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1024621-4 | 4-Minor | BT1024621 | Re-establishing BFD session might take longer than expected. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1011217-5 | 4-Minor | BT1011217 | TurboFlex Profile setting reverts to turboflex-base after upgrade★ | 17.0.0, 16.1.2.2, 15.1.6.1 |
1002809-4 | 4-Minor | BT1002809 | OSPF vertex-threshold should be at least 100 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
968929-2 | 2-Critical | BT968929 | TMM may crash when resetting a connection on an APM virtual server | 17.0.0, 16.1.2.2 |
910213-7 | 2-Critical | BT910213 | LB::down iRule command is ineffective, and can lead to inconsistent pool member status | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1071449-4 | 2-Critical | BT1071449 | The statsd memory leak on platforms with license disabled processors. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1064617-1 | 2-Critical | BT1064617 | DBDaemon process may write to monitor log file indefinitely | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1059053-2 | 2-Critical | BT1059053 | Tmm crash when passing traffic over some configurations with L2 virtual wire | 17.0.0, 16.1.2.2, 15.1.5.1 |
1047581-3 | 2-Critical | BT1047581 | Ramcache can crash when serving files from the hot cache | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
999901-1 | 3-Major | K68816502, BT999901 | Certain LTM policies may not execute correctly after a system reboot or TMM restart. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
993517-1 | 3-Major | BT993517 | Loading an upgraded config can result in a file object error in some cases | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
977761 | 3-Major | BT977761 | Connections are dropped if a certificate is revoked. | 17.1.0, 16.1.2.2 |
967101-1 | 3-Major | BT967101 | When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
955617-8 | 3-Major | BT955617 | Cannot modify properties of a monitor that is already in use by a pool | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
953601-4 | 3-Major | BT953601 | HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
936441-7 | 3-Major | BT936441 | Nitrox5 SDK driver logging messages | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
912517-7 | 3-Major | BT912517 | Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
902377-4 | 3-Major | BT902377 | HTML profile forces re-chunk even though HTML::disable | 17.0.0, 16.1.2.2, 15.1.5.1 |
883049-9 | 3-Major | BT883049 | Statsd can deadlock with rrdshim if an rrd file is invalid | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
803109-4 | 3-Major | BT803109 | Certain configuration may result in zombie forwarding flows | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
794385-6 | 3-Major | BT794385 | BGP sessions may be reset after CMP state change | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
672963-1 | 3-Major | BT672963 | MSSQL monitor fails against databases using non-native charset | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1083989-1 | 3-Major | BT1083989 | TMM may restart if abort arrives during MBLB iRule execution | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1073973-1 | 3-Major | BT1073973 | Gateway HTTP/2, response payload intermittently not forwarded to client. | 17.0.0, 16.1.2.2 |
1072953-2 | 3-Major | BT1072953 | Memory leak in traffic management interface. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1071585-1 | 3-Major | BT1071585 | BIG-IP system does not respond to an arp from a SelfIP configured in virtual wire mode | 17.0.0, 16.1.2.2 |
1068561-1 | 3-Major | BT1068561 | Can't create key on the second netHSM partition. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1068353-1 | 3-Major | BT1068353 | Unexpected event sequence may cause HTTP/2 flow stall during shutdown | 16.1.2.2 |
1064157-1 | 3-Major | BT1064157 | Http_proxy_opaque_get should constrain search to local/spawn flows, not looped flows | 17.0.0, 16.1.2.2, 15.1.6.1 |
1063453-1 | 3-Major | BT1063453 | FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1058469-1 | 3-Major | BT1058469 | Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1056401-4 | 3-Major | BT1056401 | Valid clients connecting under active syncookie mode might experience latency. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1055097-1 | 3-Major | BT1055097 | TCP proxy with ramcache and OneConnect can result in out-of-order events, which stalls the flow. | 17.0.0, 16.1.2.2 |
1052929-4 | 3-Major | BT1052929 | MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1043357-4 | 3-Major | BT1043357 | SSL handshake may fail when using remote crypto client | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1043017-4 | 3-Major | BT1043017 | Virtual-wire with standard-virtual fragmentation | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6 |
1042913-2 | 3-Major | BT1042913 | Pkcs11d CPU utilization jumps to 100% | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1042509-1 | 3-Major | BT1042509 | On an HTTP2 gateway virtual server, TMM does not ever update the stream's window for a large POST request | 17.0.0, 16.1.2.2 |
1029897-1 | 3-Major | K63312282, BT1029897 | Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1024841-2 | 3-Major | BT1024841 | SSL connection mirroring with ocsp connection failure on standby | 17.0.0, 16.1.2.2, 15.1.5.1 |
1024225-3 | 3-Major | BT1024225 | BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1020549-1 | 3-Major | BT1020549 | Server-side connections stall with zero window with OneConnect profile | 17.0.0, 16.1.2.2 |
1017721-5 | 3-Major | BT1017721 | WebSocket does not close cleanly when SSL enabled. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5.1 |
1017533-3 | 3-Major | BT1017533 | Using TMC might cause virtual server vlans-enabled configuration to be ignored | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6 |
1016449-3 | 3-Major | BT1016449 | After certain configuration tasks are performed, TMM may run with stale Self IP parameters. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1008501-1 | 3-Major | BT1008501 | TMM core | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1008009-3 | 3-Major | BT1008009 | SSL mirroring null hs during session sync state | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
1006781-2 | 3-Major | BT1006781 | Server SYN is sent on VLAN 0 when destination MAC is multicast | 17.0.0, 16.1.2.2, 15.1.4.1 |
1004897-5 | 3-Major | BT1004897 | 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.4 |
1004689-4 | 3-Major | BT1004689 | TMM might crash when pool routes with recursive nexthops and reselect option are used. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
838305-9 | 4-Minor | BT838305 | BIG-IP may create multiple connections for packets that should belong to a single flow. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
717806-8 | 4-Minor | BT717806 | In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1080341-4 | 4-Minor | BT1080341 | Changing an L2-forward virtual to any other virtual type might not update the configuration. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1075205-1 | 4-Minor | BT1075205 | Using TCP::close after HTTP::redirect/HTTP::respond causes HTTP response not to be delivered to the client. | 17.0.0, 16.1.2.2 |
1064669-1 | 4-Minor | BT1064669 | Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1026605-6 | 4-Minor | BT1026605 | When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1026005-1 | 4-Minor | BT1026005 | BIG-IP Virtual Edition (VE) does NOT preserve the order of NICs 5-10 defined in the VMware ESXi hypervisor and NSXT platforms. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1016441-4 | 4-Minor | K11342432, BT1016441 | RFC Enforcement Hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1016049-6 | 4-Minor | BT1016049 | EDNS query with CSUBNET dropped by protocol inspection | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
968581-4 | 5-Cosmetic | BT968581 | TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1062513-4 | 2-Critical | BT1062513 | GUI returns 'no access' error message when modifying a GTM pool property. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1030881-1 | 2-Critical | BT1030881 | [GTM] Upgrade failure - 01070022:3: The monitor template min was not found.★ | 17.0.0, 16.1.2.2 |
1027657-4 | 2-Critical | BT1027657 | Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1011433-1 | 2-Critical | BT1011433 | TMM may crash under memory pressure when performing DNS resolution | 17.0.0, 16.1.2.2, 15.1.6.1 |
1010617-1 | 2-Critical | BT1010617 | String operation against DNS resource records cause tmm memory corruption | 17.0.0, 16.1.2.2, 15.1.5.1 |
876677-2 | 3-Major | BT876677 | When running the debug version of TMM, an assertion may be triggered due to an expired DNS lookup. | 17.0.0, 16.1.2.2, 15.1.6.1 |
1076401-5 | 3-Major | BT1076401 | Memory leak in TMM (ldns) when exceeding dnssec.maxnsec3persec. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1064189-1 | 3-Major | BT1064189 | DoH proxy and server listeners from GUI with client-ssl profile and server-ssl profile set to None produces undefined warning | 17.0.0, 16.1.2.2 |
1046785-1 | 3-Major | BT1046785 | Missing GTM probes when max synchronous probes are exceeded. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5, 13.1.5 |
1044425-1 | 3-Major | K85021277, BT1044425 | NSEC3 record improvements for NXDOMAIN | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1020337-2 | 3-Major | BT1020337 | DNS msg_ObjType can cause buffer overrun due to lack of NUL terminator | 17.0.0, 16.1.2.2, 15.1.5.1 |
1018613-1 | 3-Major | BT1018613 | Modify wideip pools with replace-all-with results pools with same order 0 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1079909-1 | 2-Critical | K82724554, BT1079909 | The bd generates a core file | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5 |
1069501-1 | 2-Critical | K22251611, BT1069501 | ASM may not match certain signatures | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1069449-1 | 2-Critical | K39002226, BT1069449 | ASM attack signatures may not match cookies as expected | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1068237-1 | 2-Critical | BT1068237 | Some attack signatures added to policies are not used. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1000789-1 | 2-Critical | BT1000789 | ASM-related iRule keywords may not work as expected | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
965785-4 | 3-Major | BT965785 | Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
961509-5 | 3-Major | BT961509 | ASM blocks WebSocket frames with signature matched but Transparent policy | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
926845-7 | 3-Major | BT926845 | Inactive ASM policies are deleted upon upgrade | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
923221-8 | 3-Major | BT923221 | BD does not use all the CPU cores | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
818889-1 | 3-Major | BT818889 | False positive malformed json or xml violation. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1077281-2 | 3-Major | BT1077281 | Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages | 17.1.0, 16.1.2.2, 15.1.6.1 |
1072197-1 | 3-Major | K94142349, BT1072197 | Issue with input normalization in WebSocket. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1070273-1 | 3-Major | BT1070273 | OWASP Dashboard does not calculate Disallow DTDs in XML content profile protection properly. | 17.0.0, 16.1.2.2, 15.1.6.1 |
1069133-4 | 3-Major | BT1069133 | ASMConfig memory leak | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1067285-1 | 3-Major | BT1067285 | Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.' | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1066829-1 | 3-Major | BT1066829 | Memory leak for xml/json auto-detected parameter with signature patterns. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1061617-4 | 3-Major | BT1061617 | Some of the URL Attack signatures are not detected in the URL if "Handle Path Parameters" is configured "As Parameters". | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1060933-1 | 3-Major | K49237345 | Issue with input normalization. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1059621-2 | 3-Major | BT1059621 | IP Exceptions feature and SSRF feature do not work as expected if both the entries are configured with the same IP/IPs. | 17.0.0, 16.1.2.2 |
1056365-1 | 3-Major | BT1056365 | Bot Defense injection does not follow best SOP practice. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1052173-1 | 3-Major | BT1052173 | For wildcard SSRF hosts "Matched Disallowed Address" field is wrong in the SSRF violation. | 17.0.0, 16.1.2.2 |
1052169 | 3-Major | BT1052169 | Traffic is blocked on detection of an SSRF violation even though the URI parameter is in staging mode | 16.1.2.2 |
1051213-1 | 3-Major | BT1051213 | Increase default value for violation 'Check maximum number of headers'. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1051209-1 | 3-Major | K53593534, BT1051209 | BD may not process certain HTTP payloads as expected | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1047389-4 | 3-Major | BT1047389 | Bot Defense challenge hardening | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1043533-3 | 3-Major | BT1043533 | Unable to pick up the properties of the parameters from audit reports. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1043385-4 | 3-Major | BT1043385 | No Signature detected If Authorization header is missing padding. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1042605-1 | 3-Major | BT1042605 | ASM Critical Warnings during UCS load after upgrade to v15.1.0 or above★ | 17.0.0, 16.1.2.2, 15.1.5.1 |
1041149-1 | 3-Major | BT1041149 | Staging of URL does not affect apply value signatures | 17.0.0, 16.1.2.2, 15.1.5.1 |
1038733-4 | 3-Major | BT1038733 | Attack signature not detected for unsupported authorization types. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1037457-1 | 3-Major | BT1037457 | High CPU during specific dos mitigation | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1033017-1 | 3-Major | BT1033017 | Policy changes learning mode to automatic after upload and sync | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1030853-1 | 3-Major | BT1030853 | Route domain IP exception is being treated as trusted (for learning) after being deleted | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1028473-1 | 3-Major | BT1028473 | URL sent with trailing slash might not be matched in ASM policy | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
1023993-4 | 3-Major | BT1023993 | Brute Force is not blocking requests, even when auth failure happens multiple times | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1021521-1 | 3-Major | BT1021521 | JSON Schema is not enforced if OpenAPI media-type is wild card. | 17.0.0, 16.1.2.2 |
1019721-1 | 3-Major | BT1019721 | Wrong representation of JSON/XML validation files in template based (minimal) JSON policy export | 17.0.0, 16.1.2.2 |
1012221-1 | 3-Major | BT1012221 | The childInheritanceStatus is not compatible with parentInheritanceStatus★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1011069-1 | 3-Major | BT1011069 | Group/User R/W permissions should be changed for .pid and .cfg files. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1008849-4 | 3-Major | BT1008849 | OWASP "A4 XML External Entities (XXE)" is not reflecting the XXE signatures configuration. | 17.0.0, 16.1.2.2, 15.1.5.1 |
844045-4 | 4-Minor | BT844045 | ASM Response event logging for "Illegal response" violations. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1066377-1 | 4-Minor | BT1066377 | OpenAPI - Content profile is not consistent with wildcard configuration | 17.0.0, 16.1.2.2 |
1050697-4 | 4-Minor | BT1050697 | Traffic learning page counts Disabled signatures when they are ready to be enforced | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1048445-1 | 4-Minor | BT1048445 | Accept Request button is clickable for unlearnable violation illegal host name | 17.1.0, 16.1.2.2, 15.1.6.1 |
1039245-2 | 4-Minor | BT1039245 | Policy Properties screen does not load and display | 17.0.0, 16.1.2.2 |
1038741-4 | 4-Minor | BT1038741 | NTLM type-1 message triggers "Unparsable request content" violation. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1036521-1 | 4-Minor | BT1036521 | TMM crash in certain cases | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1035361-4 | 4-Minor | BT1035361 | Illegal cross-origin after successful CAPTCHA | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
1034941-1 | 4-Minor | BT1034941 | Exporting and then re-importing "some" XML policy does not load the XML content-profile properly | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1021637-4 | 4-Minor | BT1021637 | In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs | 17.1.0, 16.1.2.2, 15.1.6.1 |
1020717-4 | 4-Minor | BT1020717 | Policy versions cleanup process sometimes removes newer versions | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1038913-4 | 3-Major | BT1038913 | The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category | 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
858005-1 | 3-Major | BT858005 | When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:" | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
423519-5 | 3-Major | K74302282, BT423519 | Bypass disabling the redirection controls configuration of APM RDP Resource. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1045229-1 | 3-Major | BT1045229 | APMD leaks Tcl_Objs as part of the fix made for ID 1002557 | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
1044121-3 | 3-Major | BT1044121 | APM logon page is not rendered if db variable "ipv6.enabled" is set to false | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1029397-4 | 2-Critical | BT1029397 | Tmm may crash with SIP-ALG deployment in a particular race condition | 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6 |
957905-1 | 3-Major | BT957905 | SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
1082885-1 | 3-Major | BT1082885 | MR::message route virtual asserts when configuration changes during ongoing traffic | 17.0.0, 16.1.2.2, 15.1.6, 14.1.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
964625-5 | 3-Major | BT964625 | Improper processing of firewall-rule metadata | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
959609-4 | 3-Major | BT959609 | Autodiscd daemon keeps crashing | 17.0.0, 16.1.2.2, 15.1.6.1 |
929909-3 | 3-Major | BT929909 | TCP Packets are not dropped in IP Intelligence | 17.0.0, 16.1.2.2, 15.1.5.1 |
1008265-1 | 3-Major | K92306170, BT1008265 | DoS Flood and Sweep vector states are disabled on an upgrade to BIG-IP software versions 14.x and beyond★ | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1072057-1 | 4-Minor | BT1072057 | "ANY" appears despite setting an IP address or host as the source in Security->Network Firewall->Policy. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1086897-1 | 2-Critical | BT1086897 | PEM subcriber lookup can fail for internet side/subscriber side new connections | 17.0.0, 16.1.2.2 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1028269-2 | 2-Critical | BT1028269 | Device using CGNAT + subscriber discovery license shows unknown for pem_subscriber-id. | 17.0.0, 16.1.2.2, 15.1.5.1 |
1019613-5 | 2-Critical | BT1019613 | Unknown subscriber in PBA deployment may cause CPU spike | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
1064217-1 | 3-Major | BT1064217 | Port bit not set correctly in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1038445-1 | 2-Critical | BT1038445 | During upgrade to 16.1, the previous FPS Engine live update remains active★ | 17.0.0, 16.1.2.2 |
873617-1 | 3-Major | BT873617 | DataSafe is not available with AWAF license after BIG-IP startup or MCP restart. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1071181-2 | 3-Major | BT1071181 | Improving Signature Detection Accuracy | 16.1.2.2, 15.1.6.1, 14.1.5 |
1060409-2 | 4-Minor | BT1060409 | Behavioral DoS enable checkbox is wrong. | 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1033829-3 | 2-Critical | BT1033829 | Unable to load Traffic Classification package | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5 |
1052153-2 | 3-Major | BT1052153 | Signature downloads for traffic classification updates via proxy fail | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1072733-4 | 2-Critical | Protocol Inspection IM package hardening | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 | |
1070677-1 | 3-Major | BT1070677 | Learning phase does not take traffic into account - dropping all. | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
940261-1 | 4-Minor | BT940261 | Support IPS package downloads via HTTP proxy. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
944121-4 | 3-Major | BT944121 | Missing SNI information when using non-default domain https monitor running in TMM mode. | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5 |
854129-6 | 3-Major | BT854129 | SSL monitor continues to send previously configured server SSL configuration after removal | 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1050969-1 | 1-Blocking | BT1050969 | After running clear-rest-storage you are logged out of the UI with a message - Your login credentials no longer valid | 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5 |
969297 | 3-Major | BT969297 | Virtual IP configured on a system with SelfIP on vwire becomes unresponsive | 16.1.2.2 |
1058401-1 | 3-Major | BT1058401 | SSL Bypass does not work for inbound traffic | 17.0.0, 16.1.2.2 |
1048033-1 | 3-Major | BT1048033 | Server-speaks-first traffic might not work with SSL Orchestrator | 17.0.0, 16.1.2.2 |
1047377-1 | 3-Major | BT1047377 | "Server-speak-first" traffic might not work with SSL Orchestrator | 17.0.0, 16.1.2.2 |
1029869-1 | 3-Major | BT1029869 | Use of ha-sync script may cause gossip communications to fail | 17.0.0, 16.1.2.2, 15.1.6.1 |
1029585-1 | 3-Major | BT1029585 | Use of ha-sync script may cause platforms in a sync-failover device group to fall out of sync | 17.0.0, 16.1.2.2, 15.1.6.1 |
Cumulative fixes from BIG-IP v16.1.2.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1045101-4 | CVE-2022-26890 | K03442392, BT1045101 | Bd may crash while processing ASM traffic | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6, 13.1.5 |
940185-7 | CVE-2022-23023 | K11742742, BT940185 | icrd_child may consume excessive resources while processing REST requests | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
1065789-1 | CVE-2023-24594 | K000133132, BT1065789 | TMM may send duplicated alerts while processing SSL connections | 17.0.0, 16.1.2.1, 15.1.5 |
1063389-6 | CVE-2015-5191 | K84583382, BT1063389 | open-vm-tools vulnerability: CVE-2015-5191 | 17.0.0, 16.1.2.1, 14.1.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1015133-5 | 3-Major | BT1015133 | Tail loss can cause TCP TLP to retransmit slowly. | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
749332-1 | 2-Critical | BT749332 | Client-SSL Object's description can be updated using CLI and with REST PATCH operation | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.4 |
996001-5 | 3-Major | BT996001 | AVR Inspection Dashboard 'Last Month' does not show all data points | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
994305-3 | 3-Major | BT994305 | The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5 | 17.0.0, 16.1.2.1, 15.1.5.1 |
968657-1 | 3-Major | BT968657 | Added support for IMDSv2 on AWS | 17.0.0, 16.1.2.1, 15.1.5.1 |
1032949-1 | 3-Major | BT1032949 | Dynamic CRL configured with client authentication profile as "Request" causes connection termination without certificate. | 17.0.0, 16.1.2.1, 15.1.5 |
1041765-2 | 4-Minor | BT1041765 | Racoon may crash in rare cases | 17.0.0, 16.1.2.1, 15.1.10 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
999097-1 | 3-Major | BT999097 | SSL::profile may select profile with outdated configuration | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
910673-6 | 3-Major | BT910673 | Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM' | 17.0.0, 16.1.2.1, 15.1.5.1 |
898929-6 | 3-Major | BT898929 | Tmm might crash when ASM, AVR, and pool connection queuing are in use | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
1038629-4 | 3-Major | BT1038629 | DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
1031609-1 | 3-Major | BT1031609 | Improve nethsm-thales-install.sh and nethsm-thales-rfs-install.sh to be compatible with Entrust Client v12.60.10 package.★ | 17.0.0, 16.1.2.1, 15.1.5.1 |
1019609-1 | 3-Major | BT1019609 | No Error logging when BIG-IP device's IP address is not added in client list on netHSM.★ | 17.0.0, 16.1.2.1, 15.1.5.1 |
1017513-5 | 3-Major | BT1017513 | Config sync fails with error Invalid monitor rule instance identifier or monitors are in a bad state such as checking | 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5 |
1007749-2 | 3-Major | BT1007749 | URI TCL parse functions fail when there are interior segments with periods and semi-colons | 17.0.0, 16.1.2.1, 15.1.5 |
1048433-1 | 4-Minor | BT1048433 | Improve Extract logic of thales-sync.sh to support VIPRION cluster to support 12.6.10 client installation.★ | 16.1.2.1, 15.1.5.1 |
1024761-1 | 4-Minor | BT1024761 | HTTP adds Transfer-Encoding and terminating chunk to responses that cannot have a body | 17.0.0, 16.1.2.1, 15.1.5 |
1005109-4 | 4-Minor | BT1005109 | TMM crashes when changing traffic-group on IPv6 link-local address | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
935249-3 | 3-Major | BT935249 | GTM virtual servers have the wrong status | 17.0.0, 16.1.2.1, 15.1.5 |
1039553-1 | 3-Major | BT1039553 | Non-200 HTTP status codes fail to be matched by GTM HTTP(S) monitors | 17.0.0, 16.1.2.1, 15.1.5 |
1021061-4 | 3-Major | BT1021061 | Config fails to load for large config on platform with Platform FIPS license enabled | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
993613-7 | 2-Critical | BT993613 | Device fails to request full sync | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
984593-1 | 3-Major | BT984593 | BD crash | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
921697-1 | 3-Major | BT921697 | Attack signature updates fail to install with Installation Error.★ | 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.6 |
907025-5 | 3-Major | BT907025 | Live update error" 'Try to reload page' | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
885765-1 | 3-Major | BT885765 | ASMConfig Handler undergoes frequent restarts | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
830341-5 | 3-Major | BT830341 | False positives Mismatched message key on ASM TS cookie | 17.0.0, 16.1.2.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
1043205-1 | 3-Major | BT1043205 | SSRF Violation should be shown as a Parameter Entity Reference. | 16.1.2.1 |
1042069-1 | 3-Major | Some signatures are not matched under specific conditions. | 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5, 13.1.5 | |
1002385-1 | 4-Minor | K67397230, BT1002385 | Fixing issue with input normalization | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1009093-2 | 2-Critical | BT1009093 | GUI widgets pages are not functioning correctly | 17.0.0, 16.1.2.1, 15.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
969317-4 | 3-Major | BT969317 | "Restrict to Single Client IP" option is ignored for vmware VDI | 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5 |
828761-5 | 3-Major | BT828761 | APM OAuth - Auth Server attached iRule works inconsistently | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
827393-5 | 3-Major | BT827393 | In rare cases tmm crash is observed when using APM as RDG proxy. | 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5 |
738593-3 | 3-Major | BT738593 | Vmware Horizon session collaboration (shadow session) feature does not work through APM. | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
1007677-2 | 3-Major | BT1007677 | Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector' | 17.0.0, 16.1.2.1, 15.1.4.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1039329-2 | 3-Major | BT1039329 | MRF per peer mode is not working in vCMP guest. | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5 |
1025529-2 | 3-Major | BT1025529 | TMM generates core when iRule executes a nexthop command and SIP traffic is sent | 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
956013-4 | 3-Major | BT956013 | System reports{{validation_errors}} | 16.1.2.1, 15.1.5, 14.1.4.5 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1023437-1 | 3-Major | Buffer overflow during attack with large HTTP Headers | 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1055361-1 | 2-Critical | BT1055361 | Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a tmm crash. | 17.0.0, 16.1.2.1, 15.1.5.1 |
Cumulative fixes from BIG-IP v16.1.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
991421-2 | CVE-2022-23016 | K91013510, BT991421 | TMM may crash while processing TLS traffic | 17.0.0, 16.1.2, 15.1.4.1 |
989701-8 | CVE-2020-25212 | K42355373, BT989701 | CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
988549-10 | CVE-2020-29573 | K27238230, BT988549 | CVE-2020-29573: glibc vulnerability | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
968893-3 | CVE-2022-23014 | K93526903, BT968893 | TMM crash when processing APM traffic | 17.0.0, 16.1.2, 15.1.4.1 |
940317-9 | CVE-2020-13692 | K23157312, BT940317 | CVE-2020-13692: PostgreSQL JDBC Driver vulnerability | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
1037181-1 | CVE-2022-23022 | K96924184, BT1037181 | TMM may crash while processing HTTP traffic | 17.0.0, 16.1.2 |
1032405-1 | CVE-2021-23037 | K21435974, BT1032405 | TMUI XSS vulnerability CVE-2021-23037 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1031269 | CVE-2022-23020 | K17514331, BT1031269 | TMM may consume excessive resources when processing logging profiles | 17.0.0, 16.1.2 |
1030689-1 | CVE-2022-23019 | K82793463, BT1030689 | TMM may consume excessive resources while processing Diameter traffic | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
1029629-1 | CVE-2022-28706 | K03755971, BT1029629 | TMM may crash while processing DNS lookups | 17.0.0, 16.1.2, 15.1.5.1 |
1028669-7 | CVE-2019-9948 | K28622040, BT1028669 | Python vulnerability: CVE-2019-9948 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1028573-6 | CVE-2020-10878 | K40508224, BT1028573 | Perl vulnerability: CVE-2020-10878 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1028497-7 | CVE-2019-15903 | K05295469, BT1028497 | libexpat vulnerability: CVE-2019-15903 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1021713-1 | CVE-2022-41806 | K00721320, BT1021713 | TMM may crash when processing AFM NAT64 policy | 17.0.0, 16.1.2, 15.1.5.1 |
1012365-4 | CVE-2021-20305 | K33101555, BT1012365 | Nettle cryptography library vulnerability CVE-2021-20305 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1007489-7 | CVE-2022-23018 | K24358905, BT1007489 | TMM may crash while handling specific HTTP requests★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
974341-6 | CVE-2022-23026 | K08402414, BT974341 | REST API: File upload | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
973409-6 | CVE-2020-1971 | K42910051, BT973409 | CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
941649-8 | CVE-2021-23043 | K63163637, BT941649 | Local File Inclusion Vulnerability | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
803965-10 | CVE-2018-20843 | K51011533, BT803965 | Expat Vulnerability: CVE-2018-20843 | 17.0.0, 16.1.2, 15.1.4, 14.1.4.5, 13.1.5 |
1035729-1 | CVE-2022-23021 | K57111075, BT1035729 | TMM may crash while processing traffic http traffic | 17.0.0, 16.1.2 |
1009725-1 | CVE-2022-23030 | K53442005, BT1009725 | Excessive resource usage when ixlv drivers are enabled | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
985953-6 | 4-Minor | BT985953 | GRE Transparent Ethernet Bridging inner MAC overwrite | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1039049-2 | 1-Blocking | BT1039049 | Installing EHF on particular platforms fails with error "RPM transaction failure" | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
997313-2 | 2-Critical | BT997313 | Unable to create APM policies in a sync-only folder★ | 17.0.0, 16.1.2, 15.1.4.1 |
1031357-2 | 2-Critical | BT1031357 | After reboot of standby and terminating peer, some IPsec traffic-selectors are still online | 17.0.0, 16.1.2 |
1029949-2 | 2-Critical | BT1029949 | IPsec traffic selector state may show incorrect state on high availability (HA) standby device | 17.0.0, 16.1.2 |
998221-1 | 3-Major | BT998221 | Accessing pool members from configuration utility is slow with large config | 17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.3 |
946185-3 | 3-Major | BT946185 | Unable to view iApp component due to error 'An error has occurred while trying to process your request.'★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
922185-3 | 3-Major | BT922185 | LDAP referrals not supported for 'cert-ldap system-auth'★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
881085-4 | 3-Major | BT881085 | Intermittent auth failures with remote LDAP auth for BIG-IP managment | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1045421-1 | 3-Major | K16107301, BT1045421 | No Access error when performing various actions in the TMOS GUI | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1032737-2 | 3-Major | BT1032737 | IPsec: tmm SIGSEGV in getlocaladdr in ikev2_initiate | 17.0.0, 16.1.2, 15.1.4.1 |
1032077-1 | 3-Major | BT1032077 | TACACS authentication fails with tac_author_read: short author body | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1028969-1 | 3-Major | BT1028969 | An unused traffic-selector can prevent an IKEv2 IPsec tunnel from working | 17.0.0, 16.1.2 |
1026549-1 | 3-Major | BT1026549 | Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1022757-2 | 3-Major | BT1022757 | Tmm core due to corrupt list of ike-sa instances for a connection | 17.0.0, 16.1.2, 15.1.9 |
1021773-1 | 3-Major | BT1021773 | Mcpd core. | 17.0.0, 16.1.2, 15.1.7 |
1020377-1 | 3-Major | BT1020377 | Missing IKEv2 listeners can send IKE packets to the IKEv1 racoon daemon | 17.0.0, 16.1.2 |
1015645-2 | 3-Major | BT1015645 | IPSec SA's missing after reboot | 17.0.0, 16.1.2 |
1009949-4 | 3-Major | BT1009949 | High CPU usage when upgrading from previous version★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
1003257-6 | 3-Major | BT1003257 | ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
921365-2 | 4-Minor | BT921365 | IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby | 17.0.0, 16.1.2, 15.1.4 |
1034617-1 | 4-Minor | BT1034617 | Login/Security Banner text not showing in console login. | 17.0.0, 16.1.2 |
1030845-1 | 4-Minor | BT1030845 | Time change from TMSH not logged in /var/log/audit. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1022417-1 | 4-Minor | BT1022417 | Ike stops with error ikev2_send_request: [WINDOW] full window | 17.0.0, 16.1.2, 15.1.9 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1039041 | 1-Blocking | BT1039041 | Log Message: Clock advanced by <number> ticks | 17.0.0, 16.1.2 |
1040361-1 | 2-Critical | BT1040361 | TMM crashes during its startup when TMC destination port list attached/deleted to virtual server. | 17.0.0, 16.1.2, 15.1.5, 14.1.4.5 |
915773-7 | 3-Major | BT915773 | Restart of TMM after stale interface reference | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
1023365-2 | 3-Major | BT1023365 | SSL server response could be dropped on immediate client shutdown. | 17.0.0, 16.1.2, 15.1.4.1 |
1021481-1 | 3-Major | BT1021481 | 'http-tunnel' and 'socks-tunnel' (which are internal interfaces) should be hidden. | 17.0.0, 16.1.2 |
1020957-1 | 3-Major | BT1020957 | HTTP response may be truncated by the BIG-IP system | 17.0.0, 16.1.2 |
1018577-4 | 3-Major | BT1018577 | SASP monitor does not mark pool member with same IP Address but different Port from another pool member | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1016113-1 | 3-Major | BT1016113 | HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile. | 17.0.0, 16.1.2, 15.1.4 |
1008017-2 | 3-Major | BT1008017 | Validation failure on Enforce TLS Requirements and TLS Renegotiation | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
895557-5 | 4-Minor | BT895557 | NTLM profile logs error when used with profiles that do redirect | 17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.2 |
1031901-2 | 4-Minor | BT1031901 | In HTTP2 deployment, RST_STREAM sent to client if server in CLOSING state is picked | 17.0.0, 16.1.2, 15.1.4.1 |
1018493-1 | 4-Minor | BT1018493 | Response code 304 from TMM Cache always closes TCP connection. | 17.0.0, 16.1.2, 15.1.4, 14.1.4.5, 13.1.5 |
1002945-4 | 4-Minor | BT1002945 | Some connections are dropped on chained IPv6 to IPv4 virtual servers. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1035853-1 | 2-Critical | K41415626, BT1035853 | Transparent DNS Cache can consume excessive resources. | 17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5 |
1028773-1 | 2-Critical | BT1028773 | Support for DNS Over TLS | 17.0.0, 16.1.2 |
1009037-1 | 2-Critical | BT1009037 | Tcl resume on invalid connection flow can cause tmm crash | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1021417-1 | 3-Major | BT1021417 | Modifying GTM pool members with replace-all-with results in pool members with order 0 | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
912149-7 | 2-Critical | BT912149 | ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1019853-1 | 2-Critical | K30911244, BT1019853 | Some signatures are not matched under specific conditions | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1017153-4 | 2-Critical | BT1017153 | Asmlogd suddenly deletes all request log protobuf files and records from the database. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1011065-1 | 2-Critical | K39002226, BT1011065 | Certain attack signatures may not match in multipart content | 17.0.0, 16.1.2, 15.1.4.1 |
1011061-4 | 2-Critical | K39002226, BT1011061 | Certain attack signatures may not match in multipart content | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
947341-4 | 3-Major | BT947341 | MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files. | 17.0.0, 16.1.2, 16.0.1.2, 15.1.3, 14.1.4.1 |
932133-1 | 3-Major | BT932133 | Payloads with large number of elements in XML take a lot of time to process | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
842013-1 | 3-Major | BT842013 | ASM Configuration is Lost on License Reactivation★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1042917-1 | 3-Major | BT1042917 | Using 'Full Export' of security policy should result with no diffs after importing it back to device. | 17.0.0, 16.1.2 |
1028109-1 | 3-Major | BT1028109 | Detected attack signature is reported with the wrong context. | 17.0.0, 16.1.2 |
1022269-1 | 3-Major | BT1022269 | False positive RFC compliant violation | 17.0.0, 16.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
1004069-4 | 3-Major | BT1004069 | Brute force attack is detected too soon | 17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5 |
1004537-2 | 4-Minor | BT1004537 | Traffic Learning: Accept actions for multiple suggestions not localized | 17.0.0, 16.1.2, 15.1.4 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
932137-7 | 3-Major | BT932137 | AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
922105-1 | 3-Major | BT922105 | Avrd core when connection to BIG-IQ data collection device is not available | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5 |
1035133-4 | 3-Major | BT1035133 | Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
948113-1 | 4-Minor | BT948113 | User-defined report scheduling fails | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1020705-2 | 4-Minor | BT1020705 | tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead "attack_type_name | 17.0.0, 16.1.2, 15.1.3.1, 14.1.4.4 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1027217-1 | 1-Blocking | BT1027217 | Script errors in Network Access window using browser. | 17.0.0, 16.1.2, 15.1.4.1 |
1006893-4 | 2-Critical | BT1006893 | Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
993457-1 | 3-Major | BT993457 | TMM core with ACCESS::policy evaluate iRule | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1021485-3 | 3-Major | BT1021485 | VDI desktops and apps freeze with Vmware and Citrix intermittently | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1017233-2 | 3-Major | BT1017233 | APM uses wrong session key when iRule for ActiveSync is used resulting in passwords corruption | 17.0.0, 16.1.2, 15.1.4.1 |
939877-3 | 4-Minor | BT939877 | OAuth refresh token not found | 17.0.0, 16.1.2, 15.1.4, 14.1.4.4 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1007113-3 | 2-Critical | BT1007113 | Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
1018285-2 | 4-Minor | BT1018285 | MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction | 17.0.0, 16.1.2, 15.1.4.1 |
1003633-1 | 4-Minor | BT1003633 | There might be wrong memory handling when message routing feature is used | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1049229-1 | 2-Critical | BT1049229 | When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1013629-4 | 3-Major | BT1013629 | URLCAT: Scan finds many Group/User Read/Write (666/664/662) files | 17.0.0, 16.1.2, 15.1.9 |
686783-1 | 4-Minor | BT686783 | UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters. | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5 |
1032689 | 4-Minor | BT1032689 | UlrCat Custom db feedlist does not work for some URLs | 16.1.2, 15.1.4.1, 14.1.4.5 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
929213-2 | 3-Major | BT929213 | iAppLX packages not rolled forward after BIG-IP upgrade★ | 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1038669-1 | 3-Major | BT1038669 | Antserver keeps restarting. | 17.0.0, 16.1.2, 15.1.5 |
1032797-1 | 3-Major | BT1032797 | Tmm continuously cores when parsing custom category URLs | 17.0.0, 16.1.2, 15.1.5 |
Cumulative fixes from BIG-IP v16.1.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
979877-9 | CVE-2020-1971 | K42910051, BT979877 | CVE-2020-1971 OpenSSL: EDIPARTYNAME NULL pointer de-reference vulnerability description and available information | 16.1.1, 15.1.4, 14.1.5.1 |
954425-4 | CVE-2022-23031 | K61112120, BT954425 | Hardening of Live-Update | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
797797-7 | CVE-2019-11811 | K01512680, BT797797 | CVE-2019-11811 kernel: use-after-free in drivers | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.3 |
1013569-1 | CVE-2022-31473 | K34893234, BT1013569 | Hardening of iApps processing | 17.0.0, 16.1.1, 15.1.4 |
1008561-4 | CVE-2022-23025 | K44110411, BT1008561 | In very rare condition, BIG-IP may crash when SIP ALG is deployed | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
911141-1 | 3-Major | BT911141 | GTP v1 APN is not decoded/encoded properly | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
974241-3 | 2-Critical | BT974241 | Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades | 17.0.0, 16.1.1, 15.1.4 |
887117-4 | 3-Major | BT887117 | Invalid SessionDB messages are sent to Standby | 17.0.0, 16.1.1, 15.1.4.1 |
1019829-2 | 3-Major | BT1019829 | Configsync.copyonswitch variable is not functioning on reboot | 16.1.1 |
1018309-5 | 3-Major | BT1018309 | Loading config file with imish removes the last character | 17.0.0, 16.1.1, 15.1.4.1 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1023341-1 | 1-Blocking | HSM hardening | 17.0.0, 16.1.1, 15.1.5.1, 14.1.4.6, 13.1.5 | |
995405-1 | 2-Critical | BT995405 | After upgrade, the copied SSL vhf/vht profile prevents traffic from passing★ | 17.0.0, 16.1.3, 16.1.1 |
1040677 | 2-Critical | BT1040677 | BIG-IP D120 platform reports page allocation failures in N3FIPS driver | 17.0.0, 16.1.1 |
980617-1 | 3-Major | BT980617 | SNAT iRule is not working with HTTP/2 and HTTP Router profiles | 17.0.0, 16.1.1, 15.1.10 |
912945-3 | 4-Minor | BT912945 | A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1039069-1 | 1-Blocking | BT1039069 | Multiple issues affecting the RESOLV::lookup iRule command following the fix to ID1007049.★ | 17.0.0, 16.1.1, 15.1.4 |
993489-1 | 3-Major | BT993489 | GTM daemon leaks memory when reading GTM link objects | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
996381-1 | 2-Critical | K41503304, BT996381 | ASM attack signature may not match as expected | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1 |
970329-1 | 2-Critical | K70134152, BT970329 | ASM hardening | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
965229-5 | 2-Critical | BT965229 | ASM Load hangs after upgrade★ | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
986937-3 | 3-Major | BT986937 | Cannot create child policy when the signature staging setting is not equal in template and parent policy | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4 |
981069-3 | 3-Major | BT981069 | Reset cause: "Internal error ( requested abort (payload release error))" | 17.0.0, 16.1.1, 15.1.4 |
962589-4 | 3-Major | BT962589 | Full Sync Requests Caused By Failed Relayed Call to delete_suggestion | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
951133-4 | 3-Major | BT951133 | Live Update does not work properly after upgrade★ | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4 |
920149-3 | 3-Major | BT920149 | Live Update default factory file for Server Technologies cannot be reinstalled | 17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4 |
888289-8 | 3-Major | BT888289 | Add option to skip percent characters during normalization | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
1005105-3 | 3-Major | BT1005105 | Requests are missing on traffic event logging | 17.0.0, 16.1.1, 15.1.4, 14.1.4.5 |
1000741-1 | 3-Major | K67397230, BT1000741 | Fixing issue with input normalization | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
941625-3 | 4-Minor | BT941625 | BD sometimes encounters errors related to TS cookie building | 17.0.0, 16.1.1, 15.1.4 |
Application Visibility and Reporting Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
924945-5 | 3-Major | BT924945 | Fail to detach HTTP profile from virtual server | 17.0.0, 16.1.1, 16.0.1.2, 15.1.3 |
913085-6 | 3-Major | BT913085 | Avrd core when avrd process is stopped or restarted | 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1 |
909161-1 | 3-Major | BT909161 | A core file is generated upon avrd process restart or stop | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1024101-1 | 3-Major | BT1024101 | SWG as a Service license improvements | 17.0.0, 16.1.3, 16.1.1 |
1022625-2 | 3-Major | BT1022625 | Profile type 'swg-transparent' should be selected on create page when 'create-new' is selected for SwgAsService in SSL Orchestrator | 17.0.0, 16.1.1 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
993913-4 | 2-Critical | BT993913 | TMM SIGSEGV core in Message Routing Framework | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4 |
1012721-4 | 2-Critical | BT1012721 | Tmm may crash with SIP-ALG deployment in a particular race condition | 17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4, 13.1.5 |
1007821-3 | 2-Critical | BT1007821 | SIP message routing may cause tmm crash | 17.0.0, 16.1.1, 15.1.4 |
996113-2 | 3-Major | BT996113 | SIP messages with unbalanced escaped quotes in headers are dropped | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
805821-1 | 3-Major | BT805821 | GTP log message contains no useful information | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
919301-1 | 4-Minor | BT919301 | GTP::ie count does not work with -message option | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
913413-1 | 4-Minor | BT913413 | 'GTP::header extension count' iRule command returns 0 | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
913409-1 | 4-Minor | BT913409 | GTP::header extension command may abort connection due to unreasonable TCL error | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
913393-1 | 5-Cosmetic | BT913393 | Tmsh help page for GTP iRule contains incorrect and missing information | 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
992213-3 | 3-Major | BT992213 | Protocol Any displayed as HOPTOPT in AFM policy view | 17.0.0, 16.1.1, 15.1.4, 14.1.4.2 |
1000405-1 | 3-Major | BT1000405 | VLAN/Tunnels not listed when creating a new rule via GUI | 17.0.0, 16.1.1, 15.1.4 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1018145 | 3-Major | BT1018145 | Firewall Manager user role is not allowed to configure/view protocol inspection profiles | 16.1.1, 15.1.4 |
Cumulative fix details for BIG-IP v16.1.5.1.0.13.7 that are included in this release
1622609-1 : Blast-RADIUS CVE-2024-3596
Links to More Info: K000141008
Component: Access Policy Manager
Symptoms:
Refer K000141008 for more details.
Conditions:
Refer K000141008 for more details.
Impact:
Refer K000141008 for more details.
Workaround:
None
Fixed Versions:
16.1.5.1.0.13.7
1621249-2: CVE-2024-3596
Links to More Info: K000141008
Component: TMOS
Symptoms:
Refer K000141008 for more details.
Conditions:
Refer K000141008 for more details.
Impact:
Refer K000141008 for more details.
Workaround:
None
Fix:
As part of the fix, a new cli option 'require_message_authenticator' in system auth is introduced. require_message_authenticator is false by default and it should be set true to mitigate this vulnerability. To configure it to true, below command should be used, tmsh modify sys db radius.messageauthenticator value true
Fixed Versions:
16.1.5.1.0.13.7
1678649-2: CVE-2024-3596
Links to More Info: K000141008
Component: TMOS
Symptoms:
RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature
Conditions:
Radius authentication must be configured in BIG-IP to be vulnerable to CVE-2024-3596.
Impact:
BIG-IP may be susceptible to forgery attacks.
Workaround:
None
Fix:
As part of the fix, a new cli option 'require_message_authenticator' in system auth is introduced. require_message_authenticator is false by default and it should be set true to mitigate this vulnerability. To configure it to true, below command should be used, tmsh modify sys db radius.messageauthenticator value true
Fixed Versions:
16.1.5.1.0.13.7
999901-1 : Certain LTM policies may not execute correctly after a system reboot or TMM restart.
Links to More Info: K68816502, BT999901
Component: Local Traffic Manager
Symptoms:
After a system reboot or TMM restart, LTM policies referencing an external data-group may not execute correctly, regardless of a successful matching condition.
This can cause a wide range of issues, including misrouted traffic, unshaped traffic, the bypassing of ASM, or complete traffic failure (based on the policy actions).
Note that if a virtual server references multiple LTM policies, and only some of those policies reference an external data-group, all LTM policies attached to the virtual server will be affected.
Conditions:
-- LTM policy with an external data-group configured on a virtual server.
-- System reboot or TMM restart.
Impact:
LTM policies may be unable to execute the appropriate action on a successful matching condition, leading to a wide range of traffic-impacting consequences.
Workaround:
Remove and re-add the affected policy to the desired virtual-server. Alternatively, to fix a wider number of affected virtual servers in one go, reload the system configuration by executing 'tmsh load sys config'.
Fix:
TMM now loads LTM policies with external data-groups as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
999881-6 : Tcl command 'string first' not working if payload contains Unicode characters.
Links to More Info: BT999881
Component: Local Traffic Manager
Symptoms:
Tcl command 'string first' returns an incorrect value when Unicode characters are present in the payload.
Conditions:
-- Tcl command 'string first' is used in iRules.
-- Payload contains Unicode characters.
Impact:
Traffic processing with iRules that contains the 'string first' command might not work as expected.
Workaround:
You can use any of the following workarounds:
-- Use iRuleLX.
-- Do not use Unicode characters in the payload.
-- Use a custom Tcl proc to iterate through the string using lindex
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
999125-1 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.
Links to More Info: BT999125
Component: TMOS
Symptoms:
After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states.
Conditions:
-- One or more devices belonging to a sync-failover device-group undergo a management IP change.
Impact:
-- The affected units are unable to pass traffic, as they are either both Standby or Active (resulting in either no service availability or IP address conflicts in the network).
Workaround:
If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, in order to account for the eventuality this issue might occur.
Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command:
tmsh restart sys service sod
Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future.
Fix:
Redundant devices remain in the correct failover state following a management IP address change.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
999097-1 : SSL::profile may select profile with outdated configuration
Links to More Info: BT999097
Component: Local Traffic Manager
Symptoms:
Under some circumstances, an iRule-selected SSL profile may a send previously configured certificate to the peer.
Conditions:
iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made in the profile's cert-key-chain field.
Impact:
The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.
Workaround:
Avoid making changes to a profile that is actively being used by the iRule command.
Fix:
The system now makes sure that SSL profiles are properly reloaded after changes are made.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
998957-1 : MCPD consumes excessive CPU while collecting statistics
Links to More Info: BT998957
Component: TMOS
Symptoms:
MCPD CPU utilization is 100%.
Conditions:
This condition can occur when the BIG-IP system has a large number of virtual servers, pools, and pool members for which statistics are being collected. The CPU impact is proportional to the number of objects configured. It appears unlikely to see a significant impact when under 1000 objects.
Impact:
CPU utilization by MCPD is excessive.
Workaround:
None
Fix:
N/A
Fixed Versions:
17.1.0, 16.1.5
998225-6 : TMM crash when disabling/re-enabling a blade that triggers a primary blade transition.
Links to More Info: BT998225
Component: TMOS
Symptoms:
TMM crashes during the primary blade transition.
Conditions:
-- Using bidirectional forwarding detection.
-- Primary blade transition occurs.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM no longer crashes on primary blade transition.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
998221-1 : Accessing pool members from configuration utility is slow with large config
Links to More Info: BT998221
Component: TMOS
Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.
Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.
Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second,
Managing pool members from configuration utility is very slow causing performance impact.
Workaround:
None
Fix:
Optimized the GUI query used for retrieving pool members data.
Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.3
997793-3 : Error log: Failed to reset strict operations; disconnecting from mcpd★
Links to More Info: K34172543, BT997793
Component: TMOS
Symptoms:
After rebooting the device you are unable to access the GUI. When checking the LTM logs in the SSH/console, it repeatedly prompts an error: tmm crash.
Failed to reset strict operations; disconnecting from mcpd.
Conditions:
-- APM provisioned.
-- Previous EPSEC packages that are still residing on the system from earlier BIG-IP versions are installed upon boot.
Impact:
Mcpd fails to fully load and the device fails to come up fully, and it cannot pass traffic.
An internal timer might cause the installation to be aborted and all daemons to be restarted through bigstart restart. Traffic is disrupted while tmm restarts.
Workaround:
You can recover by restarting the services. Traffic will be disrupted while tmm restarts:
1. Stop the overdog daemon first by issuing the command:
systemctl stop overdog.
2. Restart all services by issuing the command:
bigstart restart.
3. Wait for 10 to 20 mins until EPSEC packages are successfully installed and mcpd successfully starts.
4. Start the overdog daemon after the system is online
systemctl start overdog.
Impact of workaround: it is possible that the EPSEC rpm database is or could be corrupted. If you find that you cannot access the GUI after appying this workaround, see https://cdn.f5.com/product/bugtracker/ID1188857.html
Fix:
After rebooting the device, you can now access the GUI without a 'Failed to reset' error.
Fixed Versions:
16.1.5
997561-5 : TMM CPU imbalance with GRE/TB and GRE/MPLS traffic
Links to More Info: BT997561
Component: TMOS
Symptoms:
When handling unidirectional GRE traffic, a lack of inner payload entropy can lead to CPU pinning.
In some circumstances, handling this traffic should not require maintaining state across TMMs.
Conditions:
This occurs with GRE/TB (transparent ethernet bridging) and GRE/MPLS traffic.
Impact:
TMM utilization across CPUs is imbalanced, which can impact overall device performance.
Workaround:
None
Fix:
The BIG-IP now has a 'iptunnel.ether_nodag' DB key, which defaults to 'disable'. When this DB key is enabled, the BIG-IP system always processes tunnel-encapsulated traffic on the TMM that handles the tunnel packet, rather than re-disaggregating it.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
997429-1 : When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled
Links to More Info: BT997429
Component: Advanced Firewall Manager
Symptoms:
Some DoS-related log messages may be missing
Conditions:
-- Static DDoS vector is configured with the same mitigation threshold and detection threshold setpoint.
-- The platform supports Hardware DDoS mitigation and hardware mitigation and hardware mitigation is not disabled.
Impact:
Applications dependent on log frequency may be impacted.
Workaround:
Configure the mitigation limit about 10% over the attack limit.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
997313-2 : Unable to create APM policies in a sync-only folder★
Links to More Info: BT997313
Component: TMOS
Symptoms:
Unable to configure an APM policy in a sync-only folder, or the configuration fails to load after an upgrade, with an error message similar to:
-- err mcpd[mcpd_pid]: 01070734:3: Configuration error: Invalid Devicegroup Reference. The customization_group (/Common/sync-only/example_apm_customization) requires customization_source (/Common/standard) to be syncd to the same devices
Conditions:
-- Multiple BIG-IP devices configured in a sync-only device group, but different/non-overlapping failover device groups
-- APM policy being created in a folder or partition associated with sync-only device group.
Impact:
-- Unable to create the access policy.
-- The configuration fails to load and the device remains inoperative.
Workaround:
You can use either of the following strategies to prevent the issue:
--Do not create APM policies in a sync-only folder.
--Disable MCPD device-group reference validation for the sync-only folder, e.g.:
tmsh modify sys folder /Common/sync-only no-ref-check true
tmsh save sys config
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1
997269-1 : The management-dhcp contextual help for supersede-options is not available
Links to More Info: BT997269
Component: TMOS
Symptoms:
In TMSH, unable to view the contextual help for supersede-options of management-dhcp.
Conditions:
In TMSH, configuring DHCP settings for the management interface.
Impact:
The help text is not available on usage of supersede-options.
Workaround:
None
Fix:
Added missing contextual help for supersede-options.
Fixed Versions:
17.0.0, 16.1.5
996649-6 : Improper handling of DHCP flows leading to orphaned server-side connections
Links to More Info: BT996649
Component: Local Traffic Manager
Symptoms:
When there are multiple client-side flows tied to a single server-side DHCP flow, timeout handling on the client-side flows is incorrect and might lead to a server-side flow getting orphaned. This results in traffic from the server not making its way back to the client.
Conditions:
Regular DHCP virtual server in use.
Impact:
Traffic is not passed to the client.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
996381-1 : ASM attack signature may not match as expected
Links to More Info: K41503304, BT996381
Component: Application Security Manager
Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.
Conditions:
- Attack signature 200000128 enabled.
Impact:
Processed traffic may not match all expected attack signatures
Workaround:
N/A
Fix:
Attack signature 200000128 now matches as expected.
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1
996113-2 : SIP messages with unbalanced escaped quotes in headers are dropped
Links to More Info: BT996113
Component: Service Provider
Symptoms:
Dropped SIP messages.
Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote
Impact:
Certain SIP messages are not being passed via MRF.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
996001-5 : AVR Inspection Dashboard 'Last Month' does not show all data points
Links to More Info: BT996001
Component: TMOS
Symptoms:
A daily-based report (report with resolution of one day in each data-point) can be provided to only request with up-to 30 days. A request with 31 days shows only 2 entries.
Conditions:
This occurs when generating a 'Last Month' report for a month that contains 31 days of data.
Impact:
AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points.
Workaround:
None
Fix:
Viewing a 'Last Month' graph now reports ~30 days worth of data, rather than a variable amount of data based on actual calendar periods.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
995849-1 : Tmm crash SIGSEGV - rcs_getsalen() in lib/rc_net.c
Links to More Info: BT995849
Component: TMOS
Symptoms:
Tmm crashes while processing a large number of tunnels.
Conditions:
-- A large number of ipsec tunnels
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Memory allocation failures are handled.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
995405-1 : After upgrade, the copied SSL vhf/vht profile prevents traffic from passing★
Links to More Info: BT995405
Component: Local Traffic Manager
Symptoms:
After an RPM upgrade, SSL Orchestrator traffic does not pass
Conditions:
Upgrading SSL Orchestrator via RPM
Impact:
Traffic will not pass.
Workaround:
Bigstart restart tmm
Fix:
Fixed an issue that was preventing from passing after an RPM upgrade.
Fixed Versions:
17.0.0, 16.1.3, 16.1.1
995097-1 : Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file.
Links to More Info: BT995097
Component: TMOS
Symptoms:
After reloading the configuration from a file, management-dhcp supersede options whose values contained a double quote character (") no longer contain the character.
For instance, after reloading the configuration, the following section:
# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
supersede-options {
domain-name {
value { "example.com" }
}
domain-name-servers {
value { 8.8.8.8 }
}
domain-search {
value { "example.com" }
}
}
}
Becomes:
# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
supersede-options {
domain-name {
value { example.com }
}
domain-name-servers {
value { 8.8.8.8 }
}
domain-search {
value { example.com }
}
}
}
This also affects the configuration file for the dhclient/dhclient6 daemons that the system automatically generates from the aforementioned config stanza.
Conditions:
This issue occurs when the following statements apply:
--- The values of management-dhcp supersede options contain double quote characters.
--- The configuration is reloaded from file.
The BIG-IP system reloads the configuration from file in the following cases:
-- When you issue the 'tmsh load sys config' command.
-- After an upgrade, as the mcpd binary database does not exist yet.
-- When troubleshooting requires removing the mcpd binary database and reloading the config from file.
-- When the system is relicensed.
-- When system provisioning changes.
-- When a UCS/SCF archive is restored.
-- When someone merges in config from file or terminal (but this is limited to the actual contents being merged in, not the entire configuration).
Impact:
The in-memory mcpd configuration relating to management-dhcp supersede options is incorrect.
The /etc/dhclient.conf file that is automatically generated contains incorrect syntax.
As a result of this, the dhclient/dhclient6 daemons fail to parse the file and run with an incomplete configuration.
Ultimately, the system does not behave as configured in regard to its management-dhcp configuration.
Workaround:
Reapply the desired management-dhcp supersede-options configuration using the tmsh utility.
For example, to restore the intended in-memory configuration shown under Symptoms, you would run within tmsh:
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options none
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name-servers { value add { 8.8.8.8 } } }
# save sys config
On versions earlier than 15.0.0, you must also restart the dhclient/dhclient6 daemons by running:
bigstart restart dhclient dhclient6
Note that the workaround is not permanent and will be invalidated the next time the config is loaded from file again.
Fix:
The BIG-IP system user is no longer responsible for knowing which dhcp-options require quoting and which do not. This determination is now done internally by mcpd, which uses the correct syntax for each supersede-option when writing the /etc/dhclient.conf file. This means that, as the BIG-IP system user, you are not required to quote anything when manipulating management-dhcp supersede-options in tmsh.
For instance, you can enter the following command:
tmsh modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { one.example.com two.example.com } } }
And the system inserts the following instruction in the /etc/dhclient.conf file:
supersede domain-search "one.example.com", "two.example.com" ;
Fixed Versions:
17.0.0, 16.1.4, 15.1.10
994973-1 : TMM crash with do_drivers_probe()
Links to More Info: BT994973
Component: Local Traffic Manager
Symptoms:
During the TMM shutdown time, TMM crashes. And the TMM core is created by SIGABRT using the xnet drivers. SIGABRT source is located within the do_drivers_probe()function.
Conditions:
Occurs while,
-- using the xnet drivers
-- rebooting TMM
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM does not crash.
Fixed Versions:
16.1.5
994305-3 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5
Links to More Info: BT994305
Component: TMOS
Symptoms:
Features supported in newer versions of open-vm-tools are not available.
Conditions:
This issue may be seen when running in VMware environments.
Impact:
Features that require a later version of open-vm-tools are not available.
Workaround:
None.
Fix:
The version of open-vm-tools has been updated to 11.1.5.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1
994033-3 : The daemon httpd_sam does not recover automatically when terminated
Links to More Info: BT994033
Component: TMOS
Symptoms:
APM policy redirecting users to incorrect domain, the httpd_sam daemon not running.
Conditions:
Daemon httpd_sam stopped with the terminate command.
Impact:
APM policy performing incorrect redirects.
Workaround:
Restart the daemons httpd_apm and httpd_sam.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
993913-4 : TMM SIGSEGV core in Message Routing Framework
Links to More Info: BT993913
Component: Service Provider
Symptoms:
TMM crashes on SIGSEGV.
Conditions:
This can occur while passing traffic through the message routing framework.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4
993613-7 : Device fails to request full sync
Links to More Info: BT993613
Component: Application Security Manager
Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs
Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.
Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- Large number of asm_config_server processes increases host memory usage
Workaround:
Halting asm_config_server on the stuck device restores the working state and request a new sync.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
993517-1 : Loading an upgraded config can result in a file object error in some cases
Links to More Info: BT993517
Component: Local Traffic Manager
Symptoms:
After an upgrade from a version prior to 13.1.0, when loading a configuration that has had an HTTPS monitor in it, if that configuration has not yet been saved, you may see errors like this in the LTM log:
-- 0107134a:3: File object by name (DEFAULT) is missing.
If you run 'tmsh load sys config verify' on this configuration, the system also posts the error on the screen.
Conditions:
-- Upgrading from a version prior to 13.1.0.
-- At least one HTTPS monitor that has the kEDH cipher in its cipherlist.
-- Upgrading to version 13.1.1.4 or later.
-- Loading the configuration (either automatically on startup, or manually).
Impact:
Other than the error message, there is no impact.
Workaround:
After the initial reboot, save the configuration.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
993489-1 : GTM daemon leaks memory when reading GTM link objects
Links to More Info: BT993489
Component: Global Traffic Manager (DNS)
Symptoms:
The gtmd process memory consumption is higher than expected.
Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.
Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5
993481-1 : Jumbo frame issue with DPDK eNIC
Links to More Info: BT993481
Component: TMOS
Symptoms:
TMM crashes
Conditions:
-- TMM is using DPDK driver with Cisco eNIC
-- TMM receives jumbo sized packet
Impact:
Traffic disrupted while TMM restarts.
Workaround:
- Use a different driver such as sock.
- Do not use or accept jumbo frames, use the following TMSH command to set the MTU to less than or equal to 1500:
tmsh modify net vlan external mtu 1500
Fix:
Skipped initialization of structures.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
993457-1 : TMM core with ACCESS::policy evaluate iRule
Links to More Info: BT993457
Component: Access Policy Manager
Symptoms:
TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release.
Conditions:
-- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered.
-- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes.
Impact:
This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM no longer crashes and generates a core file during the ACCESS::policy evaluate iRule under these conditions.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
993269-3 : DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option
Links to More Info: BT993269
Component: Advanced Firewall Manager
Symptoms:
Using DoS timestamp cookies together with a FastL4 profile with the timestamp rewrite option enabled might lead to traffic failures.
DoS timestamp cookies might also lead to problems with traffic generated by the Linux host.
Conditions:
-- DoS timestamp cookies are enabled, and either of the following:
-- FastL4 profile with the timestamp rewrite option enabled.
-- Traffic originating from Linux host.
Impact:
Traffic is dropped due to incorrect timestamps.
Workaround:
Disable timestamp cookies on the affected VLAN.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
992865-3 : Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances
Links to More Info: BT992865
Component: TMOS
Symptoms:
On particular platforms, virtual servers do not correctly enter hardware SYN cookie mode. Software SYN cookie mode still functions correctly.
Conditions:
-- Virtual server under SYN flood attack.
-- One of the following platforms
+ BIG-IP i11000 series (C123)
+ BIG-IP i15000 series (D116)
Impact:
Software SYN cookies are enabled, this has a performance impact compared to the hardware mode.
Workaround:
None
Fix:
Virtual servers correctly enter hardware SYN cookie mode on all platforms.
Fixed Versions:
17.1.0, 16.1.2.2, 15.1.4
992813-7 : The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations.
Links to More Info: BT992813
Component: TMOS
Symptoms:
The mcpd daemon performs validation of the request-options and supersede-options a BIG-IP administrator specifies via the tmos.sys.management-dhcp endpoint in tmsh.
As the list of dhcp-options known to mcpd is outdated, it is possible you may be returned an error when attempting to configure valid request-options or supersede-options.
For example, you may be returned the following error when attempting to supersede the domain-search option:
01071627:3: Management Dhcp resource supersede-option - Invalid dhcp option: domain-search
Conditions:
You attempt to configure a dhcp-option unknown to mcpd as part of the request-options or supersede-options properties.
Note: A common dhcp-option of which mcpd has no knowledge is domain-search. You are unlikely to experience this issue unless you are requesting or superseding this particular dhcp-option.
Impact:
You are unable to instantiate the desired management-dhcp configuration.
Workaround:
None
Fix:
The list of dhcp-options known to mcpd has been updated.
Fixed Versions:
17.0.0, 16.1.4, 15.1.10
992213-3 : Protocol Any displayed as HOPTOPT in AFM policy view
Links to More Info: BT992213
Component: Advanced Firewall Manager
Symptoms:
The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI.
Conditions:
-- Create a rule and set protocol as 'any'.
-- Navigate to active rules.
Impact:
GUI shows an incorrect value.
Workaround:
None
Fix:
GUI Shows correct value for rule protocol option.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.2
992121-4 : REST "/mgmt/tm/services" endpoint is not accessible
Links to More Info: BT992121
Component: TMOS
Symptoms:
Accessing "/mgmt/tm/services" failed with a null exception and returned 400 response.
Conditions:
When accessing /mgmt/tm/services through REST API
Impact:
Unable to get services through REST API, BIG-IQ needs that call for monitoring.
Workaround:
None
Fix:
/mgmt/tm/services through REST API is accessible and return the services successfully.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
991457-1 : The mpidump should show sequence number and higher precision date/time
Links to More Info: BT991457
Component: Local Traffic Manager
Symptoms:
The mpidump command does not some data that would be useful in a troubleshooting situation.
Conditions:
Running mpidump to gather data.
Impact:
Comparing tcpdumps with mpidumps is almost impossible due to the lack of timestamp precision in the mpidump tool's verbose text output. When doing analysis, it makes it extremely difficult, if not impossible without this precision
Workaround:
None
Fix:
None
Fixed Versions:
16.1.5
990461-5 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade★
Links to More Info: BT990461
Component: Advanced Firewall Manager
Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.
Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.
Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.
Workaround:
Manually update the SYN cookie threshold values after an upgrade.
Fixed Versions:
17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4
989701-8 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response
989529-1 : AFM IPS engine takes action on unspecified services
Links to More Info: BT989529
Component: Protocol Inspection
Symptoms:
Specific ports configured in the IPS profile are not taken into account during the matching action exercised by the IPS subsystem. As a result, all ports are matched.
Conditions:
Service ports specified under Security :: Protocol Security : Inspection Profiles :: service type (e.g., HTTP).
Impact:
Increased resource usage and excessive logging.
Workaround:
None.
Fixed Versions:
16.1.5
989517-3 : Acceleration section of virtual server page not available in DHD
Links to More Info: BT989517
Component: TMOS
Symptoms:
Cannot use Advanced Menu to create a virtual server for HTTP/2 on systems with DHD licenses. This occurs because the Acceleration section is not available.
You can via TMSH then it works, but at as soon as you use the GUI to modify the virtual server, it loses the HTTP/2 configuration.
Conditions:
The Acceleration section is not visible in case 'DoS' is provisioned (available with the DHD license).
Impact:
1) You are unable to use the GUI to modify any parameters of the Acceleration table in the virtual server page.
2) Loss of configuration items if making changes via the GUI.
Workaround:
A virtual server with parameters present in the Acceleration table can still be created using TMSH. However, do not edit that virtual server in the GUI, or the Acceleration parameters will be lost.
Fix:
The Acceleration table is now visible, and there is no loss of configuration items if making changes via the GUI.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
989501-2 : A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus
Links to More Info: BT989501
Component: TMOS
Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might fall or drop off of PCI bus, resulting in the BIG-IP system not being able to process traffic. If this happens, a daemon_heartbeat failsafe gets triggered instead of dataplane_inoperable_t action.
Conditions:
The conditions that lead to HSB to fall off of PCI bus are unknown at this time.
Impact:
The BIG-IP system unable to pass traffic and a failover is triggered.
Workaround:
Reboot the device or the blade to recover from the situation and monitor for re-occurrence. If it happens again, it could indicate potential underlying hardware issue.
Fix:
The dataplane_inoperable_t High Availability (HA) event should be triggered by overdog process (which monitors high availability (HA) table for failover action types of restart, restart-all, or reboot) and allow for system to be rebooted to recover.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
988165-3 : VMware CPU reservation is now enforced.
Links to More Info: BT988165
Component: TMOS
Symptoms:
CPU reservation is not enabled which can result in insufficient CPU resource for virtual edition guest.
Conditions:
BIG-IP Virtual Edition running in VMware.
Impact:
Performance may be lower than expected particularly if ESXi is over subscribed and traffic volume is high.
Workaround:
Manually enforce the 2GHz per core rule when provisioning VMware instances to ensure that your VMware hosts are not oversubscribed.
Fix:
The VMware CPU reservation of 2GHz per core is now automatically enabled in the OVF file. The CPU reservation can be up to 100 percent of the defined virtual machine hardware. For example, if the hypervisor has 2.0 GHz cores, and the VE is set to 4 cores, you will see 4 x 2.0 GHz reserved for 8GHz (or 8000 MHz).
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
987977-3 : VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation
Links to More Info: BT987977
Component: Application Security Manager
Symptoms:
Remote logging message, violation_details field, includes XML document for VIOL_HTTP_RESPONSE_STATUS even though it is configured not to do so (Learn/Alarm/Block are all disabled) with VIOL_HTTP_RESPONSE_STATUS violation.
Conditions:
When all the following conditions are met
-- Response status code is not one of 'Allowed Response Status Codes'.
-- Learn/Alarm/Block flags are disabled with 'Illegal HTTP status in response'.
-- Logging profile is configured for remote storage.
-- Storage format is comma-separated.
-- Both violation_details and violations fields are set.
Impact:
Remote logging server receives inaccurate message.
Workaround:
None
Fix:
No longer includes 'violation_details' field in remote logging message in the scenario, but includes it only when it is appropriate.
Fixed Versions:
17.1.1, 16.1.5
987885-6 : Half-open unclean SSL termination might not close the connection properly
Links to More Info: BT987885
Component: Local Traffic Manager
Symptoms:
Upon receiving TCP FIN from the client in the middle of the SSL Application Data, the BIG-IP system does not close the connection on either client- or server-side (i.e., it does not 'forward' the FIN on the server-side as it normally does) causing the connection to go stale until the timeout is reached.
Conditions:
-- TCP and SSL profiles configured on a virtual server.
-- Client terminates the connection in the middle of an SSL record.
Impact:
Connection termination does not happen. Connection remains in the connection table until idle timeout is reached.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
987341-1 : BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers.
Links to More Info: BT987341
Component: Access Policy Manager
Symptoms:
BIG-IP discovers and updates JSON Web Keys (JWK) in OpenID Connect (OIDC) deployments using a Java Runtime Environment (JRE). The JRE in BIG-IP does not support strong TLS ciphers, so the discovery/update process can fail against OIDC providers that enforce strong encryption requirements.
Conditions:
Using an OpenID Connect provider that allows only strong TLS ciphers. and using an APM configuration that validates incoming JWTs against a dynamic JWK list in Internal Validation Mode.
Impact:
This might cause discovery to fail against certain OpenID Connect auth providers that enforce strong cipher requirements. It could lead to JWT validation failure as the JWK expire and cannot be updated by BIG-IP.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
987301-3 : Software install on vCMP guest via block-device may fail with error 'reason unknown'
Links to More Info: BT987301
Component: TMOS
Symptoms:
When installing an engineering hotfix (EHF) on a vCMP guest via block-device, sometimes it fails with 'reason unknown'.
-- /var/log/liveinstall may contain an error similar to:
I/O error : Input/output error
/tmp/lind_util.voCQOs/BIGIP1610/install/fsinfo.xml:1: parser error : Document is empty
-- /var/log/kern.log may contain an error similar to:
Aug 14 14:15:54 bigip1 info kernel: attempt to access beyond end of device
Aug 14 14:15:54 bigip1 info kernel: sr0: rw=0, want=3560560, limit=312712
Conditions:
This might occur after multiple attempts to install an EHF on a vCMP guest via block-device:
tmsh install sys software block-device-hotfix Hotfix-BIGIP-14.1.2.6.0.77.2-ENG.iso volume HD1.3
Impact:
Sometimes the EHF installation fails on the guest.
Workaround:
-- Retry the software installation.
-- If the software installation continues to fail, copy the ISO images into the vCMP guest, and use those to perform the installation.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
987077-3 : TLS1.3 with client authentication handshake failure
Links to More Info: BT987077
Component: Local Traffic Manager
Symptoms:
SSL handshakes fail, and TLS clients send 'Bad Record MAC' errors.
Conditions:
-- LTM authentication profile using OCSP and TLS1.3.
-- Client application data arrives during LTM client authentication iRule.
Impact:
-- A handshake failure occurs.
-- Client certificate authentication may pass without checking its validity via OCSP.
Workaround:
Use TLS1.2 or use TLS1.3 without the LTM authentication profile.
Fix:
Handshake completes if using TLS1.3 with client authentication and LTM auth profile.
Fixed Versions:
17.0.0, 16.1.3, 15.1.5.1, 14.1.4.6
986937-3 : Cannot create child policy when the signature staging setting is not equal in template and parent policy
Links to More Info: BT986937
Component: Application Security Manager
Symptoms:
When trying to create a child policy, you get an error:
FAILURE: "Could not update the Policy policy1. Inherited values may not be changed."
Conditions:
-- Parent policy created with signature staging disabled.
-- Creating a new child policy with that policy as a parent.
Impact:
You are unable to create the child policy and the system presents an error.
Workaround:
Create the policy without assigning it to the parent, and then assign it to the parent policy on the Inheritance Settings page.
Fix:
The error no longer occurs on child policy creation.
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4
985953-6 : GRE Transparent Ethernet Bridging inner MAC overwrite
Links to More Info: BT985953
Component: TMOS
Symptoms:
Traffic not being collected by virtual server and therefore not being forwarded to the nodes.
Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.
Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.
Workaround:
None
Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.
To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:
tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config
This allows virtual servers on the BIG-IP system to process traffic.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
985925-3 : Ipv6 Routing Header processing not compatible as per Segments Left value.
Links to More Info: BT985925
Component: Local Traffic Manager
Symptoms:
Packet should forward the packet with the route header unmodified when Segments Left is 0 (zero). It performs as expected when Segments Left is non-zero by dropping the packet and sending an ICMP error.
Conditions:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.
Impact:
With Next Header field in IP header being Routing Header for IPv6, BIG-IP system fails to forward the ICMPv6 Echo Request packet to server, rather, it drops the packet.
Workaround:
None
Fix:
Now the ICMP packet is forwarded with both IPv6 extension headers present.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
985329-2 : Saving UCS takes longer when iControl LX extension is installed
Links to More Info: BT985329
Component: Device Management
Symptoms:
The tmsh command 'save sys ucs' takes longer when iControl LX extensions is installed.
You may also see errors logged in /var/log/restjavad.0.log:
[WARNING][211][date and time UTC][8100/shared/iapp/build-package BuildRpmTaskCollectionWorker] Failed to execute the build command 'rpmbuild -bb --define '_tmppath /shared/tmp' --define 'main /var/config/rest/iapps/f5-service-discovery' --define '_topdir /var/config/rest/node/tmp' '/var/config/rest/node/tmp/ac891731-acb1-4832-b9f0-325e73ed1fd1.spec'', Threw:com.f5.rest.common.CommandExecuteException: Command execution process killed
at com.f5.rest.common.ShellExecutor.finishExecution(ShellExecutor.java:281)
at com.f5.rest.common.ShellExecutor.access$000(ShellExecutor.java:33)
at com.f5.rest.common.ShellExecutor$1.onProcessFailed(ShellExecutor.java:320)
at org.apache.commons.exec.DefaultExecutor$1.run(DefaultExecutor.java:203)
at java.lang.Thread.run(Thread.java:748)
Errors logged in /var/log/ltm:
err iAppsLX_save_pre: Failed to get task response within timeout for: /shared/iapp/build-package/a1724a94-fb6b-4b3e-af46-bc982567df8f
err iAppsLX_save_pre: Failed to get getRPM build response within timeout for f5-service-discovery
Conditions:
iControl LX extensions (e.g., AS3, Telemetry) are installed on the BIG-IP system.
Impact:
Saving the UCS file takes a longer time (e.g., ~1-to-2 minutes) than it does if iControl LX extensions are not installed (e.g., ~40 seconds).
Workaround:
None
Fixed Versions:
16.1.5
984965-4 : While intentionally exiting, sshplugin may invoke functions out of sequence and crash
Links to More Info: BT984965
Component: Advanced Firewall Manager
Symptoms:
The sshplugin process used by the AFM module may continually restart and deposit a large number of core-dump files, displaying a SIGSEGV Segmentation fault.
In the file /var/log/sshplugin.start, errors may be logged including these lines:
shmget name:/var/run/tmm.mp.sshplugin18, key:0xeb172db6, size:7, total:789184 : Invalid argument
tm_register failed: Bad file descriptor
Conditions:
-- AFM provisioned and in use.
-- Heavy system load makes problem more likely.
Impact:
-- Extra processing load from relaunching sshplugin processes.
-- The large number of core files might fill up /var/core.
Workaround:
First, attempt a clean process restart:
# bigstart restart sshplugin
If that is not effective, rebooting the entire system may clear the condition.
Fixed Versions:
16.1.5
984749-1 : Discrepancy between DNS cache statistics "Client Summary" and "Client Cache."
Links to More Info: BT984749
Component: Global Traffic Manager (DNS)
Symptoms:
"show ltm dns cache", shows difference between "Client Summary" and "Client Cache".
Conditions:
Create a resolver type DNS cache, attach to a DNS profile, and attach to a virtual server. Send queries to virtual server. Compare/review result of "show ltm dns cache."
Impact:
Client Cache Hit/Miss Statistics ratio affected.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
984657 : Sysdb variable not working from tmsh
Links to More Info: BT984657
Component: Traffic Classification Engine
Symptoms:
When cloud_only system db variable is enabled, urlcat_query returns categorization from webroot from tmsh
Conditions:
The following sys db variable is enabled: cloud_only
You attempt to run the following command:
tmsh list sys db urlcat_query
Impact:
Sysdb variables does not work from tmsh
Fix:
After the fix able to verify sysdb variables from tmsh
Fixed Versions:
16.1.5, 16.0.1.2, 15.1.4.1
984593-1 : BD crash
Links to More Info: BT984593
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
984585-3 : IP Reputation option not shown in GUI.
Links to More Info: BT984585
Component: TMOS
Symptoms:
Cannot configure IP Reputation option from the GUI.
Conditions:
Configuring the LTM policy type 'IP Reputation' using the GUI, when the 'IP Intelligence' module is licensed in time-limited modules.
Impact:
The IP Reputation option is not shown in GUI configuration list. Cannot create LTM policies with IP Reputation.
Workaround:
Use tmsh to configure IP Reputation.
Fix:
The IP Reputation option is now shown in the GUI.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
983073-3 : Certain traffic to ixlv & iavf can cause memory leak.
Links to More Info: K000138833
982785-2 : Guided Configuration hardening
Links to More Info: K52322100
982757-3 : APM Access Guided Configuration hardening
Links to More Info: K53197140
981917-4 : CVE-2020-8286 - cUrl Vulnerability
Links to More Info: K15402727
981069-3 : Reset cause: "Internal error ( requested abort (payload release error))"
Links to More Info: BT981069
Component: Application Security Manager
Symptoms:
An unexpected RST occurs on inbound traffic. The RST cause shows "Internal error ( requested abort (payload release error))"
Conditions:
When all the following conditions are met:
- The system was upgraded to a version where ID910253 is fixed
- TS cookie coming from a previous version
- data guard in non blocking (masking)
- response that is not zipped and has a textual content type
Impact:
Traffic is affected.
Workaround:
Any of the following actions can resolve the issue:
1. Turn off data guard or change it to blocking.
2. Make the server reply with zipped responses (perhaps by adding the accept-encoding: gzip using an iRule).
3. Add an additional response related feature.
4. Use the following iRule in case there aren't cookie related enforcement:
when HTTP_REQUEST {
set cookies [HTTP::cookie names]
foreach aCookie $cookies {
if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
HTTP::cookie remove $aCookie
}
}
}
Fix:
Fixed an issue that was triggering resets on traffic.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4
980617-1 : SNAT iRule is not working with HTTP/2 and HTTP Router profiles
Links to More Info: BT980617
Component: Local Traffic Manager
Symptoms:
On HTTP/2 full-proxy virtual servers, the snatpool command in an iRule is accepted but the source address server-side is not changed.
Conditions:
1.) Basic HTTP profile and HTTP/2 profile is configured on BIG-IP systems
2.) iRule with snatpool <pool_name>, snat <IP> is configured
Impact:
Unable to use snatpool (and possibly snat) in iRule to control the server-side source address.
Workaround:
Configure SNAT under the virtual server configuration, rather than in an iRule.
Fixed Versions:
17.0.0, 16.1.1, 15.1.10
979877-9 : CVE-2020-1971 OpenSSL: EDIPARTYNAME NULL pointer de-reference vulnerability description and available information
979213-1 : Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.
Links to More Info: BT979213
Component: Local Traffic Manager
Symptoms:
Upon reviewing the performance graphs in the GUI, you may notice significant spikes in the Throughput(bits) and Throughput(packets) graphs.
The spikes may report unrealistically high levels of traffic.
Note: Detailed throughput graphs are not affected by this issue.
Conditions:
This issue occurs when the following conditions are met:
-- The BIG-IP device is a physical system.
-- TMM was restarted on the system.
-- At some point, at least one interface was up on the system and recorded some traffic.
Impact:
This issue is purely cosmetic but might cause concern when reviewing the performance graphs.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
977761 : Connections are dropped if a certificate is revoked.
Links to More Info: BT977761
Component: Local Traffic Manager
Symptoms:
SSL handshake failures occur with the backend server revoked certificate in case of reverse proxy.
Conditions:
1. BIG-IP LTM configured as SSL reverse proxy.
2. revoked-cert-status-response-control set to ignore in the server ssl profile.
3. server certificate authentication set to "require" in the server ssl profile.
Impact:
Ssl handshake failures due to revoked server certificate
Workaround:
1. Set the server certificate authentication to ignore in the server ssl profile.
Fix:
Added checks to validate the certificate as well as the flags set (ignore/drop) for the revoked certificate.
Fixed Versions:
17.1.0, 16.1.2.2
977153-3 : Packet with routing header IPv6 as next header in IP layer fails to be forwarded
Links to More Info: BT977153
Component: Advanced Firewall Manager
Symptoms:
BIG-IP systems fail to follow RFC 5095, which specifies the traffic should be forwarded.
Conditions:
This symptom is found when the following conditions are met:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.
Impact:
This failure in forwarding ICMP error message prevents the BIG-IP AFM product from completing certification.
Workaround:
None.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
976669-5 : FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade
Links to More Info: BT976669
Component: TMOS
Symptoms:
After rebooting or replacing a secondary blade, the FIPS integrity check fails for other secondary blades and they fail to fully boot.
Conditions:
This can occur after rebooting or replacing a secondary blade.
Impact:
When the FIPS integrity checks fail the blades won't fully boot.
Workaround:
On the secondary blade reboot, the following critical files are deleted from other secondary blades which leads to FIPS integrity check failure:
/root/.ssh/authorized_keys
/root/.ssh/known_hosts
To mitigate, copy the missing files from the primary blade to the secondary blade.
From the primary blade, issue the following command towards the secondary blade(s).
rsync -avz -e ssh /root/.ssh/* root@<Secondary Blade>:/root/.ssh/
Fix:
Critical files are not deleted during secondary blade reboot.
Fixed Versions:
17.0.0, 16.1.2.2, 16.1.0, 15.1.5.1, 14.1.4.6
976525-5 : Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled
Links to More Info: BT976525
Component: Local Traffic Manager
Symptoms:
In BIG-IP v13.1.3.2 and later, there is new functionality to SNAT the traffic coming from the host system. When there are multiple routes to a destination address and transparent monitors are in use, tmm occasionally picks the wrong source IP for these connections.
Conditions:
-- The db variable snat.hosttraffic is enabled.
-- Gateway pool with multiple members.
-- Transparent monitors.
Impact:
The system chooses the wrong source IP address for the egress interface. That incorrect source IP address might cause traffic to return on the wrong VLAN.
Workaround:
Use either of the following workarounds:
-- Disable VLAN keyed connections: modify sys db connection.vlankeyed value disable
-- Upgrade to a version with a fix for ID 826905 (https://cdn.f5.com/product/bugtracker/ID826905.html) and disable snat.hosttraffic.
Fix:
Transparent monitors now have the correct source IP addresses when gateway pools are in use and snat.hosttraffic is enabled.
Fixed Versions:
17.0.0, 16.1.4, 15.1.6.1, 14.1.5
976337-2 : i40evf Requested 4 queues, but PF only gave us 16.
Links to More Info: BT976337
Component: TMOS
Symptoms:
During BIG-IP system boot, a message is logged:
i40evf 0000:05:00.0: Requested 4 queues, but PF only gave us 16.
Conditions:
-- BIG-IP Virtual Edition configured for SR-IOV
-- E810 virtual functions (VFs)
Impact:
A message is logged but it is benign and can be ignored.
Fixed Versions:
16.1.2.2, 15.1.5.1
974985-6 : Dosl7/bot does not ignore non-http traffic even when disabled via iRule DOSL7::disable
Links to More Info: BT974985
Component: Application Security Manager
Symptoms:
Non http traffic isn't forwarded to the backend server
Conditions:
- ASM provisioned
- DoS Application or Bot Defense profile assigned to a virtual server
- DOSL7::disable applied at when CLIENT_ACCEPTED {}
Impact:
Broken webapps with non-http traffic
Workaround:
Instead of using DOSL7::disable, redirect non-http traffic to non-http aware virtual server using the iRule command virtual <virtual_server_name>
Fix:
Fix DOSL7::disable command handler in the tmm code
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
974241-3 : Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades
Links to More Info: BT974241
Component: TMOS
Symptoms:
Mcpd exists with error similar to:
01070734:3: Configuration error: Configuration from primary failed validation: 010713cf:3: Configuration group '/Common/test1_end_deny_ag' has invalid source '/Common/standard'
Conditions:
1. VIPRION or vCMP guest with multiple blades in a cluster
2. Create a access policy with modern customization enabled
Impact:
Mcpd restarts leading to failover.
Workaround:
Use standard customization and not modern customization.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4
974205-5 : Unconstrained wr_urldbd size causing box to OOM
Links to More Info: BT974205
Component: Traffic Classification Engine
Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.
Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.
Impact:
The device eventually runs out of memory (OOM condition).
Workaround:
Restart the wr_urldbd process:
restart sys service wr_urldbd
Fix:
Constrained the cache with Least Recently Used-based caching to prevent this issue from occurring.
Added two sys DB variables:
-- wr_urldbd.cloud_cache.log.level
Value Range:
sys db wr_urldbd.cloud_cache.log.level {
value "debug"
default-value "none"
value-range "debug none"
}
-- wr_urldbd.cloud_cache.limit
Value Range:
sys db wr_urldbd.cloud_cache.limit {
value "5500000"
default-value "5500000"
value-range "integer min:5000000 max:10000000"
}
Note: Both these variables are introduced for debugging purpose.
Fixed Versions:
17.1.0, 16.1.4, 15.1.4, 14.1.4.4, 12.1.6
970329-1 : ASM hardening
Links to More Info: K70134152, BT970329
Component: Application Security Manager
Symptoms:
Under certain conditions, ASM does not follow current best practices.
Conditions:
- ASM provisioned
Impact:
Attack detection is not triggered as expected
Workaround:
N/A
Fix:
Attack detection is now triggered as expected
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
969345-1 : Temporary TMSH files not always removed after session termination
Links to More Info: BT969345
Component: TMOS
Symptoms:
Temporary TMSH-related subdirectories and files located in /var/system/tmp/tmsh may not be properly cleaned up after a TMSH session is terminated. These files can accumulate and eventually cause disk-space issues.
Conditions:
A TMSH session is terminated abruptly rather than ended gracefully.
Impact:
The /var filesystem may fill up, causing any of a variety of problems as file-I/O operations fail for various software subsystems.
Workaround:
The BIG-IP software includes a shell script (/usr/local/bin/clean_tmsh_tmp_dirs) which can be run by the system administrator to clean up excess temporary files in the directories /var/tmp/tmsh and /var/system/tmp/tmsh.
Fixed Versions:
16.1.5
969317-4 : "Restrict to Single Client IP" option is ignored for vmware VDI
Links to More Info: BT969317
Component: Access Policy Manager
Symptoms:
The Restrict to Single Client IP option in the Access Policy is not being honored for VMware VDI.
Conditions:
- Configure APM Webtop with vmware VDI.
- Set "Restrict to Single Client IP" option in Access Profile.
- Try to launch vmware desktop on one client. Copy the launch URI
- Try to launch vmware desktop from other client using the copied URI.
Impact:
A connection from the second client is allowed, but it should not be allowed.
Fix:
Restrict to Single Client IP is honored for VMware VDI for both PCOIP and Blast protocols.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5
969297 : Virtual IP configured on a system with SelfIP on vwire becomes unresponsive
Links to More Info: BT969297
Component: SSL Orchestrator
Symptoms:
Virtual IP ARP does not get resolved when a SelfIP is configured on a virtual-wire.
Conditions:
Issue happens when a SelfIP address is configured and a Virtual IP address is configured for a Virtual Server.
Impact:
The virtual server is unreachable.
Workaround:
None
Fix:
ARP forwarding to peer is decided based on whether Virtual IP and self-IP is configured or not.
Fixed Versions:
16.1.2.2
968929-2 : TMM may crash when resetting a connection on an APM virtual server
Links to More Info: BT968929
Component: Local Traffic Manager
Symptoms:
TMM crashes.
Conditions:
- HTTP profile without fallback host.
- iRules.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Configure fallback host to an HTTP profile that redirects the request to a specified location.
Fixed Versions:
17.0.0, 16.1.2.2
968657-1 : Added support for IMDSv2 on AWS
Links to More Info: BT968657
Component: TMOS
Symptoms:
AWS added a token-based Instance MetaData Service API (IMDSv2). Prior versions of BIG-IP Virtual Edition supported only a request/response method (IMDSv1). When the AWS API is starting with IMDSv2, you will receive the following error message:
get_dossier call on the command line fails with:
01170003:3: halGetDossier returned error (1): Dossier generation failed.
This latest version of BIG-IP Virtual Edition now supports instances started with IMDSv2.
Conditions:
AWS instances started with IMDSv2.
Impact:
BIG-IP Virtual Edition cannot license or re-license AWS instances started with IMDSv2 and other metadata-based functionality will not function.
Fix:
With the latest version of BIG-IP VE, you can now initialize "IMDSv2 only" instances in AWS and migrate your existing instances to "IMDSv2 only" using aws-cli commands. For details, consult documentation: https://clouddocs.f5.com/cloud/public/v1/shared/aws-ha-IAM.html#check-the-metadata-service-for-iam-role
IMDSv2 documentation from AWS: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1
968581-4 : TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description
Links to More Info: BT968581
Component: Local Traffic Manager
Symptoms:
The TMSH command "show /ltm profile ramcache" has a max-response option to output a number of records designated in this parameter. Due to calculation algorithm, the command may output less records than RAMCACHE stores or more records than the limit prescribes.
Conditions:
-- A virtual server is configured on BIG-IP.
-- A webacceleration profile with no web application is attached to the virtual server.
-- Traffic is sent over the virtual server with a number of unique cacheable documents that exceed a designated limit.
Impact:
Output of the command may not match to actual list of stored documents in RAMCACHE.
Fix:
Command "show /ltm /profile ramcache" respects a limit defined as "max-response" parameter.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
967905-5 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash
Links to More Info: BT967905
Component: TMOS
Symptoms:
Tmm crashes.
Conditions:
-- static bwc
-- virtual to virtual chain
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use the static bwc on a virtual chain.
Fix:
Fixed a tmm crash.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1
967101-1 : When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out.
Links to More Info: BT967101
Component: Local Traffic Manager
Symptoms:
Gratuitous ARP (GARP) messages are dropped at the time of sending GARP because the number of links up in the trunk is 0 (which returns "error 18" ... ERR_NOT_FOUND)
Conditions:
-- Two BIG-IP systems with switchless configuration, such as i2xxx and i4xxx.
-- Bring down and up the interfaces at the same time in the trunk.
Impact:
Neighboring device arp table is not updated about the BIG-IP interface status, because no gratuitous ARP message is sent out.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
966949-6 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node
Links to More Info: BT966949
Component: TMOS
Symptoms:
If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created.
If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected.
Conditions:
This may occur under the following conditions:
-- An FQDN template node is configured with "autopopulate enabled"
-- The configured DNS server resolves the FQDN name to multiple IP addresses
-- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230
This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node.
Impact:
Unused FQDN ephemeral nodes may remain in the active configuration.
-- Since is it not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, it is not possible for any FQDN ephemeral pool members to remain when the steps that lead to this issue occur.
-- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes.
Workaround:
It is possible to work around this issue by one of the following methods:
-- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI)
(Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.)
-- Restarting BIG-IP (for example, using the command "bigstart restart")
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
966461-7 : Tmm memory leak
Links to More Info: BT966461
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm leaks memory for DNSSEC requests.
Conditions:
NetHSM is configured but disconnected.
or
Internal FIPS card is configured and tmm receives more DNSSEC requests than the FIPS card is capable of handling.
Impact:
Tmm memory utilization increases over time.
Workaround:
None
Fix:
A new DB variable dnssec.fipswaitingqueuecap is introduced to configure the capacity of the FIPS card.
You can throttle the incoming DNSSEC requests based on the count of outstanding DNSSEC requests in netHSM/Internal FIPS queue.
tmsh modify sys db dnssec.fipswaitingqueuecap value <value>
this value sets the capacity per tmm process.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
965897-4 : Disruption of mcpd with a segmentation fault during config sync
Links to More Info: BT965897
Component: Local Traffic Manager
Symptoms:
The mcpd process on the peer device fails with a segfault, restarts and then segfaults again in a loop
Numerous messages may be logged in the "daemon" logfile of the following type:
emerg logger[2020]: Re-starting mcpd
Conditions:
-- High availability (HA) configuration
-- A port-and-address list configuration is changed to be only an address list
-- A config sync occurs
Impact:
Continuous restarts of mcpd process on the peer device.
Workaround:
One possible measure for getting the peer-machine "mcpd" out of its failure mode is to command the still-functioning system to push a "full" config sync to the appropriate device group. Doing this twice consecutively may be necessary.
# tmsh run /cm config-sync force-full-load-push to-group APPROPRIATE-DEVICE-GROUP
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
965837-4 : When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection
Links to More Info: BT965837
Component: Access Policy Manager
Symptoms:
When BIG-IP is configured with a PingAccess profile and an SSL profile is associated with both the BIG-IP virtual server and a ping access configuration, an active connection to the virtual server may lead to a TMM crash.
Conditions:
-- SSL is configured on both the BIG-IP virtual server that contains the ping access profile and ping access configuration.
-- Active connection to the BIG-IP virtual server
-- Config sync is triggered or "tmsh load sys config" is triggered
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No workaround.
Fix:
Fixed a TMM crash related to ping access.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
965785-4 : Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine
Links to More Info: BT965785
Component: Application Security Manager
Symptoms:
DCC.HSL_DATA_PROFILES table on standby machine stay empty after sync process. Error for DB insert failure into table DCC.HSL_DATA_PROFILES thrown in asm_config_server.log.
Conditions:
There is no specific condition, the problem occurs rarely.
Impact:
Sync process requires an additional ASM restart
Workaround:
Restart ASM after sync process finished
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
965229-5 : ASM Load hangs after upgrade★
Links to More Info: BT965229
Component: Application Security Manager
Symptoms:
ASM upgrade hangs, and you see the following in
var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------
In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
info tsconfig.pl[24675]: ASM initial configration script launched
info tsconfig.pl[24675]: ASM initial configration script finished
info asm_start[25365]: ASM config loaded
err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------
Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade
Impact:
ASM post upgrade config load hangs and there are no logs or errors
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
964625-5 : Improper processing of firewall-rule metadata
Links to More Info: BT964625
Component: Advanced Firewall Manager
Symptoms:
The 'mcpd' process may suffer a failure and be restarted.
Conditions:
Adding very large firewall-policy rules, whether manually, or from config-sync, or from BIG-IQ.
Impact:
-- MCPD crashes, which disrupts both control-plane and data-plane processing while services restart.
-- Inability to configure firewall policy.
Workaround:
Reduce the number of firewall policy rules.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
964533-2 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.
Links to More Info: BT964533
Component: TMOS
Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.
Conditions:
If a session is deleted before all the session db callback events are handled, this error can occur while passing normal traffic.
Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.
There is no impact other than additional log entries.
Workaround:
None.
Fix:
Log level has been changed so this issue no longer occurs.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
964125-6 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.
Links to More Info: BT964125
Component: TMOS
Symptoms:
Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes.
There is more then one avenue where node statistics would be queried.
The BIG-IP Dashboard for LTM from the GUI is one example.
Conditions:
Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics.
Impact:
Mcpd restarted which will cause services to failover. Traffic and configuration disrupted while mcpd restarts.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
963541-1 : Net-snmp5.8 crash
Links to More Info: BT963541
Component: TMOS
Symptoms:
Snmpd crashes.
Conditions:
This does not always occur, but it may occur after a subagent (bgpd) is disconnected.
Impact:
Snmpd crashes.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
962589-4 : Full Sync Requests Caused By Failed Relayed Call to delete_suggestion
Links to More Info: BT962589
Component: Application Security Manager
Symptoms:
When using parent policies with learning enabled in an auto-sync device group, in some use cases deleting an ignored suggestion on a parent policy will cause a full sync to occur.
This can cause unexpected delays in configuration being synchronized between peers, and in the event of repeated instances in quick succession could fill the /var partition
Conditions:
1) Device Group with ASM and auto-sync enabled
2) Parent Policies with learning are in use.
3) Ignored Suggestions are deleted on the parent policy after they have 0 suggesting children left.
Impact:
ASM configuration requests a full sync which can cause unexpected slowness in config synchronization and may fill the /var partition if done multiple times in quick succession.
A full /var partition can lead to bd cores.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4
962177-6 : Results of POLICY::names and POLICY::rules commands may be incorrect
Links to More Info: BT962177
Component: Local Traffic Manager
Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules returns incorrect results.
Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.
Impact:
Traffic processing may not provide expected results.
Fix:
POLICY::names and POLICY::rules provide atomic results per transaction going over a same connection.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4, 13.1.4.1
961509-5 : ASM blocks WebSocket frames with signature matched but Transparent policy
Links to More Info: BT961509
Component: Application Security Manager
Symptoms:
WebSocket frames receive a close frame
Conditions:
-- ASM provisioned
-- ASM policy attached to a virtual server
-- WebSocket profile attached to a virtual server
-- ASM policy transparent mode enabled
Impact:
WebSocket frame blocked in transparent mode
Workaround:
Change signatures blocking settings to Learn = Yes, Alarm = Yes, Block = No
Fix:
WebSocket frame blocking condition now takes into account global transparent mode setting.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
960677-1 : Improvement in handling accelerated TLS traffic
Links to More Info: BT960677
Component: Local Traffic Manager
Symptoms:
Rare aborted TLS connections.
Conditions:
None
Impact:
Certain rare traffic patterns may cause TMM to abort some accelerated TLS connections.
Workaround:
None
Fix:
The aborted connections will no longer be aborted and will complete normally.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
959985-3 : Update VMware hardware version templates for BIG-IP Virtual Edition (VE) from v10 to v13 in order to support VMs deployed in more versions of vSphere ESXi.
Links to More Info: BT959985
Component: TMOS
Symptoms:
Virtual hardware version setting for BIG-IP VE VMware templates (virtualHW.version) are set to version 10 and must change to version 13, so more versions of vSphere ESXi (for example, ESXi v6.0 and later) can support deploying BIG-IP Virtual Edition.
Conditions:
Using BIG-IP Virtual Edition VMware hardware templates set to v10 running in most, later versions of VMware ESXi.
Impact:
BIG-IP Virtual Edition VMware hardware templates result in performance issues and deployment errors/failures.
Workaround:
None
Fix:
Changed the BIG-IP Virtual Edition VMware hardware template version setting (virtualHW.version) to 13 and deployed them successfully using later versions of VMware ESXi.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
959609-4 : Autodiscd daemon keeps crashing
Links to More Info: BT959609
Component: Advanced Firewall Manager
Symptoms:
Autodiscd daemon keeps crashing.
Conditions:
Issue is happening when high speed logging and auto discovery configuration are configured and send the traffic.
Impact:
Auto discovery feature is not working as expected
Workaround:
None.
Fix:
Auto discovery feature now works as expected.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
957905-1 : SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP.
Links to More Info: BT957905
Component: Service Provider
Symptoms:
SIP Requests that don't contain a content_length header are accepted and forwarded by the BIG-IP to the server.
SIP Responses that don't contain a content_length header are accepted and forwarded to the client.
The sipmsg parser does not treats the content_length header as a required header as part of the SIP Request / Response.
Conditions:
SIP request / response without content_length header.
Impact:
RFC 6731 non compliance.
Workaround:
N/A
Fix:
BIG-IP now aborts the connection of any TCP SIP request / response that does not contain a content_length header.
content_length header is treated as optional for UDP and SCTP.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
957637-1 : The pfmand daemon can crash when it starts.
Links to More Info: BT957637
Component: TMOS
Symptoms:
The pfmand process crashes and writes out a core file during bootup (or if the process is manually restarted by an Administrator for any reason) on certain platforms.
The crash may happen more than once, until the process finally settles and is able to start correctly.
Conditions:
-- Platforms i4000/i2000/i4800/i2800/i4600/i2600/i850.
Impact:
Network connection lost while pfmand restarts.
Workaround:
None
Fix:
The issue causing the pfmand daemon to occasionally crash has been resolved.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
957453-1 : Javascript parser incompatible with ECMAScript 6/7+ javascript versions
Links to More Info: BT957453
Component: Access Policy Manager
Symptoms:
A web application failed to function on the client side.
Conditions:
-- APM proxying a web application.
-- Web application uses ES6/7 or higher javascript.
Impact:
The web application failed to function.
Workaround:
None
Fix:
The fix is implemented in two steps:
STEP 1:
Initial implementation with bug ID 592353, added support for Javascript ECMA6/7+. Optional internal wrapping is added into client-side includes.
With this fix, a custom iRule workaround can be applied to fix a limited set of possible cases.
STEP 2:
With bug ID 957453, the implementation of the light rewriter on the server side is also completed.
No iRule workaround is required to support ES6/7+ javascript versions after the implementation of bug ID 957453.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
956645-4 : Per-request policy execution may timeout.
Links to More Info: BT956645
Component: Access Policy Manager
Symptoms:
When attempting to access a resource that requires subsession validation, the client may receive an HTTP 503 "Service Unavailable" response, and the logs indicate that per-request policy execution time has expired.
Conditions:
Multiple connections are accessing the same subsession, triggering subsession lock contention.
Impact:
Some clients will fail to connect to their destination.
Workaround:
Add criteria to the gating criteria to enable more fine-grained subroutines to reduce subsession contention. For example, add category, or application name, to the gating criteria. In the case of API protection, consider concatenating credentials with the resource hostname (plus port).
Increase the per-request policy execution timeout value, controlled by the variable tmm.access.prp_global_timeout, to a higher value.
Fix:
Subesssion lock contention wait time is reduced. Clients will not fail to connect due to subsession lock contention.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9, 14.1.4.5
956373-4 : ASM sync files not cleaned up immediately after processing
Links to More Info: BT956373
Component: Application Security Manager
Symptoms:
Some ASM sync files remain on disk after config sync finishes. They remain until periodic clean-up tasks activate
Conditions:
-- ASM provisioned
-- BIG-IP devices are in a sync group
-- Relatively small "/var" partition
Impact:
If the files are large it may lead to "lack of disk space" problem.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.3, 14.1.4.1
956133-2 : MAC address might be displayed as 'none' after upgrading.★
Links to More Info: BT956133
Component: Local Traffic Manager
Symptoms:
The MAC Address of a BIG-IP Virtual Edition network interface is displayed as 'none' after upgrading.
Conditions:
1. The VLAN MTU is set to less than 1280 bytes on a BIG-IP network interface.
2. Upgrade BIG-IP to 14.1.0 or above from BIG-IP versions below 14.1.0.
Impact:
Traffic disrupted when the MAC address is set to 'none'.
Workaround:
N/A
Fix:
IPv6 link-local addresses are now created with MTU greater than 1280, so this issue is resolved.
Fixed Versions:
17.0.0, 16.1.4, 15.1.4, 14.1.4.4
956013-4 : System reports{{validation_errors}}
Links to More Info: BT956013
Component: Policy Enforcement Manager
Symptoms:
A {{validation_errors}} at Subscriber Management :: Control Plane Listeners and Data Plane Listeners with ipv6 addresses
Conditions:
Specifying an IPv6 address in the expression in Subscriber Management :: Control Plane Listeners and Policy Enforcement :: Data Plane Listeners.
Impact:
Cannot access the BIG-IP GUI through IPv6 address from any web browser. Admin/User cannot enter input through GUI.
Workaround:
None.
Fixed Versions:
16.1.2.1, 15.1.5, 14.1.4.5
955953-5 : iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg'
Links to More Info: BT955953
Component: TMOS
Symptoms:
'table' command fails to resume causing processing of traffic to halt due to 'irule_scope_msg' causing iRule processing to proceed in a way that 'table' does not expect.
Conditions:
- iRule using 'table' command
- Diameter 'irule_scope_msg' enabled
Impact:
Traffic processing halts (no crash)
Fixed Versions:
17.0.0, 16.1.5, 15.1.10
955617-8 : Cannot modify properties of a monitor that is already in use by a pool
Links to More Info: BT955617
Component: Local Traffic Manager
Symptoms:
If the monitor is associated with a node or pool, then modifying monitor properties other than the destination address is displaying incorrect error. For example, modifying the receive string results in following error:
0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor
This error should only be generated if the destination address of an associated monitor is being modified, but this error message is generated when other parameters are modified.
Conditions:
-- Monitor with alias address field as default properties.
-- Pool containing a node or pool member.
-- Monitor is attached to the pool.
Impact:
Monitor properties cannot be modified if they are in use by a pool.
Workaround:
Remove the monitor, modify it, and then add it again.
Fix:
Monitor properties can be modified even when the monitor is attached to the node or pool, updated values reflect in the node or pool.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
954001-7 : REST File Upload hardening
Component: Device Management
Symptoms:
REST file upload does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
Only upload trusted files to the BIG-IP.
Fix:
REST file uploads now follow best security practices.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
953601-4 : HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions
Links to More Info: BT953601
Component: Local Traffic Manager
Symptoms:
HTTPS monitor marks pool member/nodes as down and they remain down until bigd is restarted or the monitor instance is removed and created again.
Conditions:
BIG-IP is configured with restrictive ciphers that are only compatible with TLS 1.2 (ECDH+AESGCM) but all of the TLS protocol versions are allowed. When HTTPS monitor TLS 1.0 handshake fails, due to incompatible ciphers with the server being monitored. It does not try TLS 1.2 version and marks pool members or nodes as down.
Impact:
HTTPS monitor shows pool members or nodes down when they are up.
Workaround:
Restart bigd or remove and add monitors.
Fix:
In case of handshake failure, BIG-IP will try TLS 1.2 version.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
952521-1 : Memory allocation error while creating an address list with a large range of IPv6 addresses★
Links to More Info: BT952521
Component: Advanced Firewall Manager
Symptoms:
When trying to create a large IPv6 address-list IP range either via the GUI, tmsh, or from loading a previously saved config, MCPd will temporarily experience memory exhaustion and report an error "01070711:3: Caught runtime exception, std::bad_alloc"
Conditions:
When adding an IPv6 address range that contains a very large number of IPs. This does not affect IPv4.
Impact:
The IP address range cannot be entered. If upgrading from a non-affected version of TMOS where an IP range of this type has been saved to the config, a std::bad_alloc error will be printed when loading the config after upgrading.
Workaround:
Use CIDR notation or multiple, smaller IP ranges.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
951133-4 : Live Update does not work properly after upgrade★
Links to More Info: BT951133
Component: Application Security Manager
Symptoms:
After upgrading BIG-IP version the Live Update "Check for Update" button does not respond.
Conditions:
Upgrading from a version that did not have Live Update to a new version which includes Live Update
Impact:
Live Update can't query for new updates.
Workaround:
Restart tomcat process:
> bigstart restart tomcat
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4
950917-4 : Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034
Links to More Info: BT950917
Component: Application Security Manager
Symptoms:
Following Signature Update (-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:
01310027:2: subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )
Conditions:
Signature Update -SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.
Impact:
Apply policy fails.
Workaround:
You can use any of the following workarounds:
-- Install an older signature update -SignatureFile_20200917_175034
-- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.
-- Run the following SQL command to correct all affected policies on the device:
----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs INNER JOIN (select previous_enforced_rule_md5, policy_id, count(*) as mycount from PL_POLICY_NEGSIG_SIGNATURES where previous_enforced_rule_md5 != '' group by previous_enforced_rule_md5, policy_id having mycount > 1) as multi_sigs on policy_sigs.policy_id = multi_sigs.policy_id and policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5 SET policy_sigs.previous_enforced_rule_md5 = '', policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------
Fixed Versions:
17.0.0, 16.1.4, 15.1.4, 14.1.4.2, 13.1.4.1
950201-3 : Tmm core on GCP
Links to More Info: BT950201
Component: TMOS
Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.
TMM panic with this message in a tmm log file:
panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.
Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141
-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.
Note: Using either workaround has a performance impact.
Fix:
- Added error handling to prevent crashing when a bad packet gets received
- Added a new column 'invalid_header' into tmm/virtio_rx_stats table to track incidents
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
950153-3 : LDAP remote authentication fails when empty attribute is returned
Links to More Info: BT950153
Component: TMOS
Symptoms:
LDAP/AD Remote authentication fails and the authenticating service may crash.
The failure might be intermittent.
Conditions:
LDAP/AD server SearchResEntry includes attribute with empty or NULL value.
This can be seen in tcpdump of the LDAP communication in following ways
1. No Value for attribute . Example in tcpdump taken on affected user :
vals: 1 item
AttributeValue:
2. 1. NULL Value for attribute . Example in tcpdump taken on affected user :
vals: 1 item
AttributeValue: 00
Impact:
Logging in via the GUI will fail silently
Logging in via ssh will cause the sshd service on LTM to crash and logs will be seen under /var/log/kern.log
The logs will be similar to :
info kernel: : [460810.000004] sshd[31600]: segfault at 0 ip 00002b3abcb2ef3e sp 00007fffef3431a0 error 4 in pam_ldap.so[2b3abcb2c000+7000]
info kernel: : [460810.002036] traps: sshd[31598] general protection ip:fffffffffffffff3 sp:80000 error:0
Workaround:
There is no Workaround on the LTM side.
For LDAP, you change/add the value from none/NULL on the affected attribute to ANY dummy value which will prevent the issue
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
950149 : Add configuration to ccmode for compliance with the Common Criteria STIP PPM.
Links to More Info: BT950149
Component: TMOS
Symptoms:
To comply with configuration requirements for the Common Criteria STIP PPM, the ccmode script must be updated.
Conditions:
Required compliance with Common Criteria STIP PPM configuration.
Impact:
Without these updates, the BIG-IP will not be compliant with the Common Criteria STIP requirements.
Workaround:
Follow the instructions in the Common Criteria Guidance document.
Fix:
This fix added configuration elements for compliance to Common Criteria STIP PPM requirements.
Fixed Versions:
17.0.0, 16.1.3
950069-1 : Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record"
Links to More Info: BT950069
Component: Global Traffic Manager (DNS)
Symptoms:
When attempting to use zonerunner to edit a TXT record that contains a plus character, BIG-IP DNS presents the error message 'Resolver returned no such record'.
Conditions:
A TXT record exists with RDATA (the value of the TXT record) containing one or more + symbols
Impact:
Unable to edit the record.
Workaround:
Two workarounds available:
1. Use zonerunner to delete the record and then recreate it with the desired RDATA value
2. Manually edit the bind zone file (see K7032)
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1
949857-7 : Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync
948985-3 : Workaround to address Nitrox 3 compression engine hang
Links to More Info: BT948985
Component: Local Traffic Manager
Symptoms:
Occasionally the Nitrox3 compression engine hangs.
In /var/log/ltm:
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.
Conditions:
The BIG-IP system uses Nitrox 3 hardware compression chips: 5xxx, 7xxx, 12250, and B2250.
You can check if your platform has nitrox3 by running the following command:
tmctl -w 200 compress -s provider
provider
--------
bzip2
lzo
nitrox3 <--------
zlib
Impact:
The Nitrox3 hardware compression system becomes unavailable, and the compression mode switches to software compression. This can lead to high CPU usage.
Workaround:
Disable HTTP compression or use software compression.
Fix:
Added db key compression.nitrox3.dispatchsize to control the request size.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1
948725-7 : An undisclosed iControl REST endpoint may provide a list of usernames to unauthorized users
948241-4 : Count Stateful anomalies based only on Device ID
Links to More Info: BT948241
Component: Application Security Manager
Symptoms:
Currently when Device ID is enabled, the BIG-IP system counts stateful anomalies on both IP and Device ID. When a client has a proxy (without XFF), and many requests arrive with the same IP, this can cause false positives
Conditions:
- Bot Defense profile is attached to a virtual server.
- Bot Defense profile has "Browser Verification" set to "Verify After Access" or "Device ID Mode" set to "Generate After Access".
Impact:
False positives may occur in case of a proxy without XFF
Workaround:
None
Fix:
Stateful anomalies are no longer counted on IP when Device ID is enabled
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
948113-1 : User-defined report scheduling fails
Links to More Info: BT948113
Component: Application Visibility and Reporting
Symptoms:
A scheduled report fails to be sent.
An error message with the following format may appear on /var/log/avr/monpd.log file (some parts of the error message were replaced with '.....' in here to leave only the common parts):
DB|ERROR|....... Error (err-code 1054) executing SQL string :
.....
.....
.....
Because : Unknown column ....... in 'order clause'
Conditions:
1. Using predefined-report in scheduled-report.
2. Predefined-report has more than one measure.
3. Sort-by value is different from the first measure on predefined-report
Impact:
Internal error for AVR report for ASM pre-defined.
Workaround:
First, remount /usr to read-write:
mount -o remount,rw /usr
Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line:
push(@measures,@{$base_request->{measures}}[0]);
to this:
push(@measures,@{$base_request->{sort_by}}[0]->{measure});
The above can be achieved with the following script-line (please first backup the Client.pm file and then verify it changed it correctly):
sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm
Lastly, remount /usr back to read-only:
mount -o remount,ro /usr
Fix:
Using 'sort-by' measure when building PDF (instead of the first value on measure-list)
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
948065-1 : DNS Responses egress with an incorrect source IP address.
Links to More Info: BT948065
Component: Local Traffic Manager
Symptoms:
DNS responses over a certain size egress the BIG-IP with an incorrect source IP address set.
Conditions:
Large responses of ~2460 bytes from local BIND
Impact:
The response to the client appears to be coming from the wrong source IP address, and the request fails.
Workaround:
Change 'max-udp-size' in BIND to a smaller value reduces the size of response, which stops the fragmentation.
Note: This workaround has limitations, as some records in 'Additional Section' are truncated.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
947905-4 : Upgrade from 13.1.4, 14.1.4, or 15.1.1 to 14.0.x, 15.0.x, 16.0.0 or 16.0.0.1 fails★
Links to More Info: BT947905
Component: TMOS
Symptoms:
Loading configuration process fails after an upgrade from 13.1.4, 14.1.4, or 15.1.1 to release 14.0.0, 15.0.0, 16.0.0 or 16.0.0.1.
The system posts errors similar to the following:
-- info tmsh[xxxx]: cli schema (15.1.1) has been loaded from schema data files.
-- crit tmsh[xxxx]: 01420001:2: Can't load keyword definition (user-account.session_limit) : framework/SchemaCmd.cpp, line 825.
-- crit tmsh[xxxx]: 01420001:2: Can't load keyword definition (system-settings.ssh_max_session_limit) : framework/SchemaCmd.cpp, line 825
-- emerg load_config_files[xxxx]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Loading schema version: 15.1.1.
-- err mcpd[xxxx]: 01070422:3: Base configuration load failed.
-- Unexpected Error: "Can't load keyword definition (user-account.session_limit)".
-- Unexpected Error: "Can't load keyword definition (system-settings.ssh_max_session_limit)"
-- Syntax Error:(/config/bigip_user.conf at line: 10) "session-limit" unknown property
Conditions:
Upgrade from one of the following release:
-- v13.1.4 or later within the v13.1.x branch
-- v14.1.4 or later within the v14.1.x branch
-- v15.1.1 or later within the v15.1.x branch
to one of the following releases:
-- v14.0 through v14.1.3.1
-- v15.0 through v15.1.0.5
-- v16.0.0 and v16.0.0.1
Impact:
After upgrade, config does not load. The system hangs at the base configuration load failure status.
Workaround:
Although there is no workaround, you can avoid this issue by upgrading to the most recent maintenance or point release in v14.1.x, v15.1.x, or v16.x.
You can find a list of most current software releases in K5903: BIG-IP software support policy :: https://support.f5.com/csp/article/K5903
Fixed Versions:
16.1.3, 16.0.1
947341-4 : MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files.
Links to More Info: BT947341
Component: Application Security Manager
Symptoms:
1) var/lib/mysql/mysqld.err is filled with log entries that contain:
------------
200824 11:04:43 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
200824 11:18:46 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
200824 11:35:58 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
------------
2) There are a lot of PRX.REQUEST_LOG partitions, in some cases up to 1024, many of which are empty.
Conditions:
ASM/AVR provisioned
Impact:
MySQL runs out of resources when opening the file
PRX.REQUEST_LOG and an error message states the file is corrupt.
Workaround:
1. If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
https://support.f5.com/csp/article/K14956
https://support.f5.com/csp/article/K42497314
2. To identify the empty partitions, look into:
mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G"
3. For every partition that is empty, manually (or via shell script) execute this sql:
mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "ALTER TABLE PRX.REQUEST_LOG DROP PARTITION <empty_partition_name>;"
Note: <empty_partition_name> must be substituted with the partition name, for example p100001.
4. Increase 'open_files_limit' to '10000'.
--------------------------------
In the /etc/my.cnf file:
1. Change the value of the 'open_files_limit' parameter to 10000.
2. Restart MySQL:
bigstart restart mysql
--------------------------------
5. pkill asmlogd
Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.
Fix:
This release increases the default 'open_files_limit' to '10000'.
Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.3, 14.1.4.1
947333-2 : Irrelevant content profile diffs in Policy Diff
Links to More Info: BT947333
Component: Application Security Manager
Symptoms:
Defense attributes' grayed out values are shown in the policy diff even if "any" is selected
Conditions:
-- Import a policy
-- Perform a policy diff
Impact:
Policy diff showing irrelevant diffs
Workaround:
None
Fix:
Removed grayed out diffs from policy diff content profile section
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1
946185-3 : Unable to view iApp component due to error 'An error has occurred while trying to process your request.'★
Links to More Info: BT946185
Component: TMOS
Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:
An error has occurred while trying to process your request.
Conditions:
-- With or without Partitions configured.
-- Navigate to GUI iApps :: Application Services : Applications, to view a custom iApp.
-- More likely to occur after upgrade.
Impact:
Unable to view/modify iApps via GUI iApps :: Application Services : Applications screen.
Workaround:
To reconfigure the iApp, do the following:
1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List
2. Click the Application Link :: Reconfigure.
Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.
Fix:
Viewing Application Service components now reports no errors in the GUI under these conditions.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
945853-4 : Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession
Links to More Info: BT945853
Component: Advanced Firewall Manager
Symptoms:
TMM crashes during a configuration change.
Conditions:
This occurs under the following conditions:
-- Create/modify/delete multiple virtual servers in quick succession.
-- Perform back-to-back config loads / UCS loads containing a large number of virtual server configurations.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer crashes during a configuration change.
Fixed Versions:
16.1.3, 15.1.3
945357 : BIG-IP must be able to set CA=True when creating Certificate Signing Requests from TMSH.
Links to More Info: BT945357
Component: Local Traffic Manager
Symptoms:
A Certificate Signing Request (CSR) is generated on the BIG-IP device to be used to create a certificate. It is possible for the entity owning the just-created certificate to serve as a Certificate Authority (CA) and be able to issue certificates and private keys to other parties. However, that ability does not exist unless the certificate has the CA field set to True (by default it is set to False).
Conditions:
In the TMSH prompt on the Command Line Interface (CLI), an attempt is made to generate a Certificate Signing Request (CSR) to be used to eventually create a certificate and corresponding private key.
Impact:
Without this change, certificates and private keys generated on the BIG-IP device cannot be directly provided to certification authorities so they can be used to sign certificates they would issue to other parties.
Workaround:
This is a new facility, not provided before, and overcomes a limitation. Without this facility, existing users of the BIG-IP are not impacted at all. As such, there is no workaround applicable.
Fix:
This fix enables certificates and private keys generated on the BIG-IP device via CSR's to be directly provided to certification authorities for their use. Because the CA field is set to now True, this fix adds convenience for certification authorities.
Fixed Versions:
17.0.0, 16.1.3
944381-2 : Dynamic CRL checking for client certificate is not working when TLS1.3 is used.
Links to More Info: BT944381
Component: Local Traffic Manager
Symptoms:
In SSL reverse proxy, dynamic CRL checking for client certificate is not working when TLS 1.3 handshake is used.
The SSL handshake successfully completed even though the client certificate is revoked.
Conditions:
-- Dynamic CRL checking enabled on a client-ssl profile
-- The client-side SSL handshake uses TLS1.3.
Impact:
The handshake should fail but complete successfully
Fix:
The issue was due to Dynamic CRL revocation check has not been integrated to TLS 1.3.
After the Dynamic CRL checking is integrated to TLS 1.3, the TLS handshake will work as expected.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1
944121-4 : Missing SNI information when using non-default domain https monitor running in TMM mode.
Links to More Info: BT944121
Component: In-tmm monitors
Symptoms:
In-TMM https monitors do not send the SNI (Server Name Indication) information for non-default route domain pool members.
In-TMM monitors do not send any packet when TLS1.3 monitor is used.
Conditions:
-- SNI is configured in serverssl profile
-- serverssl profile is assigned to in-tmm https monitors
-- https monitors are monitoring pool members that are in a non-default route domain.
- Another Condition :
TLS1.3 Monitor is used
Impact:
The TLS connection might fail in case of SNI
No SYN packet is sent in case of TLS1.3 monitor
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
943669-4 : B4450 blade reboot
Links to More Info: BT943669
Component: TMOS
Symptoms:
In a rare scenario, a B4450 blade suddenly reboots.
Conditions:
This occurs when there is heavy traffic load on VIPRION B4450 blades. The root cause is unknown. It happens extremely rarely.
Impact:
Traffic disrupted while the blade reboots.
Workaround:
None.
Fix:
The system now monitors the pause frames and reboots when needed.
Fixed Versions:
16.1.2.2, 15.1.2
943577-1 : Full sync failure for traffic-matching-criteria with port list under certain conditions
Links to More Info: BT943577
Component: TMOS
Symptoms:
Performing a full configuration sync with traffic-matching-criteria (TMC) under specific conditions fails with errors similar to:
err mcpd[6489]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[6489]: 01071488:3: Remote transaction for device group /Common/Failover to commit id 245 6869100131892804717 /Common/tmc-sync-2-bigip1.test 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..
Conditions:
This may occur on a full-load config sync (not an incremental sync)
On the device receiving the ConfigSync:
- a traffic-matching-criteria is attached to a virtual server
- the traffic-matching-criteria is using a port-list
On the device sourcing the ConfigSync:
- the same traffic-matching-criteria is attached to the same virtual server
- the original port-list is modified (e.g. a description is changed)
- the TMC is changed to reference a _different_ port-list
Impact:
Unable to sync configurations.
Workaround:
Copy the "net port-list" and "ltm traffic-matching-criteria" objects from the source to target system, merge them with "tmsh load sys config merge", and then perform a force-full-load-push sync from source to target.
If the BIG-IP systems are using device groups with auto-sync enabled, disable auto-sync temporarily while performing this workaround.
1. On the source system (the system whose configuration you want to sync to peer), save the configuration and extract the ltm traffic-matching-criteria and port-lists:
tmsh save sys config
(shopt -s nullglob; echo "#"; echo "# $HOSTNAME"; echo "# generated $(date +"%F %T %z")"
cat /config{/partitions/*,}/bigip{_base,}.conf |
awk '
BEGIN { p=0 }
/^(ltm traffic-matching-criteria|net port-list) / { p=1 }
/^}/ { if (p) { p=0; print } }
{ if (p) print; }
' ) > /var/tmp/portlists-and-tmcs.txt
2. Copy /var/tmp/portlists-and-tmcs.txt to the target system
3. On the target system, load that file:
tmsh load sys config replace file /var/tmp/portlists-and-tmcs.txt
3a. If loading the config file on the target system fails with the same error message seen during a ConfigSync, follow the procedure in
K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
tmsh save sys config
clsh touch /service/mcpd/forceload
clsh reboot
4. On the source system, force a full-load sync to the device-group:
tmsh run cm config-sync force-full-load-push to-group <name of sync-group>
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
943257-3 : REST framework support for IPv6 ConfigSync addresses
Links to More Info: BT943257
Component: Device Management
Symptoms:
In an HA sync environment, the REST framework reads the ConfigSync IP address retrieved through the tm/cm/device iCRD API. For an IPv6 address, the REST framework discards the related device certificate, which leads to the REST/gossip/sync failure.
Conditions:
Add support for IPv6 ConfigSync IP addresses in the REST framework in an HA sync environment.
Impact:
For an IPv6 address, the REST framework discards the related device certificate, which leads to the REST/gossip/sync failure.
Workaround:
None
Fix:
Valid device trust certificates are created with their name set to uniquely generated IPv4 address from the given IPv6 address. This helps in establishing the trust between the hosts thereby eliminating the REST/Gossip-sync failures.
Fixed Versions:
17.1.1, 16.1.5
943109-4 : Mcpd crash when bulk deleting Bot Defense profiles
Links to More Info: BT943109
Component: TMOS
Symptoms:
When bulk deleting a large number of Bot Defense profiles (around 450 profiles) using TMSH, mcpd could crash.
Conditions:
This can be encountered during bulk delete of Bot Defenese profiles via tmsh.
Impact:
Crash of mcpd causing failover.
Workaround:
Delete the Bot Defense profiles in smaller batches to avoid the possible crash.
Fix:
There is no longer a crash of mcpd when deleting a large number of Bot Defense in a bulk using TMSH.
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5
942617-2 : Heading or tailing white spaces of variable are not trimmed in configuration utility System Variable
Links to More Info: BT942617
Component: Application Security Manager
Symptoms:
Bot Defense does not accept the system variables with heading or tailing white space.
Conditions:
Create a system variable with heading or tailing white space in,
Security ›› Options : Application Security : Advanced Configuration : System Variables
Impact:
The HttpOnly cookie attribute is configured, but does not appear in TSCookie.
Workaround:
Create the system variables even with whitspaces through CLI, it omits the blank space from system variable name.
Fix:
Trim() to delete the whitspaces.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
942217-6 : Virtual server rejects connections even though the virtual status is 'available'
Links to More Info: BT942217
Component: TMOS
Symptoms:
With certain configurations, a virtual server keeps rejecting connections with reset cause 'VIP down' after 'trigger' events occur.
Conditions:
Required Configuration:
-- On the virtual server, the service-down-immediate-action is set to 'reset' or 'drop' and 'connection-limit' to be any (not 0).
-- The pool member has rate-limit enabled.
Required Conditions:
-- Monitor flap, or adding/removing monitor or set the connection limit to be zero or configuration change made with service-down-immediate-action.
-- At that time, one of the above events occur, the pool member's rate-limit is active.
Impact:
Virtual server keeps rejecting connections.
Workaround:
Delete one of the conditions.
Note: The affected virtual server may automatically recover upon the subsequent monitor flap, etc., if no rate-limit is activated at that time.
Fixed Versions:
16.1.5
941625-3 : BD sometimes encounters errors related to TS cookie building
Links to More Info: BT941625
Component: Application Security Manager
Symptoms:
BD sometimes print errors related to TS cookie building when receiving ASM cookies with account_id:
-- BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040.
-- IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.
Conditions:
-- Cookie protection is enabled.
-- The BIG-IP software is upgraded from a version that was earlier than 15.1.x.
Impact:
The cookie is not built and an error is logged.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4
940261-1 : Support IPS package downloads via HTTP proxy.
Links to More Info: BT940261
Component: Protocol Inspection
Symptoms:
IPS package download via HTTP proxy does not work.
2021-08-31 16:59:59,793 WARNING Download file failed. Retrying.
--
The error repeats continuously.
Conditions:
-- The global db key 'sys management-proxy-config' is configured
-- An IPS download is triggered
Impact:
The IPS IM package fails to download.
Workaround:
No workaround.
Fix:
IPS package downloads can now be successfully performed through an HTTP proxy.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
940225-4 : Not able to add more than 6 NICs on VE running in Azure
Links to More Info: BT940225
Component: TMOS
Symptoms:
Azure BIG-IP Virtual Edition (VE) with more than 6 NICs fails to boot.
Conditions:
-- Standard_DS4_v2 Azure instance type.
-- Mellanox ConnectX-3 ethernet controller.
-- A greater-than-2-NIC template is used, for example https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/standalone/n-nic/existing-stack/byol with "numberOfAdditionalNics" set.
-- Accelerated networking is enabled on two or more NICs.
Impact:
Not able to boot BIG-IP VM with 8 NICs, which should be supported for Standard_DS4_v2 instance type:
8 vCPU
28 GiB
8 Max NICs
Adding more NICs to the instance makes the device fail to boot.
Workaround:
None
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
939877-3 : OAuth refresh token not found
Links to More Info: BT939877
Component: Access Policy Manager
Symptoms:
When an OAuth client sends a refresh token to renew the access token, BIG-IP reports an error:
err tmm[13354]: 01990004:3: /Common/my_OAuth_v1:Common: Request Refresh Token from Source ID ... failed. Error Code (id_not_found) Error Description (The refresh token is not found)
Conditions:
-- The refresh token expiration interval is longer than authcode and accesstoken.
-- The Authorization code table entry does not exist because of an internal clearing/purging operation.
-- tmm restarts or failover to standby thus losing refresh-token value from primarydb
Impact:
OAuth APM client end user fails to renew the access token even with a valid refresh token.
Workaround:
Clear/reset the Authorization code column value manually:
As a root user run below BIG-IP shell
(tmos)# list apm oauth db-instance
apm oauth db-instance oauthdb { db-name <db_name> description "Default OAuth DB." }
Copy the value corresponding to <db_name>.
Log into mysql from the bash prompt:
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw)
mysql> use <db_name>;
mysql> update master set auth_code = NULL where refresh_token='affected_refresh_token_id';
(Substitute the affected refresh token ID with affected_refresh_token_id in the previous command.)
Fix:
Do not report error if the Authorization code does not exist when a valid refresh-token/access-token exists.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4, 14.1.4.4
939757-8 : Deleting a virtual server might not trigger route injection update.
Links to More Info: BT939757
Component: TMOS
Symptoms:
When multiple virtual servers share the same virtual address, deleting a single virtual server might not trigger a route injection update.
Conditions:
-- Multiple virtual servers sharing the same destination address
-- One of the virtual servers is deleted
Impact:
The route remains in the routing table.
Workaround:
Disable and re-enable the virtual address after deleting a virtual server.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
939097-5 : Error messages related to long request allocation appear in the bd.log incase of big chunked requests
Links to More Info: BT939097
Component: Application Security Manager
Symptoms:
bd.log shows error messages
Conditions:
Big chunked requests are sent
Impact:
Unexpected error messages seen in the bd.log
Workaround:
None
Fix:
The error messages related to long request allocation are no longer appearing.
Fixed Versions:
17.1.1, 16.1.5
937649-4 : Flow fwd broken with statemirror.verify enabled and source-port preserve strict
Links to More Info: BT937649
Component: Local Traffic Manager
Symptoms:
Flow forwarding does not work with statemirror.verify enabled and source-port is preserve strict. Depending on the number of tmms and the IP addresses/ports on the network, this causes return traffic to get dropped.
Traffic captures show packets leaving the BIG-IP system on one tmm and being returned on another. The return traffic that encounters the second tmm is dropped.
Conditions:
-- Mirroring is enabled.
-- High availability (HA) peer is connected.
-- The source-port setting is preserve-strict.
-- The statemirror.verify option is enabled.
-- There is more than one tmm.
Impact:
Server-side return traffic to the BIG-IP is dropped. This causes connection timeouts and resets.
Workaround:
-- Disable statemirror.verify, disable source-port preserve-strict, disable mirroring.
-- On BIG-IP Virtual Edition (VE), add the following to tmm_init.tcl on both units and restart tmm:
ndal ignore_hw_dag yes
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
936501-1 : Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled
Links to More Info: BT936501
Component: TMOS
Symptoms:
When attempting to Export/Import a file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf via SCP, you receive an error dialog:
"file not allowed"
Conditions:
-- fips140 or common criteria mode enabled
-- Export/Import file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf
Impact:
Import/Export file using scp tool from/to the BIG-IP file path(s) /var/local/ucs or /var/local/scf not allowed when fips140 or cc mode enabled even if the file is encrypted.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.3.1, 15.1.9
936441-7 : Nitrox5 SDK driver logging messages
Links to More Info: BT936441
Component: Local Traffic Manager
Symptoms:
The system kernel started spontaneously logging messages at an extremely high rate (~3000 per second):
Warning kernel: EMU(3)_INT: 0x0000000000000020
warning kernel: sum_sbe: 0
warning kernel: sum_dbe: 0
warning kernel: sum_wd: 0
warning kernel: sum_gi: 0
warning kernel: sum_ge: 0
warning kernel: sum_uc: 1
The above set of messages seems to be logged at about 2900-3000 times a second.
These messages continue after TMM fails its heartbeat and is killed. The system is rebooted by the host watchdog.
Conditions:
These messages are triggered by Nitrox5 driver when EMU microcode cache errors corrected by hardware.
Impact:
High rate of logging messages. The tmm heartbeat eventually fails, and tmm is restarted. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
936093-5 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline
Links to More Info: BT936093
Component: TMOS
Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.
Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.
Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.
Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:
/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr
This can be accomplished using a command such as:
truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
935945-2 : GTM HTTP/HTTPS monitors cannot be modified via GUI
Links to More Info: BT935945
Component: Global Traffic Manager (DNS)
Symptoms:
GUI reports an error when modifying DNS/GTM HTTP/HTTPS monitors:
01020036:3: The requested monitor parameter (/Common/http-default 2 RECV_STATUS_CODE=) was not found.
Conditions:
RECV_STATUS_CODE has never been set for the DNS/GTM HTTP/HTTPS monitors.
Impact:
Not able to make changes to DNS/GTM HTTP/HTTPS monitors through GUI.
Workaround:
If 'recv-status-code' has never been set, use tmsh instead.
Note: You can set 'recv-status-code' using tmsh, for example:
tmsh modify gtm monitor http http-default recv-status-code 200
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
935249-3 : GTM virtual servers have the wrong status
Links to More Info: BT935249
Component: Global Traffic Manager (DNS)
Symptoms:
GTM virtual servers have the wrong status (up when they should be down, or down when they should be up).
Conditions:
-- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching.
-- The status code (for example, 200) being searched for in the response appears elsewhere than in the first line (for example, in a following header).
Impact:
The system incorrectly matches the status code in a response line which is not the Status-Line. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions.
Workaround:
You can work around this issue by not performing HTTP status matching in your HTTP/HTTPS GTM monitors.
Fix:
The HTTP status code is now correctly searched only in the first line of the response.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5
935193-4 : With APM and AFM provisioned, single logout ( SLO ) fails
Links to More Info: BT935193
Component: Local Traffic Manager
Symptoms:
SAML Single log out (SLO) fails on BIG-IP platforms. The SAML module on the BIG-IP system reports following error messages:
-- SAML SSO: Error (12) Inflating SAML Single Logout Request
-- SAML SSO: Error (12) decoding SLO message
-- SAML SSO: Error (12) extracting SAML SLO message
Conditions:
Failures occur with Redirect SLO.
Impact:
SAML single logout does not work.
Workaround:
Use POST binding SLO requests.
Fixed Versions:
17.0.0, 16.1.4, 15.1.10
935177-3 : IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm
Links to More Info: BT935177
Component: TMOS
Symptoms:
TMM crashes when the maximum transmission unit (MTU) or 'Use PMTU' setting is changed while passing IPsec traffic.
Conditions:
-- IPsec tunnel configured and passing traffic.
-- The MTU or 'Use PMTU' setting for the IPsec tunnel (in interface mode) is changed.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not change MTU or PMTU settings for the tunnel while it is passing traffic.
The settings can be changed while passing traffic, but TMM may crash very soon after the change. If the settings are changed and TMM does not crash soon after, then it will not spontaneously crash at some later point.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
934697-5 : Route domain is not reachable (strict mode)
Links to More Info: BT934697
Component: Local Traffic Manager
Symptoms:
Network flows are reset and following errors are found in /var/log/ltm:
Route domain not reachable (strict mode).
Conditions:
This might occur in either one of the following scenarios:
Scenario 1
==========
-- LTM with iRules configured.
-- The iRule directs traffic to a node that is in a route domain.
or
Scenario 2
==========
-- LTM with an LTM policy configured.
-- The policy directs traffic to a node that is in a route domain.
Other
=====
Tunnel scenario's such as IPSec where client and encrypted traffic are in different route domains.
Impact:
Traffic is not sent to the node that is in a route domain.
The iRule 'node' method and/or LTM policy 'node' specification require a route_domain to be specified in order for the traffic to be sent to a node that is assigned to a route domain.
Workaround:
Specify the node along with Route Domain ID.
-- For iRules, change from this:
when HTTP_REQUEST {
node 10.10.10.10 80
}
To this (assuming route domain 1):
when HTTP_REQUEST {
node 10.10.10.10%1 80
}
-- For LTM policies, change from this:
actions {
0 {
forward
select
node 10.2.35.20
}
}
To this (assuming route domain 1):
actions {
0 {
forward
select
node 10.2.35.20%1
}
}
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5
932485-5 : Incorrect sum(hits_count) value in aggregate tables
Links to More Info: BT932485
Component: Application Visibility and Reporting
Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.
Conditions:
-- Insert a very large amount of data (approximately 4.5 milliard or more) to one of AVR tables.
-- Review the value of the sum(hits_count) column.
Impact:
The system reports incorrect values in AVR tables when dealing with large numbers
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
932137-7 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade
Links to More Info: BT932137
Component: Application Visibility and Reporting
Symptoms:
After upgrade, AFM statistics show non-relevant data.
Conditions:
BIG-IP system upgrade
-- Leftovers files remain in /shared/avr_afm partition from other versions.
Impact:
Non-relevant data are shown in AFM statistics.
Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
932133-1 : Payloads with large number of elements in XML take a lot of time to process
Links to More Info: BT932133
Component: Application Security Manager
Symptoms:
ASM experiences high CPU and latency usage while processing a large XML request.
Conditions:
-- ASM provisioned
-- HTTP request with a large XML payload (several MB) is sent to the backend server which triggers the XML parser.
Impact:
High CPU and latency occurs while bd processes the payload. This may cause a bottleneck for different requests that arrive concurrently with the large XML payload request.
Workaround:
None
Fix:
This fix includes performance improvements for large XML payloads.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
930393-2 : IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration
Links to More Info: BT930393
Component: TMOS
Symptoms:
-- IPsec tunnel does not start.
-- Remote IPsec networks unavailable.
Conditions:
-- Using IKEv1 and one of the following:
+ Performing an upgrade.
+ IPsec tunnel reconfiguration generally involving a change to, or addition of, a traffic-selector.
Impact:
IPsec tunnel is down permanently.
Workaround:
-- Reconfigure or delete and re-create the traffic selectors associated with the IPsec tunnel that does not start.
Special Notes:
-- This occurs rarely and does not happen spontaneously, without intentional changes (reconfiguration or upgrade).
-- A BIG-IP reboot or a restart of tmipsecd does not resolve this condition.
-- This symptom might also occur due to a genuine misconfiguration.
-- After major version upgrades, default ciphers can change, double-check the encryption and authentication ciphers for the tunnel.
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
929913-3 : External DNS logging does not differentiate between: all src_IP, Per-SrcIP and Per-DstIP events
Links to More Info: BT929913
Component: Advanced Firewall Manager
Symptoms:
DNS logs on LTM side do not print the all src_IP, per-srcIP, etc.
Conditions:
-- DNS logging is enabled
-- A DNS flood is detected
Impact:
Some information related to DNS attack event is missing such as src_IP, Per-SrcIP and Per-DstIP events.
Fix:
DNS now logs all src_IP, Per-SrcIP and Per-DstIP events.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
929909-3 : TCP Packets are not dropped in IP Intelligence
Links to More Info: BT929909
Component: Advanced Firewall Manager
Symptoms:
When an IP address is added to IP Intelligence under Denial-Of_service Category at a global level, and a TCP flood with that IP address occurs, IP Intelligence does not drop those packets
Conditions:
TCP traffic on BIG-IP with IP Intelligence enabled and provisioned
Impact:
When adding an IP address to an IP Intelligence category, UDP traffic from that IP address is dropped, but TCP traffic is not dropped.
Fix:
When adding an IP address to an IP Intelligence category, both TCP and UDP traffic from that IP address is dropped.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
929429-8 : Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed
Links to More Info: BT929429
Component: Local Traffic Manager
Symptoms:
Whenever you create Oracle or SQL (mssql, mysql or postgresql) database monitors, and add a member to the monitor, every time the OpenSSL libraries are loaded for a new connection, high CPU usage occurs.
Conditions:
-- Create an Oracle or SQL database LTM monitor.
-- Add a pool member to the Oracle or SQL database monitor created.
-- Platform FIPS is licensed.
Impact:
High CPU Usage due to the loading of libraries whenever new connection is created.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
929213-2 : iAppLX packages not rolled forward after BIG-IP upgrade★
Links to More Info: BT929213
Component: Device Management
Symptoms:
Certain iAppLX packages are not rolled forward after a BIG-IP upgrade or restoring a UCS file generated from an affected system, and will be unavailable for use.
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm
Conditions:
-> Installing any of the below iAppLX packages
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm
-> Performing an upgrade
-> Trying to access the LX packages from GUI by navigating to iApps -> Package Management LX
Impact:
After upgrading or restoring a UCS file generated from an affected system, the cloud-failover, service discovery, and telemetry iAppLX apps are not available for use, and will result in 404 error, while accessing them from GUI
Workaround:
The package needs to be uninstalled and installed again for use.
Steps:
-> From GUI, Navigate to iApps -> Package Management LX
-> select the package to uninstall and click on Uninstall
-> click on Import and provide the path of package to install again
Fix:
A new database key has been added, 'sys db iapplxrpm.timeout', which allows the RPM build timeout value to be increased.
sys db iapplxrpm.timeout {
default-value "60"
scf-config "true"
value "60"
value-range "integer min:30 max:600"
}
For example:
tmsh modify sys db iapplxrpm.timeout value 300
tmsh restart sys service restjavad
Increasing the db key and restarting restjavad should not be traffic impacting.
After increasing the timeout, the RPM build process that runs during a UCS save should be successful, and the resulting UCS should include the iAppsLX packages as expected.
Note: The maximum db key value of 600 may be needed in some cases.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
929077-4 : Bot Defense allow list does not apply when using default Route Domain and XFF header
Links to More Info: BT929077
Component: Application Security Manager
Symptoms:
When configuring an IP address allow list in Bot Defense Profile, using a default Route Domain, and a request with an X-Forwarded-For header the request might not be added to the allow list.
Conditions:
-- Bot Defense Profile is attached to virtual server.
-- Bot Defense Profile has an IP address allow list configured.
-- Using default Route Domain.
-- Sending a request with X-Forwarded-For header.
-- Might require heavy traffic.
Impact:
Request from an IP address that is on the allow list is blocked.
Workaround:
Allow the IP address using an iRule.
Fix:
The system now sets the correct route domain, and IP addresses on the allow list are allowed.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.1, 15.1.3, 14.1.4
928997-3 : Less XML memory allocated during ASM startup
Links to More Info: BT928997
Component: Application Security Manager
Symptoms:
Smaller total_xml_memory is selected during ASM startup.
For example, platforms with 32GiB or more RAM should give ASM 1GiB of XML memory, but it gives 450MiB only. Platform with 16MiB should give ASM 450MiB but it gives 300MiB.
Conditions:
Platforms with 16GiB, 32GiB, or more RAM
Impact:
Less XML memory allocated
Workaround:
Use this ASM internal parameter to increase XML memory size.
additional_xml_memory_in_mb
For more details, refer to the https://support.f5.com/csp/article/K10803 article.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
928653-1 : [tmsh]:list security nat policy rules showing automap though the value set is None
Links to More Info: BT928653
Component: Advanced Firewall Manager
Symptoms:
The tmsh command 'tmsh list security nat policy rules' shows automap even though the value is set to None
Conditions:
1. AFM provisioned
2. NAT rules configured
Impact:
The tmsh commands 'tmsh save sys config; and 'tmsh load sys config' modify the None value to automap on the NAT policy rules.
Workaround:
None
Fixed Versions:
16.1.5
927633-4 : Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic
Links to More Info: BT927633
Component: Local Traffic Manager
Symptoms:
Log messages written to /var/log/ltm:
-- notice tmm2[30394]: 01010259:5: External Datagroup (/Common/dg1) queued for update.
and to /var/log/tmmX:
-- notice panic: ../kern/sys.c:1081: Assertion "entry != NULL" failed.
Conditions:
-- Create datagroups.
-- Some condition causes a datagroup to not be present (e.g., delete, rename operations, or another, internal operation).
-- Load the config.
Impact:
Internal mapping of external datagroup fails. Datagroup creation fails.
Workaround:
None.
Fixed Versions:
16.1.5
926845-7 : Inactive ASM policies are deleted upon upgrade
Links to More Info: BT926845
Component: Application Security Manager
Symptoms:
Upon upgrade, active ASM policies are preserved, and inactive policies are deleted.
Conditions:
-- Configuration contains active and inactive ASM policies.
-- Upgrade the BIG-IP system to any later version.
-- You can check existing ASM policies in tmsh:
tmsh list asm policy
Impact:
Only the active ASM policies are preserved; the inactive policies are deleted.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
926341-5 : RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade★
Links to More Info: BT926341
Component: Application Visibility and Reporting
Symptoms:
Unusually high AVR CPU utilization occurs following an upgrade.
Conditions:
-- BIG-IP software upgrade to v13.0.x or later.
-- Running AVR.
Impact:
AVR CPU utilization can be unusually high for an unusually long period of time.
Workaround:
After upgrade manually edit /etc/avr/avrd.cfg to decrease AVR CPU usage is high by increasing the time period of real-time statistics collection. In order to do so:
1. Change value of RtIntervalSecs in /etc/avr/avrd.cfg file to 30 or 60 seconds.
2. Restart the system by running the following command at the command prompt:
bigstart restart.
When changing RtIntervalSecs please take into consideration two important limitations:
-- Value of RtIntervalSecs cannot be less than 10.
-- Value of RtIntervalSecs must be 10 on BIG-IP devices that are registered on BIG-IQ DCD nodes.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.4, 14.1.4.4, 13.1.5
925469-2 : SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo
Links to More Info: BT925469
Component: TMOS
Symptoms:
When using the Certificate Order Manager to request new Multi-Domain certificate from the Sectigo Certificate Authority (CA), the request the BIG-IP sends is missing the field 'subjectAltName'.
Conditions:
-- Certificate Order Manager is configured to send requests to the Comodo/Sectigo CA.
-- Configure a new key with Subject Alternative Name (SAN).
Impact:
The BIG-IP system sends a request to the Sectigo CA that is missing the 'subjectAltName' field. That makes Certificate Order Manager not suitable for requesting Multi-Domain certificates.
Workaround:
There is no workaround other than not using Certificate Order Manager for Multi-Domain certificates.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
924945-5 : Fail to detach HTTP profile from virtual server
Links to More Info: BT924945
Component: Application Visibility and Reporting
Symptoms:
The virtual server might stay attached to the initial HTTP profile.
Conditions:
Attaching new HTTP profiles or just detaching an existing one.
Impact:
The virtual server stays attached to the former HTTP profile, meaning that the virtual server might be attached to a different HTTP profile than what the GUI displays. Configuration changes to the HTTP profile the GUI shows as attached are not reflected in the virtual server. For example, the new HTTP profile might enable XFF, but if the former attached profile does not enable it, the virtual server does not accept XFF.
Workaround:
Create new similar virtual server and attach it to the correct HTTP profile.
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.3
923821-1 : Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack
Links to More Info: BT923821
Component: Application Security Manager
Symptoms:
When mitigated action is set to CSI followed by captcha for credential stuffing attack, captcha is not triggered even after successful CSI challenge.
Conditions:
1) Mitigated action is set to CSI followed by captcha for credential stuffing attack.
2) Credential stuffing attack occurs.
3) CSI challenge is success.
Impact:
Captcha is not triggered leading to less than configured mitigation action for credential stuffing attack.
Workaround:
None
Fix:
Captcha will now be triggered after successful CSI challenge.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
923221-8 : BD does not use all the CPU cores
Links to More Info: BT923221
Component: Application Security Manager
Symptoms:
Not all CPUs are utilized. The CPUs that are not loaded are those with ID greater than 31.
Conditions:
BIG-IP software is installed on a device with more than 32 cores.
Impact:
ASM does not use all of the available CPU cores.
Workaround:
Run the following commands from bash shell.
1. # mount -o remount,rw /usr
2. Modify the following file on the BIG-IP system:
/usr/local/share/perl5/F5/ProcessHandler.pm
Important: Make a backup of the file before editing.
3. Change this:
ALL_CPUS_AFFINITY => '0xFFFFFFFF',
To this:
ALL_CPUS_AFFINITY => '0xFFFFFFFFFFFF',
4. # mount -o remount,ro /usr
5. Restart the asm process:
# bigstart restart asm.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
922737-1 : TMM crashes with a sigsegv while passing traffic
Links to More Info: BT922737
Component: SSL Orchestrator
Symptoms:
TMM crashes with a sigsegv while passing traffic.
Conditions:
Virtual server with a Connector profile that redirects to an internal virtual server with service profile applied on the same BIG-IP system.
Impact:
Traffic is disrupted while TMM restarts.
Workaround:
None
Fixed Versions:
17.1.0, 16.1.4, 15.1.10
922413-8 : Excessive memory consumption with ntlmconnpool configured
Links to More Info: BT922413
Component: Local Traffic Manager
Symptoms:
OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client side connections. It holds HTTP authentication headers which is no longer necessary once a client is authenticated.
Conditions:
-- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles.
-- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections.
Impact:
The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing.
Workaround:
None.
Fix:
When an NTLM Conn Pool profile is attached to a virtual server, it no longer causes memory pressure on a large number connections with NTLM authentication.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
922185-3 : LDAP referrals not supported for 'cert-ldap system-auth'★
Links to More Info: BT922185
Component: TMOS
Symptoms:
Admin users are unable to log in.
Conditions:
-- Remote LDAP auth enabled.
-- Administrative users are authenticated with the 'cert-ldap' source.
-- The admin user tries to log in.
Impact:
The cert-ldap authentication does not work, so login fails.
Workaround:
Manually edit the /etc/nslcd.conf and set the referrals to no.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
922105-1 : Avrd core when connection to BIG-IQ data collection device is not available
Links to More Info: BT922105
Component: Application Visibility and Reporting
Symptoms:
When a BIG-IP system is configured to work with BIG-IQ but cannot connect due to network problems, avrd restarts itself every 10 minutes. During such restarts, a core is sometimes generated.
Conditions:
BIG-IP system is registered on BIG-IQ, but there is no network connectivity for any number of reasons.
Impact:
No impact since there is no network connectivity with BIG-IQ, and the data from the BIG-IP system cannot be sent anywhere.
Workaround:
Attempts to connect to BIG-IQ can be disabled manually by the following command:
tmsh modify analytics global-settings use-offbox disabled
Fix:
Avrd no longer cores when the connection to the BIG-IQ data collection device is not available.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
921697-1 : Attack signature updates fail to install with Installation Error.★
Links to More Info: BT921697
Component: Application Security Manager
Symptoms:
Installing a new Attack Signature Update (ASU) file on ASM/AWAF device that has large number of active policies can result in a failure due to memory exceptions. The following errors can be observed:
/var/log/ts/asm_config_server.log:
F5::ASMConfig::Handler::handle_error,,Code: 406 , Error message = Process size (232341504) has exceeded max size (200000000)
/var/log/asm
crit perl[19751]: 01310027:2: ASM subsystem error (apply_asm_attack_signatures ,F5::LiveUpdate::PayloadHandler::clean_fail): Fail load update files: TSocket: timed out reading 1024 bytes from n.n.n.n:9781
Conditions:
1. Adding and activating a large number of policies on a BIG-IP system configured with ASM/AWAF. It is not known exactly how many policies are required to encounter this, but it appears to be between 50 and 90 where this becomes a risk.
2. Installing a new ASU file
Impact:
The attack signature update fails.
Workaround:
Impact of workaround:
Performing this workaround requires restarting ASM, so it affects traffic processing briefly; therefore, it is recommended that you perform this during a maintenance window.
Increase 'max memory size' from the default ~200 MB (200000000) to 300 MB:
1. Take a backup of the original file.
# cp /etc/ts/tools/asm_config_server.cfg /var/tmp/asm_config_server.original.cfg
2. Add the following to the end of file /etc/ts/tools/asm_config_server.cfg:
# AsyncMaxMemorySize=314572800
3. Restart ASM.
# bigstart restart asm
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.6
921541-6 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.
Links to More Info: BT921541
Component: Local Traffic Manager
Symptoms:
The HTTP session initiated by curl hangs.
Conditions:
-- The problem occurs when the file to be compressed meets the following criteria:
-- The following platforms with Intel QAT are affected:
+ B4450N (A114)
+ i4000 (C115)
+ i10000 (C116/C127)
+ i7000 (C118)
+ i5000 (C119)
+ i11000 (C123)
+ i11000 (C124)
+ i15000 (D116)
-- File size to be compressed is less than compression.qat.dispatchsize.
-- File size to be compressed is one of specific numbers from this list: 65535, 32768, 16384, 8192, 4096.
Impact:
Connection hangs, times out, and resets.
Workaround:
Use software compression.
Fix:
The HTTP session hang no longer occurs.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
921441-4 : MR_INGRESS iRules that change diameter messages corrupt diam_msg
Links to More Info: BT921441
Component: Service Provider
Symptoms:
-- 'DIAMETER::host origin' command may not be set correctly.
There are errors in ltm/log:
err tmm[18562]: 014c0001:3: DIAMETER: hud_diam_handle error: Not found
Conditions:
-- Virtual server is configured with a diameter profile enabled with an ingress iRule, for example:
ltm rule Diameter - iRule {
when MR_INGRESS {
DIAMETER:: host origin "hostname.realm.example"
}
}
-- Traffic arrives containing CER and ULR messages.
Impact:
Using the iRule to change the host origin corrupts the diameter message.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
921365-2 : IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby
Links to More Info: BT921365
Component: TMOS
Symptoms:
IKE-SAs are deleted on standby BIG-IP systems after a failover.
Conditions:
-- High availability (HA) environment
-- Dead-peer detection (DPD) / liveness checks are enabled
-- An HA failover occurs
This is a timing issue and can occur intermittently during a normal failover.
Impact:
Some of the IKE-SAs are missing on the standby device. When a failover happens, IPsec traffic will be dropped for those missing SAs.
Workaround:
Set IKE DPD interval time to ZERO (i.e., disable).
Fix:
When the BIG-IP system is in standby mode, the system no longer retries sending IKE/IPSEC control messages, which prevents this issue from occurring.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4
921149-6 : After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy
Links to More Info: BT921149
Component: TMOS
Symptoms:
All Bandwidth Controller (BWC) stats are 0 (zero) even though traffic is passing.
Conditions:
-- A BWC policy is attached to a virtual server.
-- The virtual server with the attached BWC policy is modified.
Impact:
The system disassociates the BWC policy from the virtual server. Traffic is no longer throttled according to the policy rules.
Workaround:
To reattach the policy, detach the Bandwidth Controller policy from the virtual server, and then reapply it.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
920149-3 : Live Update default factory file for Server Technologies cannot be reinstalled
Links to More Info: BT920149
Component: Application Security Manager
Symptoms:
Live Update default factory file for Server Technologies cannot be reinstalled once it is no longer the currently installed update file.
Conditions:
This occurs:
-- Once another update file for Server Technologies has been installed (most likely, a newer file).
-- If the device has been upgraded from a prior release such that the currently installed Server Technologies file is from the previous release, and is not the default factory file for the current release.
Impact:
Live Update default factory file for Server Technologies cannot be reinstalled.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4
919301-1 : GTP::ie count does not work with -message option
Links to More Info: BT919301
Component: Service Provider
Symptoms:
The 'GTP::ie count' iRule command does not work with the -message option. The command fails with an error:
wrong # args: should be "-type <ie-path>"
Conditions:
Issue the 'GTP::ie count' command with -message command, for example:
GTP::ie count -message $m -type apn
Impact:
iRules fails and it could cause connection abort.
Workaround:
Swap order of argument by moving -message to the end, for example:
GTP::ie count -type apn -message $m
There is a warning message due to iRules validation, but the command works in runtime.
Fix:
'GTP::ie' count is now working with -message option.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
915773-7 : Restart of TMM after stale interface reference
Links to More Info: BT915773
Component: Local Traffic Manager
Symptoms:
An assert is reported in the logs:
panic: ../net/ifc.c:975: Assertion "ifc ref valid" failed.
Conditions:
The conditions under which this occurs are unknown.
Impact:
Tmm crashes and restarts. Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
915221-6 : DoS unconditionally logs MCP messages to /var/tmp/mcpd.out
Links to More Info: BT915221
Component: Advanced Firewall Manager
Symptoms:
Excessive and large DoS debug messages associated with tmsh commands and stat queries are logged to /var/tmp/mcpd.out which is not log-rotated.
Conditions:
-- AFM is provisioned.
-- DoS queries executed via tmsh.
-- Access to DoS dashboard.
Impact:
Disk space is consumed on the filesystem for /var/tmp, which can eventually lead to follow-on failures when the disk fills up.
Workaround:
Delete or purge /var/tmp/mcpd.out.
Fixed Versions:
16.1.5
915005-3 : AVR core files have unclear names
Links to More Info: BT915005
Component: Application Visibility and Reporting
Symptoms:
If avrd fails a core file created in this case is named according to the thread name and has no indication that it belongs to avr, for example: SENDER_HTTPS.bld0.0.9.core.gz
Conditions:
Avrd fails with a core
Impact:
It is inconvenient for identifying the process that caused the core.
Fix:
Improved the avrd core file name.
Fixed Versions:
16.1.5
913413-1 : 'GTP::header extension count' iRule command returns 0
Links to More Info: BT913413
Component: Service Provider
Symptoms:
The 'GTP::header extension count' iRule command always returns 0 (zero).
Conditions:
This is encountered when using 'GTP::header extension count' in an iRule.
Impact:
The command returns false information.
Workaround:
None
Fix:
'GTP::header extension count' command now returns number of header extension correctly.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913409-1 : GTP::header extension command may abort connection due to unreasonable TCL error
Links to More Info: BT913409
Component: Service Provider
Symptoms:
When running "GTP::header extension" iRule command with some conditions, it may cause a TCL error and abort the connection.
Conditions:
Running "GTP::header extension" iRule command is used with some specific arguments and/or specific condition of GTP message
Impact:
TCL error log is shown and connection is aborted
Workaround:
None
Fix:
GTP::header extension command no longer abort connection due to unreasonable TCL error
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913393-1 : Tmsh help page for GTP iRule contains incorrect and missing information
Links to More Info: BT913393
Component: Service Provider
Symptoms:
In the tmsh help page for the GTP iRule command, it contains incorrect and missing information for GTP::header and GTP::respond command.
Conditions:
When running "tmsh help ltm rule command GTP::header", information regarding GTP::header and GTP::respond iRule command may be incorrect or missing.
Impact:
User may not be able to use related iRule command properly.
Workaround:
None
Fix:
Tmsh help page for GTP iRule is updated
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913085-6 : Avrd core when avrd process is stopped or restarted
Links to More Info: BT913085
Component: Application Visibility and Reporting
Symptoms:
When the avrd process is stopped or restarted, it fails with core before the exit. A core file with the name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in /shared/cores/ directory.
Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.
Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.
Workaround:
None.
Fix:
Avrd no longer cores when avrd process is stopped or restarted.
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
912945-3 : A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed
Links to More Info: BT912945
Component: Local Traffic Manager
Symptoms:
In a virtual configured with multiple client SSL profiles, the profile with ECDSA-signed cert is not selected even though its CN/SAN matching the SNI extension of ClientHello.
Conditions:
-- A virtual server with multiple client SSL profiles.
-- The SNI of,,lientHello does not match the 'server name' of any profile.
-- The cert in the profile is ECDSA-signed and its CN/SAN matches SNI extension of ClientHello.
-- That profile in is not selected.
Impact:
The incorrect client SSL profile is selected.
Workaround:
Configure the 'Server Name' option in the client SSL profile.
Fix:
Fixed an issue with client SSL profile selection.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4
912517-7 : Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured
Links to More Info: BT912517
Component: Local Traffic Manager
Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.
Conditions:
-- An LTM pool or pool members is configured to use an LTM database (MySQL, MSSQL, Oracle, or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.
Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.
Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).
Fix:
For BIG-IP versions prior to 17.0.0, a database monitor no longer marks pool member down if 'send' is configured but no 'receive' strings are configured.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
912253-2 : Non-admin users cannot run show running-config or list sys
Links to More Info: BT912253
Component: TMOS
Symptoms:
Lower-privileged users, for instance guests or operators, are unable to list the configuration in tmsh, and get an error:
Unexpected Error: Can't display all items, can't get object count from mcpd.
The list /sys or list /sys telemd commands trigger the following error:
01070823:3: Read Access Denied: user (oper) type (Telemd configuration).
Conditions:
User account with a role of guest, operator, or any role other than admin.
Impact:
You are unable to show the running config, or use list or list sys commands.
Workaround:
Logon with an account with admin access.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
912149-7 : ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476'
Links to More Info: BT912149
Component: Application Security Manager
Symptoms:
The system exhibits various symptoms related to sync and control plane, and reports errors similar to the following:
/var/log/:
asm:
-- (asm_config_server.pl,F5::Cgc::Channel::send): Failed to send a message, error:15638476.
ts_debug.log:
-- |ZEROMQ|May 21 23:27:31.840|24813|25914|25914|epoll.cpp:0060|~epoll_t()|(zmq_assert) Assertion failed: load.get () == 0
Conditions:
-- Two devices in a sync-failover/sync-only device group.
-- Other conditions required to reproduce this issue are under investigation.
Note: The occurrences of the Cgc::Channel message in the /var/log/ and /var/log/ts/asm_config_server logs are the most reliable indicator of this issue.
Impact:
-- Config-sync does not work, resulting in a different configuration among the devices in a sync group.
-- Security log profile changes are not propagated to other devices.
-- Portions of the GUI hang, e.g.: Security module tab, and 'security' menu under virtual server.
-- Policies with learning enabled do not generate learning suggestions.
Workaround:
Restart asm_config_server on the units in the device group.
# pkill -f asm_config_server
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
911729-4 : Redundant learning suggestion to set a Maximum Length when parameter is already at that value
Links to More Info: BT911729
Component: Application Security Manager
Symptoms:
Policy Builder is issuing a learning suggestion to set a specific maximum length for a parameter when that parameter already has that exact maximum length already configured.
Conditions:
-- Response learning is turned on
-- Response parameter length is less than, but close to, the currently configured maximum length limit.
Impact:
Redundant learning suggestion is issued.
Workaround:
You can either:
-- Ignore the learning suggestion (Click the Ignore button).
-- Turn off Learn from response.
Fix:
Learning suggestion is no longer issued with already configured maximum parameter length value.
Fixed Versions:
17.0.0, 16.1.5, 16.0.1.2, 15.1.4, 14.1.4.2
911585-5 : PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval
Links to More Info: BT911585
Component: Policy Enforcement Manager
Symptoms:
PEM sessions go to a stale state and the Credit Control Request (CCRi) is not sent.
Conditions:
-- PEM is configured and passing normal PEM traffic.
-- Using BIG-IP Virtual Edition (VE)
Impact:
Session is not established.
Workaround:
None.
Fix:
Enhanced application to accept new sessions under problem conditions.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
911141-1 : GTP v1 APN is not decoded/encoded properly
Links to More Info: BT911141
Component: Service Provider
Symptoms:
GTP v1 APN element was decoded/encoded as octetstring and Only GTP v2 APN element is decoded/encoded as DNS encoding.
Conditions:
- GTP version 1.
- APN element.
Impact:
iRules become more complex when dealing with GTP v1 APN element, as it may need to convert between octetstring and dotted style domain name value after decoding or before encoding the data.
Workaround:
Use iRules to convert between octetstring and dotted style domain name values.
Fix:
GTP version 1 APN information element is now decoded/encoded as DNS encoding.
Behavior Change:
GTP v1 apn element is now decoded/encoded using DNS-like encoding. Previously, it was decoded/encoded as octetstring.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
910673-6 : Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM'
Links to More Info: BT910673
Component: Local Traffic Manager
Symptoms:
Thales installation script fails with error message.
ERROR: Could not reach Thales HSM "<ip>". Make sure the HSM IP address is correct and that the HSM is accessible to the BIG-IP.
Conditions:
This occurs when the ICMP ping is blocked between the BIG-IP system and netHSM.
Impact:
Thales/nCipher NetHSM client software installation fails.
Workaround:
Unblock ICMP ping between the BIG-IP system and netHSM.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1
910213-7 : LB::down iRule command is ineffective, and can lead to inconsistent pool member status
Links to More Info: BT910213
Component: Local Traffic Manager
Symptoms:
Use of the LB::down command in an iRule may not have the desired effect, or may result in pool members that are down for load balancing, but indicate up/available in the GUI and CLI.
Specifically, the pool member is marked down within the tmm instance executing the iRule, but the status change is not updated to mcpd, or to other tmm instances.
As a result, the message 'Pool /Common/mypool member /Common/1.1.1.1:80 monitor status iRule down' does not appear in the log, and the status of the pool member is not updated when viewed in the GUI or via 'tmsh show ltm pool xxxx members'.
Note: If [event info] is logged in the LB_FAILED event, it will indicate that the load balancing decision failed due to "connection limit"
Conditions:
Using the LB::down command in an iRule.
Impact:
Because mcpd believes the pool member to be up, it does not update tmm's status, so tmm continues to regard it as down indefinitely, or until a monitor state change occurs.
If the LB::down command is used on all members of a pool, the affected tmms cannot load balance to that pool, even though the GUI/tmsh indicate that the pool has available members.
Because pool member status is stored on per-tmm basis and incoming connections are distributed across tmms using a hash, this can lead to apparently inconsistent results, where some traffic (traffic hitting a particular tmm) is rejected with an RST cause of 'No pool member available'.
Workaround:
- Delete and recreate affected pool members
(or) Restart tmm
(or) Restart the BIG-IP.
There is no direct workaround, but the use of an inband monitor instead of the LB::down command may be effective. You must tune the inband monitor's settings to values consistent with the desired behavior.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
909161-1 : A core file is generated upon avrd process restart or stop
Links to More Info: BT909161
Component: Application Visibility and Reporting
Symptoms:
Sometime when avrd process is stopped or restarted, a core is generated.
Conditions:
Avrd process is stopped or restarted.
Impact:
Avrd creates a core file but there is no other negative impact to the system.
Workaround:
None
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
907549-6 : Memory leak in BWC::Measure
Links to More Info: BT907549
Component: TMOS
Symptoms:
Memory leak in BWC calculator.
Conditions:
When the HSL log publisher is attached to the BWC::Measure instance in the Bandwidth policy.
Impact:
A memory leak occurs.
Workaround:
None.
Fix:
Memory is not leaked.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.0.5, 14.1.5
907025-5 : Live update error" 'Try to reload page'
Links to More Info: BT907025
Component: Application Security Manager
Symptoms:
When trying to update Attack Signatures. the following error message is shown:
Could not communicate with system. Try to reload page.
Conditions:
Insufficient disk space to update the Attack Signature.
Impact:
Live Update unable to restore the database during startup. Device runs out of disk space, which leads to failure in writing live update hsqldb log file. The liveupdatedb.script file, which is based on the .log file, is truncated and missing necessary settings in order to initialize the live update database.
Workaround:
This following procedure restores the database to its default, initial state:
1. Remove the sigfile.tmp.* directories under /var/ts/var/tmp.
2. Delete the script:
delete /var/lib/hsqldb/live-update/liveupdatedb.script
3. Create a new script:
create new /var/lib/hsqldb/live-update/liveupdatedb.script.
4. Add the following lines to create the live update database schema and set the SA user as expected:
CREATE SCHEMA PUBLIC AUTHORIZATION DBA
CREATE MEMORY TABLE AVAILABILITY(ID VARCHAR(255) NOT NULL,ERRORMESSAGE VARCHAR(255),LASTCHECKDATETIME BIGINT,LASTCHECKUPDATEFILE VARCHAR(255),STATUS VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT AVAILABILITY_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE INSTALLSCHEDULE(ID VARCHAR(255) NOT NULL,APPLYATALLTIMES BOOLEAN,APPLYONALLDAYS BOOLEAN,APPLYONFRIDAYS BOOLEAN,APPLYONMONDAYS BOOLEAN,APPLYONSATURDAYS BOOLEAN,APPLYONSUNDAYS BOOLEAN,APPLYONTHURSDAYS BOOLEAN,APPLYONTUESDAYS BOOLEAN,APPLYONWEDNESDAYS BOOLEAN,ENDTIME VARCHAR(255),FREQUENCY VARCHAR(255),STARTTIME VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT INSTALLSCHEDULE_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE UPDATEFILE(ID VARCHAR(255) NOT NULL,CREATEDATETIME BIGINT,FILELOCATION VARCHAR(255),FILENAME VARCHAR(255),ISFILEAVAILABLE BOOLEAN,ISFILEMANUALLYUPLOADED BOOLEAN,ISGENESIS BOOLEAN,MD5 VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT UPDATEFILE_PK PRIMARY KEY(ID))
CREATE MEMORY TABLE INSTALLATION(ID VARCHAR(255) NOT NULL,ADDEDENTITIESCOUNT INTEGER,DELETEDENTITIESCOUNT INTEGER,ERRORMESSAGE VARCHAR(255),LASTREADMEFILENAME VARCHAR(255),LASTUPDATEMICROS BIGINT,LOADDATETIME BIGINT,MODIFIEDENTITIESCOUNT INTEGER,README VARCHAR(500000),STATUS VARCHAR(255),"TYPE" VARCHAR(255),UPDATEFILE_ID_OID VARCHAR(255),CONSTRAINT INSTALLATION_PK PRIMARY KEY(ID),CONSTRAINT INSTALLATION_FK1 FOREIGN KEY(UPDATEFILE_ID_OID) REFERENCES UPDATEFILE(ID))
CREATE INDEX INSTALLATION_N49 ON INSTALLATION(UPDATEFILE_ID_OID)
CREATE MEMORY TABLE INSTALLATION_DELETEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_DELETEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_DELETEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_DELETEDENTITYLIST_N49 ON INSTALLATION_DELETEDENTITYLIST(ID_OID)
CREATE MEMORY TABLE INSTALLATION_MODIFIEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_MODIFIEDENTITYLIST_N49 ON INSTALLATION_MODIFIEDENTITYLIST(ID_OID)
CREATE MEMORY TABLE INSTALLATION_ADDEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_ADDEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_ADDEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
CREATE INDEX INSTALLATION_ADDEDENTITYLIST_N49 ON INSTALLATION_ADDEDENTITYLIST(ID_OID)
CREATE USER SA PASSWORD ""
GRANT DBA TO SA
SET WRITE_DELAY 20
SET SCHEMA PUBLIC
5. Restart the tomcat process:
bigstart restart tomcat
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
906273-1 : MCPD crashes receiving a message from bcm56xxd
Links to More Info: BT906273
Component: TMOS
Symptoms:
Under rare circumstances, the Broadcom switch daemon bcm56xxd, can send more then one message at a time to MCPD.
This can cause MCPD to either fail immediately or have it hang and be terminated by sod 5 minutes later.
One of the messages being sent is in response to a link status change. The second message is a reply to a query, for instance a query for l2 forward statistics.
Conditions:
- BIG-IP with a Broadcom switch.
- Link status change is available.
- MCPD sends a query to bcm56xxd, that is, for l2 forward statistics.
Impact:
MCPD failure and restarts causing a failover.
Workaround:
None
Fix:
The Broadcom switch daemon bcm56xxd will not send more then one message to MCPD at a time.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
904661-4 : Mellanox NIC speeds may be reported incorrectly on Virtual Edition
Links to More Info: BT904661
Component: TMOS
Symptoms:
Speeds for Mellanox NICs on BIG-IP Virtual Edition may be reported incorrectly. The behavior varies depending on what driver is in use:
- Speeds are always reported as 10G when the mlxvf5 driver is used, regardless of the actual speed of the interface.
- Speeds are reported as either 10G or 40G when the xnet driver is used. This is accurate unless the actual NIC speed is greater than 40G, in which is it will still be reported as 40G.
Conditions:
-- BIG-IP Virtual Edition
-- Using a Mellanox NIC with the mlxvf5 or xnet driver
Impact:
Possibly incorrect media speed reported. (Actual speed is correct, regardless of what is displayed.)
Fixed Versions:
17.1.0, 16.1.4
903313-4 : OWASP page: File Types score in Broken Access Control category is always 0.
Links to More Info: BT903313
Component: Application Security Manager
Symptoms:
Under Broken Access Control category, the contribution of Disallowed File Types seems to be 0 no matter what is the number of Disallowed File Types in policy. As a result, it is not possible to reach full compliance.
Conditions:
Security Policy is configured. Not Applicable for parent or child policy.
Impact:
For any OWASP configurable policy (i.e. not parent or child policy), the policy cannot reach the maximum score for Broken Access Control category
Fixed Versions:
17.0.0, 16.1.4
902377-4 : HTML profile forces re-chunk even though HTML::disable
Links to More Info: BT902377
Component: Local Traffic Manager
Symptoms:
HTML profile performs a re-chunk even though HTML::disable has been executed in the HTTP_RESPONSE event.
Conditions:
Using HTML::disable in an HTTP_RESPONSE event.
Impact:
The HTML profile still performs a re-chunk.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1
901669-6 : Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change.
Links to More Info: BT901669
Component: TMOS
Symptoms:
-- The 'tmsh show cm failover-status' command shows a status of 'Error' when the command is run on a peer of a device that underwent a management IP address change.
-- Should the sod_tg_conn_stat or sod_tg_msg_stat tmstat tables be inspected using the tmctl command, the tables show stale information in the entry_key column.
Note: Additionally, in certain cases, it is possible for failover functionality to be broken after the management IP address change, meaning devices remain stuck in an improper Active/Active or Standby/Standby state. This further aspect of the issue is tracked under ID999125. This ID tracks only the cosmetic defect.
Conditions:
-- Two or more devices in a sync-failover device-group.
-- The management IP address is changed on one of the devices.
The error appears under either of these conditions:
-- The 'tmsh show cm failover-status' is run on a peer of the device that underwent the management IP address change.
-- The sod_tg_conn_stat or sod_tg_msg_stat tmstat tables are inspected using the tmctl command.
Impact:
The 'tmsh show cm failover-status' command indicates an error.
Workaround:
You can work around this issue by running the following command on the peers of the device which underwent a management IP address change:
tmsh restart sys service sod
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
898929-6 : Tmm might crash when ASM, AVR, and pool connection queuing are in use
Links to More Info: BT898929
Component: Local Traffic Manager
Symptoms:
TMM crashes and generates a core file.
Conditions:
-- System is provisioned for at least ASM, AVR, and LTM.
-- An LTM pool is configured to use connection queuing.
-- The LTM pool is used on a virtual server with an analytics profile.
Impact:
Tmm might crash. Traffic disrupted while tmm restarts.
Workaround:
Disable connection queuing on the pool.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
896941 : Common Criteria ccmode script updated
Links to More Info: BT896941
Component: TMOS
Symptoms:
Configuration of SSH must be done to support Common Criteria compliance. This is currently done by following instructions in the Common Criteria Guidance Document.
Conditions:
Common Criteria compliance configuration.
Impact:
This update automates the SSH configuration.
Workaround:
Continue to follow Common Criteria Guidance document instructions for SSH configuration.
Fix:
Added SSH configuration to meet Common Criteria requirements.
Fixed Versions:
17.0.0, 16.1.3
895557-5 : NTLM profile logs error when used with profiles that do redirect
Links to More Info: BT895557
Component: Local Traffic Manager
Symptoms:
As of BIG-IP version 14.1, HTTP iRule commands that inspect HTTP state after the commands HTTP::respond, HTTP::redirect, and HTTP::retry returns errors instead of returning corrupt data (https://support.f5.com/csp/article/K23237429).
When the NTLM profile is configured, it does the same through a built-in TCL rule where among several things, it tries to check if HTTP::cookie exists. If a profile like HTTP exists wherein a redirect/respond/retry is configured, it results in a TCL error informing the admin that they are accessing an invalid HTTP state.
Conditions:
-- NTLM profile is configured alongside HTTP profile
-- One of the redirect/respond/retry commands has been executed before the NTLM profile accesses the state of HTTP (for ex. HTTP::collect, HTTP::close, HTTP::cookie, etc.).
Impact:
Tcl error is seen in /var/log/ltm informing the admin that the iRule operation executed after HTTP::redirect/retry/respond is not supported.
For example -
TCL error: _plugin_rule_/Common/ntlm_default_iis <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::cookie exists [PROFILE::ntlm insert_cookie_name]"
Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.2
890169-4 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.
Links to More Info: BT890169
Component: Application Security Manager
Symptoms:
When a URL starts with double slashes (i.e. "http://HOST//path"), and Bot Defense Profile decides to perform simple redirect, the request results with loading failure.
Conditions:
-- Bot Defense profile on blocking mode (or "Verification and Device-ID Challenges in Transparent Mode" is enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.
Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
890037-3 : Rare BD process core
Links to More Info: BT890037
Component: Application Security Manager
Symptoms:
The BD process crashes leaving a core dump. ASM restarts happening failover.
Conditions:
Traffic load to some extent, but beside that we do not know the conditions leading to this.
Impact:
Failover, traffic disturbance.
Workaround:
None
Fixed Versions:
16.1.5
889813-3 : Show net bwc policy prints bytes-per-second instead of bits-per-second
Links to More Info: BT889813
Component: TMOS
Symptoms:
The 'tmsh show net bwc policy' is printing out bits-per-second in the value field, but the name field says 'bytesPerSec'.
Conditions:
Running the tmsh command:
tmsh show net bwc policy
Impact:
The stats are in bits-per-second, but the label says bytesPerSec. Although there is no functional impact, the incorrect label could cause confusion.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.4, 15.1.10, 14.1.4.5
889605-2 : iApp with Bot profile is unavailable if application folder includes a subpath
Links to More Info: BT889605
Component: iApp Technology
Symptoms:
iApp with Bot profile is unavailable if the application folder includes a subpath. If the subpath is not present then iApp with bot profile is available.
Conditions:
1) Create default "Bot Protection" or "Web Application Comprehensive Protection" with an enabled "Bot Defense" use case in WGC without a virtual server.
2) Go to "iApps >> Application Services: Applications" and refer to the created iApp.
Impact:
iApp cannot be loaded when tried to open through iApps >> Applications view in TMUI.
Workaround:
View the configuration created from Guided configuration as mentioned: iApps >> Application Services >> Applications LX menu
Fix:
Open the iApps >> Applications view in TMUI and load the iApp.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
888765-2 : After upgrading from 13.1.0 to 15.1.0.1 CGNAT is deprovisioned and tmm is restarted by reloaded config from text files★
Links to More Info: BT888765
Component: TMOS
Symptoms:
After upgrading, CGNAT is de-provisioned and tmm is restarted after config load.
Conditions:
- CGNAT provisioned prior to upgrade
- Upgrade from 13.1.0 to 15.1.0.1 and reboot
Impact:
-- CGNAT is de-provisioned
-- Tmm restarts
Workaround:
After upgrading, re-provision CGNAT:
tmsh modify sys provision cgnat level <level>
tmsh save sys config
Fixed Versions:
16.1.4
888289-8 : Add option to skip percent characters during normalization
Links to More Info: BT888289
Component: Application Security Manager
Symptoms:
An attack signature is not detected.
Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.
Impact:
An attack goes undetected.
Workaround:
Turn on the bad unescape violation or the metacharacter violation.
Fix:
Added an internal parameter, normalization_remove_percents. Its default is 0 (zero), meaning that the previous behavior is maintained. When enabled, the normalization of the data before running the signature removes the percent characters (as it does to high ASCII and space characters).
Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
887117-4 : Invalid SessionDB messages are sent to Standby
Links to More Info: BT887117
Component: TMOS
Symptoms:
SessionDB messages sent from Active to Standby are dropped due to inconsistencies detected in the message. You see logs in /var/log/ltm:
SessionDB ERROR: received invalid or corrupt HA message; dropped message.
Conditions:
-- High availability (HA) pair configuration.
-- SessionDB messages sent from Active to Standby.
Impact:
Standby drops these messages
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4.1
886649-5 : Connections stall when dynamic BWC policy is changed via GUI and TMSH
Links to More Info: BT886649
Component: TMOS
Symptoms:
Connections stall when dynamic BWC policy is changed via GUI and TMSH.
Conditions:
Issue is seen when you have a dynamic bandwidth control policy configured, and you make a change to the policy via the GUI and TMSH.
Impact:
Connection does not transfer data.
Workaround:
Restart TMM. Delete the relevant configuration, create a new configuration, and apply it.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
886533-5 : Icap server connection adjustments
Links to More Info: BT886533
Component: Application Security Manager
Symptoms:
Request getting to the ICAP server takes a long time to process (several seconds), which makes the whole transaction slower than expected. When testing the connection to the ICAP server itself, you determine that it is fast.
Conditions:
This happens especially with large file uploads that are mixed with smaller file uploads. The smaller uploads are waiting for the bigger upload.
Impact:
Slow responses to specific requests.
Workaround:
None.
Fix:
This release provides greater responsiveness of the internal queue to the ICAP thread.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
885765-1 : ASMConfig Handler undergoes frequent restarts
Links to More Info: BT885765
Component: Application Security Manager
Symptoms:
Under some settings and load the RPC handler for the tsconfd process restarts frequently.
Conditions:
When processing a large number of configuration updates.
Impact:
The RPC handler for the tsconfd process restarts frequently, causing unnecessary churn and noisy logs
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
884945-1 : Latency reduce in case of empty parameters.
Links to More Info: BT884945
Component: Application Security Manager
Symptoms:
Traffic load with many empty parameters may lead to increased latency.
Conditions:
Sending requests with many empty parameters
Impact:
Traffic load with many empty parameters may cause increased latency through the BIG-IP system.
Workaround:
None
Fix:
Ignore empty parameters
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
883049-9 : Statsd can deadlock with rrdshim if an rrd file is invalid
Links to More Info: BT883049
Component: Local Traffic Manager
Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs "tmsh show sys memory'.
You may see errors:
-- err statsd[5005]: 011b0600:3: Error ''/var/rrd/endpisession' is too small (should be 15923224 bytes)' during rrd_update for rrd file '/var/rrd/endpisession'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/endpisession'.
Conditions:
Truncation of a binary file in /var/rrd.
Impact:
Stats are no longer collected. Statsd and rrdshim deadlock.
Workaround:
Remove the truncated file and restart statsd:
bigstart restart statsd
Fix:
Now detecting and rectifying truncation of RRD files.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
882709-6 : Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors★
Links to More Info: BT882709
Component: TMOS
Symptoms:
Traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor.
This may manifest as traffic failing after an upgrade from earlier (unaffected) software versions.
Note: This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored.
This is due to an interoperability issue between RedHat Enterprise Linux (RHEL) and Microsoft Hyper-V, which seems to affect RHEL v7.3 and RHEL v7.5.
Hyper-V on Windows Server 2016 and Windows Server 2012 do not seem to identify the version of the built-in LIS correctly on Centos 7.3 or Centos 7.5 (which are built on RHEL 7.3 and RHEL 7.5 respectively).
Although there is a statement of support by Microsoft for VLAN tagging on RHEL 7.3 and 7.5 when running on Hyper-V, that functionality does not appear to work at present: Supported CentOS and Red Hat Enterprise Linux virtual machines on Hyper-V :: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/Supported-CentOS-and-Red-Hat-Enterprise-Linux-virtual-machines-on-Hyper-V.
Conditions:
-- BIG-IP VE is deployed on a Hyper-V hypervisor.
-- VLAN configured in BIG-IP VE with tagged interfaces, e.g.:
net vlan external {
interfaces {
1.1 {
tagged
}
}
tag 4000
}
-- At present, VLAN tagging on the v14.x and v15.x releases does not work because those releases are running on CentOS 7.3 and 7.5 respectively, which both are affected by the MS/RHEL interoperability issue.
-- BIG-IP v12.x and v13.x use a different (older) CentOS version, so VLAN tagging works without issue on those releases.
Impact:
-- The system does not prevent you from configuring tagged VLANs, even though they do not pass traffic.
-- Although upgrades complete and you can reboot into the new boot location (or you can set up on Hyper-V from scratch), traffic does not pass (into the guest) across VLANs that are tagged.
Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to elect to postpone upgrading from a working, v12.x and v13.x release.
Workaround:
Essentially, there is no workaround in this release; you must reconfigure the virtual machine to use separate, untagged interfaces for each VLAN.
Note: Although this is technically a problem between Hyper-V and the built-in LIS on RHEL 7.3/7.5, this issue is being tracked internally in this bug.
Behavior Change:
In this release, traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor.
This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored.
Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to elect to postpone upgrading from a working, v12.x and v13.x release.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
881085-4 : Intermittent auth failures with remote LDAP auth for BIG-IP managment
Links to More Info: BT881085
Component: TMOS
Symptoms:
There are intermittent auth failures when accessing the BIG-IP administration interfaces via SSH or the GUI.
Conditions:
-- Remote LDAP auth is configured.
-- An idle timeout RST is received on the LDAP connection before the configured auth LDAP idle-timeout expires. This RST might be generated by tmm (if the connection to the LDAP server is via a defined VLAN), some other intervening device on the network, or from the LDAP server itself (depending on its connection time limit).
Impact:
There might be intermittent remote-auth failures.
Workaround:
Set the auth ldap idle-timeout to a smaller value, for example, via tmsh:
modify auth ldap system-auth idle-timeout 299
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
878641-3 : TLS1.3 certificate request message does not contain CAs
Links to More Info: BT878641
Component: Local Traffic Manager
Symptoms:
TLS1.3 certificate request message does not include CAs
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4
Conditions:
TLS1.3 and client authentication
Impact:
The Advertised Certificate Authorities option on Client SSL profiles does not function when TLS 1.3 is selected
Fix:
Certificate request message now may contain CAs
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
876677-2 : When running the debug version of TMM, an assertion may be triggered due to an expired DNS lookup.
Links to More Info: BT876677
Component: Global Traffic Manager (DNS)
Symptoms:
When running the debug version of TMM, if a particular DNS lookup takes more than 30 seconds, TMM may assert with a message in the /var/log/tmm file similar to the following example:
notice panic: ../modules/hudfilter/3dns/cache_resolver.c:2343: Assertion "standalone refcnt must be one" failed.
Conditions:
-- Using the debug TMM
-- Using the RESOLV::lookup iRule command
-- The DNS server targeted by the aforementioned command is running slowly or malfunctioning
Impact:
TMM crashes and, in redundant configurations, the unit fails over.
Workaround:
Do not use the debug TMM.
Fix:
The debug assert was removed and replaced by a debug log.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1
876569-2 : QAT compression codec produces gzip stream with CRC error
Links to More Info: BT876569
Component: Local Traffic Manager
Symptoms:
When an HTTP compression profile is enabled on BIG-IP platforms with Intel QuickAssist Technology (Intel QAT) compression accelerators, gzip errors are produced.
Conditions:
This occurs when the following conditions are met:
-- The following platforms with Intel QAT are affected:
+ 4450 blades
+ i4600/i4800
+ i10600/i10800
+ i7600/i7800
+ i5600/i5800
+ i11600/i11800
+ i11400/i11600/i11800
+ i15600/i15800
-- The compression.qat.dispatchsize variable is set to any of the following values:
+ 65535
+ 32768
+ 16384
+ 8192
-- The size of the file being compressed is a multiple of the compression.qat.dispatchsize value, for exampld:
+ 65355*32768
+ 8192*32768
Impact:
Clients cannot decompress the compressed file because there is an invalid gzip footer.
Workaround:
Disable hardware compression and use software compression.
Fix:
The system now handles gzip errors seen with QAT compression.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
874941-4 : HTTP authentication in the access policy times out after 60 seconds
Links to More Info: BT874941
Component: Access Policy Manager
Symptoms:
HTTP authentication in the access policy times out after 60 seconds, where previously, the timeout was 90 seconds.
Conditions:
Encountering the timeout of HTTP authentication in the access policy in this version of the software.
Impact:
HTTP authentication times out 30 seconds earlier than it did in previous versions. There is no way to configure this timeout value, so authentication fails for operations that require greater than 60 seconds to complete.
Workaround:
None.
Fix:
Added options to configure the HTTP connection and request timeouts in HTTP authentication.
1. A db key to configure Connection Timeout for HTTP Server configuration:
+[APM.HTTP.ConnectionTimeout]
+default=10
+type=integer
+min=0
+max=300
+realm=common
+scf_config=true
+display_name=APM.HTTP.ConnectionTimeout
2. A db key to configure Request Timeout for HTTP Server configuration:
+[APM.HTTP.RequestTimeout]
+default=60
+type=integer
+min=0
+max=600
+realm=common
+scf_config=true
+display_name=APM.HTTP.RequestTimeout
Behavior Change:
Added db variables APM.HTTP.ConnectionTimeout and APM.HTTP.RequestTimeout as options to configure the HTTP connection and request timeouts in HTTP authentication.
The APM.HTTP.ConnectionTimeout defaults to 10 seconds, and the APM.HTTP.RequestTimeout defaults to 60 seconds.
Note: These defaults are the same as the values in earlier releases, so there is no effective functional change in behavior.
Fixed Versions:
16.1.2.2, 15.1.6.1, 14.1.5
874877-4 : The bigd monitor reports misleading error messages
Links to More Info: BT874877
Component: Local Traffic Manager
Symptoms:
When a recv string is used with an HTTP/HTTP2/HTTPS/TCP monitor, the HTTP status code is collected and in the event of failure, the most recent value (from before the failure) is retrieved and used as part of the log output. This can result in a message that is misleading.
Conditions:
- The BIG-IP system configured to monitor an HTTP/HTTP2 server.
- The BIG-IP system configured to monitor an HTTPS/TCP monitor.
Impact:
Generates a misleading log messages, difficulty in identifying the actual cause of the monitor failure.
This occurs because the system stores the 'last error' string for these monitors. This can be misleading, especially when a receive string is used. Following is an example:
-- A BIG-IP system is monitoring an HTTP server that is returning proper data (i.e., matching the receive string).
-- The HTTP server goes down. Now the BIG-IP system will have a last error string of 'No successful responses received before deadline' or 'Unable to connect'.
-- The HTTP server goes back up and works for a while.
-- For some reason, the HTTP server's responses no longer match the receive string.
In this case, a message is logged on the BIG-IP system:
notice mcpd[6060]: 01070638:5: Pool /Common/http member /Common/n.n.n.n:n monitor status down. [ /Common/my_http_monitor: down; last error: /Common/my_http_monitor: Unable to connect @2020/01/09 04:18:20. ] [ was up for 4hr:18mins:46sec ]
The 'Unable to connect' last error reason is not correct: the BIG-IP system can connect to the HTTP server and gets responses back, but they do not match the received string.
Workaround:
None
Fix:
None
Fixed Versions:
16.1.5
873617-1 : DataSafe is not available with AWAF license after BIG-IP startup or MCP restart.
Links to More Info: BT873617
Component: Fraud Protection Services
Symptoms:
DataSafe is not available with an AWAF license.
Conditions:
-- AWAF license
-- BIG-IP startup or MCP restart
Impact:
DataSafe is not available.
Workaround:
Reset to default license.antifraud.id variable.
tmsh modify sys db license.antifraud.id reset-to-default.
Fix:
Additional DataSafe license validation during MCP startup after license information is loaded.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
858005-1 : When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:"
Links to More Info: BT858005
Component: Access Policy Manager
Symptoms:
APM Access Policy evaluation failed.
Conditions:
When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces there is no configuration error but runtime evaluation results in failure with error message in /var/log/apm:
"Rule evaluation failed with error:"
Impact:
APM end user’s session cannot be established.
Workaround:
Using APM VPE remove all leading/trailing spaces from config of “IP Subnet Match” agent
Fix:
This issue is fixed by trimming spaces from IP Subnet Match agent config in VPE
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
857045-4 : LDAP system authentication may stop working
Links to More Info: BT857045
Component: TMOS
Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.
In /var/log/daemon.log, you may see the following:
warning systemd[1]: nslcd.service failed
Conditions:
Nslcd daemon crashed, and it fails to restart.
Impact:
System authentication stops working until nslcd is restarted.
Workaround:
Manually restart nslcd daemon:
systemctl start nslcd
nslcd can be reconfigured to restart automatically and create core files when it crashes, though these changes will be lost across software installs (and is not backed up as part of a UCS archive):
1. Run "systemctl edit nslcd", which will open a text editor (by default, nano).
2. In the text editor, add these contents:
[Service]
# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always
3. Exit the text editor and save the file
4. Check the output of "systemctl status nslcd" for any warnings/errors from systemd as a result of editing the file; there should not be any.
5. Restart nslcd:
systemctl restart nslcd
Fixed Versions:
16.1.5
854129-6 : SSL monitor continues to send previously configured server SSL configuration after removal
Links to More Info: BT854129
Component: In-tmm monitors
Symptoms:
After an SSL profile has been removed from a monitor, a monitor instance continues to use settings from the previously-configured server SSL profile, such as client certificate or ciphers or supported TLS versions.
Conditions:
-- In-TMM monitors enabled.
-- SSL monitor configured with a server SSL profile.
-- Setting the monitor's 'SSL Profile' parameter to 'none'.
Impact:
The previously configured settings, such as certificate or cipher, continue to be used for monitoring pool members, which may result in unexpected health check behavior/pool member status.
Workaround:
An administrator can avoid this issue by ensuring the monitor's 'SSL Profile' parameter specifies a profile (i.e., is not 'none').
Note: In some software versions, changing a monitor's SSL profile from one profile to a different profile may not take effect. For information about this behavior, see https://cdn.f5.com/product/bugtracker/ID912425.html
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
852613-4 : Connection Mirroring and ASM Policy not supported on the same virtual server
Links to More Info: BT852613
Component: Application Security Manager
Symptoms:
Connection Mirroring used together with ASM is not supported by the BIG-IP system, and a config validation prevents associating an ASM Policy with a virtual server that is configured with Connection Mirroring.
Conditions:
Virtual Server is attempted to be configured with Connection Mirroring and ASM Policy together.
Impact:
Connection Mirroring and ASM Policy cannot be configured on the same virtual server.
Workaround:
None.
Fix:
Connection Mirroring and ASM Policy can now be configured on the same virtual server. Only a subset of ASM features are supported. Please refer to the documentation for support and limitations when using Connection Mirroring with ASM.
Fixed Versions:
16.1.5, 14.1.2.7
851121-6 : Database monitor DBDaemon debug logging not enabled consistently
Links to More Info: BT851121
Component: Local Traffic Manager
Symptoms:
Debug logging in the database monitor daemon (DBDaemon) for database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle) is enabled on a per-monitor basis.
When a ping is initiated for a particular monitor with debug logging enabled in the monitor configuration, debug logging in DBDaemon is enabled.
When a ping is initiated for a particular monitor with debug logging disabled in the monitor configuration, debug logging in DBDaemon is disabled.
When monitoring database pool members with a mix of monitors with debug logging enabled versus disabled, the result can be that debug logging in DBDaemon is enabled and disabled at times which do not correspond to all actions related to a specific database monitor, or pool members monitored by that monitor.
In addition, debug messages logging internal DBDaemon state related to the management of the full collection of monitored objects, active threads, and other may not be logged consistently.
Conditions:
-- Using multiple database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle).
-- Enabling debug logging on one or more database health monitors, but not all.
Debug logging for database health monitors is enabled by configuring the "debug" property of the monitor with a value of "yes".
Debug logging is disabled by configuring the "debug" property with a value of "no" (default).
# tmsh list ltm monitor mysql mysql_example debug
ltm monitor mysql mysql_example {
debug yes
}
Impact:
Logging of database monitor activities by DBDaemon may be inconsistent and incomplete, impeding efforts to diagnose issues related to database health monitors.
Workaround:
When attempting to diagnose database health monitor issues with DBDaemon debug logging, enable debug logging for ALL database monitors currently in use.
Once diagnostic data collection is completed, disable debug logging for all database monitors currently configured/in use.
Fix:
DBDaemon debug logging can now be enabled globally to facilitate diagnosing database health monitor issues.
DBDaemon debug logging can be enabled globally by creating the following touch file:
-- /var/run/DBDaemon.debug
DBDaemon global debug logging can be disabled by removing or unlinking the above touch file.
Creating or removing the above touch file has immediate effect.
This mechanism enables/disables DBDaemon debug logging globally for all instances of DBDaemon which may be running under different route domains.
In addition, when debug logging is enabled for a specific database monitor (Microsoft SQL, MySQL, PostgreSQL, Oracle), DBDaemon accurately logs all events for that monitor. The per-monitor debug logging is enabled independent of the global DBDaemon debug logging status.
The timestamps in DBDaemon logs (/var/log/DBDaemon-*.log*) are now written using the local timezone configured for the BIG-IP system.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
850141-2 : Possible tmm core when using Dosl7/Bot Defense profile
Links to More Info: BT850141
Component: Application Security Manager
Symptoms:
Tmm crashes.
Conditions:
-- Dosl7/Bot defense profile is attached to a virtual server
-- A request is sent with a trusted bot signature and requires a rDNS.
-- An asynchronous iRule is attached to the virtual server
OR:
-- Device ID feature is enabled, and the current request requires a complex Device ID generation.
-- The connection is closed before the response arrives.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
849029-7 : No configurable setting for maximum entries in CRLDP cache
Links to More Info: BT849029
Component: Access Policy Manager
Symptoms:
There is no setting provided to configure maximum entries the in CRLDP cache.
Conditions:
In a configuration with tens of thousands of CRLDP and hundreds of thousands or millions of certificates, certain operations might encounter an internal limit, resulting in a number of revoked certificates.
Impact:
No settings exist. Cannot set maximum entries in CRLDP cache.
Workaround:
None.
Fix:
There is now a setting for configuring maximum entries in CRLDP cache.
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.4.4
844597-6 : AVR analytics is reporting null domain name for a dns query
Links to More Info: BT844597
Component: Advanced Firewall Manager
Symptoms:
AVR analytics is reporting null domain name for a DNS query if DNS DoS profile is attached to a virtual server, but the profile does not have the matching type vector enabled to the query type.
Conditions:
-- DNS DoS profile is attached to a virtual server.
-- The query type in the DNS query does not match an enabled DNS vector on the DNS profile.
Impact:
DNS domain name is reported as NULL
Workaround:
Enable the matching type vector on the DNS DoS profile.
Fix:
The domain name is now reported correctly under these conditions.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
844045-4 : ASM Response event logging for "Illegal response" violations.
Links to More Info: BT844045
Component: Application Security Manager
Symptoms:
Response log is not available when the request is legal but returns an illegal response status code.
In ASM, logging profiles allow the logging of all blocked responses. The existing response logging allows either all requests or illegal requests only which does not contain response logging data.
Conditions:
-- Response logging is enabled
-- An illegal response occurs
Impact:
Response logging does not occur.
Workaround:
N/A
Fix:
When a response has ASM response violations and response logging is enabled only for when there was a violation, ASM includes the response in the log.
Added an internal variable:
disable_illegal_response_logging -- default value 0.
If the response logging is enabled in the GUI, only the response logs are captured.
If the variable disable_illegal_response_logging is set to 1, then response logging is disabled(even if enabled in GUI).
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
842425-6 : Mirrored connections on standby are never removed in certain configurations
Links to More Info: BT842425
Component: Local Traffic Manager
Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.
Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.
Impact:
Leaking connections on the standby system.
Workaround:
You can use either of the following workarounds:
-- Use auto-lasthop with mirrored connections.
-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
842013-1 : ASM Configuration is Lost on License Reactivation★
Links to More Info: BT842013
Component: Application Security Manager
Symptoms:
After re-activating a BIG-IP license, if the configuration fails to load and reverts to a base config load, the ASM policy config contains 'default' or 'stub' policies, even after fixing the error that caused the configuration to fail to load.
Conditions:
1) A parsing error exists in the BIG-IP config such that 'tmsh load sys config verify' would fail
2) There is a license reactivation or the configuration is reloaded
Impact:
ASM policy configuration is lost and all policies are reverted to empty 'stubs'
Workaround:
In the case of license re-activation/before upgrade:
Run the command "tmsh load sys config verify" prior to license activation on ASM units to be sure that the config will pass parsing and avoid the fallback to base configuration load.
In a case of booting the system into the new version:
Option 1:
1. Using the steps in either K4423 or K8465, fix the issue that was preventing the config to load.
2. Reload the config from the fixed UCS file using the command in K13132.
Option 2:
1. Roll back to the old version.
2. Fix the issue that was preventing the config to load.
3. Before activating the Boot Location of the new version at System >> Software Management : Boot Locations, make sure to set the option Install Configuration to Yes. see: K64400324
Option 3: If one of the high availability (HA) units successfully upgraded, then use config-sync to push the working config to the failing unit.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
838405-4 : Listener traffic-group may not be updated when spanning is in use
Links to More Info: BT838405
Component: TMOS
Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.
Conditions:
Spanning is disabled or enabled on a virtual address.
Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.
Depending on the configuration, virtual server may or may not forward the traffic when expected.
Workaround:
Enable/Disable spanning together with changing a traffic-group (both options have to be changed simultaneously):
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-2 spanning disabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
838305-9 : BIG-IP may create multiple connections for packets that should belong to a single flow.
Links to More Info: BT838305
Component: Local Traffic Manager
Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.
Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down.
Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
832133-7 : In-TMM monitors fail to match certain binary data in the response from the server
Links to More Info: BT832133
Component: In-tmm monitors
Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system marks them DOWN.
Conditions:
This issue occurs when all of the following conditions are met:
- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).
- One or more TCP or HTTP monitors specify a receive string using HEX encoding, in order to match binary data in the server's response.
- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.
Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.
Workaround:
Either one of the following workarounds can be used:
- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.
- Do not monitor the application through a binary response (if the application allows it).
Fix:
The monitor finds the recv string and shows the pool or member as available.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
831737-3 : Memory Leak when using Ping Access profile
Links to More Info: BT831737
Component: Access Policy Manager
Symptoms:
The memory usage by pingaccess keeps going up when sending request with expired session cookie to a virtual server with PingAccess Profile.
Conditions:
1. BIG-IP virtual server that contains PingAccess Profile.
2. Request sent with expired session cookie.
Impact:
Memory leak occurs in which ping access memory usage increases.
Fix:
Fixed a memory link with the Ping Access profile.
Fixed Versions:
17.1.1, 16.1.5, 15.1.6.1
830341-5 : False positives Mismatched message key on ASM TS cookie
Links to More Info: BT830341
Component: Application Security Manager
Symptoms:
ASM system triggers false positives for ASM Cookie Hijacking violation with reason "Mismatched message key"
Conditions:
-- An HTTP request containing an old frame cookie with a different message key from the main ts cookie is rejected
-- The cookie is left intact
Impact:
All subsequent requests are rejected on ASM Cookie Hijacking violation
Workaround:
1. Disable "Learn Host Names" flag all policies. If the policy builder is on manual mode, they need to change it back to Auto mode, disable "Learn Host Names", then change to manual mode.
OR
2. Delete the mismatched cookie. This will cause the violations to stop occurring if the request comes from a legit endpoint
Fix:
In order to activate the changed functionality, set internal parameter ignore_cookies_msg_key to 1 and restart asm by executing following commands in CLI:
/usr/share/ts/bin/add_del_internal add ignore_cookies_msg_key 1
bigstart restart asm
Once enabled, ASM system does not trigger false positives.
Fixed Versions:
17.0.0, 16.1.2.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
829653-1 : Memory leak due to session context not freed
Links to More Info: BT829653
Component: Policy Enforcement Manager
Symptoms:
Memory increases slowly
Conditions:
A PEM iRule times out
Impact:
Memory could be exhausted depending on the frequency of the command timeouts
Fixed Versions:
17.0.0, 16.1.4
828761-5 : APM OAuth - Auth Server attached iRule works inconsistently
Links to More Info: BT828761
Component: Access Policy Manager
Symptoms:
The iRule attached to the OAuth Resource Server (RS) is not triggered when the traffic hits the virtual server.
Conditions:
The issue occurs during a reboot of the BIG-IP device containing an OAuth server config and an attached iRule, or when the iRule is initially assigned to the OAuth Server.
Impact:
OAuth scope check agent fails with 'HTTP error 503': as the iRule attached to the RS virtual server is not triggered.
Workaround:
For existing OAuth servers with the iRule attached, modify the iRule, for example, adding a log. This makes the iRule trigger when it is initially attached or loaded.
Fix:
The iRule is triggered when a request comes to the OAuth RS virtual server.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
827393-5 : In rare cases tmm crash is observed when using APM as RDG proxy.
Links to More Info: BT827393
Component: Access Policy Manager
Symptoms:
Tmm may crash when APM is configured as an RDG proxy to access Microsoft remote desktops and applications.
Conditions:
APM is used as RDG proxy
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Tmm does not crash when APM is configured as RDG proxy.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5
819645-1 : Reset Horizon View application does not work when accessing through F5 APM
Links to More Info: BT819645
Component: Access Policy Manager
Symptoms:
You are unable to reset VMware applications from a Windows VM client, Android VM client or HTML5 client.
Conditions:
-- VMware Horizon Proxy configured via an iApp on APM
-- Access the VM applications via APM webtop through native client /HTML5 client for windows or access applications via native client on android
Impact:
Impaired reset option functionality
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
818889-1 : False positive malformed json or xml violation.
Links to More Info: BT818889
Component: Application Security Manager
Symptoms:
A false positive malformed XML or JSON violation occurs.
Conditions:
-- A stream profile is attached (or the http profile is set to rechunk on the request side).
-- A json/XML profile attached to the virtual.
Impact:
A false positive violation.
Workaround:
Modify the http profile to work in preserve mode for request chunking (this workaround is not possible in 16.1).
Fix:
N/A
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
815901-2 : Add rule to the disabled pem policy is not allowed
Links to More Info: BT815901
Component: Policy Enforcement Manager
Symptoms:
Adding rule to PEM policy is not allowed
Conditions:
A PEM policy is disabled
Impact:
You are unable to add rules to a PEM policy if it is disabled.
Fix:
Allow adding rules to disabled PEM policy
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
810917-1 : OWASP Compliance score is shown for parent and child policies that are not applicable.
Links to More Info: BT810917
Component: Application Security Manager
Symptoms:
OWASP score for a parent policy or child policy is shown as 0.
The more accurate value should be 'N/A' since these policies are not configurable for OWASP.
Conditions:
Create either child policy or parent policy. On Security ›› Application Security : Security Policies : Policies List page you will see in the OWASP Compliance score the value 0, and when going to OWASP page configuration (Security ›› Overview : OWASP Compliance) the user will see a note that the policy is not configurable for OWASP.
Impact:
When looking on the policies list, the user may get the impression that the parent or child policies can be configured to comply with OWASP.
Workaround:
Ignore OWASP Compliance score for child and parent policies.
Fixed Versions:
17.0.0, 16.1.4
808913-1 : Big3d cannot log the full XML buffer data
Links to More Info: BT808913
Component: Global Traffic Manager (DNS)
Symptoms:
Big3d cannot log the full XML buffer data:
-- notice big3d[12212]: 012b600d:5: Probe from ::ffff:11.11.1.21:45011: len 883/buffer = <vip>.
Conditions:
The gtm.debugprobelogging variable is enabled.
Impact:
Not able to debug big3d monitoring issues efficiently.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
805821-1 : GTP log message contains no useful information
Links to More Info: BT805821
Component: Service Provider
Symptoms:
GTP profile and GTP iRules provide no useful information in order to proceed with troubleshooting.
Conditions:
GTP profile or iRules fails to process message
Impact:
User lacks of information for troubleshooting
Workaround:
N/A
Fix:
GTP error log has been replaced with a more useful message. The new log message provides more intuitive information including the reason and, in some messages, location of data that causes the failure.
Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
804529-1 : REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools
Links to More Info: BT804529
Component: TMOS
Symptoms:
The GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats for a specific pool may fail with Error 404.
Conditions:
Pools that start with the letter 'm'. This is because those endpoints contain objects with incorrect selflinks.
For example:
- Query to the below pool that starts with the letter 'm' will work as it contains the right selflink.
- Pool: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats"
- selfLink: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats?ver=x.x.x.x"
- Query to the below pool that does not start with the letter 'm' may not work as it contains the wrong selflink.
- Pool: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats"
- selfLink: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats?ver=x.x.x.x"
In the above example, the word 'members' is displayed in selflink.
Impact:
Errors are observed with GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats.
Workaround:
The following workarounds are available:
1. Use /mgmt/tm/ltm/pool/members/stats without a specific pool, which does return the pool member stats for every pool.
2. For each pool member in /mgmt/tm/ltm/pool, issue a GET for:
/mgmt/tm/ltm/pool/<pool>/members/<member>/stats
Fix:
The REST endpoint /mgmt/tm/ltm/pool/members/stats/<specific pool> will have the working endpoints returned.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
803109-4 : Certain configuration may result in zombie forwarding flows
Links to More Info: BT803109
Component: Local Traffic Manager
Symptoms:
OneConnect profile in conjunction with 'Source-port preserve-strict' or cmp-hash setting of 'dst-ip' or 'src-ip' on the server-side VLAN may result in zombie forwarding flows.
On the server-side the incoming traffic hits a different TMM from the one that handles the outgoing traffic.
Unexpected 'Inet port exhaustion' messages may be logged in the LTM log file.
Conditions:
-- OneConnect configured.
And one of the following:
-- Source-port is set to preserve-strict.
-- The cmp-hash setting on the server-side VLAN is set to 'dst-ip' or 'src-ip'.
Impact:
Zombie forwarding flows. Over time, the current allocation count grows and does not return to its prior level when traffic stops.
The current allocation can be checked with this command:
# tmctl memory_usage_stat name=connflow -s name,cur_allocs
Workaround:
You can use any of the following workarounds:
-- Remove the OneConnect profile from the Virtual Server.
-- Do not use 'source-port preserve-strict' setting on the Virtual Server.
-- Set the 'cmp-hash default' on the server-side VLAN if it is set to 'cmp-hash src-ip' or 'cmp-hash dst-ip'.
Note: After making this change, it may be necessary to run the command 'tmsh restart sys service tmm', which will clear the old flows but also impact traffic. Traffic interrupted while tmm restarts.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
796065-2 : PingAccess filter can accumulate connections increasing memory use.
Links to More Info: BT796065
Component: Access Policy Manager
Symptoms:
Currently the maximum http header count value for ping access is 64. The connection to the backend is aborted if there are more than 64 headers.
Conditions:
1. Ping access is configured.
2. The HTTP header count is more than 64.
Impact:
Connection is aborted by the BIG-IP system users are unable to access the backend.
Workaround:
None
Fix:
Fixed an issue with the ping access filter.
Fixed Versions:
16.1.4
794385-6 : BGP sessions may be reset after CMP state change
Links to More Info: BT794385
Component: Local Traffic Manager
Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.
This happens in the following instances:
- Blade reset.
- Booting up or shutting down.
- Running 'bigstart restart'.
- Setting a blade state from/to primary/secondary.
During these events, there is a small chance that ingress ACK packet of previously established BGP connection is going to be disaggregated to the new processing group(TMMs) and selected TMM is ready to process traffic, but is not ready yet to process traffic for existing connection. In this case, connection isn't processed and reset instead.
Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BGP peering is configured.
-- CMP state change is occurred on one of the blades.
-- BGP ingress ACK packet is disaggregated to TMM, which either wrong TMM or not ready to process the packet of already established connection
Impact:
Affected BGP peering is reset and dynamic routes learnt by the configured protocol are withdrawn, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.
In most cases, unexpected routing decisions are from networks learnt by affected routing protocols when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.
Workaround:
There is no workaround, but the issue was never seen with a configuration where CMP hash of affected VLAN is changed back to Default value.
Fix:
BGP session is no longer reset during CMP state change.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
791669-5 : TMM might crash when Bot Defense is configured for multiple domains
Links to More Info: BT791669
Component: Application Security Manager
Symptoms:
TMM might crash and generate a core file when using a Bot Defense profile that is configured for multiple domains.
Conditions:
Bot Defense is configured with multiple 'Related Site Domains' and attached to a virtual server.
Impact:
TMM crash with core. Traffic disrupted while tmm restarts.
Workaround:
None,
Fix:
TMM no longer crashes when Bot Defense is configured for multiple domains.
Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.2.3
780857-4 : HA failover network disruption when cluster management IP is not in the list of unicast addresses
Links to More Info: BT780857
Component: Local Traffic Manager
Symptoms:
If the cluster management IP address is not in the list of failover network unicast addresses, the blade management IP addresses in the unicast mesh will not be able to receive failover messages from peer devices.
Conditions:
-- VIPRION chassis or vCMP guest on a VIPRION chassis.
-- Per-blade management IP addresses listed in the failover network unicast mesh.
-- No cluster management IP address listed.
Impact:
The blade management IP addresses in the failover network unicast mesh stop functioning:
[root@VIP2200-R75-S5:/S1-green-P::Standby:In Sync] config # tmctl -w 200 -S sod_tg_conn_stat
entry_key local_failover_addr remote_device_name pkts_received transitions last_msg status
----------------------------- ------------------- ------------------------------ ------------- ----------- ---------- ------
10.200.75.8->10.10.10.1:1026 10.10.10.1:1026 VIP2200-R75-S8.sin.pslab.local 3249 3 1555399271 1
10.200.75.8->10.200.75.3:1026 10.200.75.3:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--
10.200.75.8->10.200.75.4:1026 10.200.75.4:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--
Workaround:
You can add an explicit management IP firewall rule to allow this traffic:
tmsh modify security firewall management-ip-rules rules add { accept_udp_1026 { place-before first ip-protocol udp destination { ports add { 1026 } } action accept } }
This will add a firewall policy so port 1026 is no longer locked down, and the blade management IP addresses in the unicast mesh should begin to function properly.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
776117-1 : BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type
Links to More Info: BT776117
Component: TMOS
Symptoms:
The BIG-IP Virtual Edition's virtio driver is incompatible with the Q35 machine type.
Conditions:
-- BIG-IP Virtual Edition with the virtio driver.
-- Setting the machine type to Q35 on the hypervisor.
Impact:
The BIG-IP will not use the virtio driver, using the sock (or unic, in versions prior to 14.1.0) driver instead.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
760496-4 : Traffic processing interrupted by PF reset
Links to More Info: BT760496
Component: TMOS
Symptoms:
CPU usage increases after PF reset. Traffic between client and server is interrupted.
Conditions:
-- E710 NICs are used.
-- Reset PF.
Impact:
The BIG-IP instance requires a restart after PF reset to resume traffic processing.
Workaround:
Restart the BIG-IP device.
Fix:
A TMSH db variable ve.ndal.exit_on_ue, is introduced to enable/disable device restart on PF reset. On restart, a new error message within /var/log/tmm is written. Error message: "Restarting TMM on unrecoverable error."
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
760355-4 : Firewall rule to block ICMP/DHCP from 'required' to 'default'★
Links to More Info: BT760355
Component: Advanced Firewall Manager
Symptoms:
If a firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.
Conditions:
- Firewall is configured on the management port.
- Firewall is configured with an ICMP rule to block.
- Firewall is configured with an ICMP rule to allow.
Impact:
ICMP packets cannot be blocked with a firewall rule to drop on the management port. ICMP packets are allowed from the management port and will not increase the counter even if explicitly allowed by a rule.
Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions.
# /sbin/iptables -N id760355
# /sbin/iptables -I INPUT 1 -j id760355
# /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP
Fix:
ICMP firewall rule has been moved from the f5-required to f5-default.
Fixed Versions:
16.1.4, 15.1.9, 15.0.1.1, 14.1.2.1
759928-6 : Engineering Hotfixes might not contain all required packages
Links to More Info: BT759928
Component: TMOS
Symptoms:
An Engineering Hotfix might be missing certain required packages.
Conditions:
This can occur with certain Engineering Hotfixes.
Impact:
Some of the required packages may be missing.
Workaround:
None
Fix:
Engineering Hotfix ISOs now automatically include packages for targets that may be affected by code change in a specific target.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
756918-4 : Engineering Hotfix ISOs may be nearly as large as full Release ISOs
Links to More Info: BT756918
Component: TMOS
Symptoms:
Engineering Hotfix ISO images might be unexpectedly large.
Conditions:
This might occur with certain Engineering Hotfix builds.
Impact:
Engineering Hotfixes are unnecessarily large.
Workaround:
None
Fix:
Engineering Hotfix ISO images are no longer created with a size that may occasionally exceed 2 GB, and no longer contain a complete set of packages replacing all packages installed by the original BIG-IP release upon which the Engineering Hotfix is based.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7
755976-9 : ZebOS might miss kernel routes after mcpd deamon restart
Links to More Info: BT755976
Component: TMOS
Symptoms:
After an mcpd daemon restart, sometimes (in ~30% of cases) ZebOS is missing some of kernel routes (virtual addresses).
One of the most common scenario is a device reboot.
Conditions:
-- Dynamic routing is configured.
-- Virtual address is created and Route Advertisement is configured:
imish -e 'sh ip route kernel'
-- mcpd daemon is restarted or device is rebooted.
Impact:
The kernel route (virtual address) is not added to the ZebOS routing table and cannot be advertised.
Workaround:
There are several workarounds; here are two:
-- Restart the tmrouted daemon:
bigstart restart tmrouted
-- Recreate the affected virtual address.
Fix:
The kernel route is now present in the ZebOS routing table after mcpd daemon restart.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
752077-4 : Kerberos replay cache leaks file descriptors
Links to More Info: BT752077
Component: Access Policy Manager
Symptoms:
APMD reports 'too many open files' error when reading HTTP requests:
-- err apmd[15293]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 113 Msg: epoll_create() failed [Too many open files].
-- err apmd[15293]: 01490000:3: ApmD.cpp func: "process_apd_request()" line: 1801 Msg: Error 3 reading/parsing response from socket 1498. strerror: Too many open files, queue size 0, time since accept
There are file descriptor dumps in /var/log/apm showing many deleted files with name krb5_RCXXXXXX:
-- err apmd[15293]: 01490264:3: 1492 (/shared/tmp/krb5_RCx8EN5y (deleted)) : cloexec, Fflags[0x8002], read-write
-- err apmd[15293]: 01490264:3: 1493 (/shared/tmp/krb5_RCnHclFz (deleted)) : cloexec, Fflags[0x8002], read-write
-- err apmd[15293]: 01490264:3: 1494 (/shared/tmp/krb5_RCKGW8ia (deleted)) : cloexec, Fflags[0x8002], read-write
Conditions:
This failure may happen if the access policy uses Kerberos authentication, Active Directory authentication, or Active Directory query. The conditions under which the Kerberos replay cache leaks is unknown.
Impact:
APM end users experience intermittent log on issues.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
749332-1 : Client-SSL Object's description can be updated using CLI and with REST PATCH operation
Links to More Info: BT749332
Component: TMOS
Symptoms:
REST PUT fails to update the object description when proxy-ca-cert and proxy-ca-key are not configured, and triggers an error:
SSL forward proxy RSA CA key is missing.
Conditions:
Issue is seen only with REST PUT operation, and when proxy-ca-cert and proxy-ca-key are not configured.
Impact:
REST PUT operation cannot be used to update/modify the description.
Workaround:
You can use either of the following:
-- You can use TMSH to update/modify the description, even if proxy-ca-cert and proxy-ca-key are not configured.
-- You can also use PATCH operation and send only the required field which need modification.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.4
748886-4 : Virtual server stops passing traffic after modification
Links to More Info: BT748886
Component: Local Traffic Manager
Symptoms:
A virtual server stops passing traffic after changes are made to it.
Conditions:
-- Virtual server is using a port-list or address-list
-- High availability (HA) environment with multiple traffic groups
-- A change is made to the virtual server
Impact:
Every time you make changes to the virtual server, the traffic-group for the virtual address is changed, and traffic goes down.
Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
742753-8 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail
Links to More Info: BT742753
Component: TMOS
Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.
Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:
- Remove the Referer header.
- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.
Impact:
Users cannot log on to the BIG-IP system's WebUI.
Workaround:
As a workaround, you can do any of the following things:
- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).
- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).
- Modify the proxy solution so that it inserts compatible Referer and Host headers.
Fix:
CSRF checks based on HTTP headers pre-logon have been improved.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
738716-1 : Add support for "Restart Desktop" setting in View clients, native as well as HTML5 clients
Links to More Info: BT738716
Component: Access Policy Manager
Symptoms:
When VMware resources are accessed through APM VMware VDI, the "Restart Desktop" setting is not seen on enumerated for Desktop resource. The same issue is observed with HTML5 clients.
Conditions:
- VMware Native or HTML5 client is used
- APM VMware VDI is used
- Desktop resources should be enumerated
- Right click on resource
Impact:
Unable to restart desktop from native and HTML5 clients.
Workaround:
None
Fix:
Restart desktop is successful and it works as expected.
Fixed Versions:
17.1.1, 16.1.5
738593-3 : Vmware Horizon session collaboration (shadow session) feature does not work through APM.
Links to More Info: BT738593
Component: Access Policy Manager
Symptoms:
When the VMware virtual desktop interface (VDI) is configured, session collaboration or shadow session does not work.
Conditions:
-- VMware VDI configured and Desktop resource is accessed with native client only.
-- Launch resources and VMware Horizon Client will use Blast protocol to display VMware sessions.
-- Shadow session is enabled in desktop.
Impact:
Desktop's Shadow session resource icon is not showed on webtop of native client.
Workaround:
None
Fix:
Users should see Desktop's shadow session icon when resources are loaded on to webtop of native client.
Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
737692-5 : Handle x520 PF DOWN/UP sequence automatically by VE
Links to More Info: BT737692
Component: TMOS
Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, i.e. the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that the BIG-IP VE can use). If an x520 device's PF is marked down and then up, tmm does not recover traffic on that interface.
Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.
Impact:
VE does not process any traffic on that VF.
Workaround:
Reboot VE.
Fix:
Tmm now restarts automatically when the PF comes back up after going down.
Behavior Change:
Tmm now restarts automatically when the PF comes back up after going down.
Fixed Versions:
17.1.1, 16.1.5, 15.1.3.1
724653-5 : In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync.
Links to More Info: BT724653
Component: TMOS
Symptoms:
In a device-group configuration, a BIG-IP administrator can add a non-synced object to a partition on one device, then delete that partition on a peer device, syncing the delete (this is assuming the partition is empty on the peer).
Although the config-sync operation will report as having completed successfully on both devices, and no errors will be visible in the /var/log/ltm file of either device, a number of issues can manifest at a later time.
For instance, assuming the non-synced object was a VLAN, listing all VLANs across all partitions will return the following error:
root@(bigip-ntr-d)(cfg-sync In Sync)(Active)(/)(tmos)# list net vlan recursive
01070712:3: Internal error, can't load folder or nested folder for: /test/my_vlan
And reloading the config will return the following error (as the partition has been deleted, including its flat config files):
root@(bigip-ntr-d)(cfg-sync In Sync)(Active)(/Common)(tmos)# load sys config
Loading system configuration...
/defaults/asm_base.conf
/defaults/config_base.conf
/defaults/ipfix_ie_base.conf
/defaults/ipfix_ie_f5base.conf
/defaults/low_profile_base.conf
/defaults/low_security_base.conf
/defaults/policy_base.conf
/defaults/wam_base.conf
/defaults/analytics_base.conf
/defaults/apm_base.conf
/defaults/apm_saml_base.conf
/defaults/app_template_base.conf
/defaults/classification_base.conf
/var/libdata/dpi/conf/classification_update.conf
/defaults/urlcat_base.conf
/defaults/daemon.conf
/defaults/pem_base.conf
/defaults/profile_base.conf
/defaults/sandbox_base.conf
/defaults/security_base.conf
/defaults/urldb_base.conf
/usr/share/monitors/base_monitors.conf
Loading configuration...
/config/bigip_base.conf
/config/bigip_user.conf
/config/bigip.conf
01070523:3: No Vlan association for STP Interface Member 1.2.
Unexpected Error: Loading configuration process failed.
These are just examples, and the exact failures will depend on the type of non-synced object and its use within your configuration.
Conditions:
-- Two or more devices in a device-group configuration.
-- Using partitions that contain non-synced objects.
-- Deleting the partition on a device and syncing the changes to the other devices.
Impact:
The partition is deleted on the peer device, even though it still contains non-synced objects. A number of config issues can arise at a later time as a result of this.
Workaround:
In some cases, if you need to define non-synced objects, you can do so in partitions or folders that are associated with 'device-group none' and 'traffic-group none'. This would prevent the partition or folder from synchronizing to other devices in the first place.
Fix:
Validation has been added that will make a config-sync receiver reject the operation if this includes the deletion of a non-empty partition. In this case, the config-sync will fail and report an error message similar to the following example:
0107082a:3: All objects from local device and all HA peer devices must be removed from a partition (test) before the partition may be removed, type ID (467), text ID (60706)
Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5
723109-2 : FIPS HSM: SO login failing when trying to update firmware
Links to More Info: BT723109
Component: TMOS
Symptoms:
After FIPS device initialization when trying to update the FIPS firmware. It may fail on SO login.
Conditions:
When trying to update FIPS firmware.
Impact:
This will not be able to upgrade the FIPS firmware.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
720610-4 : Automatic Update Check logs false 'Update Server unavailable' message on every run
Links to More Info: BT720610
Component: TMOS
Symptoms:
The Automatic Update Check operation erroneously logs a message indicating that the Update Server is unavailable on every run, successful or not.
Conditions:
The BIG-IP system is configured to run the Automatic Update Check feature.
Impact:
Misleading 'PHONEHOME: Update Server unavailable' messages in the log file, implying that the update server is not available.
Workaround:
None.
Fix:
The Automatic Update Check operation no longer logs false messages.
Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.2.7, 13.1.3
717806-8 : In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured
Links to More Info: BT717806
Component: Local Traffic Manager
Symptoms:
Load average peaks are observed when a high number of monitors (>= 200) are configured across 'n' bigd instances.
Conditions:
When a high number of monitors are configured across 'n' bigd instances. CPU load peaks appear and disappear periodically.
Impact:
No performance impact
Workaround:
None
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
715748-7 : BWC: Flow fairness not in acceptable limits
Links to More Info: BT715748
Component: TMOS
Symptoms:
Flow fairness for BWC dynamic policy instance has reduced.
Conditions:
The flow fairness is up to 50%. It is expected to be within 25%.
Impact:
Flow fairness of BWC dynamic policy across sessions is not as expected.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
713754-3 : Apache vulnerability: CVE-2017-15715
Links to More Info: K27757011
693473-8 : The iRulesLX RPC completion can cause invalid or premature TCL rule resumption
Links to More Info: BT693473
Component: Local Traffic Manager
Symptoms:
RPC completion will attempt to resume the RPC iRule execution when there is subsequent iRule activity on the flow - CLIENT/SERVER_CLOSED, for instance, which keeps the flow alive and blocks in an iRule event.
Conditions:
Blocking the iRule event When an RPC call is outstanding and the flow is aborted.
Impact:
It will cause the iRule event blocking when RPC call is outstanding and the flow is aborted
Workaround:
None
Fix:
Cancel ILX RPC TCL resumption if iRule event is aborted before resumption (reply or timeout) occurs.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
686783-1 : UlrCat custom database feed list does not work when the URL contains a www prefix or capital letters.
Links to More Info: BT686783
Component: Traffic Classification Engine
Symptoms:
If a UrlCat custom database feed list has URLs containing a www prefix or capital letters, the URLs are not categorized when queried.
Conditions:
The UrlCat custom database feed list with URL containing www prefix or capital letters,
Impact:
Improper classification
Workaround:
Using an iRule can help classify the URL.
Fix:
Normalized the URL before putting in the custom database.
Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
674026-6 : iSeries AOM web UI update fails to complete.★
Links to More Info: BT674026
Component: TMOS
Symptoms:
Upon upgrading a BIG-IP version, AOM web UI updates can sometimes fail.
Conditions:
This occurs when upgrading a BIG-IP system's software version on iSeries platforms.
Impact:
After booting to a new version, the AOM web UI update fails with an error message in /var/log/ltm similar to the following:
err bmcuiupdate[20824]: Failed updated AOM web UI with return code 2
Workaround:
At the bash prompt run:
/etc/lcdui/bmcuiupdate
This triggers another upgrade attempt, and the result is logged in /var/log/ltm. This should not be service-affecting.
Fix:
AOM web UI update failures are now automatically corrected.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
673952-6 : 1NIC VE in high availability (HA) device-group shows 'Changes Pending' after reboot
Links to More Info: BT673952
Component: TMOS
Symptoms:
When Virtual Edition (VE) is configured for 1NIC, you will see the following logs on reboot indicating that configuration has been loaded from file:
notice tmsh[12232]: 01420002:5: AUDIT - pid=12232 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all base
notice tmsh[12392]: 01420002:5: AUDIT - pid=12392 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all
Conditions:
- VE configured in 1NIC mode.
- Unit booted either through reboot or power on.
Impact:
This is unlikely to have any impact if the VE is in standalone mode but could result in an unexpected config if the configuration files differ.
If the VE is part of a device-group, then this will result in a commit id update and the units will show 'Changes pending'.
Workaround:
None.
Fixed Versions:
17.0.0, 16.1.5
672963-1 : MSSQL monitor fails against databases using non-native charset
Links to More Info: BT672963
Component: Local Traffic Manager
Symptoms:
MSSQL monitor is fails against databases using non-native charset.
Conditions:
MSSQL monitor configured to monitor a database that is using non-native charset (ISO-8859-1).
Impact:
MSSQL monitoring always marks node / member down.
Workaround:
On BIG-IP v13.x and v14.0.x, you can work around this issue using the following steps:
1. Log in to the BIG-IP console into a bash prompt.
2. Run the following command:
mount -o remount,rw /usr; ln -s /usr/java-64/openjdk/lib/charsets.jar /usr/java/openjdk/lib/charsets.jar; mount -o remount,ro /usr
3. Restart bigd:
bigstart restart bigd
Fix:
MSSQL monitor can be used effectively against a database using a non-native charset.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
669046-7 : Handling large replies to MCP audit_request messages
Links to More Info: BT669046
Component: TMOS
Symptoms:
When receiving very large replies to MCP messages (e.g., when viewing audit logs from the GUI), MCP can run out of memory and produce a core file. This is due in part to the amount of data returned, and also due in part to memory handling.
In a production environment, fragmentation naturally occurs over the lifetime of MCP, thus increasing the odds of this happening. In addition, larger configurations cause more space to be consumed in MCPD and might more easily lead to the fragmentation, resulting in this issue.
Conditions:
Receiving very large replies to MCP messages (e.g., from audit_request messages, which occurs when you view audit logs from the GUI).
Memory usage is already high.
Impact:
Allocation of memory for viewing the audit logs fails. MCP can run out of memory and produce a core file.
Workaround:
Use tmsh/bash to view the audit logs instead of the GUI when audit logs are extremely large and memory usage is already high.
Fix:
Viewing audit logs in the GUI is now limited to 10,000 lines, so this issue no longer occurs.
Behavior Change:
The GUI is limited to viewing no more than 10,000 lines of the audit log.
You can use tmsh/bash to view audit logs larger than 10,000 lines.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
662301-8 : 'Unlicensed objects' error message appears despite there being no unlicensed config
Links to More Info: BT662301
Component: TMOS
Symptoms:
An error message appears in the GUI:
This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.
Examination of the configuration and license shows that there are no configuration errors or unlicensed configuration objects. The device is operational.
Conditions:
The BIG-IP system is licensed and the configuration loaded.
Impact:
Error message appears in the GUI stating that the device is not operational. However, the device is operational.
Workaround:
On an appliance, restart mcpd by running the following command:
bigstart restart mcpd
On a VIPRION or vCMP guest running on a VIPRION, restart MCPD on all blades by running the following command:
clsh bigstart restart mcpd
Note: This causes a system to go offline while services restart. Traffic disrupted while services restart.
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
634576-3 : TMM core in per-request policy
Links to More Info: K48181045, BT634576
Component: Access Policy Manager
Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.
Conditions:
APM or SWG per-request policy with reject ending.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fix:
TMM no longer cores when per-request policy encounters reject ending.
Fixed Versions:
16.1.5, 13.1.0
605966-9 : BGP route-map changes may not immediately trigger route updates
Links to More Info: BT605966
Component: TMOS
Symptoms:
When a route-map is used to filter BGP advertisements, changes to the route-map that affect the filtered routes may not trigger an update to the affected routes.
Conditions:
BGP in use with a route-map filtering advertisements.
Impact:
BGP table may not reflect route-map changes until "clear ip bgp" is executed.
Workaround:
Run "clear ip bgp <neighbor>".
Fix:
Changing a route-map used with BGP updates affected routes without clearing the session.
Fixed Versions:
16.1.5
586948-2 : Dynamic toggling for HSB hardware checksum validation
Links to More Info: BT586948
Component: TMOS
Symptoms:
Disabling hardware checksum validation on BIG-IP requires manually editing a config tcl file and restarting TMM.
Conditions:
- Configuring HSB hardware checksum validation.
Impact:
None
Workaround:
None
Fix:
HSB hardware checksum validation can now be configured by using the new DB variable "tmm.hsb.hwchecksumvalidation".
When the value of this DB variable is changed, the HSB will be updated immediately without requiring a TMM restart.
Fixed Versions:
17.1.0, 16.1.5
574762-4 : Forwarding flows leak when a routing update changes the egress vlan
Links to More Info: BT574762
Component: Local Traffic Manager
Symptoms:
Forwarding flow doesn’t expire and leaks a connflow object.
Conditions:
Conditions to hit this are a route change on forwarded flows.
Impact:
Memory leak.
Workaround:
None
Fix:
Fixed a memory leak with forwarding flows.
Fixed Versions:
17.0.0, 16.1.4, 15.1.9
528894-5 : Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition
Links to More Info: BT528894
Component: TMOS
Symptoms:
Configuration stanzas that do not belong in the files of a non-Common partition appear there. These stanzas could include, for example, 'net trunk' or 'sys ha-group' objects.
Conditions:
-- The system includes partitions other than Common.
-- Configuration in a partition other than Common is modified.
-- A Config-Sync operation not involving an overwrite takes place (it is also possible to reproduce this issue on a standalone BIG-IP system by doing a save operation like the following: "tmsh save sys config partitions { Common other }").
Impact:
/config/partitions/<partition_name>/bigip_base.conf will contain extraneous config stanzas (such as the ones mentioned in Symptoms).
/config/bigip_base.conf will no longer contain config stanzas that belong there.
Note that the impact is mostly cosmetic. An affected device will still be able to correctly load its configuration even if some config stanzas appear in the wrong flat config file.
However, Administrators performing audits of the flat config files will be perplexed as to why some stanzas are moving back and forth between partitions.
Workaround:
If you wish to restore your flat config files to their proper state after the issue has already occurred, simply run "tmsh save sys config" on the affected device.
Alternatively, to prevent the issue in the first place, you can Config-Sync using the following command "tmsh run cm config-sync force-full-load-push to-group <device-group>".
Note that neither workaround is permanent and the issue will reoccur.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5
504374-1 : Cannot search Citrix Applications inside folders
Links to More Info: BT504374
Component: Access Policy Manager
Symptoms:
Search in webtop will not consider Citrix applications inside folders while searching.
Conditions:
Citrix applications available inside folder
Impact:
Unable to search Citrix applications inside folders.
Workaround:
None
Fixed Versions:
16.1.5
490138-1 : Kerberos Auth might fail in case BIG-IP is configured with multiple AAA Kerberos Servers
Links to More Info: BT490138
Component: Access Policy Manager
Symptoms:
In case BIG-IP is configured with multiple AAA Kerberos Server objects and those Kerberos Server uses different keytabs for different service account but for the same realm,
authentication may fail intermittently
Conditions:
- multiple AAA Kerberos Servers created
- AAA Kerberos servers are configured with different keytabs
- the keytabs are for different service accounts but for the same realm
Impact:
Kerberos authentication fails, user cannot log in
Workaround:
As a workaround, it is suggested to merge keytab files and use cumulative keytab file for all AAA Kerberos Servers
Administrator can merge keytab files with "ktutil" kerberos utility that is installed at BIG-IP.
1. run ktutil
2. load all the keytab files to merge using:
rkt <file>
3. you cal list currently loaded entries with "l"
4. after you load all required keytabs, save new keytab with
wkt <newfile>
Fixed Versions:
17.1.0, 16.1.4, 15.1.9
435231 : Support RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral parameters
Links to More Info: K79342815, BT435231
Component: Local Traffic Manager
Symptoms:
RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) parameters are not supported.
Conditions:
This affects ciphersuites that use Diffie–Hellman Ephemeral (DHE) key exchange.
Impact:
Support for larger FFDHE groups will be chosen if offered by the client.
Note: You might notice an impact to performance as compared with the previously chosen DHE 1024.
Workaround:
None
Fix:
With the support for the FFDHE groups defined in RFC7919, the system now supports DHE2048, DHE3072, DHE4096 keys. The default DHE key size is 2048 bits. (In previous BIG-IP versions, the default was 1024 bits.)
You can configure this default value by enabling or disabling the DB variable tmm.ssl.dh1024. To do so, use the following TMSH command syntax:
modify sys db tmm.ssl.dh1024 value enable/disable
To use FFDHE2048, FFDHE3072, FFDHE4096 keys, you define them in a cipher rule, and then use this rule in a cipher group before associating it with an SSL profile.
Note: If you use a cipher rule that does not define any of the FFDHE2048, FFDHE3072, or FFDHE4096 groups (e.g., f5-default), this feature is not enabled.
For more information, and for steps to define these rules, see K79342815: BIG-IP support for RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) :: https://support.f5.com/csp/article/K79342815.
Behavior Change:
RFC7919 Negotiated FFDHE parameters are now supported.
The FFDHE2048, FFDHE3072, FFDHE4096 keys are supported in this release. The default is DHE 2048 bits.
In previous versions, the default DHE key size was 1024 bits. If you want to continue to use DHE 1024 you can enable db var tmm.ssl.dh1024, by default it is disabled.
For more information, and for steps to use this feature, see K79342815: BIG-IP support for RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) :: https://support.f5.com/csp/article/K79342815.
Fixed Versions:
17.0.0, 16.1.2.2
427094-1 : Accept-language is not respected if there is no session context for page requested.
Links to More Info: BT427094
Component: Access Policy Manager
Symptoms:
Localization settings are determined when the session is created.
As a result, when the user logs out, there is user context left for APM to determine what language to present to the user.
So, when user is using the localized logon page, after the refresh it turns to the default language.
Conditions:
After configuring the preferred language, When refreshing login page twice, language is changed to default Eng.
Impact:
APM page doesn't load the preferred language after refreshing twice.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
423519-5 : Bypass disabling the redirection controls configuration of APM RDP Resource.
Links to More Info: K74302282, BT423519
Component: Access Policy Manager
Symptoms:
User can bypass RDP resource redirection restrictions between RDP remote machine and local machine.
Conditions:
1. Create RDP resource. Disable redirection parameter.
2. Launch the resource.
3. Launch RDP Client, enable redirection parameter.
Impact:
User can bypass RDP resource restrictions.
Workaround:
NA
Fix:
User is not allowed to perform any redirection controls of the RDP resource.
Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1615861-2 : TMUI hardening
Component: TMOS
Symptoms:
In certain scenarios, TMUI does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
No work around
Fix:
Best security practices are now applied
Fixed Versions:
16.1.5.1, 15.1.10.5
1593681-2 : Monitor validation improvements
Component: TMOS
Symptoms:
Monitor validation did not follow expected behavior.
Conditions:
N/A
Impact:
N/A
Workaround:
No mitigation
Fix:
Only allow trusted admins to create and upload custom monitors. Do not upload untrusted monitors.
Fixed Versions:
16.1.5, 15.1.10.5
1560497 : Host is unreachable, vector is not mitigated by HW at profile level.
Links to More Info: BT1560497
Component: Advanced Firewall Manager
Symptoms:
HW drops are not getting incremented when traffic was sent to Host. Unreachable vector at profile level.
Conditions:
Configure the Host unreachable vector detection and mitigation limits at profile level.
Impact:
Hardware mitigation does not happen at profile level.
Workaround:
None
Fix:
Handled, neuron support checks for host with unreachable vector as the support was not there, such that, the packets were routed directly to flow table to effect the hardware stats.
Fixed Versions:
16.1.5
1552685-5 : Issues are observed with APM Portal Access on Chrome browser version 122 or later
Links to More Info: K000138771, BT1552685
Component: Access Policy Manager
Symptoms:
Web application using APM Portal Access stops working after upgrading to Chrome browser version 122 or later or a similar MS Edge browser version.
Conditions:
-- Chrome browser version 122 or later or a similar MS Edge browser version
-- APM Portal Access
Impact:
Applications will not work through Portal Access.
Workaround:
An iRule/iFile workaround is available. Refer to K000138771: APM Portal Access stops working after upgrading Chrome to version 122 (https://my.f5.com/manage/s/article/K000138771)
Fix:
APM portal access will work with Chrome browser version 122 or later or a similar MS Edge browser version.
Fixed Versions:
16.1.5
1538173-3 : Bados TLS fingerprints works incorrectly with chrome's new versions
Links to More Info: BT1538173
Component: Anomaly Detection Services
Symptoms:
The requests from the same Chrome browser but from different connections can have different TLS fingerprints
Conditions:
Behavioral L7 DOS is configured, BAD actors behavior detection configured with "Use TLS patterns as part of host identification" option.
Some good clients or attackers use new versions of Chrome
Impact:
The same user will be identified and examined as a different users
Workaround:
Don't use "TLS patterns as part of host identification" option"
Fix:
The requests from the same Chrome browser have different TLS fingerprints
Fixed Versions:
16.1.5
1507913-2 : CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources
Links to More Info: K000139084, BT1507913
1507569-2 : KeyTrap: Extreme CPU consumption in DNSSEC validator
Links to More Info: K000139092, BT1507569
1506049-2 : Parsing large DNS messages may cause excessive CPU load
Links to More Info: K000138990, BT1506049
1506009-1 : Oauth core
Links to More Info: BT1506009
Component: Access Policy Manager
Symptoms:
TMM crashes during a configuration sync while passing OAuth traffic.
Conditions:
-- OAuth configured with opaque token generation
-- A configuration sync occurs
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Identified and addressed the db proxy connection pointer validation in case of rollback when db query fails.
Fixed Versions:
16.1.5
1506005-2 : TMM core occurs due to OAuth invalid number of keys or credential block size
Links to More Info: BT1506005
Component: Access Policy Manager
Symptoms:
TMM crashes during a configuration sync while passing OAuth traffic.
Conditions:
-- OAuth is configured.
-- A configuration sync occurs.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Modified the terminating condition based on the credential block length with the number of keys.
Fixed Versions:
16.1.5
1505789-2 : VPN connection fails with Edge client 7.2.4.6 with error "Network is vulnerable"★
Links to More Info: K000138683, BT1505789
Component: Access Policy Manager
Symptoms:
When the user is upgraded to edge client version 7.2.4.6, they may fail to connect to the VPN server.
Conditions:
1. If LTM VS/NATed device is present before APM VPN enabled virtual server or any cases where client receives the VPN server IP different in the IP header and pre/config message.
2. BIG-IP versions v17.1.1.1 or v16.1.4.2 or v15.1.10.3 used along with edge client version 7.2.4.6.
Impact:
The user fails to connect to the VPN.
Workaround:
See the Recommended Actions at K000138683: Users cannot connect to BIG-IP APM virtual servers with BIG-IP Edge Client 7246, available at https://my.f5.com/manage/s/article/K000138683
Fix:
The user should be able to connect to the VPN even after the upgrade.
Fixed Versions:
16.1.5
1505753-1 : Maximum Fragment Length extension is not visible in ServerHello even though it is present in ClientHello
Links to More Info: BT1505753
Component: Local Traffic Manager
Symptoms:
When the request from the client contains the Maximum Fragment Length header, BIG-IP is able to process it and honors the functionality, but this parameter is not added to the ServerHello.
Conditions:
Send a request from a client that contains the maximum fragment length extension.
Impact:
The ClientHello succeeds but the TLS Handshake fails when the Server Hello is received.
Workaround:
None
Fixed Versions:
16.1.5
1505413 : Error in Wrapper for Array.slice Method When F5_window_link is Undefined
Links to More Info: BT1505413
Component: Access Policy Manager
Symptoms:
When Modern Rewrite Mode is used, an error occurs while processing traffic:
cache-fm-Modern.js:481 Uncaught TypeError: Cannot read properties of undefined (reading 'Array')
Conditions:
Modern Rewrite Mode is used
Impact:
Application does not function properly
Workaround:
Use the below iFile iRule:
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
if {
[HTTP::path] ends_with "cache-fm-Modern.js"
} {
HTTP::respond 200 content [ifile get ModernCachefm]
}
}
iFile - Contact F5 support for iFile
Fix:
Application is working fine now
Fixed Versions:
16.1.5
1496701-1 : PEM CPPE reporting buffer overflow resulting in core
Links to More Info: BT1496701
Component: Policy Enforcement Manager
Symptoms:
PEM writes into buffer without checking size hence resulting unknown behavior or core.
TMM starts coring and rebooting.
Conditions:
1) PEM policy with action reporting is configured.
2) Reporting ->hsl-> session-reporting-fields has large number of fields.
Impact:
TMM core, hence service disruption.
Fix:
Check the bounds before each write
Fixed Versions:
16.1.5
1496457-2 : TMM crash under certain traffic patterns when an HTTP/2 profile is applied.
Component: Local Traffic Manager
Symptoms:
A TMM crash.
Conditions:
An LTM virtual server with an HTTP/2 profile attached.
Impact:
A TMM crash.
Workaround:
Set up HA pairs when configuring your BIG-IP device.
Fix:
The issue no longer occurs.
Fixed Versions:
16.1.5
1496269-2 : VCMP guest on version 16.1.4 or above might experience constant TMM crashes.★
Links to More Info: BT1496269
Component: TMOS
Symptoms:
VCMP guest on version 16.1.4 or above might experience constant TMM crashes.
Conditions:
VCMP guest running version from 16.1.x software train, 16.1.4 or above.
vCMP host running any other software version.
Impact:
Post upgrade TMM enters crash/core loop on vCMP guest. Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
16.1.5
1495217-3 : TMUI hardening
Links to More Info: K000138636, BT1495217
1494833-3 : A single signature does not match when exceeding 65535 states
Links to More Info: K000138898, BT1494833
Component: Application Security Manager
Symptoms:
One of the attack signatures is not matched.
Conditions:
When all signatures are enabled and custom ones are created.
Impact:
The attack signature is passed instead of getting blocked.
Workaround:
NA
Fix:
All the signatures will be detected and respective violations will be raised.
Fixed Versions:
17.1.1.3, 16.1.4.3, 15.1.10.4
1494293-4 : BIG-IP might fail to forward server-side traffic after a routing disruption occurs.
Links to More Info: BT1494293
Component: Local Traffic Manager
Symptoms:
BIG-IP might fail to forward server-side traffic after a routing disruption occurs.
Conditions:
- CMP forwarding occurs (traffic on ingress is handled by a different TMM on egress).
- Routing disruption happens.
- Flow collision with existing connection happens.
- connection.vlankeyed is enabled (default)
Impact:
Server-side traffic is silently dropped.
Workaround:
Clear the existing connection from the connection table according to K53851362
Fixed Versions:
16.1.5
1494137-1 : Translucent mode vlan-group uses wrong MAC when sending ICMP to client
Links to More Info: BT1494137
Component: Local Traffic Manager
Symptoms:
Translucent mode vlan-group uses source MAC as the vlan-group's MAC address instead of the server's MAC address while responding to an ICMP unreachable request.
Conditions:
1. Configure Vlangroup in Translucent mode on BIG-IP
2. Send an ICMP unreachable request from client to server.
3. Capture the tcpdump on the BIG-IP, observe the response packet has source MAC as the vlan-group's MAC address instead of the server's MAC address while responding to an ICMP unreachable request.
Impact:
The wrong MAC address is used which can cause traffic disruption.
Workaround:
Disable vlangroup.flow.allocate :
tmsh modify sys db vlangroup.flow.allocate value disable
Fix:
Translucent mode vlan-group uses source MAC as the server's MAC address instead of vlan-group's MAC address while responding to an ICMP unreachable request.
Fixed Versions:
16.1.5
1492361-2 : TMUI Security Hardening
Links to More Info: K000138894, BT1492361
1491481-2 : Server changes to support QT upgrade of Mac Clients
Links to More Info: BT1491481
Component: Access Policy Manager
Symptoms:
The old client build was failing due to a pending QT upgrade, the client requires server changes to support.
Conditions:
QTv5.5 and MAC OS(11.1)
Impact:
Cannot establish VPN connection with new clients.
Workaround:
None
Fix:
Server changes to support QT upgrade of clients.
Fixed Versions:
16.1.5
1491165-1 : TMM crashes when saving DAG setting and there are 7 or more blades
Links to More Info: BT1491165
Component: TMOS
Symptoms:
TMM crashes and generates a core file and continues to crash during startup.
Conditions:
A chassis has 7 or more blades installed.
The settings introduced by ID1282181 have been saved.
Impact:
Traffic interruption while TMM restarts.
Workaround:
The issue could be avoided by clearing the variables for ID1282181. However, this takes away the feature.
Fix:
The fix is adjusting the size of the buffers.
Fixed Versions:
16.1.5
1490833-1 : OAuth agent gets misconfigured when adding a new Scope/Claim in VPE
Links to More Info: BT1490833
Component: Access Policy Manager
Symptoms:
OAuth agents gets misconfigured when adding a new scope/claim in the visual policy editor (VPE)
Conditions:
- There are at least 10 scopes/claims attached to the OAuth agent.
- Adding a new scope/claim to the OAuth agent
Impact:
OAuth agent gets misconfigured
Workaround:
None
Fixed Versions:
16.1.5
1490765-2 : Request body can be unordered by bot-defense
Links to More Info: BT1490765
Component: Application Security Manager
Symptoms:
Certain request body, such as request body from a trusted bot, can be unordered after bot-defense applied its enforcement.
Conditions:
- bot-defense profile is in use
- bot-defense performs rDNS lookup for the request
- this manifests once in every five minutes
Impact:
Service or application that receives the unordered request body might not understand the request content and can fail.
Workaround:
Use iRule that disables bot-defense for the specific request, for example
- Check UA, URI, and other
- Disable bot-defense
Fixed Versions:
16.1.5
1489657-3 : HTTP/2 MRF incorrectly end stream for 100 Continue
Links to More Info: BT1489657
Component: Local Traffic Manager
Symptoms:
HTTP2 client resets the stream by PROTOCOL ERROR on seeing END_STREAM flag set in 100 CONTINUE header frame.
Conditions:
HTTP/2 MRF enabled
HTTP/2 on the server side.
HTTP POST with body length > 0
The HTTP request has the "Expect: 100-continue" header
The server responds 100 Continue
And versions that have BugID-1220629 fixed
Impact:
The request would not be processed due to PROTOCOL_ERROR.
Fix:
Special handling for 1xx headers
Fixed Versions:
16.1.5
1473701 : Oauth Discovery task is struck at "SAVE_AND_APPLY" state
Links to More Info: BT1473701
Component: Access Policy Manager
Symptoms:
Initial symptoms could be one of the following:
- Auto JWT discovery task stops or stalls and no reason is provided
- OIDC discovery task stops discovering
- Auto update of JWK fails
- OAuth token does not renew
- Oauth Discovery stuck at "SAVE_AND_APPLY"
- OAuth Provider Discovery Task does not work anymore
Other indications:
-> Stale JWK keys will be present in the config and Authentication fails with the following error in /var/log/apm:"OAuth Scope: failed for jwt-provider-list '/Common/VPN_JWT', error: None of the configured JWK keys match the received JWT token, JWT Header:
"
->restcurl -X GET tm/access/oidc/discover/ outputs the OIDC discovery task status and status will be in "SAVEANDAPPLY"
Conditions:
- jwk keys discovered from the openid well known url should be different from the existing JWK keys in the config
- And mcp should fail while applying the config. We can identify that if the /var/log/restjavad does not show the " Applying access policies" log after the "Updating mcp jwt and jwk objects for provide" log
Impact:
- Config will contain stale JWK keys
Workaround:
- Restart restjavad so that the discovery task starts again
Fix:
- Moved the apply access policy operation into a child thread so that the parent thread does not block itself until it receives a response from the mcp.
- Earlier the OIDC thread would be blocked until it got a successful response from the mcp for "apply access policy" and if it did receive a response, it would be blocked and would stop permanently without rescheduling itself.
- Now, even if the apply access policy fails in the current discovery cycle, the OIDC discovery worker will not be blocked and will be rescheduled for the next interval and the apply access policy will be reattempted as part of the next discovery cycle.
Fixed Versions:
16.1.5
1472853-2 : PVA may not fully come up on large platforms with many tmms
Links to More Info: BT1472853
Component: TMOS
Symptoms:
The PVA may not be fully initialized when tmm starts. This can lead to versions issues such as
* flows not being accelerated
* flows getting reset with idle timeout or "No flow found for ACK" reset cause messages.
Log message similar to the following is seen in /var/log/tmm2:
notice ePVA had not been globally enabled by HSBE2 LBB
Conditions:
-- BIG-IP iSeries i15800 platform.
-- PVA enabled
-- Tmm that has not been restarted since boot.
Impact:
-- flows may not be accelerated
-- flows may get reset with idle timeout or "No flow found for ACK" reset cause messages.
Workaround:
Restart tmm
Fixed Versions:
16.1.5
1472685-2 : Add support for 4 new Webroot Categories
Links to More Info: BT1472685
Component: Traffic Classification Engine
Symptoms:
URL's getting categorised as Uncategorized.
Conditions:
Query any of the URL that fall under new category
Impact:
URL does not get categorised as expected and gets classified as "Uncategorized"
Fix:
Added support for 4 new categories.
Fixed Versions:
16.1.5
1472609 : [APM]Some user roles unable view Access config GUI, getting 403 error
Links to More Info: BT1472609
Component: Access Policy Manager
Symptoms:
Some user roles (except admin, manager, resource manager, and App Editor users) get 403 forbidden when opening Access config in GUI.
Conditions:
- BIGIP versions 16.1.4.1 (or later), 15.1.10.2 (or later), and 17.1.0.3 (or later).
- User roles except for admin, manager, resource manager, and App Editor users.
Impact:
Unable to view APM UI.
Fixed Versions:
16.1.5
1470329-2 : PEM: Multiple layers of callback cookies need input validation in order to prevent crashes.
Links to More Info: BT1470329
Component: Policy Enforcement Manager
Symptoms:
TMM core and restart because of PEM.
Conditions:
1)PEM session attribute lookup via spmdb_session_attr_session_lookup_cb
2) The callback function in the cookie is null.
Impact:
TMM restarts. Service disruption.
Fix:
Fix: adding null check for callback function.
Fixed Versions:
16.1.5
1468809-2 : Attack signature "Staged Since" timestamp is not accurate
Links to More Info: BT1468809
Component: Application Security Manager
Symptoms:
Attack signature "Staged Since" timestamp is not accurate
Conditions:
Signature is set to staging
Impact:
The "Staging: Since" timestamp is inaccurate.
Workaround:
None
Fixed Versions:
16.1.5
1468589 : TypeError: Cannot convert a Symbol value to a string in CSSStyleDeclaration Object Getter and Setter Functions
Links to More Info: BT1468589
Component: Access Policy Manager
Symptoms:
APM is unable to read or modify the CSS properties to dynamically change the style of the element
Conditions:
Modern Rewrite Mode is enabled
Impact:
Unable to read or modify the CSS properties to dynamically change the style of the element
Workaround:
Use the below iRule:
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
if {
[HTTP::path] ends_with "cache-fm-Modern.js"
} {
HTTP::respond 200 content [ifile get ModernCachefm]
}
}
Request the iFile with the fix via an escalation
Fixed Versions:
16.1.5
1466293-2 : SIP MRF over TCP might cause excessive memory buffering
Component: Service Provider
Symptoms:
SIP MRF over TCP might cause excessive memory buffering.
Conditions:
Certain traffic patterns might flood the BIG-IP over TCP from the server side and cause excessive memory buffering.
Impact:
The system can undergo core
Fix:
Excessive memory buffering is eliminated when certain traffic pattern occurs.
Fixed Versions:
16.1.5
1466289-3 : SIP MRF might leave orphaned connections
Component: Service Provider
Symptoms:
Under certain traffic patterns, SIP MRF may leave orphaned connections.
Conditions:
A system with SIP MRF enabled.
Impact:
It leads to excessive memory buffering.
Fix:
Connections are no longer orphaned.
Fixed Versions:
16.1.5
1462885-2 : LTM should send ICMP port unreachable upon unsuccessful port selection.
Links to More Info: BT1462885
Component: Local Traffic Manager
Symptoms:
In some cases ICMP port unreachable is not sent back to the client when the BIG-IP system is unable to obtain an available port for a connection.
Conditions:
Flow collision happens, BIG-IP is unable to obtain an available port for connection.
Impact:
LTM drops traffic and does not send an ICMP error to the client.
Workaround:
None
Fixed Versions:
16.1.5
1462797-2 : TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection when an HTTP/2 request is sent
Links to More Info: BT1462797
Component: Application Security Manager
Symptoms:
TMM crashes, when HTTP/2 and DoSL7 profiles are enabled on virtual server, and DoS protection is disabled using an iRule. This occurs while sending an HTTP/2 request to the virtual server.
Conditions:
- HTTP/2 and DoSL7 profiles are enabled on virtual server
- DoSL7 disabled using iRule
- HTTP/2 request is sent to virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
16.1.5
1462393 : Quota is not getting updated from the PEM side
Links to More Info: BT1462393
Component: Policy Enforcement Manager
Symptoms:
The quota is not updated when PEM receives the CCR-U message from the OCS.
Conditions:
Once the quota is exhausted,
1. OCS initiates a Re-Auth Request (RAR) to PEM
2. PEM responds with RAA
3. PEM then sends CCRu to OCS to request more quota
4. OCS responds with a CCA for additional quota for the rating group
5. Subscriber Session record did not change with new Granted Units.
Impact:
The quota is not updating from the PEM side.
Fix:
Quota is updating from the PEM side
Fixed Versions:
16.1.5
1461597-2 : IPS IM upgrade is taking more time
Links to More Info: BT1461597
Component: Protocol Inspection
Symptoms:
It takes more time than usual for the upgrade of the protocol inspection updates IM Package.
Conditions:
During IM Upgrade:
1) Go to security -> Protocol Inspection -> Inspection Updates -> Download Package -> From file -> choose file -> Download.
2) select the IM and click on install
3) select the IM and click on deploy
Impact:
It takes more time to upgrade to the latest IM package. This is due to a larger than normal number of signature updates.
Workaround:
None
Fix:
Setting the default action to don't inspect for new signatures in the default profiles.
Fixed Versions:
16.1.5
1455677-2 : ACCESS Policy hardening
Component: Access Policy Manager
Symptoms:
Under certain traffic patterns, ACCESS policy may crash
Conditions:
ACCESS policy evaluation is enabled
Impact:
A TMM core.
Workaround:
None
Fix:
The core is resolved.
Fixed Versions:
16.1.5
1449709-2 : Possible TMM core under certain Client-SSL profile configurations
Links to More Info: K000138912, BT1449709
1429897 : NShield netHSM : Creating new nShield key does not commit this key to an external RFS with nShield 12.60
Links to More Info: BT1429897
Component: Local Traffic Manager
Symptoms:
With nShield software v12.60 when creating a new nShield key on BIG-IP which is a client of an external RFS the new key is not automatically uploaded to RFS.
It works fine with nShield software v12.40 and new keys are committed to RFS without 'rfs-sync -c'.
If we generate a new HSM key with fipskey.nethsm (a wrapper for /opt/nfast/bin/generatekey) the key is committed to RFS.
Conditions:
--> Configure BIG-IP with an external HSM. Use nShield software v12.60.x.
--> Create a new nethsm key using TMSH or WebUI.
Impact:
Upgrading to higher versions of BIG-IP software will cause issues due to the usage of nshield v12.60 in them.
Workaround:
Use 'rfs-sync -c' after creating a new key.
Fix:
None
Fixed Versions:
16.1.5
1410989-3 : DNSX returns a malformed UDP DNS response when the answer count is nonzero but there is no answer section.
Links to More Info: BT1410989
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system returns a malformed UDP DNS response.
Conditions:
When provided buf_size is able to fit the answer section but not able to fit authority and additional sections.
Impact:
Malformed UDP DNS response.
Workaround:
Use TCP DNS query.
Fix:
None
Fixed Versions:
16.1.5
1410953-2 : Keymgmtd coring or restarting in loop when we have an empty crl file inside crl_file_cache_d path.
Links to More Info: BT1410953
Component: TMOS
Symptoms:
Keymgmtd is coring and restarting in a loop.
Conditions:
Create an empty file in the crl_file_cache_d path and try restarting the keymgmtd.
Impact:
Key management-related operations will fail.
Workaround:
None
Fix:
None
Fixed Versions:
16.1.5
1409453 : [APM][NA]Read Access Denied for 'Manger role' when accessing Network Settings in Network Access config
Links to More Info: BT1409453
Component: Access Policy Manager
Symptoms:
On GUI: 'General database error retrieving information.'
In /var/log/ltm: Read Access Denied: user (es-manager) type (network acces address space include)
Conditions:
-- Non-admin user
-- Network Access configured on APM
Impact:
Non-admin users cannot access Network Access settings.
Workaround:
None
Fixed Versions:
16.1.5
1408381 : BADOS signals might no sync on HA setups
Links to More Info: BT1408381
Component: Anomaly Detection Services
Symptoms:
BADOS signals might no sync on HA setups.
Conditions:
When using High Availability setups with BADOS enabled.
Impact:
Standby machine is not synched in some scenarios.
Workaround:
Manual sync with the script that calls rsync.
Fix:
The state file always stays in sync.
Fixed Versions:
16.1.5
1402421 : Virtual Servers haviing adfs proxy configuration might have all traffic blocked
Links to More Info: BT1402421
Component: Access Policy Manager
Symptoms:
All requests for ADFS proxy will be blocked and will not be allowed.
Conditions:
/var/log/apm should show a line similar to below in a normal scenario
Nov 30 09:10:38 guest1.pslab.local debug adfs_proxy[9282]: 01aeffff:7: (null)::00000000: C: TMEVT_TIMER
TMEVT_TIMER should occur once every minute
These lines will be missing in the non-working case.
Impact:
Traffic to virtual servers having ADFS Proxy configuration will be disrupted.
Workaround:
- Restart adfs_proxy
- bigstart restart adfs_proxy
Fix:
None
Fixed Versions:
16.1.5
1400317-2 : TMM crash when using internal datagroup
Links to More Info: BT1400317
Component: Local Traffic Manager
Symptoms:
When an internal data group matches a local traffic policy, tmm crashes.
Conditions:
Local data group involved. External data groups are fine.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use an external data group if possible
Fix:
Both internal and external data group works
Fixed Versions:
16.1.5
1399809-3 : DNS Resolution for IPv6 clients is not working when dns64 is enabled with secondary in DNS Profile.
Links to More Info: BT1399809
Component: Global Traffic Manager (DNS)
Symptoms:
DNS Resolution for IPv6 clients is not working when dns64 is enabled with secondary in DNS Profile.
Conditions:
--- DNS64 is enabled and set to secondary in DNS Profile.
--- qname-minimisation is enabled by default in code in the latest unbound.
--- That Profile is configured with dns cache.
--- A DNS listener is configured with the above profile.
--- DNS clients requesting ipv6 resolution requests towards the listener.
Impact:
IPv6 resolution is failing.
Workaround:
None
Fixed Versions:
16.1.5
1399645-2 : iRule event BOTDEFENSE_ACTION validation failing a subroutine call
Links to More Info: BT1399645
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system tries to save an iRule that calls a procedure from the BOTDEFENSE_ACTION event, an error occurs.
Conditions:
-- Configure an iRule with event BOTDEFENSE_ACTION.
-- The event calls a procedure.
Impact:
A TCL error is thrown: Rule checker ::tclCheck::checkScript did not complete: can't read "BIGIP::ltmEventCategoryHierarchy(BOTDEFENSE)": no such element in array.
Workaround:
None
Fix:
None
Fixed Versions:
16.1.5
1399289-1 : "XML data does not comply with schema or WSDL document" violations after upgrade to 16.1.4.1
Links to More Info: BT1399289
Component: Application Security Manager
Symptoms:
If the "Attribute" in a schema file has an upper case letter, then schema validation fails.
This does not apply to "Element", which tries to match exact case.
Conditions:
Create a Case insensitive ASM policy. Create an XML Schema profile which has an "Attribute" Tag with at least one upper-case letter in the Attribute name.
Impact:
Requests fail with Violation, even though the Schema file has a specific attribute.
Workaround:
Have the "Attribute" tag name with all lower case letters, then the request does not gets blocked.
Fixed Versions:
16.1.5
1399241-2 : QUIC occasionally erroneously sends connection close with QPACK decoder stream error
Links to More Info: BT1399241
Component: Local Traffic Manager
Symptoms:
QUIC connections are occasionally closed with "QPACK decoder stream error" (error code 514).
Conditions:
The QPACK decoder stream of a QUIC connection receives part of a request in a packet or receives an ack or cancel for a stream that has already been closed.
Impact:
A connection close with "QPACK decoder stream error" is sent and the QUIC connection is closed. Web browsers might also conclude that the BIG-IP's QUIC implementation is not interoperable and stop initiating HTTP/3 connections.
Fix:
Fixed QPACK handling when receiving part of a request in a packet or receiving an ack or cancel for a stream that has already been closed.
Fixed Versions:
16.1.5
1398401-1 : Configuration error: In url-filter <filter name> allowed-category <cat name> does not exist.★
Links to More Info: K000135607, BT1398401
Component: Access Policy Manager
Symptoms:
After an upgrade, the configuration fails to load with one or more errors:
Configuration error: In url-filter <filter name> allowed-category <cat name> does not exist.
Conditions:
Upgrading SWG from a BIG-IP version that uses category names that no longer exist.
Impact:
BIG-IP upgrade fails.
Workaround:
Remove the affected category names before attempting the BIG-IP upgrade.
Fix:
Code exists to map old categories with the new.
Existing mapping code works till BIG-IP 13.x.x, the same code support extended for BIG-IP 15.x.x and later versions.
Fixed Versions:
16.1.5
1398229-1 : Enabling support for SSH-RSA in Non FIPS mode
Links to More Info: BT1398229
Component: TMOS
Symptoms:
Ssh-rsa is disabled in FIPS and non-FIPS mode, as SSH-RSA is a less secure algorithm.
Conditions:
Attempt to use SSH-RSA algorithm
Impact:
Unable to use SSH-RSA algorithm
Fix:
Added support for SSH-RSA in Non-FIPS mode.
It is still disabled in FIPS mode.
Fixed Versions:
16.1.5
1395281-2 : UDP payloads not ending with CRLF are being treated as BAD messages.
Links to More Info: BT1395281
Component: Service Provider
Symptoms:
The UDP SIP payloads that did not end with CRLF are being treated as BAD messages.
Conditions:
The UDP SIP payload did not end with CRLF.
Impact:
The UDP SIP message will be treated as a BAD message if the payload does not end with CRLF.
Workaround:
None
Fix:
Made SIPP parser changes to accept and process UDP SIP messages that do not end with CRLF.
Fixed Versions:
16.1.5
1395081-2 : Remote users are unable to generate authentication tokens
Links to More Info: K000137514, BT1395081
Component: TMOS
Symptoms:
On a BIG-IP version with the fix for ID1147633, remote users are unable to generate authentication tokens. This also results in following pages in the GUI being broken for users:
- Device Management >> Overview
- Local Traffic >> Network Map
Conditions:
-- BIG-IP version with the fix for ID1147633
-- Remote user authentication (such as TACACS, RADIUS, Active Directory, and other)
Impact:
Some parts of the GUI may not load for remote users.
Generating an authentication token for a remote user would result in an error message similar to the following:
{
"code": 400,
"message": "token creation failed; target user [<id>] does not exist in the system",
"referer": "https://<IP>/tmui/tmui/devmgmt/overview/app/index.html?ver=0.0.6.17.1.1",
"restOperationId": <ID>,
"kind": ":resterrorresponse"
}
Workaround:
None
Fix:
The GUI pages are loading successfully for remote users.
Fixed Versions:
17.1.1.1, 16.1.5
1394601-1 : PEM AVR onbox reporting stall
Links to More Info: BT1394601
Component: Policy Enforcement Manager
Symptoms:
When using PEM AVR onbox reporting, the per-subscriber reporting will stop working after a set of time.
Conditions:
- PEM AVR reporting.
Impact:
No per-subscriber reporting is available.
Workaround:
Restart tmm to get it working again.
Fix:
PEM AVR reporting continues to function.
Fixed Versions:
16.1.5
1394445-2 : Password-memory is not remembering passwords to prevent them from being used again
Links to More Info: BT1394445
Component: TMOS
Symptoms:
Password-memory is not remembering passwords to prevent users from using the same password again.
Conditions:
-- Policy-enforcement is enabled.
-- password-memory is configured.
Impact:
System should support "password memory" for each user and can't use previous password.
Workaround:
None
Fixed Versions:
16.1.5
1391357-1 : Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address
Links to More Info: K000136909, BT1391357
1391161-2 : sipmsg_parse_sdp crashes when SIP receives certain traffic pattern.
Component: Service Provider
Symptoms:
When the SIP message body has a certain traffic pattern, the sipmsg_parse_sdp crashes.
Conditions:
A pattern that can cause sipmsg_parse_sdp to crash.
Impact:
The system may core.
Fix:
Sipmsg_parse_sdp does not crash when SIP receives the traffic pattern that caused the core previously.
Fixed Versions:
16.1.5
1391081-2 : TMM crash when running HTTP/3 and persist record
Links to More Info: BT1391081
Component: Local Traffic Manager
Symptoms:
TMM crashes when handling an HTTP/3 request.
Conditions:
HTTP/3 traffic on a BIG-IP system with multiple TMMs and the use of persistence.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
16.1.5
1389225-2 : For certain iRules, TCP::close does not close the TCP connection
Links to More Info: BT1389225
Component: Local Traffic Manager
Symptoms:
When an iRule generates a TCP::close before a server-side connection is established, the BIG-IP system does not close the connection.
Conditions:
Example 1
With this iRule, if there are 2 pipelined http requests, the close will not happen after the first request
Sample iRule:
proc redirect {loc} {
HTTP::redirect $loc
TCP::close
}
when HTTP_REQUEST priority 1 {
call redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
Example 2:
In this second example of iRule where there are no pools involved (say redirects or error message return 404 not found...) when no servers are connected to. In such case, the close will not happen.
ltm rule tcp_it {
when CLIENT_ACCEPTED {
TCP::collect 1
}
when CLIENT_DATA {
table or other commands for example
TCP::respond "reply" (or 404 not found...)
TCP::release
TCP::close
}
when CLIENT_CLOSED {
log local0. "Client closed"
}
when SERVER_CONNECTED {
log local0. "Server here"
}
}
When such rule involves no servers to be connected - hence "Server here" not displayed - the close will never happen.
Impact:
TCP connection lingers in TMM until expiration.
Workaround:
None
Fixed Versions:
16.1.5
1389049-1 : Frequent instances of provisioning-pending count spiking on various PEM devices
Links to More Info: BT1389049
Component: Policy Enforcement Manager
Symptoms:
PEM intermittently fails to provision subscribers and a large number of subscriber sessions go into the provisioning-pending state.
Conditions:
-- PEM is enabled
-- BIG-IP is configured to create subscriber dynamically and receive subscriber policy from PCRF
-- BIG-IP receives a large number of subscriber login/logout requests in a short period.
Impact:
New subscribers provisioning fails. Subscribers remain in the provision-pending state.
Workaround:
None
Fix:
With fix, new subscriber provisioning and old subscriber deletion is successful.
Fixed Versions:
16.1.5
1389033-2 : In an iRule SSL::sessionid returns an empty value★
Links to More Info: K000137430, BT1389033
Component: Local Traffic Manager
Symptoms:
The irule SSL::sessionid command used returns an empty value after an upgrade to v15.1.9.1, when used with a TLS1.3 session.
While SSL::sessionid in v15.1.8.2 returns the value specified in the ClientHello for a TLSv1.3 session, upgrading to v15.1.9.1 results in empty values returned when calling SSL::sessionid.
Conditions:
1. Use SSL::sessionid in an iRule
2. Use an affected BIG-IP version
3. Client establishes a TLS1.3 connection
Impact:
SSL::sessionid returns an empty value, which could result in unintended behavior for applications that use that iRule command.
Workaround:
None
Fixed Versions:
16.1.5
1388985-2 : The daemon dwbld uses 100% CPU when max port value configured in TMC port list
Links to More Info: BT1388985
Component: Advanced Firewall Manager
Symptoms:
When Traffic Matching Criteria (TMC) port list range is configured that includes maximum port value of 65535, counter is incremented till 65535 and wraps back to 0, as the variable used to store the counter is uint16_t.
Conditions:
- AFM license enabled.
- Daemon dwbld enabled
- Any TMC port list configured with maximum port value of 65535
Impact:
The daemon dwbld consumes 100% CPU impacting system performance.
Workaround:
Avoid configuring maximum port value of 65535 in TMC port list range.
Fix:
The counter is changed to uint32_t to avoid rollover when maximum port value is included in port list range.
Fixed Versions:
16.1.5
1388621-2 : Database monitor with no password marks pool member down
Links to More Info: BT1388621
Component: Local Traffic Manager
Symptoms:
If an LTM or GTM database monitor is configured with a username to log in to the database, but without a password, pool members monitored by that monitor will be marked Down.
When this issue occurs, an error message similar to the following (for a postgresql monitor in this example) will appear in the DBDaemon log file (/var/log/DBDaemon-*.log):
[MonitorWorker-###] - incomplete parameters: m_connectStr:'jdbc:postgresql://###.###.###.###:##/postgres' m_user:'*********' m_password:'null' max_use:'#' m_inst_id:'******'
The "incomplete parameters" and "m_password:'null'" items are the relevant parts of this error message.
Conditions:
This may occur under the following conditions:
-- LTM or GTM pool members are configured to use a database monitor, such as:
-- mssql
-- mysql
-- oracle
-- postgresql
-- The monitor is configured with a username, but no password
-- And this configuration is otherwise valid: The username is a configured in the target database with no password, and no password is required by the database for authentication of that user.
-- The version of BIG-IP, or BIG-IP Engineering Hotfix,
which includes a fix for Bug ID1025089.
Impact:
Pool members monitored by a database monitor, the configured will be marked Down.
Workaround:
Following is workaround for this issue:
-- Configure the database user with a password, and require password authentication for the user
-- Configure the database monitor with the correct password for the configured username
Fix:
Database monitors with usernames configured without a password (which matches the configuration of that user in the database itself) will report correct health status of monitored pool members.
Fixed Versions:
16.1.5
1388341-2 : tmm crash upon context reference that was already released (HUDEVT_SHUTDOWN)
Links to More Info: BT1388341
Component: Anomaly Detection Services
Symptoms:
While requests are delayed in TMM due to various reasons, their virtual server and BADOS profile might be deleted.
This may lead to a TMM crash.
Conditions:
-- BIG-IP System, passing traffic.
-- The virtual server has objects attached, such as complex iRules or BADOS, which cause the requests to take more time to get through the tmm.
-- A connection is dropped while the request is still being handled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
If possible, avoid using objects that cause requests to be delayed, such as iRules and behavioral DoS.
Fix:
TMM does not crash when a connection is dropped while a request is still in the progress.
Fixed Versions:
16.1.5
1382329 : Handling 'active' attribute in introspection response
Links to More Info: BT1382329
Component: Access Policy Manager
Symptoms:
When Google is configured as an authorization server it does not include an 'active' attribute in response to the token validation endpoint. OAuth Scope fails without any error message.
Conditions:
BIG-IP configured as OAuth Client + Resource Server and Google as Authorisation server.
Impact:
BIG-IP Administrator will not be able to figure out why OAuth Scope fails by looking at the debug logs.
Workaround:
None
Fix:
Log an error message describing the absence of an 'active' attribute.
Fixed Versions:
16.1.5
1381565-2 : ADMD stability improvements when configured with TLS signatures
Component: Anomaly Detection Services
Symptoms:
- ADMD restart
- High CPU utilization of ADMD
- TMM restart
Conditions:
BADOS configured with TLS signatures
Impact:
- High CPU utilization
- Traffic loss
Workaround:
None
Fix:
- No ADMD restarts.
- ADMD consumes reasonable CPU resources
- No TMM restarts
Fixed Versions:
16.1.5
1381357-2 : CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability
Links to More Info: K000137365, BT1381357
1381065-1 : Custom Request implementation modifies the Request object's prototype, resulting in the lack of the 'signal' property.
Links to More Info: BT1381065
Component: Access Policy Manager
Symptoms:
Cache-fm-Modern.js:405 TypeError: Failed to execute 'fetch' on 'Window': Failed to read the 'signal' property from 'RequestInit': Failed to convert value to 'AbortSignal'.
Conditions:
When going through Portal Access Modern Rewrite mode
Impact:
Fetch request fails and throws an error
Workaround:
Mitigate the issue with below iFile iRule:
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
if {
[HTTP::path] ends_with "cache-fm-Modern.js"
} {
HTTP::respond 200 content [ifile get ModernCachefm]
}
}
For iFile - Escalate a case explaining to open an SR requesting for such iFile
Fix:
NA
Fixed Versions:
16.1.5
1378329-2 : Secure internal communication between Tomcat and Apache
Links to More Info: K000137353
Component: TMOS
Symptoms:
For more details see: https://my.f5.com/manage/s/article/K000137353
Conditions:
For more details see: https://my.f5.com/manage/s/article/K000137353
Impact:
For more details see: https://my.f5.com/manage/s/article/K000137353
Workaround:
Note: This fix is related to CVE-2023-46747. However, systems with only the fix for ID1240121 are also not affected by CVE-2023-46747
For more details see: https://my.f5.com/manage/s/article/K000137353
Fix:
Communication between Tomcat and Apache is secured.
Fixed Versions:
16.1.5, 15.1.10.5
1369673-2 : OCSP unable to staple certificate chain
Links to More Info: BT1369673
Component: Local Traffic Manager
Symptoms:
When a server returns a certificate chain that involves an archived Let's Encrypt certificate, the OCSP is unable to staple the full chain.
Conditions:
An OCSP is configured on the serverside profile, and the client tries to connect to a server that returns certificate chain using an archived Let's Encrypt certificate.
Impact:
The OCSP is unable to staple the certificate chain. If the stapling is required by the client, the connection will be broken.
Workaround:
None
Fixed Versions:
16.1.5
1366593-2 : HTTPS monitors can fail when multiple bigd processes use the same netHSM
Links to More Info: BT1366593
Component: Local Traffic Manager
Symptoms:
Monitors going down accompanied by netHSM FIPS errors in /var/log/ltm.
Following is an example error:
01960005:3: netHSM: Shared memory error [Failed to fetch result].
Conditions:
HTTPS monitors having server_ssl profile that is storing a key in netHSM.
Impact:
Intermittently seeing HTTPS monitors fail for brief periods, causing some pool members to briefly be marked down.
Workaround:
Configure bigd to run in single process mode by running the following commands:
tmsh modify sys db bigd.numprocs value 1
bigstart restart bigd
Fixed Versions:
16.1.5
1366445-3 : [CORS] "Replace with" and "Remove header" CORS functionalities does not work
Links to More Info: BT1366445
Component: Application Security Manager
Symptoms:
"Replace with" and "Remove header" CORS functionalities do not work
Conditions:
-- Allow CORS Enabled
"Replace headers" Or "Remove headers" enabled with Header 'AAA'
-- Disallowed header 'AAA' in request sent
Impact:
The request is blocked with "VIOL_CROSS_ORIGIN_REQUEST" violation
Workaround:
None
Fix:
The request passes with no violations.
Fixed Versions:
16.1.5
1366401 : [APM]"F5RST: HTTP internal error" occurring after BIG-IP initiated client-ssl renegotiation
Links to More Info: BT1366401
Component: Access Policy Manager
Symptoms:
You may see observe below logs in /var/log/apm
<date> <hostname> err tmm3[29020]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_process_state_server_init, Line: 5382
<date> <hostname> err tmm3[29020]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 4075
Conditions:
ASM is configured along with APM on the same virtual server.
Impact