Supplemental Document : BIG-IP 16.1.5.1.0.13.7 Fixes and Known Issues

Applies To:


BIG-IP APM

  • 16.1.5

BIG-IP Analytics

  • 16.1.5

BIG-IP Link Controller

  • 16.1.5

BIG-IP LTM

  • 16.1.5

BIG-IP PEM

  • 16.1.5

BIG-IP AFM

  • 16.1.5

BIG-IP DNS

  • 16.1.5

BIG-IP FPS

  • 16.1.5

BIG-IP ASM

  • 16.1.5
Updated Date: 11/12/2024

BIG-IP Release Information

Version: 16.1.5.1.0.13.7
Build: 7.0

Note: This content is current as of the software release date. Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.



Cumulative fixes from BIG-IP v16.1.5.1 that are included in this release
Cumulative fixes from BIG-IP v16.1.5 that are included in this release
Cumulative fixes from BIG-IP v16.1.4.3 that are included in this release
Cumulative fixes from BIG-IP v16.1.4.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.4.1 that are included in this release
Cumulative fixes from BIG-IP v16.1.4 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.5 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.4 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.3 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.3.1 that are included in this release
Cumulative fixes from BIG-IP v16.1.3 that are included in this release
Cumulative fixes from BIG-IP v16.1.2.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.2.1 that are included in this release
Cumulative fixes from BIG-IP v16.1.2 that are included in this release
Cumulative fixes from BIG-IP v16.1.1 that are included in this release
Known Issues in BIG-IP v16.1.x


Cumulative fixes from BIG-IP v16.1.5.1.0.13.7 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1622609-1 CVE-2024-3596 K000141008 Blast-RADIUS CVE-2024-3596 16.1.5.1.0.13.7
1621249-2 CVE-2024-3596 K000141008 CVE-2024-3596: Blast Radius 16.1.5.1.0.13.7
1678649-2 CVE-2024-3596 K000141008 Radius client configuration option for CVE-2024-3596 16.1.5.1.0.13.7



Cumulative fixes from BIG-IP v16.1.5.1 that are included in this release


Vulnerability Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1615861-2 3-Major   TMUI hardening 16.1.5.1, 15.1.10.5



Cumulative fixes from BIG-IP v16.1.5 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
983073-3 CVE-2024-41727 K000138833 Certain traffic to ixlv & iavf can cause memory leak. 17.1.0, 16.1.5
1507913-2 CVE-2023-50868 K000139084, BT1507913 CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources 16.1.5
1507569-2 CVE-2023-50387 K000139092, BT1507569 KeyTrap: Extreme CPU consumption in DNSSEC validator 16.1.5
1506049-2 CVE-2023-4408 K000138990, BT1506049 Parsing large DNS messages may cause excessive CPU load 16.1.5
1105589-2 CVE-2024-39778 K05710614, BT1105589 HSB lockup using stateless virtual server 17.1.1, 16.1.5
989373-7 CVE-2020-14314 K67830124, BT989373 CVE-2020-14314 kernel: buffer uses out of index in ext3/4 filesystem 16.1.5, 15.1.9
948725-7 CVE-2024-41723 K10438187, BT948725 An undisclosed iControl REST endpoint may provide a list of usernames to unauthorized users 17.1.1, 16.1.5
1308269 CVE-2022-4304 K000132943, BT1308269 OpenSSL vulnerability CVE-2022-4304 17.1.1, 16.1.5
1295017-4 CVE-2024-41164 K000138477, BT1295017 TMM crash when using MPTCP 17.1.1, 16.1.5, 15.1.10
1026873-7 CVE-2020-27618 K08641512, BT1026873 CVE-2020-27618: iconv hangs when converting some invalid inputs from several IBM character sets 16.1.5, 15.1.9


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
737692-5 2-Critical BT737692 Handle x520 PF DOWN/UP sequence automatically by VE 17.1.1, 16.1.5, 15.1.3.1
1069441-3 3-Major BT1069441 Cookie without '=' sign does not generate rfc violation 17.1.1, 16.1.5, 15.1.10


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1395081-2 1-Blocking K000137514, BT1395081 Remote users are unable to generate authentication tokens 17.1.1.1, 16.1.5
1147633-2 1-Blocking   Hardening of token creation by users with an administrative role 17.1.1, 16.1.5
997793-3 2-Critical K34172543, BT997793 Error log: Failed to reset strict operations; disconnecting from mcpd 16.1.5
776117-1 2-Critical BT776117 BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type 17.1.1, 16.1.5, 15.1.10
1593681-2 2-Critical   Monitor validation improvements 16.1.5, 15.1.10.5
1410953-2 2-Critical BT1410953 Keymgmtd coring or restarting in loop when we have an empty crl file inside crl_file_cache_d path. 16.1.5
1394445-2 2-Critical BT1394445 Password-memory is not remembering passwords to prevent them from being used again 16.1.5
1378329-2 2-Critical K000137353 Secure internal communication between Tomcat and Apache 16.1.5, 15.1.10.5
1366089 2-Critical BT1366089 HSB firmware version 2.12.4.0 bitstream release for VIPRION B2250 blade 16.1.5
1360757 2-Critical BT1360757 The OWASP compliance score generation failing with error 501 "Invalid Path" 16.1.5
1295481-2 2-Critical BT1295481 FIPS keys are not restored when BIG-IP license is renewed after it expires 17.1.1, 16.1.5
1269593-2 2-Critical K000137127, BT1269593 SSH client fails to connect using host key type ssh-rsa 16.1.5
1191137-3 2-Critical BT1191137 WebUI crashes when the localized form data fails to match the expectations 17.1.1, 16.1.5, 15.1.9
1113609-2 2-Critical BT1113609 GUI unable to load Bot Profiles and tmsh is unable to list them as well. 17.1.1, 16.1.5
1075681-1 2-Critical   CVE-2020-17541 - Libjpeg-turbo all versions have a stack-based buffer overflow in the "transform" component 16.1.5
1004929-1 2-Critical BT1004929 During config sync operation, MCPD restarts on secondary blade logging 01020012:3: A unsigned four-byte integer message item is invalid. 17.0.0, 16.1.5, 15.1.5, 14.1.4.5, 13.1.5
998957-1 3-Major BT998957 MCPD consumes excessive CPU while collecting statistics 17.1.0, 16.1.5
997561-5 3-Major BT997561 TMM CPU imbalance with GRE/TB and GRE/MPLS traffic 17.1.1, 16.1.5, 15.1.10
969345-1 3-Major BT969345 Temporary TMSH files not always removed after session termination 16.1.5
955953-5 3-Major BT955953 iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg' 17.0.0, 16.1.5, 15.1.10
950153-3 3-Major BT950153 LDAP remote authentication fails when empty attribute is returned 17.1.1, 16.1.5, 15.1.10
942217-6 3-Major BT942217 Virtual server rejects connections even though the virtual status is 'available' 16.1.5
715748-7 3-Major BT715748 BWC: Flow fairness not in acceptable limits 17.1.1, 16.1.5, 15.1.10
673952-6 3-Major BT673952 1NIC VE in high availability (HA) device-group shows 'Changes Pending' after reboot 17.0.0, 16.1.5
605966-9 3-Major BT605966 BGP route-map changes may not immediately trigger route updates 16.1.5
586948-2 3-Major BT586948 Dynamic toggling for HSB hardware checksum validation 17.1.0, 16.1.5
1496269-2 3-Major BT1496269 VCMP guest on version 16.1.4 or above might experience constant TMM crashes. 16.1.5
1491165-1 3-Major BT1491165 TMM crashes when saving DAG setting and there are 7 or more blades 16.1.5
1472853-2 3-Major BT1472853 PVA may not fully come up on large platforms with many tmms 16.1.5
1398229-1 3-Major BT1398229 Enabling support for SSH-RSA in Non FIPS mode 16.1.5
1353957-2 3-Major K000137505, BT1353957 The message "Error getting auth token from login provider" is displayed in the GUI 17.1.1.2, 16.1.5
1350717-3 3-Major BT1350717 When the client IP address changes immediately after the authentication to the Configuration Utility, HTTPD could enforce the source IP check even if 'auth-pam-validate-ip' is set to 'off' 16.1.5
1350693-2 3-Major BT1350693 Log publisher using replicated destination with unreliable destination servers may leak xfrags 16.1.5
1345989 3-Major BT1345989 "Rest framework is not available" being displayed when navigating to the "Device Management >> Overview" page 16.1.5
1338993-2 3-Major BT1338993 Failing to fetch the installed RPM, throwing an error Object contains no token child value 17.1.1, 16.1.5
1326501-2 3-Major BT1326501 Configure DAG fold_bits to improve connection distribution 16.1.5
1322701-3 3-Major   Vulnerability scanner reports BIG-IP is disclosing sensitive information 16.1.5
1320389-1 3-Major BT1320389 vCMP guest loses connectivity because of bad interface mapping 16.1.5
1312225-2 3-Major BT1312225 System Integrity Status: Invalid with some Engineering Hotfixes 16.1.5
1311125-3 3-Major BT1311125 DDM Receive Power value reported in ltm log is ten times too high 17.1.1, 16.1.5
1305125-2 3-Major BT1305125 Ssh to localhost not working with ssh-rsa 17.1.1, 16.1.5
1298133-3 3-Major BT1298133 BFD sessions using floating self IP do not work well on multi-blade chassis 16.1.5
1297257-2 3-Major BT1297257 Pool member Forced Offline then Enabled is marked down on peer after Incremental sync 16.1.5
1296553-1 3-Major BT1296553 Include RQM Debug registers in hsb_snapshot for B2250 blade 16.1.5
1294109-3 3-Major BT1294109 MCP does not properly read certificates with empty subject name 16.1.5
1293193-2 3-Major BT1293193 Missing MAC filters for IPv6 multicast 17.1.1, 16.1.5, 15.1.10
1291217-1 3-Major BT1291217 EasySoap++-0.6.2 is not coded to add an SNI 16.1.5
1186649 3-Major BT1186649 TMM keeps crashing after vCMP Guest Upgrade to BIG-IP v16.1.3.2 16.1.5
1181757-4 3-Major BT1181757 BGPD assert when sending an update 16.1.5
1154381-4 3-Major BT1154381 The tmrouted might crash when management route subnet is received over a dynamic routing protocol 17.1.1, 16.1.5, 15.1.10
1147849-4 3-Major   Rest token creation does not follow all best practices 16.1.5
1135961-7 3-Major BT1135961 The tmrouted generates core with double free or corruption 17.1.1, 16.1.5, 15.1.9
1134509-4 3-Major BT1134509 TMM crash in BFD code when peers from ipv4 and ipv6 families are in use. 17.1.1, 16.1.5, 15.1.10
1134057-4 3-Major BT1134057 BGP routes not advertised after graceful restart 17.1.1, 16.1.5, 15.1.9
1125733-3 3-Major BT1125733 Wrong server-side window scale used in hardware SYN cookie mode 17.1.0, 16.1.5, 15.1.9
1113693-3 3-Major BT1113693 SSL Certificate List GUI page takes a long time to load 16.1.5
1111993-2 3-Major BT1111993 HSB tool utility does not display PHY settings for HiGig interfaces 17.1.0, 16.1.5, 15.1.10
1104773-6 3-Major   REST API Access hardening 17.1.1, 16.1.5
1102837-2 3-Major BT1102837 Use native driver for e810 instead of sock 17.1.0, 16.1.5, 15.1.7
1093973-7 3-Major BT1093973 Tmm may core when BFD peers select a new active device. 16.1.5
1086393-1 3-Major BT1086393 Sint Maarten and Curacao are missing in the GTM region list 17.1.1, 16.1.5
1064893-1 3-Major BT1064893 Keymgmtd memory leak occurs while configuring ca-bundle-manager. 17.0.0, 16.1.5
1042589-1 3-Major BT1042589 Wrong trunk_id is associated in bcm56xxd. 17.0.0, 16.1.5, 15.1.10
1040573-4 3-Major BT1040573 REST operation takes a long time when two different users perform tasks in parallel 16.1.5
1040117-2 3-Major BT1040117 BIG-IP Virtual Edition drops UDP packets 17.1.1, 16.1.5, 15.1.10
1035661-4 3-Major BT1035661 REST Requests return 401 Unauthorized when using Basic Auth 16.1.5
1020129-2 3-Major BT1020129 Turboflex page in GUI reports 'profile.Features is undefined' error 17.1.1, 16.1.5, 15.1.10
1019429-1 3-Major BT1019429 CMP Forwarded flows do not get syncache counter decremented when only server-side is PVA accelerated 17.0.0, 16.1.5, 15.1.4.1
1009793-2 3-Major BT1009793 Tmm crash when using ipsec 16.1.5
857045-4 4-Minor BT857045 LDAP system authentication may stop working 16.1.5
1355149-3 4-Minor BT1355149 The icrd_child might block signals to child processes 16.1.5
1320889-3 4-Minor BT1320889 Sock interface driver might fail to forward some packets. 17.1.1, 16.1.5
1292493 4-Minor BT1292493 Enforcement of non-approved algorithms in FIPS or Common Criteria mode. 16.1.5
1280281-1 4-Minor BT1280281 SCP allow list may have issues with file paths that have spaces in them 17.1.1, 16.1.5, 15.1.10
1145729-3 4-Minor BT1145729 Partition description between GUI and REST API/TMSH does not match 17.1.1, 16.1.5
1136837-4 4-Minor BT1136837 TMM crash in BFD code due to incorrect timer initialization 17.1.1, 16.1.5, 15.1.10
1089005-4 4-Minor BT1089005 Dynamic routes might be missing in the kernel on secondary blades. 16.1.5
1064753-4 4-Minor BT1064753 OSPF LSAs are dropped/rate limited incorrectly. 16.1.5, 15.1.10
1046025-3 4-Minor BT1046025 The iavf and ixlv drivers have incorrect VHO flag for all packets 17.1.0, 16.1.5
1044893 4-Minor BT1044893 Kernel warnings from NIC driver Realtek 8139 17.1.1, 16.1.5, 15.1.10
1003081-3 4-Minor BT1003081 GRE/TB-encapsulated fragments are not forwarded. 17.1.1, 16.1.5, 15.1.10
997269-1 5-Cosmetic BT997269 The management-dhcp contextual help for supersede-options is not available 17.0.0, 16.1.5


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
994973-1 2-Critical BT994973 TMM crash with do_drivers_probe() 16.1.5
965897-4 2-Critical BT965897 Disruption of mcpd with a segmentation fault during config sync 17.1.1, 16.1.5, 15.1.10
927633-4 2-Critical BT927633 Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic 16.1.5
1496457-2 2-Critical   TMM crash under certain traffic patterns when an HTTP/2 profile is applied. 16.1.5
1346101-1 2-Critical BT1346101 SSL Orchestrator can crash TMM 16.1.5
1322973-2 2-Critical   A particular sequence of HTTP packets may cause TMM to crash 16.1.5
1319365-2 2-Critical BT1319365 Policy with external data group may crash TMM or return nothing with search contains 17.1.1, 16.1.5
1305697-3 2-Critical BT1305697 TMM may crash after performing a full sync, when in-tmm monitors are configured and ssl-profile is changed 17.1.1, 16.1.5
1298029-3 2-Critical BT1298029 DB_monitor may end the wrong processes 17.1.1, 16.1.5
1209197-1 2-Critical BT1209197 Gtmd crash with SIGSEGV while importing or exporting a key or certificate to the BIG-IP 17.1.0, 16.1.5
1105145-2 2-Critical BT1105145 Request body on server side egress is not chunked when it needs to be after HTTP processes a 100 continue response. 17.1.0, 16.1.5
1078741-2 2-Critical BT1078741 Tmm crash 17.0.0, 16.1.5
1072377-3 2-Critical BT1072377 TMM crash in rare circumstances during route changes 17.1.0, 16.1.5, 15.1.10
996649-6 3-Major BT996649 Improper handling of DHCP flows leading to orphaned server-side connections 17.1.1, 16.1.5, 15.1.10
874877-4 3-Major BT874877 The bigd monitor reports misleading error messages 16.1.5
1505753-1 3-Major BT1505753 Maximum Fragment Length extension is not visible in ServerHello even though it is present in ClientHello 16.1.5
1494293-4 3-Major BT1494293 BIG-IP might fail to forward server-side traffic after a routing disruption occurs. 16.1.5
1494137-1 3-Major BT1494137 Translucent mode vlan-group uses wrong MAC when sending ICMP to client 16.1.5
1429897 3-Major BT1429897 NShield netHSM : Creating new nShield key does not commit this key to an external RFS with nShield 12.60 16.1.5
1400317-2 3-Major BT1400317 TMM crash when using internal datagroup 16.1.5
1399645-2 3-Major BT1399645 iRule event BOTDEFENSE_ACTION validation failing a subroutine call 16.1.5
1399241-2 3-Major BT1399241 QUIC occasionally erroneously sends connection close with QPACK decoder stream error 16.1.5
1391081-2 3-Major BT1391081 TMM crash when running HTTP/3 and persist record 16.1.5
1389225-2 3-Major BT1389225 For certain iRules, TCP::close does not close the TCP connection 16.1.5
1389033-2 3-Major K000137430, BT1389033 In an iRule SSL::sessionid returns an empty value 16.1.5
1388621-2 3-Major BT1388621 Database monitor with no password marks pool member down 16.1.5
1369673-2 3-Major BT1369673 OCSP unable to staple certificate chain 16.1.5
1366593-2 3-Major BT1366593 HTTPS monitors can fail when multiple bigd processes use the same netHSM 16.1.5
1366217-2 3-Major BT1366217 The TLS 1.3 SSL handshake fails with "Decryption error" when using dynamic CRL validator 16.1.5
1347569-1 3-Major BT1347569 TCL iRule not triggered due to handshake state exceeding trigger point 16.1.5
1312041 3-Major BT1312041 Connection RST with reason "STREAM max match size exceeded" after upgrading to v16.1.x 16.1.5
1311053-2 3-Major BT1311053 Invalid response may be sent to a client when a http compression profile and http analytics profile attached to a virtual server 16.1.5
1306249-1 3-Major BT1306249 Hourly spike in the CPU usage causing delay in TLS connections 16.1.5
1305361-2 3-Major BT1305361 Flows that are terminated by an ILX streaming plugin may not expire immediately 17.1.1, 16.1.5
1305329 3-Major BT1305329 HTTP iRule event HTTP_REQUEST_DATA is triggered even though there is no data collected via HTTP::collect command. 16.1.5
1304189-3 3-Major BT1304189 Duplicate SYNs to a mirrored FastL4 virtual may result in connection failures 17.1.1, 16.1.5
1302077-4 3-Major BT1302077 Virtual address statistics being counted for different virtual address after changing the destination address of a virtual server 17.1.1, 16.1.5
1300925-3 3-Major BT1300925 Shared memory race may cause TMM to core 17.1.1, 16.1.5
1294289-2 3-Major BT1294289 SSL Persist leaks memory when client and server hello exceed MSS 16.1.5
1284413 3-Major BT1284413 After upgrade to 16.1.3.2 from 16.0.1.1, BIG-IP can send CONNECT requests when no proxy select agent is used 16.1.5
1284261-3 3-Major BT1284261 Constant traffic on DHCPv6 virtual servers may cause a TMM crash. 17.1.1, 16.1.5, 15.1.10
1272501 3-Major BT1272501 Connections are being reset with the cause "F5RST:HTTP redirect rewrite failure" 17.1.1, 16.1.5
1238529-2 3-Major BT1238529 TMM might crash when modifying a virtual server in low memory conditions 17.1.1, 16.1.5
1132105-2 3-Major   Database monitor daemon (DBDaemon) uses unsupported Java version 16.1.5
1112385-3 3-Major BT1112385 Traffic classes match when they shouldn't 17.1.1, 16.1.5, 15.1.10
1088597-2 3-Major BT1088597 TCP keepalive timer can be immediately re-scheduled in rare circumstances 17.1.1, 16.1.5, 15.1.10
1084965-3 3-Major BT1084965 Low visibility of attack vector 17.1.1, 16.1.5
1083621-1 3-Major BT1083621 The virtio driver uses an incorrect packet length 17.1.1, 16.1.5, 15.1.9
1059573-4 3-Major BT1059573 Variation in a case insensitive value of an operand in LTM policy may fail in some rules. 17.0.0, 16.1.5, 15.1.10
1036873-2 3-Major BT1036873 Pre-shared key extension sometimes is not the last extension in ClientHello in TLS1.3 17.0.0, 16.1.5
1025089-1 3-Major BT1025089 Pool members marked DOWN by database monitor under heavy load and/or unstable connections 16.1.5
1017421-4 3-Major BT1017421 SASP Monitor does not log significant error conditions at default logging level 16.1.5
929429-8 4-Minor BT929429 Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed 17.1.1, 16.1.5, 15.1.10
1489657-3 4-Minor BT1489657 HTTP/2 MRF incorrectly end stream for 100 Continue 16.1.5
1462885-2 4-Minor BT1462885 LTM should send ICMP port unreachable upon unsuccessful port selection. 16.1.5
1348841 4-Minor BT1348841 TMM cored with SIGSEGV when using dtls by disabling the unclean shutdown flag. 16.1.5
1312105-2 4-Minor BT1312105 The tmm/ehash_stat inuse field for listener name hash is incremented but not decremented 16.1.5
1304289-2 4-Minor BT1304289 Pool member monitored by both GTM and LTM monitors may be erroneously marked Down 17.1.1, 16.1.5
1269773-3 4-Minor BT1269773 Convert network-order to host-order for extensions in TLS1.3 certificate request 17.1.1, 16.1.5, 15.1.10
1121349-2 4-Minor BT1121349 CPM NFA may stall due to lack of other state transition 17.1.1, 16.1.5
1103117-2 4-Minor BT1103117 iAppLX extension using express with httpserver script leaves lingering client-side flow on HTTP requests. 16.1.5
991457-1 5-Cosmetic BT991457 The mpidump should show sequence number and higher precision date/time 16.1.5
979213-1 5-Cosmetic BT979213 Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM. 17.1.1, 16.1.5, 15.1.10


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1322497-2 2-Critical BT1322497 GTM monitor recv string with special characters causes frequent iquery reconnects 16.1.5
1225061-3 2-Critical BT1225061 The zxfrd segfault with numerous zone transfers 16.1.5
1212081-2 2-Critical BT1212081 The zxfrd segfault and restart loop due to incorrect packet processing 16.1.5
1081473-5 2-Critical BT1081473 GTM/DNS installations may observe the mcpd process crashing 17.1.1, 16.1.5
1410989-3 3-Major BT1410989 DNSX returns a malformed UDP DNS response when the answer count is nonzero but there is no answer section. 16.1.5
1399809-3 3-Major BT1399809 DNS Resolution for IPv6 clients is not working when dns64 is enabled with secondary in DNS Profile. 16.1.5
1313369-3 3-Major BT1313369 Significant performance drop observed for DNS cache validating resolver for responses with indeterminate and insecure validation status 17.1.1, 16.1.5
1302825-3 3-Major BT1302825 Allow configuration of the number of times the CNAME chase is performed 17.1.1, 16.1.5
1137569-3 3-Major BT1137569 Set nShield HSM environment variable. 16.1.5, 15.1.10
1137217-2 3-Major BT1137217 DNS profile fails to set TC flag for the responses containing RRSIG algorithm 13 16.1.5
1133201-1 3-Major BT1133201 Disabling a GTM pool member results in the same virtual server no longer being monitored in other pools 17.1.1, 16.1.5
1128369-1 3-Major BT1128369 GTM (DNS) /Common/bigip monitor instances may show 'big3d: timed out' state 16.1.5
1100197-2 3-Major BT1100197 Mcpd message: Unable to do incremental sync, reverting to full load for device group /Common/gtm 16.1.5
1100169-1 3-Major BT1100169 GTM iQuery connections may be reset after SSL key renegotiation. 16.1.5
1094069-1 3-Major BT1094069 iqsyncer will get stuck in a failed state when requesting a commit_id that is not on the target GTM 16.1.5
1085377-2 3-Major BT1085377 BIND9 upgrade from version 9.11 to 9.16 17.1.0, 16.1.5
1311169-3 4-Minor BT1311169 DNSSEC response is not signed when failure-rcode-response is enabled and no record is returned 17.1.1, 16.1.5
1295565-3 4-Minor BT1295565 BIG-IP DNS not identified in show gtm iquery for local IP 17.1.1, 16.1.5
1186789-2 4-Minor BT1186789 DNSSEC keys stored on an internal FIPS card do not work after upgrading to versions >= 16.x 17.1.1, 16.1.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
890037-3 2-Critical BT890037 Rare BD process core 16.1.5
1490765-2 2-Critical BT1490765 Request body can be unordered by bot-defense 16.1.5
1366445-3 2-Critical BT1366445 [CORS] "Replace with" and "Remove header" CORS functionalities do not work 16.1.5
1282281-3 2-Critical BT1282281 Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns 17.1.1, 16.1.5, 15.1.10
939097-5 3-Major BT939097 Error messages related to long request allocation appear in the bd.log in case of big chunked requests 17.1.1, 16.1.5
852613-4 3-Major BT852613 Connection Mirroring and ASM Policy not supported on the same virtual server 16.1.5, 14.1.2.7
1468809-2 3-Major BT1468809 Attack signature "Staged Since" timestamp is not accurate 16.1.5
1462797-2 3-Major BT1462797 TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection when an HTTP/2 request is sent 16.1.5
1359281-2 3-Major BT1359281 Attack signature is not detected when the value does not have '=' 16.1.5
1350141-1 3-Major BT1350141 Duplicate user-defined Signature Set based on Attack Type is created upon policy import during upgrade 16.1.5
1348425-3 3-Major BT1348425 Header name or parameter name is configured with space. 16.1.5
1346461-3 3-Major BT1346461 Bd crash in some cases 16.1.5
1332769-2 3-Major BT1332769 Wildcard order incorrect for JSON Policy Import 16.1.5
1330473-2 3-Major BT1330473 Response_log_rate_limit is not applied 16.1.5
1329893-1 3-Major BT1329893 TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection based on IP, when an HTTP/2 request is sent 16.1.5
1329065-1 3-Major BT1329065 Hostname violation when hostname starts with multiple 0's 16.1.5
1316529-3 3-Major BT1316529 Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails with hidden DOS 17.1.1, 16.1.5
1302689-3 3-Major BT1302689 ASM requests to rechunk payload 17.1.1, 16.1.5, 15.1.10
1301197-3 3-Major BT1301197 Bot Profile screen does not load and display large number of pools/members 17.1.1, 16.1.5, 15.1.10
1298161-2 3-Major BT1298161 Ts_cookie_add_attrs is not effective with cookies that have non-root path or domain attribute 16.1.5
1295057-3 3-Major BT1295057 Installation of Attack Signatures file reported as fail after 1 hour 16.1.5
1295009-1 3-Major BT1295009 "JSON data does not comply with JSON schema" violation is raised when concurrent requests occur with same JSON data 17.1.1, 16.1.5, 15.1.10
1292685-2 3-Major BT1292685 The date-time RegExp pattern through swagger would not cover all valid options 17.1.1, 16.1.5, 15.1.10
1292645-2 3-Major BT1292645 False positive CORS violation can occur after upgrading to 17.1.x under certain conditions 17.1.1, 16.1.5
1288517-2 3-Major BT1288517 Item filter does not work on /mgmt/tm/asm/tasks/export-suggestions/ 16.1.5
1284097-2 3-Major BT1284097 False positive 'Illegal cross-origin request' violation 17.1.1, 16.1.5
1284073-3 3-Major BT1284073 Cookies are truncated when number of cookies exceed the value configured in "max_enforced_cookies" 17.1.1, 16.1.5
1281397-1 3-Major BT1281397 SMTP requests are dropped by ASM under certain conditions 17.1.1, 16.1.5
1281389-1 3-Major BT1281389 Bot Defense can crash when using SMTP security profile 16.1.5
1270133-3 3-Major BT1270133 bd crash during configuration update 17.1.1, 16.1.5
1231137-3 3-Major BT1231137 During signature update, Bot signature from one user partition affecting the Bot profile created in another Partition 16.1.5
1229813-2 3-Major BT1229813 The ref schema handling fails with oneOf/anyOf 17.1.1, 16.1.5, 15.1.10
1211905-2 3-Major BT1211905 Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts" 16.1.5
1210321-1 3-Major BT1210321 Parameters are not created for properties defined in multipart request body when URL include path parameter 16.1.5
1207793-1 3-Major BT1207793 Bracket expression in JSON schema pattern does not work with non basic latin characters 17.1.1, 16.1.5, 15.1.10
1168157-2 3-Major BT1168157 OpenAPI: Special ASCII characters in "schema" block should not be converted to UTF8 16.1.5
1081285-1 3-Major BT1081285 ASM::disable iRule command causes HTTP2 RST_STREAM response when MRF is enabled 16.1.5
1038689-3 3-Major BT1038689 "Mandatory request body is missing" violation should trigger for "act as a POST" methods only 17.1.1, 16.1.5
1004793-1 3-Major BT1004793 If there is an additional CSRT token, it triggers a No Max Parameter Protocol Compliance violation. 17.0.0, 16.1.5
987977-3 4-Minor BT987977 VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation 17.1.1, 16.1.5
911729-4 4-Minor BT911729 Redundant learning suggestion to set a Maximum Length when parameter is already at that value 17.0.0, 16.1.5, 16.0.1.2, 15.1.4, 14.1.4.2
1399289-1 4-Minor BT1399289 "XML data does not comply with schema or WSDL document" violations after upgrade to 16.1.4.1 16.1.5
1366229-5 4-Minor BT1366229 Leaked Credentials Action unexpectedly modified after XML-format policy export and re-import 16.1.5
1311253-3 4-Minor BT1311253 Set-Cookie header has no value (cookie-string) in server-side, due to asm.strip_asm_cookies 16.1.5
1186661-2 4-Minor BT1186661 The security policy JSON profile created from OpenAPI file should have value "any" for its defense attributes 16.1.5
1181833-2 4-Minor BT1181833 Content is not updating under respective tab of webUI when CSRF enabled 17.1.0, 16.1.5
1137245-1 4-Minor BT1137245 Issue with injected javascript can cause an error in the browser. 16.1.5
1084157-3 4-Minor BT1084157 Possible captcha loop when using Single Page Application 16.1.5
1016033-4 4-Minor BT1016033 Remote logging of WS/WSS shows date_time equal to Unix epoch start time 17.0.0, 16.1.5, 15.1.5
1030129-4 5-Cosmetic BT1030129 iHealth unnecessarily flags qkview for H701182 with mcp_module.xml 16.1.5


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
915005-3 4-Minor BT915005 AVR core files have unclear names 16.1.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1505789-2 1-Blocking K000138683, BT1505789 VPN connection fails with Edge client 7.2.4.6 with error "Network is vulnerable" 16.1.5
1146341-2 1-Blocking BT1146341 TMM crashes while processing traffic on virtual server 17.1.0, 16.1.5, 15.1.10
831737-3 2-Critical BT831737 Memory Leak when using Ping Access profile 17.1.1, 16.1.5, 15.1.6.1
1552685-5 2-Critical K000138771, BT1552685 Issues are observed with APM Portal Access on Chrome browser version 122 or later 16.1.5
1455677-2 2-Critical   ACCESS Policy hardening 16.1.5
1398401-1 2-Critical K000135607, BT1398401 Configuration error: In url-filter <filter name> allowed-category <cat name> does not exist. 16.1.5
1366401 2-Critical BT1366401 [APM]"F5RST: HTTP internal error" occurring after BIG-IP initiated client-ssl renegotiation 16.1.5
1355377-2 2-Critical BT1355377 Subroutine gating criteria utilizing TCL may cause TMM to restart 16.1.5
1355117-2 2-Critical K000137374, BT1355117 TMM core due to extensive memory usage 17.1.1, 16.1.5, 15.1.10.3
1321713-2 2-Critical K000135858, BT1321713 BIG-IP Rewrite Profile GUI and URI Validation is inconsistent 16.1.5
1104517-2 2-Critical BT1104517 In SWG explicit proxy, some TCP connections are reset because of inconsistency between sessionDB and local IP2SessionId map 17.1.1, 16.1.5, 15.1.10
1063261-4 2-Critical BT1063261 TMM crash is seen due to sso_config objects. 17.0.0, 16.1.5, 15.1.10
1020881-1 2-Critical BT1020881 TMM crashes while passing APM traffic. 16.1.5
738716-1 3-Major BT738716 Add support for "Restart Desktop" setting in View clients, native as well as HTML5 clients 17.1.1, 16.1.5
634576-3 3-Major K48181045, BT634576 TMM core in per-request policy 16.1.5, 13.1.0
1506009-1 3-Major BT1506009 Oauth core 16.1.5
1506005-2 3-Major BT1506005 TMM core occurs due to OAuth invalid number of keys or credential block size 16.1.5
1491481-2 3-Major BT1491481 Server changes to support QT upgrade of Mac Clients 16.1.5
1490833-1 3-Major BT1490833 OAuth agent gets misconfigured when adding a new Scope/Claim in VPE 16.1.5
1473701 3-Major BT1473701 Oauth Discovery task is stuck at "SAVE_AND_APPLY" state 16.1.5
1472609 3-Major BT1472609 [APM]Some user roles unable view Access config GUI, getting 403 error 16.1.5
1409453 3-Major BT1409453 [APM][NA]Read Access Denied for 'Manager role' when accessing Network Settings in Network Access config 16.1.5
1402421 3-Major BT1402421 Virtual Servers having adfs proxy configuration might have all traffic blocked 16.1.5
1359245 3-Major BT1359245 Apmd cored when processing oauth token response when response code is not "200" and "ContentType" header "text/html" 16.1.5
1352945-1 3-Major BT1352945 Rewrite plugin memory leak 16.1.5
1350273-2 3-Major BT1350273 Kerberos SSO Failing for Cross Domain After Upgrade from 15.1.8.2 to 15.1.9.1 16.1.5
1348153 3-Major BT1348153 Assigned IP Address session variable always as IPv6 Address 16.1.5
1345997-2 3-Major BT1345997 Very large number of custom URLs in SWG can impact performance. 16.1.5
1341849 3-Major BT1341849 APM- tmm core SIGSEGV in saml artifact usage 16.1.5
1338837 3-Major BT1338837 [APM][RADIUS] Support Framed-IPv6-Address in RADIUS Accounting STOP message 16.1.5
1328433 3-Major BT1328433 TMM cores while using VPN with ipv6 configured 16.1.5
1292141-1 3-Major BT1292141 TMM crash while processing myvpn request 17.1.1, 16.1.5
1273881-4 3-Major BT1273881 TMM crashes while processing traffic on the virtual server 16.1.5
1269709-1 3-Major BT1269709 GUI should throw the error when the VS is configured with both vdi and HTTP/2 profiles 16.1.5
1251157-3 3-Major BT1251157 Ping Access filter can accumulate connections increasing the memory use 17.1.1, 16.1.5, 15.1.10
1238329 3-Major BT1238329 Intermittent request for /vdesk/c_ses.php3?orig_uri is reset with cause Access encountered error: ERR_NOT_FOUND 16.1.5
1207821-3 3-Major BT1207821 APM internal virtual server leaks memory under certain conditions 17.1.1, 16.1.5, 15.1.10
1190025-2 3-Major BT1190025 The OAuth process crash 16.1.5
1188417-2 3-Major BT1188417 Failure in the SelfTest/Integrity test triggers a reboot action. 16.1.5
1147621-2 3-Major BT1147621 AD query do not change password does not come into effect when RSA Auth agent used 17.1.1, 16.1.5, 15.1.9
1145989-2 3-Major BT1145989 ID token sub-session variables are not populated 16.1.5
1099833-5 3-Major   Add additional server side support for f5-epi links. 16.1.5
1044457-3 3-Major BT1044457 APM webtop VPN is no longer working for some users when CodeIntegrity is enabled. 17.1.1, 16.1.5, 15.1.10
1006509-1 3-Major BT1006509 TMM memory leak 16.1.5, 15.1.7
1505413 4-Minor BT1505413 Error in Wrapper for Array.slice Method When F5_window_link is Undefined 16.1.5
1468589 4-Minor BT1468589 TypeError: Cannot convert a Symbol value to a string in CSSStyleDeclaration Object Getter and Setter Functions 16.1.5
1382329 4-Minor BT1382329 Handling 'active' attribute in introspection response 16.1.5
1381065-1 4-Minor BT1381065 Custom Request implementation modifies the Request object's prototype, resulting in the lack of the 'signal' property. 16.1.5
1351493 4-Minor BT1351493 Invalid JSON node type while support-introspection enabled 16.1.5
1350997-1 4-Minor BT1350997 Changes to support pre-logon when secondary logon service is disabled on windows edge client 16.1.5
1294993 4-Minor BT1294993 URL Database download logs are not visible 17.1.1, 16.1.5
1218813-4 4-Minor BT1218813 "Timeout waiting for TMM to release running semaphore" after running platform_diag 17.1.1, 16.1.5, 15.1.9
1142389-3 4-Minor BT1142389 APM UI report displays error "Error Processing log message ..." when the log contains some special character received in client request 17.1.1, 16.1.5, 15.1.10
1100561 4-Minor BT1100561 AAA: a trailing ampersand is added to serverside request when using HTTP forms based auth 17.1.1, 16.1.5
504374-1 5-Cosmetic BT504374 Cannot search Citrix Applications inside folders 16.1.5
427094-1 5-Cosmetic BT427094 Accept-language is not respected if there is no session context for page requested. 17.1.1, 16.1.5, 15.1.10


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1391161-2 2-Critical   sipmsg_parse_sdp crashes when SIP receives certain traffic pattern. 16.1.5
1304297-2 2-Critical   A certain client sequence via MRF passthrough may cause TMM to core 16.1.5
1270497-2 2-Critical BT1270497 MRF SIP/ALG Core dump observed while accessing trans_data in sipmsg_register_ingress_register_request_session_reply_common method 16.1.5
1466293-2 3-Major   SIP MRF over TCP might cause excessive memory buffering 16.1.5
1466289-3 3-Major   SIP MRF might leave orphaned connections 16.1.5
1307517-2 3-Major BT1307517 Allow SIP reply with missing FROM 17.1.1, 16.1.5
1395281-2 4-Minor BT1395281 UDP payloads not ending with CRLF are being treated as BAD messages. 16.1.5
1329477-2 4-Minor BT1329477 Auto-initialization does not work with certain MRF connection-mode 17.1.1, 16.1.5
1251013-2 4-Minor BT1251013 Allow non-RFC compliant URI characters 17.1.1, 16.1.5, 15.1.10
1225797-4 4-Minor BT1225797 SIP alg inbound_media_reinvite test fails 17.1.1, 16.1.5
1184629-2 4-Minor BT1184629 Validate content length with respective to SIP header offset instead of parser offset 17.1.0, 16.1.5, 15.1.9


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
984965-4 3-Major BT984965 While intentionally exiting, sshplugin may invoke functions out of sequence and crash 16.1.5
915221-6 3-Major BT915221 DoS unconditionally logs MCP messages to /var/tmp/mcpd.out 16.1.5
844597-6 3-Major BT844597 AVR analytics is reporting null domain name for a dns query 17.1.1, 16.1.5, 15.1.10
1560497 3-Major BT1560497 Host is unreachable, vector is not mitigated by HW at profile level. 16.1.5
1388985-2 3-Major BT1388985 The daemon dwbld uses 100% CPU when max port value configured in TMC port list 16.1.5
1311561-1 3-Major BT1311561 Unable to add Geo regions with spaces into blacklist, Error: invalid on shun entry adding 17.1.1, 16.1.5
1196053-3 3-Major BT1196053 The autodosd log file is not truncating when it rotates 17.1.1, 16.1.5, 15.1.10
1067393-2 3-Major BT1067393 MCP validation - incorrect config load fail on AFM NAT rule with next-hop pool. 17.0.0, 16.1.5, 15.1.5.1
1047933-1 3-Major BT1047933 Virtual server security policy - An error has occurred while trying to process your request 17.0.0, 16.1.5
1042153-2 3-Major BT1042153 AFM TCP connection issues when tscookie-vlans enabled on server/client side VLAN. 17.1.1, 17.0.0, 16.1.5, 15.1.10
1032329-1 3-Major BT1032329 A user with low privileges cannot open the Rule List editor. 16.1.5, 15.1.4.1
1019557-1 3-Major BT1019557 Bdosd does not create /var/bdosd/*.json 17.0.0, 16.1.5
928653-1 4-Minor BT928653 [tmsh]:list security nat policy rules showing automap though the value set is None 16.1.5
1302869 4-Minor BT1302869 AFM is not accounting Nxdomain attack for TCP query 16.1.5


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1496701-1 2-Critical BT1496701 PEM CPPE reporting buffer overflow resulting in core 16.1.5
1312145-1 2-Critical BT1312145 Bcdatabase file gets truncated, deleted and re-downloaded in a loop 16.1.5
1470329-2 3-Major BT1470329 PEM: Multiple layers of callback cookies need input validation in order to prevent crashes. 16.1.5
1462393 3-Major BT1462393 Quota is not getting updated from the PEM side 16.1.5
1394601-1 3-Major BT1394601 PEM AVR onbox reporting stall 16.1.5
1389049-1 3-Major BT1389049 Frequent instances of provisioning-pending count spiking on various PEM devices 16.1.5
1302677-4 3-Major BT1302677 Memory leak in PEM when Policy is queried via TCL 17.1.1, 16.1.5, 15.1.10
1277381-3 3-Major   PEM resource leak in MW layer leads to crash of Diameter interface 16.1.5
1231001-2 3-Major BT1231001 PEM flow-term-on-sess-delete can cause cores 16.1.5


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1060393-1 3-Major K24102225, BT1060393 Extended high CPU usage caused by JavaScript Obfuscator. 16.1.5


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1538173-3 3-Major BT1538173 Bados TLS fingerprints works incorrectly with chrome's new versions 16.1.5
1408381 3-Major BT1408381 BADOS signals might not sync on HA setups 16.1.5
1388341-2 3-Major BT1388341 tmm crash upon context reference that was already released (HUDEVT_SHUTDOWN) 16.1.5
1381565-2 3-Major   ADMD stability improvements when configured with TLS signatures 16.1.5
1046469-1 3-Major BT1046469 Memory leak during large attack 16.1.5


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
984657 3-Major BT984657 Sysdb variable not working from tmsh 16.1.5, 16.0.1.2, 15.1.4.1
1472685-2 3-Major BT1472685 Add support for 4 new Webroot Categories 16.1.5


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
985329-2 3-Major BT985329 Saving UCS takes longer when iControl LX extension is installed 16.1.5
943257-3 3-Major BT943257 REST framework support for IPv6 ConfigSync addresses 17.1.1, 16.1.5


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
989529-1 3-Major BT989529 AFM IPS engine takes action on unspecified services 16.1.5
1461597-2 3-Major BT1461597 IPS IM upgrade is taking more time 16.1.5
1269845-2 3-Major BT1269845 When upgrading IM, seeing errors like MCPD timed out and Error: 'insp_id' 16.1.5
1075001-2 3-Major BT1075001 Types 64-65 in IPS Compliance 'Unknown Resource Record Type' 16.1.5


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
1289845-3 3-Major BT1289845 Pool member marked as offline while matching both receive string and receive disable strings 16.1.5
1287045-3 3-Major BT1287045 In-TMM monitor may mark pool member offline despite its response matches Receive Disable String 16.1.5
1211985-4 3-Major BT1211985 BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring 17.1.1, 16.1.5, 15.1.10


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
1303185-4 3-Major BT1303185 Large numbers of URLs in url-db can cause TMM to restart 17.1.1, 16.1.5, 15.1.10
1289417 3-Major BT1289417 SSL Orchestrator SEGV TMM core 17.1.1, 16.1.5



Cumulative fixes from BIG-IP v16.1.4.3 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1495217-3 CVE-2024-31156 K000138636, BT1495217 TMUI hardening 17.1.1.3, 16.1.4.3, 15.1.10.4
1492361-2 CVE-2024-33604 K000138894, BT1492361 TMUI Security Hardening 17.1.1.3, 16.1.4.3, 15.1.10.4
1449709-2 CVE-2024-28889 K000138912, BT1449709 Possible TMM core under certain Client-SSL profile configurations 17.1.1.3, 16.1.4.3, 15.1.10.4
1366025-2 CVE-2023-44487 K000137106, BT1366025 A particular HTTP/2 sequence may cause high CPU utilization. 17.1.1.3, 16.1.4.3, 15.1.10.4
1360917-4 CVE-2024-27202 K000138520, BT1360917 TMUI hardening 17.1.1.3, 16.1.4.3, 15.1.10.4


Functional Change Fixes

None


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1494833-3 2-Critical K000138898, BT1494833 A single signature does not match when exceeding 65535 states 17.1.1.3, 16.1.4.3, 15.1.10.4



Cumulative fixes from BIG-IP v16.1.4.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1361169-2 CVE-2023-40534 K000133467, BT1361169 Connections may persist after processing HTTP/2 requests 17.1.1.1, 16.1.4.2
1117229-1 CVE-2022-26377 K26314875, BT1117229 CVE-2023-46747 and CVE-2022-26377: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp 17.1.1.1, 16.1.4.2, 15.1.10.3
1391357-1 CVE-2023-43125 K000136909, BT1391357 Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address 17.1.1.1, 16.1.4.2, 15.1.10.3
1381357-2 CVE-2023-46748 K000137365, BT1381357 CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability 17.1.1.1, 16.1.4.2, 15.1.10.3
1304957-6 CVE-2023-5450 K000135040, BT1304957 BIG-IP Edge Client for macOS vulnerability CVE-2023-5450 17.1.1.1, 16.1.4.2, 15.1.10.3
1240121-1 CVE-2022-36760 K000132643, BT1240121 CVE-2023-46747 and CVE-2022-36760: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp 17.1.1.1, 16.1.4.2, 15.1.10.3


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1354253-2 3-Major K000137322, BT1354253 HTTP Request smuggling with redirect iRule 17.1.1.1, 16.1.4.2, 15.1.10.3


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1316277-2 3-Major K000137796, BT1316277 Large CRL files may only be partially uploaded 17.1.1, 16.1.4.2, 15.1.10.3



Cumulative fixes from BIG-IP v16.1.4.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1324745-2 CVE-2023-41373 K000135689, BT1324745 An undisclosed TMUI endpoint may allow unexpected behavior 17.1.0.3, 16.1.4.1, 15.1.10.2, 14.1.5.6


Functional Change Fixes

None



Cumulative fixes from BIG-IP v16.1.4 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1167897-6 CVE-2022-40674 K44454157, BT1167897 [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c 17.1.1, 16.1.4, 15.1.9
1121661-2 CVE-2023-40534 K000133467, BT1121661 TMM may core while processing HTTP/2 requests 17.1.0, 16.1.4
981917-4 CVE-2020-8286 K15402727 CVE-2020-8286 - cUrl Vulnerability 17.1.1, 16.1.4, 15.1.10
949857-7 CVE-2024-22389 K32544615, BT949857 Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync 17.1.1, 16.1.4, 15.1.9
884541-9 CVE-2023-40537 K29141800, BT884541 Improper handling of cookies on VIPRION platforms 17.1.0, 16.1.4, 15.1.9
1317705-2 CVE-2024-25560 K000139037, BT1317705 TMM may restart on certain DNS traffic 17.1.1, 16.1.4
1315193-1 CVE-2024-33608 K000138728, BT1315193 TMM Crash in certain condition when processing IPSec traffic 17.1.1, 16.1.4
1314301-2 CVE-2024-23805 K000137334, BT1314301 TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled 17.1.1, 16.1.4, 15.1.10
1295661-2 CVE-2023-38418 K000134746, BT1295661 BIG-IP Edge Client for macOS vulnerability CVE-2023-38418 17.1.1, 16.1.4
1289189-3 CVE-2024-24775 K000137333, BT1289189 In certain traffic patterns, TMM crash 17.1.1, 16.1.4, 15.1.10
1271349-3 CVE-2023-25690 K000133098, BT1271349 CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy 17.1.1, 16.1.4, 15.1.9
1238629-1 CVE-2024-21763 K000137521, BT1238629 TMM core when processing certain DNS traffic with bad actor (BA) enabled 17.1.1, 16.1.4, 15.1.10
1220629-3 CVE-2024-23314 K000137675, BT1220629 TMM may crash on response from certain backend traffic 17.1.1, 16.1.4, 15.1.9
1208529-4 CVE-2023-41085 K000132420, BT1208529 TMM crash when handling IPSEC traffic 17.1.0, 16.1.4, 15.1.9
1195489-2 CVE-2024-22093 K000137522, BT1195489 iControl REST input sanitization 17.1.1, 16.1.4, 15.1.9
1189465-3 CVE-2023-24461 K000132539, BT1189465 Edge Client allows connections to untrusted APM Virtual Servers 17.1.0.3, 16.1.4, 15.1.9
1189461-3 CVE-2023-36858 K000132563, BT1189461 BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-36858 17.1.1, 16.1.4
1183453-1 CVE-2022-31676 K87046687 Local privilege escalation vulnerability (CVE-2022-31676) 17.1.0, 16.1.4, 15.1.9
1167929-4 CVE-2022-40674 K44454157, BT1167929 CVE-2022-40674 - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c 17.1.1, 16.1.4, 15.1.9
1161733-4 CVE-2023-40542 K000134652, BT1161733 Enabling client-side TCP Verified Accept can cause excessive memory consumption 17.1.0, 16.1.4, 15.1.9
1153969-2 CVE-2024-23979 K000134516, BT1153969 Excessive resource consumption when processing LDAP and CRLDP auth traffic 17.1.1, 16.1.4, 15.1.9
1133013-3 CVE-2023-43746 K41072952, BT1133013 Appliance mode hardening 17.1.0, 16.1.4, 15.1.9
1126285-1 CVE-2024-21849 K000135873, BT1126285 TMM might crash with certain HTTP traffic 17.1.0, 16.1.4
1122441-5 CVE-2015-1283, CVE-2021-45960,CVE-2022-22825,CVE-2022-22826,CVE-2022-22827, CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-23515, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2021-46143 K19473898, BT1122441 Upgrading the libexpat library 17.1.0, 16.1.4, 15.1.9
1111097-6 CVE-2022-1271 K000130546, BT1111097 gzip arbitrary-file-write vulnerability CVE-2022-1271 17.1.0, 16.1.4, 15.1.9
1107293-7 CVE-2021-22555 K06524534, BT1107293 CVE-2021-22555: Linux kernel vulnerability 17.1.0, 16.1.4, 15.1.8
1102881-4 CVE-2021-25217 K08832573, BT1102881 dhclient/dhcpd vulnerability CVE-2021-25217 17.1.0, 16.1.4, 15.1.9
1098829-6 CVE-2022-23852,CVE-2022-25235,CVE-2022-25236,CVE-2022-23515,CVE-2022-22822,CVE-2022-22823,CVE-2022-22824 K19473898, BT1098829 Security vulnerabilities found in expat lib(used by iControlSoap) prior to version 2.4.8 17.1.0, 16.1.4, 15.1.9
1093813-2 CVE-2002-20001, CVE-2022-40735, CVE-2024-41996 K83120834, BT1093813 DH Key Agreement vulnerability in APM server side components 17.1.0, 16.1.4
1093253-8 CVE-2021-3999 K24207649 CVE-2021-3999 Glibc Vulnerability 17.1.0, 16.1.4, 15.1.9
1091601-9 CVE-2022-23218, CVE-2022-23219 K52308021, BT1091601 Glibc vulnerabilities CVE-2022-23218, CVE-2022-23219 17.1.0, 16.1.4, 15.1.9
1091453-6 CVE-2022-23308 K32760744, BT1091453 libxml2 vulnerability CVE-2022-23308 17.1.0, 16.1.4, 15.1.8
1089225-4 CVE-2021-4034 K46015513, BT1089225 Polkit pkexec vulnerability CVE-2021-4034 17.1.0, 16.1.4, 15.1.8
1077301-4 CVE-2021-23133 K67416037, BT1077301 CVE-2021-23133 kernel: Race condition in sctp_destroy_sock list_del 17.1.0, 16.1.4, 15.1.8
1075733-3 CVE-2018-14348 K26890535, BT1075733 Updated libcgroup library to fix CVE-2018-14348 17.1.0, 16.1.4, 15.1.9
1075689-3 CVE-2020-25692,CVE-2020-25709,CVE-2020-12243,CVE-2019-13565,CVE-2020-25710,CVE-2020-36222,CVE-2020-36226,CVE-2020-36228,CVE-2020-36227,CVE-2021-27212,CVE-2020-36223,CVE-2020-36221,CVE-2020-36225,CVE-2020-36224,CVE-2019-13057 K56241216, BT1075689 Multiple CVE fixes for OpenLDAP library 17.1.0, 16.1.4, 15.1.8
1075657-3 CVE-2020-12825 K01074825, BT1075657 CVE-2020-12825 - libcroco vulnerability 17.1.1, 16.1.4, 15.1.10
1070753-4 CVE-2020-27216, CVE-2021-28169, CVE-2021-34428, CVE-2018-12536 K33548065, BT1070753 CVE-2020-27216: Eclipse Jetty vulnerability 17.1.1, 16.1.4, 15.1.9
1061977-3 CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111 K31781390, BT1061977 Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111 17.1.1, 16.1.4, 15.1.10
1057393-3 CVE-2019-18197 K10812540, BT1057393 CVE-2019-18197 libxslt vulnerability: use after free in xsltCopyText 17.0.0, 16.1.4, 15.1.8
1051305-4 CVE-2021-34798 K72382141, BT1051305 CVE-2021-34798: A NULL pointer dereference in httpd via malformed requests 17.0.0, 16.1.4, 15.1.7
1043821-1 CVE-2023-42768 K26910459, BT1043821 Inconsistent user role handling across configuration UIs 17.1.0, 16.1.4, 15.1.9
972545-7 CVE-2024-23976 K91054692, BT972545 iApps LX does not follow best practices in appliance mode 17.1.1, 16.1.4, 15.1.9
966541-1 CVE-2023-43485 K06110200, BT966541 Improper data logged in plaintext 17.1.0, 16.1.4, 15.1.9
950605-6 CVE-2020-14145 K48050136, BT950605 Openssh insecure client negotiation CVE-2020-14145 17.1.0, 16.1.4, 15.1.9
905937-8 CVE-2023-41253 K98334513, BT905937 TSIG key value logged in plaintext in log 17.1.0, 16.1.4, 15.1.9
785197-5 CVE-2019-9075 K42059040, BT785197 binutils vulnerability CVE-2019-9075 17.1.0, 16.1.4, 15.1.9
651029-12 CVE-2023-45219 K20307245, BT651029 Sensitive information exposed during incremental sync 17.1.0, 16.1.4, 15.1.9
1238321-4 CVE-2022-4304 K000132943 OpenSSL Vulnerability CVE-2022-4304 17.1.0.1, 16.1.4, 15.1.10
1235813-9 CVE-2023-0215 K000132946, BT1235813 OpenSSL vulnerability CVE-2023-0215 17.1.0.1, 16.1.4, 15.1.10
1235801-4 CVE-2023-0286 K000132941, BT1235801 OpenSSL vulnerability CVE-2023-0286 17.1.1, 16.1.4, 15.1.10
1189457-3 CVE-2023-22372 K000132522, BT1189457 Hardening of client connection handling from Edge client. 16.1.4, 15.1.9
1123537-9 CVE-2022-28615 K40582331, BT1123537 CVE-2022-28615 (httpd): out-of-bounds read in ap_strcmp_match() 17.1.1, 16.1.4, 15.1.9
1121965-2 CVE-2022-28614 K58003591, BT1121965 CVE-2022-28614 (httpd): out-of-bounds read via ap_rwrite() 17.1.0, 16.1.4, 15.1.9
1099341-4 CVE-2018-25032 K21548854 CVE-2018-25032: A flaw found in zlib, when compressing (not decompressing!) certain inputs 17.1.1, 16.1.4, 15.1.9
1089921-6 CVE-2022-0359 K08827426, BT1089921 Vim vulnerability CVE-2022-0359 17.1.0, 16.1.4, 15.1.9
1089233-4 CVE-2022-0492 K54724312 CVE-2022-0492 Linux kernel vulnerability 17.1.0, 16.1.4, 15.1.9
1088445-7 CVE-2022-22720 K67090077, BT1088445 CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body 17.1.1, 16.1.4, 15.1.9
1070905-4 CVE-2017-7656 K21054458, BT1070905 CVE-2017-7656 jetty: HTTP request smuggling using the range header 17.1.1, 16.1.4, 15.1.9
1041577-4 CVE-2024-21782 K98606833, BT1041577 SCP file transfer system, completing fix for 994801 17.1.1, 16.1.4, 15.1.9
1021245-3 CVE-2019-20907 K78284681, BT1021245 CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive 17.1.0, 16.1.4, 15.1.9
1018997-1 CVE-2023-41964 K20850144, BT1018997 Improper logging of sensitive DB variables 17.1.0, 16.1.4, 15.1.9
1009157-1 CVE-2023-39447 K47756555, BT1009157 AGC hardening 16.1.4, 15.1.8
1296489-3 CVE-2024-23603 K000138047, BT1296489 ASM UI hardening 17.1.1, 16.1.4, 15.1.10
1057445-3 CVE-2019-13118 K96300145, BT1057445 CVE-2019-13118 libxslt vulnerability: uninitialized stack data 17.0.0, 16.1.4, 15.1.8
1057437-3 CVE-2019-13117 K96300145, BT1057437 CVE-2019-13117 libxslt vulnerability: uninitialized read in xsltNumberFormatInsertNumbers 17.0.0, 16.1.4, 15.1.8
1057149-3 CVE-2019-11068 K30444545, BT1057149 CVE-2019-11068 libxslt vulnerability: xsltCheckRead and xsltCheckWrite 17.0.0, 16.1.4, 15.1.8


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1088037-3 1-Blocking BT1088037 VELOS platform's cmp hash has been updated to handle only even ephemeral port numbers 17.1.0, 16.1.4, 15.1.8
1053589-1 1-Blocking BT1053589 DDoS functionality cannot be configured at a Zone level 16.1.4, 15.1.8
1282181-1 3-Major   High CPU or increased translation errors following upgrade or restart when DAG distribution changes 16.1.4
1211513-2 3-Major BT1211513 Data payload validation is added to HSB validation loopback packets 17.1.1, 16.1.4, 15.1.10
1144373-4 3-Major BT1144373 BIG-IP SFTP hardening 17.1.0, 16.1.4, 15.1.9
1040609-1 3-Major K21800102, BT1040609 RFC enforcement is bypassed when HTTP redirect irule is applied to the virtual server. 17.1.0, 16.1.4, 15.1.9
1025497-1 4-Minor BT1025497 BIG-IP may accept and forward invalid DNS responses 17.1.0, 16.1.4, 15.1.9


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1284969-1 1-Blocking BT1284969 Adding ssh-rsa key for passwordless authentication 17.1.0.1, 16.1.4
1224125-1 1-Blocking BT1224125 When you upgrade to 16.1.3.2 or 17.1, keys that are not approved in FIPS 140-3 are permitted to be used. 17.1.0, 16.1.4
1173441-3 1-Blocking BT1173441 The 'tmsh save sys config' call is being triggered when REST Authentication tokens (X-F5-Auth-Token) are deleted or expired 17.1.0, 16.1.4, 15.1.9
1161913-1 1-Blocking BT1161913 Upgrades from BIG-IP versions 15.1.8, 15.1.8.1, 15.1.8.2, or v15.1.9 to 16.1.1, 16.1.2, 16.1.3 (not 16.1.4) or 17.0.x (but not 17.1.x) fail, and leaves the device INOPERATIVE 16.1.4
1116845-4 1-Blocking BT1116845 Interfaces using the xnet driver are not assigned a MAC address 17.1.0, 16.1.4, 15.1.9
995849-1 2-Critical BT995849 Tmm crash SIGSEGV - rcs_getsalen() in lib/rc_net.c 17.0.0, 16.1.4, 15.1.9
994033-3 2-Critical BT994033 The daemon httpd_sam does not recover automatically when terminated 17.1.1, 16.1.4, 15.1.9
993481-1 2-Critical BT993481 Jumbo frame issue with DPDK eNIC 17.1.1, 16.1.4, 15.1.10
967905-5 2-Critical BT967905 Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1
950201-3 2-Critical BT950201 Tmm core on GCP 17.1.1, 16.1.4, 15.1.9
888765-2 2-Critical BT888765 After upgrading from 13.1.0 to 15.1.0.1 CGNAT is deprovisioned and tmm is restarted by reloaded config from text files 16.1.4
723109-2 2-Critical BT723109 FIPS HSM: SO login failing when trying to update firmware 17.1.1, 16.1.4, 15.1.10
1290889-4 2-Critical K000134792, BT1290889 TMM disconnects from processes such as mcpd causing TMM to restart 17.1.1, 16.1.4, 15.1.9
1256841-1 2-Critical BT1256841 AWS Metadata crawling fails due to incorrect cloud provider name set by cloud-init script 17.1.1, 16.1.4, 15.1.10
1232997-1 2-Critical BT1232997 IPSEC: The tmm process may exit with 'Invalid policy remote index' 16.1.4, 15.1.10
1225789-2 2-Critical BT1225789 The iHealth API is transitioning from SSODB to OKTA 17.1.1, 16.1.4, 15.1.9
1209709-4 2-Critical BT1209709 Memory leak in icrd_child when license is applied through BIG-IQ 17.1.1, 16.1.4, 15.1.9
1195377 2-Critical BT1195377 Getting Service Indicator log for disallowed RSA-1024 crypto algorithm 17.1.0, 16.1.4
1181613-1 2-Critical BT1181613 IPsec IKEv2: BIG-IP version 16.1.0 introduced RFC5996 non-compliance in IKE SA delete 17.1.0, 16.1.4
1178221-3 2-Critical BT1178221 In IPsec IKEv2, packet memory corruption after retransmitted ISAKMP with NAT 17.1.0, 16.1.4, 15.1.9
1144477-1 2-Critical BT1144477 IKE_SA_INIT uses src port 500 and dst port 4500 after IKE SA deleted 17.1.0, 16.1.4
1136429-4 2-Critical BT1136429 Closing of unrelated MCPD connection causes an errant reply to an in-progress transaction or request group 17.1.0, 16.1.4, 15.1.9
1134301-3 2-Critical BT1134301 IPsec interface mode may stop sending packets over tunnel after configuration update 17.1.0, 16.1.4, 15.1.9
1128629 2-Critical BT1128629 Neurond crash observed during live install through test script 17.1.0, 16.1.4, 15.1.9
1110893-4 2-Critical BT1110893 Some portions of the BIG-IP GUI do not work when accessed behind an HTTP proxy 17.1.0, 16.1.4, 15.1.9
1105901-2 2-Critical BT1105901 Tmm crash while doing high-speed logging 17.1.1, 16.1.4, 15.1.10
1095217-1 2-Critical BT1095217 Peer unit incorrectly shows the pool status as unknown after merging the configuration 17.1.0, 16.1.4, 15.1.9
1085805-2 2-Critical BT1085805 UCS restore with SSL Orchestrator deployed fails due to multiple iFiles and incorrect iFile reference. 17.1.0, 16.1.4
1085597-1 2-Critical BT1085597 IKEv1 IPsec peer cannot be created in config utility (web UI) 17.1.0, 16.1.4
1082941-2 2-Critical   System account hardening 17.1.0, 16.1.4, 15.1.9
1076909-4 2-Critical BT1076909 Syslog-ng truncates the hostname at the first period. 17.1.0, 16.1.4, 15.1.9
1075713-2 2-Critical   Multiple libtasn1 vulnerabilities 17.1.1, 16.1.4
1075677-2 2-Critical   Multiple GnuTLS Mend findings 17.1.1, 16.1.4, 15.1.10
1035121-4 2-Critical BT1035121 Configsync syncs the node's monitor status 17.0.0, 16.1.4, 15.1.9
1023829-2 2-Critical BT1023829 Security->Policies in Virtual Server web page spins mcpd 100%, which later cores 17.0.0, 16.1.4, 15.1.9
998225-6 3-Major BT998225 TMM crash when disabling/re-enabling a blade that triggers a primary blade transition. 17.0.0, 16.1.4, 15.1.9
995097-1 3-Major BT995097 Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file. 17.0.0, 16.1.4, 15.1.10
992813-7 3-Major BT992813 The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations. 17.0.0, 16.1.4, 15.1.10
989501-2 3-Major BT989501 A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus 17.1.1, 16.1.4, 15.1.10
987301-3 3-Major BT987301 Software install on vCMP guest via block-device may fail with error 'reason unknown' 17.0.0, 16.1.4, 15.1.9
966949-6 3-Major BT966949 Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node 17.1.0, 16.1.4, 15.1.9
964125-6 3-Major BT964125 Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members. 17.1.1, 16.1.4, 15.1.10
936093-5 3-Major BT936093 Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline 17.1.1, 16.1.4, 15.1.9
930393-2 3-Major BT930393 IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration 17.1.0, 16.1.4, 15.1.10
925469-2 3-Major BT925469 SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo 17.1.0, 16.1.4, 15.1.9
921149-6 3-Major BT921149 After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy 17.1.0, 16.1.4, 15.1.9
906273-1 3-Major BT906273 MCPD crashes receiving a message from bcm56xxd 17.1.1, 16.1.4, 15.1.10
804529-1 3-Major BT804529 REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools 17.1.1, 16.1.4, 15.1.10
662301-8 3-Major BT662301 'Unlicensed objects' error message appears despite there being no unlicensed config 17.1.0, 16.1.4, 15.1.9
1238693-2 3-Major BT1238693 Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519 17.1.0.1, 16.1.4
1232521-2 3-Major   SCTP connection sticking on BIG-IP even after connection terminated 17.1.1, 16.1.4, 15.1.9
1166329-2 3-Major BT1166329 The mcpd process fails on secondary blades, if the predefined classification applications are updated. 17.1.0, 16.1.4
1160805-2 3-Major BT1160805 The scp-checkfp fail to cat scp.whitelist for remote admin 16.1.4, 15.1.9
1154933-4 3-Major   Improper permissions handling in REST SNMP endpoint 17.1.0, 16.1.4, 15.1.9
1153865-4 3-Major BT1153865 Restjavad OutOfMemoryError errors and restarts after upgrade 17.1.0, 16.1.4, 15.1.9
1146017-1 3-Major BT1146017 WebUI does not display error when parent rewrite profile is not assigned to user defined rewrite profile 17.1.0, 16.1.4, 15.1.9
1136921-4 3-Major BT1136921 BGP might delay route updates after failover 17.1.1, 16.1.4, 15.1.10
1128169-1 3-Major BT1128169 TMM core when IPsec tunnel object is reconfigured 17.1.0, 16.1.4
1127169 3-Major BT1127169 The BIG-IP can reboot due to failure to initialize the OpenSSL FIPS RNG 17.1.0, 16.1.4
1126805-3 3-Major BT1126805 TMM CPU usage statistics may show a lower than expected value on Virtual Edition 17.1.0, 16.1.4, 15.1.9
1124209-3 3-Major BT1124209 Duplicate key objects when renewing certificate using pkcs12 bundle 17.1.1, 16.1.4, 15.1.9
1123885-2 3-Major BT1123885 A specific type of software installation may fail to carry forward the management port's default gateway. 17.1.0, 16.1.4, 15.1.9
1121517-2 3-Major BT1121517 Interrupts on Hyper-V are pinned on CPU 0 16.1.4, 15.1.10
1113961-1 3-Major K43391532, BT1113961 BIG-IP 16.1.3 VE with FIPS 140-3 May Fail to start in AWS-China 17.1.0, 16.1.4, 15.1.9
1112537-2 3-Major BT1112537 LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete. 17.1.1, 16.1.4, 15.1.10
1112109-4 3-Major K000134769, BT1112109 Unable to retrieve SCP files using WinSCP or relative path name 17.1.0, 16.1.4, 15.1.9
1111629-4 3-Major BT1111629 Messages with "Failed Read: User, referer" are logged in /var/log/httpd/httpd_errors 17.1.0, 16.1.4, 15.1.9
1111421-1 3-Major BT1111421 IPsec SA info cannot be viewed in TMSH or the web UI 17.1.0, 16.1.4
1106489-2 3-Major BT1106489 GRO/LRO is disabled in environments using the TMM raw socket "sock" driver. 16.1.4, 15.1.10
1102849-3 3-Major BT1102849 Less-privileged users (guest, operator, etc) are unable to run top level commands 17.1.0, 16.1.4, 15.1.9, 14.1.5.1
1101453-1 3-Major BT1101453 MCPD SIGABRT and core happened while deleting GTM pool member 17.1.0, 16.1.4, 15.1.9
1100409-4 3-Major BT1100409 Valid connections may fail while a virtual server is in SYN cookie mode. 17.1.0, 16.1.4, 15.1.9
1100321 3-Major BT1100321 MCPD memory leak 17.1.0, 16.1.4, 15.1.10
1100125-4 3-Major BT1100125 Per virtual SYN cookie may not be activated on all HSB modules 17.1.0, 16.1.4, 15.1.10
1091725-4 3-Major BT1091725 Memory leak in IPsec 17.1.0, 16.1.4, 15.1.9
1088429-4 3-Major BT1088429 Kernel slab memory leak 17.1.0, 16.1.4, 15.1.9
1086517-2 3-Major BT1086517 TMM may not properly exit hardware SYN cookie mode 17.1.0, 16.1.4, 15.1.6.1
1085837-2 3-Major BT1085837 Virtual server may not exit from hardware SYN cookie mode 17.1.0, 16.1.4, 15.1.6.1
1084781-6 3-Major   Resource Admin permission modification 17.1.0, 16.1.4, 15.1.9
1081649-2 3-Major BT1081649 Remove the "F5 iApps and Resources" link from the iApps->Package Management 17.1.0, 16.1.4, 15.1.9
1081641-4 3-Major BT1081641 Remove Hyperlink to Legal Statement from Login Page 17.1.0, 16.1.4, 15.1.10
1080297-1 3-Major BT1080297 ZebOS does not show 'log syslog' in the running configuration, or store it in the startup configuration 17.1.0, 16.1.4, 15.1.9
1077533-1 3-Major BT1077533 Status is showing INOPERATIVE after an upgrade and reboot 17.1.1, 16.1.4, 15.1.10
1077405-2 3-Major BT1077405 Ephemeral pool members may not be created with autopopulate enabled. 17.1.0, 16.1.4, 15.1.9
1076785-2 3-Major BT1076785 Virtual server may not properly exit from hardware SYN Cookie mode 17.1.0, 16.1.4, 15.1.5.1
1069337-2 3-Major   CVE-2016-1841 - Use after free in xsltDocumentFunctionLoadDocument 17.1.0, 16.1.4, 15.1.9
1063237-4 3-Major BT1063237 Stats are incorrect when the management interface is not eth0 16.1.4, 15.1.9
1062953-1 3-Major BT1062953 Unable to save configuration via tmsh or the GUI. 17.0.0, 16.1.4
1053557-2 3-Major BT1053557 Support for Mellanox CX-6 17.1.0, 16.1.4, 15.1.9
1048709-2 3-Major BT1048709 FCS errors between the switch and HSB 17.1.0, 16.1.4, 15.1.8
1044089-3 3-Major BT1044089 ICMP echo requests to virtual address gets a response even when the virtual server is offline when updated from GUI. 17.1.1, 16.1.4, 15.1.10
1032821-7 3-Major BT1032821 Syslog: invalid level/facility from /usr/libexec/smart_parse.pl 17.0.0, 16.1.4, 15.1.9
1029105-1 3-Major BT1029105 Hardware SYN cookie mode state change logs bogus virtual server address 17.1.0, 16.1.4, 15.1.4
1001069-5 3-Major BT1001069 VE CPU usage higher after upgrade, given same throughput 17.1.0, 16.1.4, 15.1.9
964533-2 4-Minor BT964533 Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs. 17.1.1, 16.1.4, 15.1.10
939757-8 4-Minor BT939757 Deleting a virtual server might not trigger route injection update. 17.1.1, 16.1.4, 15.1.10
904661-4 4-Minor BT904661 Mellanox NIC speeds may be reported incorrectly on Virtual Edition 17.1.0, 16.1.4
889813-3 4-Minor BT889813 Show net bwc policy prints bytes-per-second instead of bits-per-second 17.0.0, 16.1.4, 15.1.10, 14.1.4.5
838405-4 4-Minor BT838405 Listener traffic-group may not be updated when spanning is in use 17.1.1, 16.1.4, 15.1.10
760496-4 4-Minor BT760496 Traffic processing interrupted by PF reset 17.1.0, 16.1.4, 15.1.9
674026-6 4-Minor BT674026 iSeries AOM web UI update fails to complete. 17.0.0, 16.1.4, 15.1.9
1256777-3 4-Minor BT1256777 In BGP, as-origination interval not persisting after restart when configured on a peer-group. 17.1.1, 16.1.4
1252537-3 4-Minor BT1252537 Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role 17.1.1, 16.1.4
1185257-4 4-Minor BT1185257 BGP confederations do not support 4-byte ASNs 17.1.1, 16.1.4, 15.1.10
1155733-1 4-Minor BT1155733 NULL bytes are clipped from the end of buffer 17.1.0, 16.1.4, 15.1.9
1117305-6 4-Minor BT1117305 The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials 17.1.1, 16.1.4, 15.1.9
1106353-4 4-Minor BT1106353 [Zebos] Expand zebos/bgp commands in a qkview 17.1.0, 16.1.4, 15.1.9
1090441-1 4-Minor BT1090441 IKEv2: Add algorithm info to SK_ logging 17.1.0, 16.1.4
1076897-4 4-Minor BT1076897 OSPF default-information originate command options not working properly 17.1.0, 16.1.4, 15.1.9
1076253-1 4-Minor BT1076253 IKE library memory leak 17.0.0, 16.1.4, 15.1.9
1062385-4 4-Minor BT1062385 BIG-IP has an incorrect limit on the number of monitored HA-group entries. 17.1.0, 16.1.4, 15.1.9
1057457-3 4-Minor   CVE-2015-9019: libxslt vulnerability: math.random() 17.0.0, 16.1.4, 15.1.8
1057449-3 4-Minor   CVE-2015-7995 libxslt vulnerability: Type confusion may cause DoS 17.0.0, 16.1.4, 15.1.8
1057441-3 4-Minor   An out-of-bounds access flaw in the libxslt component 17.0.0, 16.1.4, 15.1.8
1057433-3 4-Minor   Integer overflow in libxslt component 17.0.0, 16.1.4, 15.1.8


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1112349-4 1-Blocking BT1112349 FIPS Card Cannot Initialize 17.1.0, 16.1.4, 15.1.9
937649-4 2-Critical BT937649 Flow fwd broken with statemirror.verify enabled and source-port preserve strict 17.1.0, 16.1.4, 15.1.9
935193-4 2-Critical BT935193 With APM and AFM provisioned, single logout (SLO) fails 17.0.0, 16.1.4, 15.1.10
1282357-1 2-Critical BT1282357 Double HTTP::disable can lead to tmm core 17.1.1, 16.1.4, 15.1.10
1205501-2 2-Critical BT1205501 The iRule command SSL::profile can select server SSL profile with outdated configuration 17.1.1, 16.1.4, 15.1.9
1186249-2 2-Critical BT1186249 TMM crashes on reject rule 17.1.0, 16.1.4
1156697-3 2-Critical BT1156697 Translucent VLAN groups may pass some packets without changing the locally administered bit 17.1.0, 16.1.4, 15.1.9
1146377-2 2-Critical BT1146377 FastHTTP profiles do not insert HTTP headers triggered by iRules 17.1.1, 16.1.4, 15.1.9
1132405-4 2-Critical BT1132405 TMM does not process BFD echo pkts with src.addr == dst.addr 17.1.0, 16.1.4, 15.1.9
1126093 2-Critical BT1126093 DNSSEC Key creation failure with internal FIPS card. 17.1.1, 16.1.4
1110813-3 2-Critical BT1110813 Improve MPTCP retransmission handling while aborting 17.1.0, 16.1.4, 15.1.9
1099545-2 2-Critical BT1099545 Tmm may core when PEM virtual with a simple policy and iRule is being used 17.1.0, 16.1.4, 15.1.9
1075073-2 2-Critical BT1075073 TMM Crash observed with Websocket and MQTT profile enabled 17.0.0, 16.1.4, 15.1.9
1067669-1 2-Critical BT1067669 TCP/UDP virtual servers drop all incoming traffic. 17.0.0, 16.1.4, 15.1.9
1030185-5 2-Critical BT1030185 TMM may crash when looking up a persistence record using "persist lookup" iRule commands 17.0.0, 16.1.4, 15.1.9
1024241-1 2-Critical BT1024241 Empty TLS records from client to BIG-IP results in SSL session termination 17.1.1, 16.1.4, 15.1.9
985925-3 3-Major BT985925 IPv6 Routing Header processing not compatible as per Segments Left value. 17.1.1, 16.1.4, 15.1.10
976525-5 3-Major BT976525 Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled 17.0.0, 16.1.4, 15.1.6.1, 14.1.5
956133-2 3-Major BT956133 MAC address might be displayed as 'none' after upgrading. 17.0.0, 16.1.4, 15.1.4, 14.1.4.4
948065-1 3-Major BT948065 DNS Responses egress with an incorrect source IP address. 17.0.0, 16.1.4, 15.1.9
921541-6 3-Major BT921541 When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker. 17.1.1, 16.1.4, 15.1.10
878641-3 3-Major BT878641 TLS1.3 certificate request message does not contain CAs 17.1.1, 16.1.4, 15.1.9
876569-2 3-Major BT876569 QAT compression codec produces gzip stream with CRC error 17.1.1, 16.1.4, 15.1.10
851121-6 3-Major BT851121 Database monitor DBDaemon debug logging not enabled consistently 17.1.1, 16.1.4, 15.1.10
842425-6 3-Major BT842425 Mirrored connections on standby are never removed in certain configurations 17.1.1, 16.1.4, 15.1.10
693473-8 3-Major BT693473 The iRulesLX RPC completion can cause invalid or premature TCL rule resumption 17.1.1, 16.1.4, 15.1.9
574762-4 3-Major BT574762 Forwarding flows leak when a routing update changes the egress vlan 17.0.0, 16.1.4, 15.1.9
1292793-3 3-Major BT1292793 FIX protocol late binding flows that are not PVA accelerated may fail 17.1.1, 16.1.4, 15.1.10
1291565-2 3-Major BT1291565 BIG-IP generates more multicast packets in multicast failover high availability (HA) setup 17.1.1, 16.1.4, 15.1.10
1284993-1 3-Major BT1284993 TLS extensions which are configured after session_ticket are not parsed from Client Hello messages 17.1.1, 16.1.4
1284589-2 3-Major BT1284589 HTTP CONNECT request from client is not successful with iRule HTTP::disable discard command 16.1.4
1281637-1 3-Major BT1281637 When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE 17.1.1, 16.1.4, 15.1.9
1269733-3 3-Major BT1269733 HTTP GET request with headers has incorrect flags causing timeout 17.1.1, 16.1.4, 15.1.10
1250085-3 3-Major BT1250085 BPDU is not processed with STP passthrough mode enabled in BIG-IP 17.1.1, 16.1.4
1238413-3 3-Major BT1238413 The BIG-IP might fail to update ARL entry for a host in a VLAN-group 17.1.1, 16.1.4, 15.1.10
1229417-2 3-Major   BIG-IP iRulesLX: CVE-2020-7774 nodejs-y18n prototype pollution vulnerability 17.1.1, 16.1.4, 15.1.9
1229369-3 3-Major BT1229369 The fastl4 TOS mimic setting towards client may not function 17.1.1, 16.1.4, 15.1.10
1210469-3 3-Major BT1210469 TMM can crash when processing AXFR query for DNSX zone 17.1.1, 16.1.4, 15.1.9
1185133-2 3-Major BT1185133 ILX streaming plugins limited to MCP OIDs less than 10 million 17.1.0, 16.1.4, 15.1.9
1184153-2 3-Major BT1184153 TMM crashes when you use the rateshaper with packetfilter enabled 17.1.0, 16.1.4, 15.1.9
1159569-2 3-Major BT1159569 Persistence cache records may accumulate over time 17.1.0, 16.1.4, 15.1.9
1155393-2 3-Major BT1155393 Failure to remove chunk headers from chunked response with Rewrite/HTML profile and compression 17.1.0, 16.1.4, 15.1.9
1146241-2 3-Major BT1146241 FastL4 virtual server may egress packets with unexpected and erratic TTL values 17.1.0, 16.1.4, 15.1.9
1146037-1 3-Major BT1146037 Updating the firmware for a FIPS protected internal HSM due to SDK or driver upgrade 17.1.0, 16.1.4
1144117-3 3-Major BT1144117 "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands 17.1.1, 16.1.4, 15.1.9
1141845-4 3-Major BT1141845 RULE_INIT with a call that contains an extra colon character (:) will crash BIG-IP. 17.1.0, 16.1.4, 15.1.9
1135313-4 3-Major BT1135313 Pool member current connection counts are incremented and not decremented 17.1.0, 16.1.4, 15.1.9
1133881-2 3-Major BT1133881 Errors in attaching port lists to virtual server when TMC is used with same sources 17.1.0, 16.1.4, 15.1.9
1133625-2 3-Major BT1133625 The HTTP2 protocol is not working when SSL persistence and session ticket are enabled 17.1.0, 16.1.4, 15.1.9
1128721-2 3-Major BT1128721 L2 wire support on vCMP architecture platform 17.1.0, 16.1.4, 15.1.8
1126841-3 3-Major BT1126841 HTTP::enable can rarely cause cores 17.1.1, 16.1.4, 15.1.10
1126329-2 3-Major BT1126329 SSL Orchestrator with explicit proxy mode with proxy chaining enabled fails to send the CONNECT 17.1.0, 16.1.4, 15.1.9
1123169-1 3-Major BT1123169 Error saving an iRule when calling a procedure from HTML_TAG_MATCHED event 17.1.0, 16.1.4, 15.1.9
1117609-2 3-Major BT1117609 VLAN guest tagging is not implemented for CX4 and CX5 on ESXi 17.1.1, 16.1.4, 15.1.10
1115041-1 3-Major BT1115041 BIG-IP does not forward the response received after GOAWAY, to the client. 17.1.0, 16.1.4, 15.1.9
1113181-2 3-Major BT1113181 Self-IP allows no traffic following a modification from "Allow Custom (Include Default)" to "Allow Custom". 16.1.4, 15.1.9
1112745-2 3-Major BT1112745 System CPU Usage detailed graph is not accessible on Cerebrus+ 17.1.0, 16.1.4, 15.1.7
1111473-4 3-Major BT1111473 The error Invalid monitor rule instance identifier occurs, and possible blade reboot loop after sync with FQDN nodes 17.1.0, 16.1.4, 15.1.9
1109953-4 3-Major BT1109953 TMM may crash if a data-group is used when an SSL Forward Proxy Bypass/Intercept list contains extremely long entry 17.1.0, 16.1.4, 15.1.9
1107565 3-Major BT1107565 SSL Persistence behavior change for TLS1.3 connection between v16.1.0 and v16.1.2.2 17.1.1, 16.1.4
1102429-2 3-Major BT1102429 iRule 'reject' command under 'FLOW_INIT' event does not send the reject packet out in some cases. 17.1.0, 16.1.4, 15.1.9
1101697-2 3-Major BT1101697 TLS1.3 connection failure with 0-RTT and Hello Retry Request (HRR). 17.1.0, 16.1.4, 15.1.7
1101181-2 3-Major BT1101181 HTTP request payload not forwarded by BIG-IP when serverside is HTTP/2 and HTTP MRF router is enabled on virtual server 17.1.0, 16.1.4, 15.1.9
1099229-4 3-Major BT1099229 SSL does not resume/reset async LTM policy events correctly when both policy and iRules are present 17.1.0, 16.1.4, 15.1.9, 14.1.5.1
1096893-1 3-Major BT1096893 TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection 17.1.1, 16.1.4, 15.1.9
1091969-3 3-Major BT1091969 iRule 'virtual' command does not work for connections over virtual-wire. 16.1.4, 15.1.9
1088173-2 3-Major BT1088173 With TLS 1.3, client Certificate is stored after HANDSHAKE even if retain-certificate parameter is disabled in SSL profile 17.1.0, 16.1.4, 15.1.7
1080569-2 3-Major BT1080569 BIG-IP prematurely closes clientside HTTP1.1 connection when serverside is HTTP2 and HTTP MRF router is enabled on virtual server 17.1.0, 16.1.4, 15.1.9
1079769-1 3-Major BT1079769 Tmm utilizing the virtio driver might crash after modifying several IPv6 virtual servers 17.0.0, 16.1.4, 15.1.9
1077553-3 3-Major BT1077553 Traffic matches the wrong virtual server after modifying the port matching configuration 17.1.0, 16.1.4, 15.1.9
1076577-3 3-Major BT1076577 iRule command 'connects' fails to resume when used with Diameter/Generic-message 'irule_scope_msg' 17.1.0, 16.1.4, 15.1.7
1076573-3 3-Major BT1076573 MQTT profile addition is different in GUI and TMSH 17.0.0, 16.1.4, 15.1.9
1074505-1 3-Major BT1074505 Traffic classes are not attached to virtual server at TMM start 17.0.0, 16.1.4, 15.1.6.1, 14.1.5.1
1070389-4 3-Major K000132430, BT1070389 Tightening HTTP RFC enforcement 17.1.0, 16.1.4, 15.1.9
1068673-3 3-Major BT1068673 SSL forward Proxy triggers CLIENTSSL_DATA event on bypass. 17.1.0, 16.1.4, 15.1.9
1060021-1 3-Major BT1060021 Using OneConnect profile with RESOLVER::name_lookup iRule might result in core. 17.1.0, 16.1.4, 15.1.9
1053741-4 3-Major BT1053741 Bigd may exit and restart abnormally without logging a reason 17.1.0, 16.1.4, 15.1.8
1053173-1 3-Major BT1053173 Support for MQTT functionality over websockets. 17.0.0, 16.1.4
1043009 3-Major BT1043009 TMM dump capture for compression engine hang 17.1.0, 16.1.4, 15.1.9
1040017-5 3-Major BT1040017 Final ACK validation during flow accept might fail with hardware SYN Cookie 17.0.0, 16.1.4, 15.1.7
1012813-1 3-Major BT1012813 Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file" 17.1.1, 16.1.4
1000561-5 3-Major BT1000561 HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side 17.1.1, 16.1.4, 15.1.9
1000069-3 3-Major BT1000069 Virtual server does not create the listener 17.1.0, 16.1.4, 15.1.9
962177-6 4-Minor BT962177 Results of POLICY::names and POLICY::rules commands may be incorrect 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4, 13.1.4.1
960677-1 4-Minor BT960677 Improvement in handling accelerated TLS traffic 17.1.1, 16.1.4, 15.1.9
1281709-3 4-Minor BT1281709 Traffic-group ID may not be updated properly on a TMM listener 17.1.1, 16.1.4, 15.1.10
1240937-3 4-Minor BT1240937 The FastL4 TOS specify setting towards server may not function for IPv6 traffic 17.1.1, 16.1.4, 15.1.10
1211189-3 4-Minor BT1211189 Stale connections observed and handshake failures observed with errors 17.1.1, 16.1.4
1156105-2 4-Minor BT1156105 Proxy Exclusion List is not configurable if VLAN group and route-domain are in non default partition 17.1.0, 16.1.4, 15.1.9
1137717-2 4-Minor BT1137717 There are no dynconfd logs during early initialization 17.1.1, 16.1.4, 15.1.10
1133557-2 4-Minor BT1133557 Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name 17.1.1, 16.1.4, 15.1.10
1132765-4 4-Minor BT1132765 Virtual server matching might fail in rare cases when using virtual server chaining. 17.1.0, 16.1.4, 15.1.9
1128505-2 4-Minor BT1128505 HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy 17.1.1, 16.1.4
1122377-2 4-Minor BT1122377 If-Modified-Since always returns 304 response if there is no last-modified header in the server response 17.1.0, 16.1.4, 15.1.9
1111981-3 4-Minor BT1111981 Decrement in MQTT current connections even if the connection was never active 17.1.0, 16.1.4, 15.1.9
1103617-4 4-Minor BT1103617 'Reset on Timeout' setting might be ignored when fastl4 is used with another profile. 17.1.0, 16.1.4, 15.1.9
1101369-1 4-Minor BT1101369 MQTT connection stats are not updated properly 17.1.0, 16.1.4, 15.1.9
1037265-2 4-Minor K11453402, BT1037265 Improper handling of multiple cookies with the same name. 17.1.0, 16.1.4, 15.1.9
1034217-2 4-Minor BT1034217 Quic_update_rtt can leave ack_delay uninitialized. 17.0.0, 16.1.4, 15.1.9
1030533-1 4-Minor BT1030533 The BIG-IP system may reject valid HTTP responses from OCSP servers. 17.0.0, 16.1.4, 15.1.9
1027805-4 4-Minor BT1027805 DHCP flows crossing route-domain boundaries might fail. 17.0.0, 16.1.4, 15.1.9


Performance Fixes

ID Number Severity Links to More Info Description Fixed Versions
1127445-3 2-Critical BT1127445 Performance degradation after Bug ID 1019853 17.1.0, 16.1.4, 15.1.9


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1211341-4 1-Blocking BT1211341 Failed to delete custom monitor after dissociating from virtual server 17.1.0, 16.1.4, 15.1.10
1137485-2 2-Critical BT1137485 Gtmd produces excessive logging and may also crash (SIGSEGV) repeatedly 17.1.0, 16.1.4, 15.1.9
966461-7 3-Major BT966461 Tmm memory leak 17.1.0, 16.1.4, 15.1.9
935945-2 3-Major BT935945 GTM HTTP/HTTPS monitors cannot be modified via GUI 17.1.0, 16.1.4, 15.1.10
1230709-1 3-Major BT1230709 Remove unnecessary logging with nsec3_add_nonexist_proof 16.1.4, 15.1.10
1200929-2 3-Major BT1200929 GTM configuration objects larger than 16384 bytes can cause the GTM sync process to hang 17.1.0, 16.1.4, 15.1.10
1182353-3 3-Major BT1182353 DNS cache consumes more memory because of the accumulated mesh_states 17.1.1, 16.1.4, 15.1.9
1162081-6 3-Major   Upgrade the bind package to fix security vulnerabilities 17.1.0, 16.1.4, 15.1.9
1122497-4 3-Major BT1122497 Rapid response not functioning after configuration changes 17.1.0, 16.1.4, 15.1.9
1108237-2 3-Major BT1108237 Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM. 17.1.1, 16.1.4
1073677-1 3-Major BT1073677 Add a db variable to enable answering DNS requests before reqInitState Ready 17.1.0, 16.1.4, 15.1.10
1060145-1 3-Major BT1060145 Change of virtual IP from virtual-server-discovery leads to mcp validation error on slot 2. 17.1.0, 16.1.4, 15.1.9
1048077 3-Major BT1048077 SELinux errors with gtmd when using internal FIPS card 17.1.0, 16.1.4
808913-1 4-Minor BT808913 Big3d cannot log the full XML buffer data 17.0.0, 16.1.4, 15.1.9


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1105341-2 0-Unspecified BT1105341 Decode_application_payload can break exponent notation in JSON 17.1.0, 16.1.4, 15.1.9
923821-1 2-Critical BT923821 Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack 17.1.1, 16.1.4, 15.1.9
884945-1 2-Critical BT884945 Latency reduce in case of empty parameters. 17.0.0, 16.1.4, 15.1.9
850141-2 2-Critical BT850141 Possible tmm core when using Dosl7/Bot Defense profile 17.1.1, 16.1.4, 15.1.9
791669-5 2-Critical BT791669 TMM might crash when Bot Defense is configured for multiple domains 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.2.3
1132697-3 2-Critical BT1132697 Use of proactive bot defense profile can trigger TMM crash 17.1.1, 16.1.4, 15.1.9
1113161-2 2-Critical BT1113161 After upgrade, Learning and Blocking Settings page is not loading because some policies are still pointing to deleted factory Negsig sets 17.1.0, 16.1.4, 15.1.9
1095185-2 2-Critical BT1095185 Failed Configuration Load on Secondary Slot After Device Group Sync 17.1.0, 16.1.4, 15.1.9
1040757-1 2-Critical BT1040757 A BD memory leak was fixed 17.0.0, 16.1.4
974985-6 3-Major BT974985 Dosl7/bot does not ignore non-http traffic even when disabled via iRule DOSL7::disable 17.0.0, 16.1.4, 15.1.9
956373-4 3-Major BT956373 ASM sync files not cleaned up immediately after processing 17.0.0, 16.1.4, 16.0.1.2, 15.1.3, 14.1.4.1
950917-4 3-Major BT950917 Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034 17.0.0, 16.1.4, 15.1.4, 14.1.4.2, 13.1.4.1
929077-4 3-Major BT929077 Bot Defense allow list does not apply when using default Route Domain and XFF header 17.0.0, 16.1.4, 16.0.1.1, 15.1.3, 14.1.4
928997-3 3-Major BT928997 Less XML memory allocated during ASM startup 17.1.1, 16.1.4, 15.1.9
903313-4 3-Major BT903313 OWASP page: File Types score in Broken Access Control category is always 0. 17.0.0, 16.1.4
890169-4 3-Major BT890169 URLs starting with double slashes might not be loaded when using a Bot Defense Profile. 17.1.1, 16.1.4, 15.1.10
1312057-1 3-Major   bd instability when using many remote loggers with Arcsight format 17.1.1, 16.1.4
1297089-3 3-Major BT1297089 Support Dynamic Parameter Extractions in declarative policy 17.1.1, 16.1.4
1296469-2 3-Major   ASM UI hardening 17.1.1, 16.1.4
1286101-1 3-Major BT1286101 JSON Schema validation failure with E notation number 17.1.1, 16.1.4, 15.1.10
1216297-1 3-Major BT1216297 TMM core occurs when using disabling ASM of request_send event 17.1.1, 16.1.4
1196537-1 3-Major BT1196537 BD process crashes when you use SMTP security profile 17.1.1, 16.1.4, 15.1.9
1195125 3-Major BT1195125 "Failed to allocate memory for nodes of size 0, no variables found in query" BD log message fix 16.1.4
1194173-2 3-Major BT1194173 BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value 17.1.1, 16.1.4, 15.1.9
1190365-3 3-Major BT1190365 OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly 17.1.1, 16.1.4, 15.1.10
1186437-1 3-Major BT1186437 Link to Server Technologies is not working 16.1.4
1186401-2 3-Major BT1186401 Using REST API to change policy signature settings changes all the signatures. 17.1.1, 16.1.4, 15.1.9
1186385-1 3-Major BT1186385 Link to 'Enforced Cookies' and 'SameSite Cookie Attribute Enforcement' is opening the Policies List page 16.1.4
1184841-2 3-Major BT1184841 Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API 17.1.1, 16.1.4, 15.1.10
1173493-4 3-Major BT1173493 Bot signature staging timestamp corrupted after modifying the profile 17.1.1, 16.1.4, 15.1.10
1156889-3 3-Major BT1156889 TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions 17.1.1, 16.1.4, 15.1.9
1148009-2 3-Major BT1148009 Cannot sync an ASM logging profile on a local-only VIP 17.1.1, 16.1.4, 15.1.9
1144497-2 3-Major BT1144497 Base64 encoded metachars are not detected on HTTP headers 17.1.1, 16.1.4, 15.1.9
1141665-2 3-Major BT1141665 Significant slowness in policy creation following Threat Campaign LU installation 17.1.0, 16.1.4, 15.1.9
1137993-2 3-Major BT1137993 Violation is not triggered on specific configuration 17.1.1, 16.1.4, 15.1.9
1132981-2 3-Major BT1132981 Standby not persisting manually added session tracking records 17.1.1, 16.1.4, 15.1.9
1132741-2 3-Major BT1132741 Tmm core when html parser scans endless html tag of size more than 50MB 17.1.1, 16.1.4, 15.1.9
1128689-2 3-Major BT1128689 High BD CPU utilization 16.1.4, 15.1.9
1127809-2 3-Major BT1127809 Due to incorrect URI parsing, the system does not extract the expected domain name 17.1.0, 16.1.4, 15.1.9
1126409-3 3-Major BT1126409 BD process crash 17.1.0, 16.1.4, 15.1.9
1117245-2 3-Major BT1117245 Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file 17.1.1, 16.1.4, 15.1.10
1113881-2 3-Major BT1113881 Headers without a space after the colon, trigger an HTTP RFC violation 17.1.0, 16.1.4, 15.1.9
1112805-4 3-Major BT1112805 ip_address_intelligence field is not populated with value in ArcSight remote log when source IP is IPv4 17.1.0, 16.1.4, 15.1.9
1110281-2 3-Major BT1110281 Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable 17.1.1, 16.1.4, 15.1.9
1106937-3 3-Major BT1106937 ASM may skip signature matching 17.1.0, 16.1.4, 15.1.9
1102301-2 3-Major BT1102301 Content profiles created for types other than video and image allowing executable 17.1.0, 16.1.4
1100669-3 3-Major BT1100669 Brute force captcha loop 17.1.0, 16.1.4, 15.1.9
1100393-2 3-Major BT1100393 Multiple Referer headers raise false positive evasion violation 17.1.0, 16.1.4
1099193-2 3-Major BT1099193 Incorrect configuration for "Auto detect" parameter is shown after switching from other data types 17.1.0, 16.1.4, 15.1.9
1098609-4 3-Major BT1098609 BD crash on specific scenario 17.1.1, 16.1.4, 15.1.9
1095041-2 3-Major BT1095041 ASM truncates cookies that contain a space in the name and TS cookie as part of cookie list. 17.1.0, 16.1.4, 15.1.10
1089853-2 3-Major BT1089853 "Virtual Server" or "Bot Defense Profile" links in Request Details are not working 17.1.0, 16.1.4
1089345-1 3-Major BT1089345 BD crash when mcp is down, usually on startups 17.1.0, 16.1.4
1085661-1 3-Major BT1085661 Standby system saves config and changes status after sync from peer 17.1.1, 16.1.4, 15.1.10
1084257-2 3-Major K11342432, BT1084257 New HTTP RFC Compliance check in headers 17.1.0, 17.0.0.1, 16.1.4, 15.1.7
1080613-1 3-Major BT1080613 LU configurations revert to default and installations roll back to genesis files 17.1.0, 16.1.4, 15.1.9
1078065-2 3-Major BT1078065 The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA. 17.1.1, 16.1.4, 15.1.9
1072165-2 3-Major BT1072165 Threat_campaign_names and staged_threat_campaign_names fields are missing in ArcSight format 17.1.0, 16.1.4, 15.1.9
1069729-3 3-Major BT1069729 TMM might crash after a configuration change. 17.1.1, 16.1.4, 15.1.9
1067589-3 3-Major BT1067589 Memory leak in nsyncd 17.1.0, 16.1.4, 15.1.9
1067557-2 3-Major BT1067557 Value masking under XML and JSON content profiles does not follow policy case sensitivity 17.1.1, 16.1.4, 15.1.9
1059513-1 3-Major BT1059513 Virtual servers may appear as detached from security policy when they are not. 17.1.1, 16.1.4, 15.1.10
1058597-5 3-Major BT1058597 Bd crash on first request after system recovery. 17.0.0, 16.1.4, 15.1.9
1048949-1 3-Major BT1048949 TMM xdata leak on websocket connection with asm policy without websocket profile 17.1.1, 16.1.4, 15.1.9
1029989-6 3-Major BT1029989 CORS : default port of origin header is set 80, even when the protocol in the header is https 16.1.4, 15.1.10
1023889-3 3-Major BT1023889 HTTP/HTTPS protocol option in storage filter does not suppress WS/WSS server->client message 17.1.1, 16.1.4, 15.1.10
1017557-1 3-Major BT1017557 ASM Plugin Abort reset for chunked response without proper terminating 0 chunk followed by FIN 17.1.0, 16.1.4, 15.1.9
942617-2 4-Minor BT942617 Heading or tailing white spaces of variable are not trimmed in configuration utility System Variable 17.1.1, 16.1.4, 15.1.10
810917-1 4-Minor BT810917 OWASP Compliance score is shown for parent and child policies that are not applicable. 17.0.0, 16.1.4
1213333 4-Minor BT1213333 Check box to select all attack signatures does not work properly 16.1.4
1189865-2 4-Minor BT1189865 "Cookie not RFC-compliant" violation missing the "Description" in the event logs 17.1.1, 16.1.4, 15.1.9
1184929-1 4-Minor BT1184929 GUI link displays mixed values FULFILLED or Requirement Fulfilled and NOT FULFILLED or Requirement Not Fulfilled 16.1.4
1133997-3 4-Minor BT1133997 Duplicate user-defined Signature Set based on untagged signatures is created upon policy clone or import 17.1.1, 16.1.4
1132925-3 4-Minor BT1132925 Bot defense does not work with DNS Resolvers configured under non-zero route domains 17.1.0, 16.1.4, 15.1.9
1123153-3 4-Minor BT1123153 "Such URL does not exist in policy" error in the GUI 17.1.1, 16.1.4, 15.1.9
1113753-2 4-Minor BT1113753 Signatures might not be detected when using truncated multipart requests 17.1.1, 16.1.4, 15.1.10
1111793-2 4-Minor BT1111793 New HTTP RFC Compliance check for incorrect newline separators between request line and first header 17.1.0, 16.1.4, 15.1.7
1108657-3 4-Minor BT1108657 No notification about disabled "Virus detected" violation in case of enabling "Anti-Virus Protection" 17.1.0, 16.1.4
1099765-3 4-Minor BT1099765 Inconsistent behavior in violation detection with maximum parameter enforcement 17.1.1, 16.1.4, 15.1.10
1092965-2 4-Minor BT1092965 Disabled "Illegal Base64 value" violation is detected for staged base64 parameter with attack signature in value 17.1.0, 16.1.4, 15.1.9
1084857-2 4-Minor BT1084857 ASM::support_id iRule command does not display the 20th digit 17.1.1, 16.1.4, 15.1.10
1083513-1 4-Minor BT1083513 BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd 17.1.1, 16.1.4, 15.1.10
1076825-1 4-Minor BT1076825 "Live Update" configuration and list of update files reverts to default after upgrade to v16.1.x and v17.1.x from earlier releases. 17.1.1, 16.1.4
1026277-6 4-Minor BT1026277 Apply Policy can get ignored in auto-sync setup, while importing/replacing several existing policies with policies that have Policy Builder enabled 17.0.0, 16.1.4
1003765-2 4-Minor BT1003765 Authorization header signature triggered even when explicitly disabled 17.1.0, 16.1.4, 15.1.4.1
1113333-3 5-Cosmetic BT1113333 Change ArcSight Threat Campaign key names to be camelCase 17.1.0, 16.1.4, 15.1.9


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
932485-5 3-Major BT932485 Incorrect sum(hits_count) value in aggregate tables 17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
1111189-2 3-Major BT1111189 Listing errors in tmsh and installation failures when the configuration includes an AVR scheduled-report. 17.1.0, 16.1.4


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
965837-4 2-Critical BT965837 When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection 17.0.0, 16.1.4, 15.1.9
1283645 2-Critical BT1283645 Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued 17.1.0.3, 16.1.4, 15.1.9, 14.1.5.6
1111149-2 2-Critical BT1111149 Nlad core observed due to ERR_func_error_string can return NULL 17.1.1, 16.1.4, 15.1.9
1110489-3 2-Critical BT1110489 TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event 17.1.1, 16.1.4, 15.1.9
1106757-3 2-Critical BT1106757 Horizon VDI clients are intermittently disconnected 17.1.0, 16.1.4, 15.1.9
1082581-2 2-Critical BT1082581 Apmd sees large memory growth due to CRLDP Cache handling 17.1.0, 16.1.4, 15.1.9, 14.1.5.3
1078829-1 2-Critical BT1078829 Login as current user fails in VMware 17.0.0, 16.1.4, 15.1.10
1065501-2 2-Critical BT1065501 [API Protection]Per request policy is getting timed out 17.0.0, 16.1.4, 15.1.9
1046633-1 2-Critical BT1046633 Rare tmm crash when sending packets to apmd fails 17.0.0, 16.1.4, 15.1.9
957453-1 3-Major BT957453 Javascript parser incompatible with ECMAScript 6/7+ javascript versions 17.1.0, 16.1.4, 15.1.9
956645-4 3-Major BT956645 Per-request policy execution may timeout. 17.0.0, 16.1.4, 15.1.9, 14.1.4.5
819645-1 3-Major BT819645 Reset Horizon View application does not work when accessing through F5 APM 17.1.0, 16.1.4, 15.1.9
796065-2 3-Major BT796065 PingAccess filter can accumulate connections increasing memory use. 16.1.4
752077-4 3-Major BT752077 Kerberos replay cache leaks file descriptors 17.0.0, 16.1.4, 15.1.9
490138-1 3-Major BT490138 Kerberos Auth might fail in case BIG-IP is configured with multiple AAA Kerberos Servers 17.1.0, 16.1.4, 15.1.9
1268521 3-Major BT1268521 SAML authentication with the VCS fails when launching the applications/remote desktops from the APM Webtop when multiple RD resources are assigned to the APM Webtop 17.1.1, 16.1.4, 15.1.10
1232977-3 3-Major BT1232977 TMM leaking memory in OAuth scope identifiers when parsing scope lists 17.1.1, 16.1.4
1208949-1 3-Major BT1208949 TMM cored with SIGSEGV at 'vpn_idle_timer_callback' 17.1.1, 16.1.4, 15.1.10
1205029 3-Major BT1205029 WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a different per-session context are flowed to the backend application 17.1.1, 16.1.4
1196401-2 3-Major BT1196401 Restarting TMM does not restart APM Daemon 17.1.0, 16.1.4, 15.1.9
1180365-2 3-Major BT1180365 APM Integration with Citrix Cloud Connector 17.1.1, 16.1.4, 15.1.10
1173669-1 3-Major BT1173669 Unable to reach backend server with Per Request policy and Per Session together 17.1.0, 16.1.4, 15.1.9
1167985-2 3-Major BT1167985 Network Access resource settings validation errors 17.1.1, 16.1.4
1166449-2 3-Major BT1166449 APM - NTLM authentication will stop working if any of DC FQDN is not resolvable in the configured DC list 17.1.0, 16.1.4, 15.1.9
1145361 3-Major BT1145361 When JWT is cached the error "JWT Expired and cannot be used" is observed 17.1.1, 16.1.4
1124109-2 3-Major   Add "typ":"JWT" to JOSE Header while generating JWT token from OAuth AS 17.1.0, 16.1.4, 15.1.10
1113661-1 3-Major BT1113661 When OAuth profile is attached to access policy, iRule event in VPE breaks the evaluation 17.1.0, 16.1.4
1111397-4 3-Major BT1111397 [APM][UI] Wizard should also allow same patterns as the direct GUI 17.1.1, 16.1.4, 15.1.9
1108109-4 3-Major BT1108109 APM policy sync fails when access policy contains customization images 17.1.0, 16.1.4, 15.1.9
1104409-1 3-Major BT1104409 Added Rewrite Control Lists builder to Admin UI 17.1.0, 16.1.4, 15.1.9
1101321-3 3-Major BT1101321 APM log files are flooded after a client connection fails. 17.1.0, 16.1.4, 15.1.9
1100549-3 3-Major BT1100549 "Resource Administrator" role cannot change ACL order 17.1.0, 16.1.4, 15.1.9
1099305-2 3-Major BT1099305 Nlad core observed due to ERR_func_error_string can return NULL 17.1.0, 16.1.4, 15.1.9
1089101-2 3-Major BT1089101 Apply Access Policy notification in UI after auto discovery 17.1.0, 16.1.4, 15.1.9
1075849-5 3-Major   APM client hardening 17.1.0, 16.1.4, 15.1.8.2
1070029-1 3-Major BT1070029 GSS-SPNEGO SASL mechanism issue with AD Query to Synology Directory Service 17.1.1, 16.1.4, 15.1.10
1067609-2 3-Major   Static keys were used while generating UUIDs under OAuth module 17.1.0, 16.1.4, 15.1.9
1064001-1 3-Major BT1064001 POST request to a virtual server with stream profile and an access policy is aborted. 17.0.0, 16.1.4, 15.1.9
1060477-1 3-Major BT1060477 iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]". 17.1.1, 16.1.4, 15.1.9
1050165 3-Major BT1050165 APM SSO is disabled in the session of users and requires support of administrator for resolving 17.1.0, 16.1.4, 15.1.9
1046401-2 3-Major BT1046401 APM logs show truncated OCSP URL path while performing OCSP Authentication. 17.1.1, 16.1.4, 15.1.10
1042505-1 3-Major BT1042505 Session variable "session.user.agent" does not get populated for edge clients 17.0.0, 16.1.4, 15.1.9
1039941-3 3-Major BT1039941 The webtop offers to download F5 VPN when it is already installed 17.1.1, 16.1.4, 15.1.10
1038753-4 3-Major K75431121, BT1038753 OAuth Bearer with SSO does not process headers as expected 17.1.0, 16.1.4, 15.1.9
1037877-3 3-Major BT1037877 OAuth Claim display order incorrect in VPE 17.1.0, 16.1.4, 15.1.9
1018877-2 3-Major BT1018877 Subsession variable values mixing between sessions 17.0.0, 16.1.4, 15.1.9
1013729-2 3-Major BT1013729 Changing User login password using VMware View Horizon client results in “HTTP error 500” 17.0.0, 16.1.4, 15.1.10
1010961-1 3-Major BT1010961 Redirect fails when accessing SAML Resource more than once in SAML IDP initiated Flow 17.1.0, 16.1.4
1010809-3 3-Major BT1010809 Connection is reset when sending a HTTP HEAD request to APM Virtual Server 17.1.0, 16.1.4, 15.1.9
1002413-2 3-Major BT1002413 Websso puts quotation marks around non-string claim type 'custom' values 17.0.0, 16.1.4
1000669-4 3-Major BT1000669 Tmm memory leak 'string cache' leading to SIGFPE 17.0.0, 16.1.4, 15.1.9
1252005 4-Minor BT1252005 VMware USB redirection does not work with DaaS 17.1.1, 16.1.4, 15.1.10
1224409 4-Minor BT1224409 Unable to set session variables of length >4080 using the -secure flag 17.1.1, 16.1.4, 15.1.10
1195385 4-Minor BT1195385 OAuth Scope Internal Validation fails upon multiple providers with same type 17.1.1, 16.1.4
1088389-2 4-Minor BT1088389 Admin to define the AD Query/LDAP Query page-size globally 17.1.0, 16.1.4, 15.1.9
1079441-2 4-Minor BT1079441 APMD leaks memory in underlying LDAP/AD cyrus/krb5 libraries 17.1.0, 16.1.4, 15.1.9
1050009-2 4-Minor BT1050009 Access encountered error:ERR_NOT_FOUND. File: <file name> messages in 'acs_cmp_acp_req_handler' function in APM logs 17.1.0, 16.1.4, 15.1.9
1041985-1 4-Minor BT1041985 TMM memory utilization increases after upgrade 17.1.1, 16.1.4, 15.1.9
1040829-4 4-Minor BT1040829 Errno=(Invalid cross-device link) after SCF merge 17.1.1, 16.1.4, 15.1.10
1028081-1 4-Minor BT1028081 [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page 17.1.1, 16.1.4, 15.1.9


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1269889-3 2-Critical BT1269889 LTM crashes are observed while running SIP traffic and pool members are offline 17.1.1, 16.1.4, 15.1.10
1239901-2 2-Critical BT1239901 LTM crashes while running SIP traffic 17.1.1, 16.1.4, 15.1.9
1141853-2 2-Critical BT1141853 SIP MRF ALG can lead to a TMM core 17.1.0, 16.1.4, 15.1.9
1291149-3 3-Major BT1291149 Cores with fail over and message routing 17.1.1, 16.1.4, 15.1.10
1287313-2 3-Major BT1287313 SIP response message with missing Reason-Phrase or with spaces are not accepted 17.1.1, 16.1.4, 15.1.10
1189513-4 3-Major BT1189513 SIP media flow pinholes are not created if SDP MIME multipart body part misses the content-length header 17.1.1, 16.1.4, 15.1.9
1167941-3 3-Major BT1167941 CGNAT SIP ALG INVITE loops between BIG-IP and Server 17.1.0, 16.1.4, 15.1.9
1038057-4 3-Major BT1038057 Unable to add a serverssl profile into a virtual server containing a FIX profile 17.1.1, 16.1.4, 15.1.9
1213469-1 4-Minor BT1213469 MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP is dropped 17.1.1, 16.1.4
1116941-1 4-Minor BT1116941 Need larger Content-Length value supported for SIP 17.1.0, 16.1.4, 15.1.9


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1013353-1 1-Blocking BT1013353 ICMP flood or ICMP/IP/IPv6 fragment vectors are not hardware mitigated when configured on VS 16.1.4
1292093 2-Critical BT1292093 Neuron based HW SYN cookie broken due to ZBDDOS feature porting to 16.1.x 16.1.4
1287425 2-Critical BT1287425 Observed crash while running sweep flood tests 16.1.4
1136917-1 2-Critical BT1136917 TMM crashed when dos-profile (with BDOS and White-list enabled) disassociated from Virtual Server. 17.1.0, 16.1.4
1106273-3 2-Critical BT1106273 "duplicate priming" assert in IPSECALG 17.1.1, 16.1.4, 15.1.9
1069809 2-Critical BT1069809 AFM rules with ipi-category src do not match traffic after failover. 16.1.4, 15.1.9
1048425-4 2-Critical BT1048425 Packet tester crashes TMM when vlan external source-checking is enabled 16.1.4
1040685-4 2-Critical BT1040685 Core file on blade slot2 after reboot (TMM SIGSEGV in pktclass_classifier) 17.0.0, 16.1.4, 15.1.10
1038549-1 2-Critical BT1038549 TMM core when BDoS is enabled for an extended time 16.1.4
997429-1 3-Major BT997429 When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled 17.1.0, 16.1.4, 15.1.9
993269-3 3-Major BT993269 DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option 17.0.0, 16.1.4, 15.1.9
952521-1 3-Major BT952521 Memory allocation error while creating an address list with a large range of IPv6 addresses 17.0.0, 16.1.4, 15.1.9
929913-3 3-Major BT929913 External DNS logging does not differentiate between: all src_IP, Per-SrcIP and Per-DstIP events 17.0.0, 16.1.4, 15.1.9
1287873 3-Major BT1287873 Hardware mitigation is not working for a few SIP vectors 16.1.4
1216573-1 3-Major BT1216573 AFM Learning Domain issue when trying with many valid domains 16.1.4
1209409-3 3-Major BT1209409 Address lists with thousands of addresses can cause MCPD to become unresponsive and use 100% CPU 16.1.4
1127117-1 3-Major BT1127117 High Memory consumption for NAT translations of NAPT/PBA End Point Independent modes 17.1.0, 16.1.4, 15.1.9
1124149-2 3-Major BT1124149 Increase the configuration for the PCCD Max Blob size from 4GB to 8GB 17.1.0, 16.1.4, 15.1.9
1121521-2 3-Major BT1121521 Libssh upgrade from v0.7.7 to v0.9.6 17.1.0, 16.1.4, 15.1.8
1112781 3-Major BT1112781 DNS query drops on Virtual Edition platform if the packet size is above 1500 for NAPTR record. 17.1.1, 16.1.4, 15.1.9
1078625 3-Major BT1078625 TMM crashes during DoS processing 17.1.1, 16.1.4
1070033-2 3-Major BT1070033 Virtual server may not fully enter hardware SYN Cookie mode. 17.0.0, 16.1.4, 14.1.4.6
1020061-3 3-Major BT1020061 Nested address lists can increase configuration load time 17.0.0, 16.1.4, 15.1.9
760355-4 4-Minor BT760355 Firewall rule to block ICMP/DHCP from 'required' to 'default' 16.1.4, 15.1.9, 15.0.1.1, 14.1.2.1
1215401-1 4-Minor BT1215401 Under Shared Objects, some country names are not available to select in the Address List 16.1.4, 15.1.9
1211021-4 4-Minor BT1211021 Enforcement does not happen for entries in new and modified IPI feed lists due to lock issues 17.1.0, 16.1.4, 15.1.10
1069265-3 4-Minor BT1069265 New connections or packets from the same source IP and source port can cause unnecessary port block allocations. 17.1.1, 16.1.4, 15.1.10
1003377-3 4-Minor BT1003377 Disabling DoS TCP SYN-ACK does not clear suspicious event count option 16.1.4, 15.1.9


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1159397-1 1-Blocking BT1159397 The high utilization of memory when blade turns offline results in core 17.1.0, 16.1.4, 15.1.9
1186925-4 2-Critical BT1186925 When FUA in CCA-i, PEM does not send CCR-u for other rating-groups 17.1.1, 16.1.4, 15.1.9
1095989-1 2-Critical BT1095989 PEM behaviour on receiving CCA with result code: 4012 and FUA on the Gy interface 17.1.0, 16.1.4
829653-1 3-Major BT829653 Memory leak due to session context not freed 17.0.0, 16.1.4
1259489-3 3-Major BT1259489 PEM subsystem memory leak is observed when using PEM::subscriber information 17.1.1, 16.1.4, 15.1.10
1238249-1 3-Major BT1238249 PEM Report Usage Flow log is inaccurate 17.1.1, 16.1.4, 15.1.10
1226121-2 3-Major BT1226121 TMM crashes when using PEM logging enabled on session 17.1.1, 16.1.4, 15.1.9
1207381-3 3-Major BT1207381 PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored 17.1.1, 16.1.4, 15.1.9
1190353-3 3-Major BT1190353 The wr_urldbd BrightCloud database downloading from a proxy server is not working 17.1.1, 16.1.4, 15.1.10
1174085-1 3-Major BT1174085 Spmdb_session_hash_entry_delete releases the hash's reference 17.1.1, 16.1.4, 15.1.9
1174033-2 3-Major BT1174033 The UPDATE EVENT is triggered with faulty session_info and resulting in core 17.1.0, 16.1.4, 15.1.9
1108681-4 3-Major BT1108681 PEM queries with filters return error message when a blade is offline 17.1.0, 16.1.4, 15.1.9
1093357-4 3-Major BT1093357 PEM intra-session mirroring can lead to a crash 17.1.1, 16.1.4, 15.1.10
1089829-3 3-Major BT1089829 PEM A112 15.1.5.0.69.10 - Constant SIGSEGV cores on both peers 17.1.0, 16.1.4, 15.1.9
1020041-3 3-Major BT1020041 "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs 17.1.1, 16.1.4, 15.1.10


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
1016045-4 4-Minor BT1016045 OOPS logging may appear while active ftp if the port command forces a cmp_redirection and a quit follows. 16.1.4, 15.1.9


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1211297-3 2-Critical BT1211297 Handling DoS profiles created dynamically using iRule and L7Policy 17.1.1, 16.1.4, 15.1.9
1060057-2 3-Major BT1060057 Enable or Disable APM dynamically with Bados generates APM error 17.1.0, 16.1.4, 15.1.9


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
1161965-3 3-Major BT1161965 File descriptor(fd) and shared memory leak in wr_urldbd 17.1.0, 16.1.4, 15.1.9
974205-5 4-Minor BT974205 Unconstrained wr_urldbd size causing box to OOM 17.1.0, 16.1.4, 15.1.4, 14.1.4.4, 12.1.6
1168137-3 4-Minor BT1168137 PEM Classification Auto-Update for month is working as hourly 17.1.0, 16.1.4, 15.1.9
1167889 4-Minor BT1167889 PEM classification signature scheduled updates do not complete 17.1.0, 16.1.4, 15.1.9
1117297-1 4-Minor BT1117297 Wr_urldbd continuously crashes and restarts 17.1.0, 16.1.4, 15.1.9


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
954001-7 3-Major   REST File Upload hardening 17.1.1, 16.1.4, 15.1.10
1196477-3 3-Major BT1196477 Request timeout in restnoded 17.1.1, 16.1.4, 15.1.9
1049237-1 4-Minor BT1049237 Restjavad may fail to cleanup ucs file handles even with ID767613 fix 17.1.1, 16.1.4, 15.1.10


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
889605-2 3-Major BT889605 iApp with Bot profile is unavailable if application folder includes a subpath 17.1.0, 16.1.4, 15.1.9
1004697-3 3-Major BT1004697 Saving UCS files can fail if /var runs out of space 16.1.4, 15.1.10
1093933-3 4-Minor   CVE-2020-7774 nodejs-y18n prototype pollution vulnerability 17.1.1, 16.1.4, 15.1.9


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
1122205-1 3-Major BT1122205 The 'action' value changes when loading protocol-inspection profile config 17.1.1, 16.1.4, 15.1.10
1098837-1 4-Minor BT1098837 Configuration failure due to the DB validation exception happening in the ips_inspection_sig and ips_inspection_compl tables 17.1.0, 16.1.4, 15.1.9
1135073-3 5-Cosmetic BT1135073 IPS signature update webUI warning message "An active subscription is required to access certain inspections" is always enabled 17.1.0, 16.1.4, 15.1.9


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
1107549-2 2-Critical BT1107549 In-TMM TCP monitor memory leak 17.1.0, 16.1.4, 15.1.8
1110241-2 3-Major BT1110241 in-tmm http(s) monitor accumulates unchecked memory 17.1.0, 16.1.4, 15.1.9
1046917-4 3-Major BT1046917 In-TMM monitors do not work after TMM crashes 17.1.0, 16.1.4, 15.1.8


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
922737-1 2-Critical BT922737 TMM crashes with a sigsegv while passing traffic 17.1.0, 16.1.4, 15.1.10
1104037-2 2-Critical BT1104037 Tmm crash after changing "connection.vlankeyed" to disabled on system with L2 wire 17.1.0, 16.1.4, 15.1.10
1289365-1 3-Major BT1289365 The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode 17.1.1, 16.1.4, 15.1.10
1095145-3 4-Minor BT1095145 Virtual server responding with ICMP unreachable after using /Common/service 17.1.0, 16.1.4



Cumulative fixes from BIG-IP v16.1.3.5 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1285173-3 CVE-2023-38138 K000133474, BT1285173 Improper query string handling on undisclosed pages 17.1.0.2, 16.1.3.5, 15.1.9.1
1265425-2 CVE-2023-38423 K000134535, BT1265425 Improper query string handling on undisclosed pages 17.1.0.2, 16.1.3.5, 15.1.9.1
1185421-4 CVE-2023-38419 K000133472, BT1185421 iControl SOAP uncaught exception when handling certain payloads 17.1.0.2, 16.1.3.5, 15.1.9.1


Functional Change Fixes

None



Cumulative fixes from BIG-IP v16.1.3.4 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1223369-3 CVE-2024-23982 K000135946, BT1223369 Classification of certain UDP traffic may cause crash 17.1.1, 16.1.3.4, 15.1.10
1213305-3 CVE-2023-27378 K000132726, BT1213305 Improper query string handling on undisclosed pages 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4
1208989-3 CVE-2023-27378 K000132726, BT1208989 Improper value handling in DOS Profile properties page 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4
1208001-1 CVE-2023-22374 K000130415, BT1208001 iControl SOAP vulnerability CVE-2023-22374 17.1.1, 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4
1204961-4 CVE-2023-27378 K000132726, BT1204961 Improper query string handling on undisclosed pages 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4
1204793-4 CVE-2023-27378 K000132726, BT1204793 Improper query string handling on undisclosed pages 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4
1196033-2 CVE-2023-27378 K000132726, BT1196033 Improper value handling in DataSafe UI 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4
1106989-3 CVE-2023-29163 K20145107, BT1106989 Certain configuration settings may lead to memory accumulation 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4
1086293-4 CVE-2023-22358 K76964818, BT1086293 Untrusted search path vulnerability in APM Windows Client installer processes 17.1.0, 17.0.0.2, 16.1.3.4, 15.1.8.2, 14.1.5.4
1086289-4 CVE-2023-22358 K76964818, BT1086289 BIG-IP Edge Client for Windows vulnerability CVE-2023-22358 17.1.0, 17.0.0.2, 16.1.3.4, 15.1.8.2, 14.1.5.4
1207661-4 CVE-2023-28406 K000132768, BT1207661 Datasafe UI hardening 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4
1096373-2 CVE-2023-28742 K000132972, BT1096373 Unexpected parameter handling in BIG3d 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4


Functional Change Fixes

None



Cumulative fixes from BIG-IP v16.1.3.3 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
982785-2 CVE-2022-25946 K52322100 Guided Configuration hardening 17.0.0, 16.1.3.3, 15.1.8, 14.1.5.3
890917-8 CVE-2023-22323 K56412001, BT890917 Performance may be reduced while processing SSL traffic 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1143073-4 CVE-2022-41622 K94221585, BT1143073 iControl SOAP vulnerability CVE-2022-41622 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1107437-3 CVE-2023-22839 K37708118, BT1107437 TMM may crash when enable-rapid-response is enabled on a DNS profile 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1106161-2 CVE-2022-41800 K13325942, BT1106161 Securing iControlRest API for appliance mode 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1105389-4 CVE-2023-23552 K17542533, BT1105389 Incorrect HTTP request handling may lead to resource leak 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3
1093821-4 CVE-2023-22422 K43881487, BT1093821 TMM may behave unexpectedly while processing HTTP traffic 17.1.0, 17.0.0.2, 16.1.3.3
1085077-4 CVE-2023-22340 K34525368, BT1085077 TMM may crash while processing SIP-ALG traffic 17.0.0, 16.1.3.3, 15.1.8, 14.1.5.3
1083225-2 CVE-2023-22842 K08182564, BT1083225 TMM may crash while processing SIP traffic 17.0.0, 16.1.3.3, 15.1.8.1, 14.1.5.3
1062569-1 CVE-2023-22664 K56676554, BT1062569 HTTP/2 stream bottom filter leaks memory at teardown under certain conditions 17.1.0, 17.0.0.2, 16.1.3.3
1032553-5 CVE-2023-22281 K46048342, BT1032553 Core when virtual server with destination NATing receives multicast 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8, 14.1.5.3
1112445-2 CVE-2023-22302 K58550078, BT1112445 Fix to avoid zombie node on the chain 17.1.0, 17.0.0.2, 16.1.3.3
1073005-2 CVE-2023-22326 K83284425, BT1073005 iControl REST use of the dig command does not follow security best practices 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1065917-2 CVE-2023-22418 K95503300, BT1065917 BIG-IP APM Virtual Server does not follow security best practices 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.7, 14.1.5.3


Functional Change Fixes

None


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1113385-4 3-Major BT1113385 Expired REST tokens are not getting deleted from /var/run/pamcache on standalone BIG-IP 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3
1103369-2 3-Major BT1103369 DELETE of REST Auth token does not result in deletion of the pamcache token file on a multi-slot VIPRION chassis, vCMP guest, or VELOS tenant 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1134085-2 2-Critical BT1134085 Intermittent TMM core when iRule is configured with SSL persistence 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1122473-4 2-Critical BT1122473 TMM panic while initializing URL DB 17.1.0, 16.1.3.3, 15.1.9
1174873-3 3-Major BT1174873 Query string separators ? or / in MultiDomain or SAML use cases are incorrectly converted to "%3F" or "%2F" 17.1.0, 17.0.0.2, 16.1.3.3, 15.1.8.1, 14.1.5.3



Cumulative fixes from BIG-IP v16.1.3.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
982777-9 CVE-2022-27230 K21317311, BT982777 APM hardening 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3
982769-12 CVE-2022-27806 K68647001, BT982769 Appliance mode hardening 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3
982753-2 CVE-2022-27806 K68647001, BT982753 Appliance mode hardening 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3
982745-5 CVE-2022-27806 K68647001, BT982745 Appliance mode hardening 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3
963625-3 CVE-2022-27806 K68647001, BT963625 Appliance mode hardening 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3
959153-3 CVE-2022-27806 K68647001, BT959153 Appliance mode hardening 17.0.0, 16.1.3.2, 15.1.8, 14.1.5.3
1106289-2 CVE-2022-41624 K43024307, BT1106289 TMM may leak memory when processing sideband connections. 17.1.0, 17.0.0.1, 16.1.3.2, 15.1.7, 14.1.5.2, 13.1.5.1
1068821 CVE-2022-41806 K00721320, BT1068821 TMM may crash when processing AFM NAT64 policy 16.1.3.2
1004881-5 CVE-2015-9251,CVE-2016-7103,CVE-2017-18214,CVE-2018-16487,CVE-2018-3721,CVE-2019-1010266,CVE-2019-10744,CVE-2019-10768,CVE-2019-10768,CVE-2019-11358,CVE-2020-11022,CVE-2020-11023,CVE-2020-28168,CVE-2020-28500,CVE-2020-7676,CVE-2020-7676,CVE-2020-8203,CVE-2021-23337 K12492858, BT1004881 Update angular, jquery, moment, axios, and lodash libraries in AGC 17.0.0, 16.1.3.2, 15.1.8


Functional Change Fixes

None


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1137037 2-Critical BT1137037 System boots into an inoperative state after installing engineering hotfix with FIPS 140-2/140-3 license in version 16.1.x 16.1.3.2



Cumulative fixes from BIG-IP v16.1.3.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
972517-7 CVE-2023-43746 K41072952, BT972517 Appliance mode hardening 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
1104493-1 CVE-2022-35272 K90024104, BT1104493 Client-side abort during server-side establishment may cause tmm to behave abnormally in HTTP MRF proxy 17.1.0, 17.0.0.1, 16.1.3.1
1093621-2 CVE-2022-41832 K10347453 Some SIP traffic patterns over TCP may cause resource exhaustion on BIG-IP 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1, 13.1.5.1
1085729-2 CVE-2022-41836 K47204506, BT1085729 bd may crash while processing specific request 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1076397-1 CVE-2022-35735 K13213418, BT1076397 TMSH hardening 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1073841-1 CVE-2022-34862 K66510514, BT1073841 URI normalization does not function as expected 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
1073357-2 CVE-2022-34862 K66510514, BT1073357 TMM may crash while processing HTTP traffic 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
1067505-4 CVE-2022-34651 K59197053, BT1067505 TMM may crash while processing TLS traffic with HTTP::respond 17.0.0, 16.1.3.1, 15.1.6.1
1066673-1 CVE-2022-35728 K55580033, BT1066673 BIG-IP Configuration Utility(TMUI) does not follow best practices for managing active sessions 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1024029-2 CVE-2022-35245 K58235223, BT1024029 TMM may crash when processing traffic with per-session APM Access Policy 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
919357-8 CVE-2022-41770 K22505850, BT919357 iControl REST hardening 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
881809-8 CVE-2022-41983 K31523465, BT881809 Client SSL and Server SSL profile hardening 17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1
740321-1 CVE-2022-34851 K50310001, BT740321 iControl SOAP API does not follow current best practices 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1084013-4 CVE-2022-36795 K52494562, BT1084013 TMM does not follow TCP best practices 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1081153-2 CVE-2022-41813 K93723284, BT1081153 TMM may crash while processing administrative requests 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
1073549-1 CVE-2022-35735 K13213418, BT1073549 TMSH hardening 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1055925-1 CVE-2022-34844 K34511555, BT1055925 TMM may crash while processing traffic on AWS 17.0.0, 16.1.3.1, 15.1.6.1
1043281-6 CVE-2021-3712 K19559038, BT1043281 OpenSSL vulnerability CVE-2021-3712 17.0.0, 16.1.3.1, 15.1.6.1
1006921-1 CVE-2022-33962 K80970653, BT1006921 iRules Hardening 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1063641-4 CVE-2022-33968 K23465404, BT1063641 NTLM library hardening 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1063637-4 CVE-2022-33968 K23465404, BT1063637 NTLM library hardening 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1036057-1 3-Major BT1036057 Add support for line folding in multipart parser. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1025261-3 3-Major BT1025261 Restjavad uses more resident memory in control plane after software upgrade 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1071621-1 4-Minor BT1071621 Increase the number of supported traffic selectors 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1120433-2 1-Blocking BT1120433 Removed gtmd and big3d daemon from the FIPS-compliant list 17.1.0, 16.1.3.1
989517-3 2-Critical BT989517 Acceleration section of virtual server page not available in DHD 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
957637-1 2-Critical BT957637 The pfmand daemon can crash when it starts. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
936501-1 2-Critical BT936501 Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled 17.1.0, 16.1.3.1, 15.1.9
759928-6 2-Critical BT759928 Engineering Hotfixes might not contain all required packages 17.0.0, 16.1.3.1, 15.1.7
1097193-2 2-Critical K000134769, BT1097193 Unable to SCP files using WinSCP or relative path name 17.1.0, 16.1.3.1, 15.1.9
1076921-1 2-Critical BT1076921 The Hostname in BootMarker logs and /var/log/ltm logs that sourced from TMM were getting truncated. 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1048853-1 2-Critical BT1048853 TMM memory leak of "IKE VBUF" 17.0.0, 16.1.3.1, 15.1.7
1041865-4 2-Critical K16392416, BT1041865 Correctable machine check errors [mce] should be suppressed 17.0.0, 16.1.3.1, 15.1.7
992121-4 3-Major BT992121 REST "/mgmt/tm/services" endpoint is not accessible 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
720610-4 3-Major BT720610 Automatic Update Check logs false 'Update Server unavailable' message on every run 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.2.7, 13.1.3
1123149 3-Major BT1123149 Sys-icheck fail for /etc/security/opasswd 17.1.0, 16.1.3.1
1120685 3-Major BT1120685 Unable to update the password in the CLI when password-memory is set to > 0 17.1.0, 16.1.3.1
1091345-2 3-Major BT1091345 The /root/.bash_history file is not carried forward by default during installations. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1087621-1 3-Major BT1087621 IKEv2: IPsec CREATE_CHILD_SA (IKE) fails due to bad ECP payload 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1048137-2 3-Major BT1048137 IPsec IKEv1 intermittent but consistent tunnel setup failures 17.0.0, 16.1.3.1, 15.1.9
1042737-4 3-Major BT1042737 BGP sending malformed update missing Tot-attr-len of '0'. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1024661-3 3-Major BT1024661 SCTP forwarding flows based on VTAG for bigproto 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
756918-4 4-Minor BT756918 Engineering Hotfix ISOs may be nearly as large as full Release ISOs 17.0.0, 16.1.3.1, 15.1.7
1090569-1 4-Minor BT1090569 After enabling a TLS virtual server, TMM crashes with SIGFPE and 1 hour later with SIGSEGV 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1080317-3 4-Minor BT1080317 Hostname is getting truncated on some logs that are sourced from TMM 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1067105-2 4-Minor BT1067105 Racoon logging shows incorrect SA length. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
944381-2 2-Critical BT944381 Dynamic CRL checking for client certificate is not working when TLS1.3 is used. 17.0.0, 16.1.3.1, 15.1.6.1
780857-4 2-Critical BT780857 HA failover network disruption when cluster management IP is not in the list of unicast addresses 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1113549-3 2-Critical BT1113549 System boots into an inoperative state after installing engineering hotfix with FIPS140-2/140-3 License 17.1.0, 16.1.3.1
1110205-2 2-Critical BT1110205 SSL::collect in CLIENTSSL_DATA prevents orderly connection shutdown 17.1.0, 16.1.3.1, 15.1.9
1087469-2 2-Critical BT1087469 iRules are not triggered when an SSL client connects to a BIG-IP system using an empty certificate. 17.1.0, 16.1.3.1, 15.1.6.1
1087217-2 2-Critical BT1087217 TMM crash as part of the fix made for ID912209 17.1.0, 16.1.3.1
1086677-4 2-Critical BT1086677 TMM Crashes in xvprintf() because of NULL Flow Key 17.0.0, 16.1.3.1, 15.1.7
1080581-1 2-Critical BT1080581 Virtual server creation is not allowed to have TCP, UDP and HTTP together with Client or Server SSL Profiles. 17.0.0, 16.1.3.1, 15.1.5.1
1074517-1 2-Critical BT1074517 Tmm may core while adding/modifying traffic-class attached to a virtual server 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1073609-4 2-Critical BT1073609 Tmm may core while using reject iRule command in LB_SELECTED event. 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1020645 2-Critical BT1020645 When HTTP CONNECT is sent, iRule event HTTP_RESPONSE_RELEASE is not triggered 17.1.0, 16.1.3.1, 15.1.4.1
999881-6 3-Major BT999881 Tcl command 'string first' not working if payload contains Unicode characters. 17.0.0, 16.1.3.1, 15.1.7
948985-3 3-Major BT948985 Workaround to address Nitrox 3 compression engine hang 17.0.0, 16.1.3.1, 15.1.6.1
922413-8 3-Major BT922413 Excessive memory consumption with ntlmconnpool configured 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
748886-4 3-Major BT748886 Virtual server stops passing traffic after modification 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1109833-1 3-Major BT1109833 HTTP2 monitors not sending request 17.1.0, 16.1.3.1
1091761-1 3-Major BT1091761 Mqtt_message memory leaks when iRules are used 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1082225-4 3-Major BT1082225 Tmm may core while Adding/modifying traffic-class attached to a virtual server. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1070789 3-Major BT1070789 SSL fwd proxy invalidating certificate even though bundle has valid CA 17.1.0, 16.1.3.1
1068445-1 3-Major BT1068445 TCP duplicate acks are observed in speed tests for larger requests 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1060989 3-Major BT1060989 Improper handling of HTTP::collect 17.1.0, 16.1.3.1
1053149-1 3-Major BT1053149 A FastL4 TCP connection which is yet to fully establish fails to update its internal SEQ space when a new SYN is received. 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1043805-3 3-Major BT1043805 ICMP traffic over NAT does not work properly. 17.0.0, 16.1.3.1, 15.1.7, 14.1.5.1
1036169-4 3-Major BT1036169 VCMPD rsync server max connection limit: guest "Exit flags for PID 17299: 0x500". 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1022453-4 3-Major BT1022453 IPv6 fragments are dropped when packet filtering is enabled. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1006157-3 3-Major BT1006157 FQDN nodes not repopulated immediately after 'load sys config' 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
987885-6 4-Minor BT987885 Half-open unclean SSL termination might not close the connection properly 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1104073-2 4-Minor BT1104073 Use of iRules command whereis with "isp" or "org" options may cause TCL object leak. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1077701-1 2-Critical BT1077701 GTM "require M from N" monitor rules do not report when the number of "up" responses change 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
984749-1 3-Major BT984749 Discrepancy between DNS cache statistics "Client Summary" and "Client Cache." 17.0.0, 16.1.3.1, 15.1.7
1091249-2 3-Major BT1091249 BIG-IP DNS and Link Controller systems may use an incorrect IPv6 translation address. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1078669-2 3-Major BT1078669 iRule command “RESOLVER::name_lookup” returns null for TCP resolver with TC (truncated) flag set. 17.0.0, 16.1.3.1, 15.1.7
1071301-1 3-Major BT1071301 GTM server does not get updated even when the virtual server status changes. 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1071233-1 3-Major BT1071233 GTM Pool Members may not be updated accurately when multiple identical database monitors are configured 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
950069-1 4-Minor BT950069 Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record" 17.0.0, 16.1.3.1, 15.1.6.1
1084673-2 4-Minor BT1084673 GTM Monitor "require M from N" status change log message does not print pool name 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1048685-4 2-Critical BT1048685 Rare TMM crash when using Bot Defense Challenge 17.0.0, 16.1.3.1, 15.1.7
1015881-4 2-Critical BT1015881 TMM might crash after configuration failure 17.1.0, 16.1.3.1, 15.1.7
886533-5 3-Major BT886533 Icap server connection adjustments 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1083913-2 3-Major BT1083913 Missing error check in ICAP handling 17.1.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1082461-2 3-Major BT1082461 The enforcer cores during a call to 'ASM::raise' from an active iRule 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1
1078765-1 3-Major BT1078765 Arcsight remote log with 200004390,200004389 signatures in the request may crash the enforcer. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1062493-1 3-Major BT1062493 BD crash close to its startup 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1056957-1 3-Major BT1056957 An attack signature can be bypassed under some scenarios. 17.1.0, 17.0.0.1, 16.1.3.1
1036305-5 3-Major BT1036305 "Mandatory request body is missing" violation in staging but request is unexpectedly blocked 17.0.0, 16.1.3.1, 15.1.6.1
1030133-2 3-Major BT1030133 BD core on XML out of memory 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1014973-5 3-Major BT1014973 ASM changed cookie value. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
948241-4 4-Minor BT948241 Count Stateful anomalies based only on Device ID 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
947333-2 4-Minor BT947333 Irrelevant content profile diffs in Policy Diff 17.1.0, 17.0.0.1, 16.1.3.1
1079721 4-Minor BT1079721 OWASP 2017 A2 Category - Login enforcement link is broken 16.1.3.1
1073625-2 4-Minor BT1073625 Peer (standby) unit's policies after autosync show a need for Apply Policy when the imported policy has learning enabled. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1058297-2 4-Minor BT1058297 Policy history values for 'max Size Of Saved Versions' and for 'min Retained Files In Dir' is reset during upgrade 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
1046317-2 4-Minor BT1046317 Violation details are not populated with staged URLs for some violation types 17.0.0, 16.1.3.1, 15.1.6.1
1040513-5 4-Minor BT1040513 The counter for "FTP commands" is always 0. 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1
1014573-1 4-Minor BT1014573 Several large arrays/objects in JSON payload may core the enforcer 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1029689-2 5-Cosmetic BT1029689 Inconsistent username "SYSTEM" in Audit Log 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
926341-5 3-Major BT926341 RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade 17.0.0, 16.1.3.1, 15.1.4, 14.1.4.4, 13.1.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
987341-1 2-Critical BT987341 BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers. 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5
1071485-3 3-Major BT1071485 For IP based bypass, Response Analytics sends RST. 17.0.0, 16.1.3.1, 15.1.10
1063345-5 3-Major BT1063345 Urldbmgrd may crash while downloading the database. 17.0.0, 16.1.3.1, 15.1.9
1043217-1 3-Major BT1043217 NTLM frontend auth fails with the latest Microsoft RDP client on MacOS 14.0.1 platform 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1
1039725-1 3-Major BT1039725 Reverse proxy traffic fails when a per-request policy is attached to a virtual server. 17.0.0, 16.1.3.1, 15.1.9
1024437-6 3-Major BT1024437 Urldb index building fails to open index temp file 17.0.0, 16.1.3.1, 15.1.9
1022493-4 3-Major BT1022493 Slow file descriptor leak in urldbmgrd (sockets open over time) 17.0.0, 16.1.3.1, 15.1.10
1010597-1 3-Major BT1010597 Traffic disruption when virtual server is assigned to a non-default route domain 17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
921441-4 3-Major BT921441 MR_INGRESS iRules that change diameter messages corrupt diam_msg 17.0.0, 16.1.3.1, 15.1.7
1103233-2 4-Minor BT1103233 Diameter in-tmm monitor is logging disconnect events unnecessarily 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
977153-3 3-Major BT977153 Packet with routing header IPv6 as next header in IP layer fails to be forwarded 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1091565-1 2-Critical BT1091565 Gy CCR AVP:Requested-Service-Unit is misformatted/NULL 17.1.0, 16.1.3.1, 15.1.9
1090649-3 3-Major BT1090649 PEM errors when configuring IPv6 flow filter via GUI 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1
1084993 3-Major BT1084993 [PEM][Gy] e2e ID/h2h ID in RAR / RAA Not Matching 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
911585-5 4-Minor BT911585 PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7
815901-2 4-Minor BT815901 Add rule to the disabled pem policy is not allowed 17.0.0, 16.1.3.1, 15.1.7


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
832133-7 3-Major BT832133 In-TMM monitors fail to match certain binary data in the response from the server 17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
1050273-1 3-Major BT1050273 ERR_BOUNDS errors observed with HTTP service in SSL Orchestrator. 17.0.0, 16.1.3.1, 15.1.5



Cumulative fixes from BIG-IP v16.1.3 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
996233-1 CVE-2022-33947 K38893457, BT996233 Tomcat may crash while processing TMUI requests 17.0.0, 16.1.3, 15.1.6.1, 14.1.5
972489-7 CVE-2022-35243 K11010341, BT972489 BIG-IP Appliance Mode iControl hardening 17.0.0, 16.1.3, 15.1.5.1, 14.1.5
1079505-4 CVE-2022-33203 K52534925, BT1079505 TMM may consume excessive resources while processing SSL Orchestrator traffic 17.0.0, 16.1.3, 15.1.6.1, 14.1.5
1081201-1 CVE-2022-41694 K64829234, BT1081201 MCPD certification import hardening 17.0.0, 16.1.3, 15.1.6.1, 14.1.5


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1078821-1 2-Critical BT1078821 Upgrade tomcat with OpenJDK 1.7 32bit to OpenJDK 1.8 32bit 17.0.0, 16.1.3, 15.1.6.1, 14.1.5
1036285-1 3-Major BT1036285 Enforce password expiry after local user creation 17.0.0, 16.1.3


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
947905-4 1-Blocking BT947905 Upgrade from 13.1.4, 14.1.4, or 15.1.1 to 14.0.x, 15.0.x, 16.0.0 or 16.0.0.1 fails 16.1.3, 16.0.1
1101705-2 1-Blocking BT1101705 RSA-KEX ciphers list are removed from httpd configuration in FIPS mode since these are non-approved ciphers for FIPS 140-3 certification 17.1.0, 17.0.0.1, 16.1.3
1083977-1 1-Blocking BT1083977 MCPD crashes when changing HTTPD configuration, all secondary blades of clustered system remain offline 17.0.0, 16.1.3
943109-4 2-Critical BT943109 Mcpd crash when bulk deleting Bot Defense profiles 17.0.0, 16.1.3, 15.1.6.1, 14.1.5
940225-4 2-Critical BT940225 Not able to add more than 6 NICs on VE running in Azure 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
1108181-2 2-Critical BT1108181 iControl REST call with token fails with 401 Unauthorized 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
1079817-1 2-Critical BT1079817 Java null pointer exception when saving UCS with iAppsLX installed 17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1
950149 3-Major BT950149 Add configuration to ccmode for compliance with the Common Criteria STIP PPM. 17.0.0, 16.1.3
896941 3-Major BT896941 Common Criteria ccmode script updated 17.0.0, 16.1.3
886649-5 3-Major BT886649 Connections stall when dynamic BWC policy is changed via GUI and TMSH 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1
724653-5 3-Major BT724653 In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync. 17.0.0, 16.1.3, 15.1.6.1, 14.1.5
1106325 3-Major BT1106325 Upgrade from BIG-IP 16.1.3 to BIG-IP 17.0 does not work when FIPS mode is enabled 16.1.3
1089849 3-Major BT1089849 NIST SP800-90B compliance 17.1.0, 17.0.0.1, 16.1.3
1064357-1 3-Major BT1064357 execute_post_install: EPSEC: Installation of EPSEC package failed 17.0.0, 16.1.3, 15.1.7
1061481-1 3-Major BT1061481 Denied strings were found in the /var/log/ folder after an update or reboot 17.1.0, 17.0.0.1, 16.1.3
1004833 3-Major BT1004833 NIST SP800-90B compliance 17.0.0, 16.1.3, 15.1.4, 14.1.4.2
1100609 4-Minor BT1100609 Length Mismatch in DNS/DHCP IPv6 address in logs and pcap 17.1.0, 16.1.3


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1071689-1 2-Critical BT1071689 SSL connection not immediately closed with HTTP2 connection and lingers until idle timeout 17.0.0, 16.1.3
987077-3 3-Major BT987077 TLS1.3 with client authentication handshake failure 17.0.0, 16.1.3, 15.1.5.1, 14.1.4.6
945357 3-Major BT945357 BIG-IP must be able to set CA=True when creating Certificate Signing Requests from TMSH. 17.0.0, 16.1.3
934697-5 3-Major BT934697 Route domain is not reachable (strict mode) 17.0.0, 16.1.3, 15.1.6.1, 14.1.5
1082505 3-Major BT1082505 TLS ciphersuites including RSA-KEX are non-approved ciphers for FIPS 140-3 certification 17.1.0, 17.0.0.1, 16.1.3
1063977-3 3-Major BT1063977 Tmsh load sys config merge fails with "basic_string::substr" for non-existing key. 17.1.0, 16.1.3
1071269 4-Minor BT1071269 SSL C3D enhancements introduced in BIG-IP version 16.1.3 will not be available in 17.0.0. 16.1.3


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1084173-1 3-Major BT1084173 Unable to specify "no caching desired" for ephemeral DNS resolvers (i.e. RESOLV::lookup). 17.0.0, 16.1.3, 15.1.6.1


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1070833-2 3-Major BT1070833 False positives on FileUpload parameters due to default signature scanning 17.1.0, 16.1.3, 15.1.6.1


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
849029-7 3-Major BT849029 No configurable setting for maximum entries in CRLDP cache 17.0.0, 16.1.3, 15.1.6.1, 14.1.4.4
1097821-2 3-Major BT1097821 Unable to create apm policy customization image using tmsh or VPE in the configuration utility command when source-path is specified 17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5
1053309-1 3-Major BT1053309 Localdbmgr leaks memory while syncing data to sessiondb and mysql. 17.0.0, 16.1.3, 15.1.6.1, 14.1.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
945853-4 2-Critical BT945853 Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession 16.1.3, 15.1.3
990461-5 3-Major BT990461 Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade 17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4
1079637-1 3-Major BT1079637 Incorrect Neuron rule order 17.0.0, 16.1.3, 15.1.5.1
1012581-1 3-Major BT1012581 Evidence of hardware syncookies triggered but no stats after tcp half-open is triggered 17.0.0, 16.1.3, 15.1.6.1, 14.1.5


iApp Technology Fixes

ID Number Severity Links to More Info Description Fixed Versions
1094177-4 1-Blocking BT1094177 Analytics iApp installation fails 17.0.0, 16.1.3, 15.1.6.1, 14.1.5.1
1023721 3-Major BT1023721 iapp_restricted_key not available on fresh installation and overwrites the peer device's master key during config sync 17.0.0, 16.1.3
1004665 3-Major BT1004665 Secure iAppsLX Restricted Storage issues. 17.0.0, 16.1.3



Cumulative fixes from BIG-IP v16.1.2.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
965853-6 CVE-2022-28695 K08510472, BT965853 IM package file hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
964489-7 CVE-2022-28695 K08510472, BT964489 Protocol Inspection IM package hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1051561-7 CVE-2022-1388 K23605346, BT1051561 BIG-IP iControl REST vulnerability CVE-2022-1388 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
993981-3 CVE-2022-28705 K52340447, BT993981 TMM may crash when ePVA is enabled 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
982697-7 CVE-2022-26071 K41440465, BT982697 ICMP hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
951257-5 CVE-2022-26130 K82034427, BT951257 FTP active data channels are not established 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
946325-7 CVE-2022-28716 K25451853, BT946325 PEM subscriber GUI hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
830361-9 CVE-2012-6711 K05122252, BT830361 CVE-2012-6711 Bash Vulnerability 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1087201-6 CVE-2022-0778 K31323265, BT1087201 OpenSSL Vulnerability: CVE-2022-0778 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1078721-1 CVE-2022-27189 K16187341, BT1078721 TMM may consume excessive resources while processing ICAP traffic 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1078053-1 CVE-2022-28701 K99123750, BT1078053 TMM may consume excessive resources while processing STREAM traffic 17.0.0, 16.1.2.2
1071593-4 CVE-2022-32455 K16852653, BT1071593 TMM may crash while processing TLS traffic 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1069629-4 CVE-2022-32455 K16852653, BT1069629 TMM may crash while processing TLS traffic 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
1067993-4 CVE-2022-28714 K54460845, BT1067993 APM Windows Client installer hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1059185-1 CVE-2022-26415 K81952114, BT1059185 iControl REST Hardening 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1057801-6 CVE-2022-28707 K70300233, BT1057801 TMUI does not follow current best practices 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1056933-3 CVE-2022-26370 K51539421, BT1056933 TMM may crash while processing SIP traffic 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6
1055737-1 CVE-2022-35236 K79933541, BT1055737 TMM may consume excessive resources while processing HTTP/2 traffic 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1051797 CVE-2018-18281 K36462841, BT1051797 Linux kernel vulnerability: CVE-2018-18281 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1047053-3 CVE-2022-28691 K37155600, BT1047053 TMM may consume excessive resources while processing RTSP traffic 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5
1032513-3 CVE-2022-35240 K28405643, BT1032513 TMM may consume excessive resources while processing MRF traffic 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1002565-1 CVE-2021-23840 K24624116, BT1002565 OpenSSL vulnerability CVE-2021-23840 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
992073-2 CVE-2022-27181 K93543114, BT992073 APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
982757-3 CVE-2022-26835 K53197140 APM Access Guided Configuration hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
982341-7 CVE-2022-26835 K53197140, BT982341 iControl REST endpoint hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
915981-4 CVE-2022-26340 K38271531, BT915981 BIG-IP SCP hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
823877-7 CVE-2019-10098, CVE-2020-1927 K25126370, BT823877 CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
1071365-5 CVE-2022-29474 K59904248, BT1071365 iControl SOAP WSDL hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1066729-1 CVE-2022-28708 K85054496, BT1066729 TMM may crash while processing DNS traffic 17.0.0, 16.1.2.2, 15.1.5.1
1057809-6 CVE-2022-27659 K41877405, BT1057809 Saved dashboard hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1047089-2 CVE-2022-29491 K14229426, BT1047089 TMM may terminate while processing TLS/DTLS traffic 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6
1001937-1 CVE-2022-27634 K57555833, BT1001937 APM configuration hardening 17.0.0, 16.1.2.2, 15.1.5.1
1000021-7 CVE-2022-27182 K31856317, BT1000021 TMM may consume excessive resources while processing packet filters 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6
1020609-7 CVE-2022-23032 K30525503, BT1020609 BIG-IP APM Edge Client proxy vulnerability CVE-2022-23032 16.1.2.2
713754-3 CVE-2017-15715 K27757011 Apache vulnerability: CVE-2017-15715 16.1.2.2, 15.1.5.1, 14.1.4.5


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
435231 2-Critical K79342815, BT435231 Support RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral parameters 17.0.0, 16.1.2.2
1050537-1 2-Critical BT1050537 GTM pool member with none monitor will be part of load balancing decisions. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
882709-6 3-Major BT882709 Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors 17.0.0, 16.1.2.2, 15.1.6.1
874941-4 3-Major BT874941 HTTP authentication in the access policy times out after 60 seconds 16.1.2.2, 15.1.6.1, 14.1.5
669046-7 3-Major BT669046 Handling large replies to MCP audit_request messages 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1046669-1 3-Major BT1046669 The audit forwarders may prematurely time out waiting for TACACS responses 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1033837-1 4-Minor K23605346, BT1033837 REST authentication tokens persist on reboot 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1070009 1-Blocking BT1070009 iprepd, icr_eventd and tmipsecd restarts continuously after installing FIPS 140-3 license in BIG-IP cloud platform 17.0.0, 16.1.2.2
976669-5 2-Critical BT976669 FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade 17.0.0, 16.1.2.2, 16.1.0, 15.1.5.1, 14.1.4.6
935177-3 2-Critical BT935177 IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm 17.0.0, 16.1.2.2, 15.1.6.1
1059165-1 2-Critical BT1059165 Multiple virtual server pages fail to load. 17.0.0, 16.1.2.2
1048141-3 2-Critical BT1048141 Sorting pool members by 'Member' causes 'General database error' 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1047213-1 2-Critical BT1047213 VPN Client to Client communication fails when clients are connected to different TMMs. 17.0.0, 16.1.2.2
1007901-1 2-Critical BT1007901 Support for FIPS 140-3 Module identifier service. 17.0.0, 16.1.2.2
999125-1 3-Major BT999125 After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
992865-3 3-Major BT992865 Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances 17.1.0, 16.1.2.2, 15.1.4
988165-3 3-Major BT988165 VMware CPU reservation is now enforced. 17.0.0, 16.1.2.2, 15.1.5.1
984585-3 3-Major BT984585 IP Reputation option not shown in GUI. 17.0.0, 16.1.2.2, 15.1.5.1
963541-1 3-Major BT963541 Net-snmp5.8 crash 17.0.0, 16.1.2.2, 15.1.5.1
959985-3 3-Major BT959985 Update VMware hardware version templates for BIG-IP Virtual Edition (VE) from v10 to v13 in order to support VMs deployed in more versions of vSphere ESXi. 17.0.0, 16.1.2.2, 15.1.6.1
943669-4 3-Major BT943669 B4450 blade reboot 16.1.2.2, 15.1.2
943577-1 3-Major BT943577 Full sync failure for traffic-matching-criteria with port list under certain conditions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
912253-2 3-Major BT912253 Non-admin users cannot run show running-config or list sys 17.0.0, 16.1.2.2, 15.1.5.1
907549-6 3-Major BT907549 Memory leak in BWC::Measure 17.0.0, 16.1.2.2, 15.1.0.5, 14.1.5
901669-6 3-Major BT901669 Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
755976-9 3-Major BT755976 ZebOS might miss kernel routes after mcpd daemon restart 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1083537 3-Major BT1083537 FIPS 140-3 Certification 17.1.0, 17.0.0.1, 16.1.2.2
1076377-3 3-Major BT1076377 OSPF path calculation for IA and E routes is incorrect. 17.0.0, 16.1.2.2, 15.1.9
1074113-1 3-Major BT1074113 IPsec IKEv2: Selectors incorrectly marked up after disable ike-peer 17.0.0, 16.1.2.2
1071609-2 3-Major BT1071609 IPsec IKEv1: Log Key Exchange payload in racoon.log. 17.0.0, 16.1.2.2, 15.1.6.1
1066285-4 3-Major BT1066285 Master Key decrypt failure - decrypt failure. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1065585-1 3-Major BT1065585 System does not halt on FIPS/entropy error threshold for BIG-IP Virtual Edition 17.0.0, 16.1.2.2
1064461-4 3-Major BT1064461 PIM-SM will not complete RP registration over tunnel interface when floating IP address is used. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1060625-1 3-Major BT1060625 Wrong INTERNAL_IP6_DNS length. 17.1.0, 17.0.0, 16.1.2.2
1060149-2 3-Major BT1060149 BIG-IP vCMP guest data-plane failure with turboflex-adc selected on the host. 17.0.0, 16.1.2.2, 15.1.5.1
1059853 3-Major BT1059853 Long loading configuration time after upgrade from 15.1.3.1 to 16.1.2. 17.0.0, 16.1.2.2
1056993-2 3-Major BT1056993 404 error is raised on GUI when clicking "App IQ." 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1056741-2 3-Major BT1056741 ECDSA certificates signed by RSA CA are not selected based by SNI. 17.0.0, 16.1.2.2, 15.1.5.1
1052893-4 3-Major BT1052893 Configuration option to delay reboot if dataplane becomes inoperable 17.1.1, 16.1.2.2
1048541-1 3-Major BT1048541 Certificate Order Manager: renew requests to the Comodo (now Sectigo) CA are unsuccessful. 17.0.0, 16.1.2.2, 15.1.5.1
1047169-1 3-Major BT1047169 GTM AAAA pool can be deleted from the configuration despite being in use by an iRule. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1022637-1 3-Major BT1022637 A partition other than /Common may fail to save the configuration to disk 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5
1020789-4 3-Major BT1020789 Cannot deploy a four-core vCMP guest if the remaining cores are in use. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5
1019357-2 3-Major BT1019357 Active fails to resend ipsec ikev2_message_id_sync if no response received 17.0.0, 16.1.2.2, 15.1.6.1
1008837-1 3-Major BT1008837 Control plane is sluggish when mcpd processes a query for virtual server and address statistics 17.0.0, 16.1.2.2, 15.1.4, 14.1.4.4
1008269-1 3-Major BT1008269 Error: out of stack space 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
976337-2 4-Minor BT976337 i40evf Requested 4 queues, but PF only gave us 16. 16.1.2.2, 15.1.5.1
742753-8 4-Minor BT742753 Accessing the BIG-IP system's WebUI via special proxy solutions may fail 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
528894-5 4-Minor BT528894 Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5
1072237-1 4-Minor BT1072237 Retrieval of policy action stats causes memory leak 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1067617-4 4-Minor BT1067617 BGP default route not advertised after mid-session OPEN. 17.0.0, 16.1.2.2, 15.1.6.1
1062333-6 4-Minor   Linux kernel vulnerability: CVE-2019-19523 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1061797-1 4-Minor BT1061797 Upgraded AWS CloudFormation Helper Scripts which now support IMDSv2 17.0.0, 16.1.2.2, 15.1.5.1
1058677-2 4-Minor BT1058677 Not all SCTP connections are mirrored on the standby device when auto-init is enabled. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1046693-4 4-Minor BT1046693 TMM with BFD configured might crash under significant memory pressure 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1045549-4 4-Minor BT1045549 BFD sessions remain DOWN after graceful TMM restart 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1040821-4 4-Minor BT1040821 Enabling an iRule or selecting a pool re-checks the "Address Translation" and "Port Translation" checkboxes 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1034589-1 4-Minor BT1034589 No warning is given when a pool or trunk that was in use by a high availability (HA) Group is deleted from the configuration. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1034329-1 4-Minor BT1034329 SHA-512 checksums for BIG-IP Virtual Edition (VE) images available on downloads.f5.com 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1031425-3 4-Minor BT1031425 Provide a configuration flag to disable BGP peer-id check. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1030645-4 4-Minor BT1030645 BGP session resets during traffic-group failover 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1024621-4 4-Minor BT1024621 Re-establishing BFD session might take longer than expected. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1011217-5 4-Minor BT1011217 TurboFlex Profile setting reverts to turboflex-base after upgrade 17.0.0, 16.1.2.2, 15.1.6.1
1002809-4 4-Minor BT1002809 OSPF vertex-threshold should be at least 100 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
968929-2 2-Critical BT968929 TMM may crash when resetting a connection on an APM virtual server 17.0.0, 16.1.2.2
910213-7 2-Critical BT910213 LB::down iRule command is ineffective, and can lead to inconsistent pool member status 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1071449-4 2-Critical BT1071449 The statsd memory leak on platforms with license disabled processors. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1064617-1 2-Critical BT1064617 DBDaemon process may write to monitor log file indefinitely 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1059053-2 2-Critical BT1059053 Tmm crash when passing traffic over some configurations with L2 virtual wire 17.0.0, 16.1.2.2, 15.1.5.1
1047581-3 2-Critical BT1047581 Ramcache can crash when serving files from the hot cache 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
999901-1 3-Major K68816502, BT999901 Certain LTM policies may not execute correctly after a system reboot or TMM restart. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
993517-1 3-Major BT993517 Loading an upgraded config can result in a file object error in some cases 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
977761 3-Major BT977761 Connections are dropped if a certificate is revoked. 17.1.0, 16.1.2.2
967101-1 3-Major BT967101 When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
955617-8 3-Major BT955617 Cannot modify properties of a monitor that is already in use by a pool 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
953601-4 3-Major BT953601 HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
936441-7 3-Major BT936441 Nitrox5 SDK driver logging messages 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
912517-7 3-Major BT912517 Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
902377-4 3-Major BT902377 HTML profile forces re-chunk even though HTML::disable 17.0.0, 16.1.2.2, 15.1.5.1
883049-9 3-Major BT883049 Statsd can deadlock with rrdshim if an rrd file is invalid 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
803109-4 3-Major BT803109 Certain configuration may result in zombie forwarding flows 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
794385-6 3-Major BT794385 BGP sessions may be reset after CMP state change 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
672963-1 3-Major BT672963 MSSQL monitor fails against databases using non-native charset 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1083989-1 3-Major BT1083989 TMM may restart if abort arrives during MBLB iRule execution 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1073973-1 3-Major BT1073973 Gateway HTTP/2, response payload intermittently not forwarded to client. 17.0.0, 16.1.2.2
1072953-2 3-Major BT1072953 Memory leak in traffic management interface. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1071585-1 3-Major BT1071585 BIG-IP system does not respond to an arp from a SelfIP configured in virtual wire mode 17.0.0, 16.1.2.2
1068561-1 3-Major BT1068561 Can't create key on the second netHSM partition. 17.0.0, 16.1.2.2, 15.1.5.1
1068353-1 3-Major BT1068353 Unexpected event sequence may cause HTTP/2 flow stall during shutdown 16.1.2.2
1064157-1 3-Major BT1064157 Http_proxy_opaque_get should constrain search to local/spawn flows, not looped flows 17.0.0, 16.1.2.2, 15.1.6.1
1063453-1 3-Major BT1063453 FastL4 virtual servers translating between IPv4 and IPv6 may crash on fragmented packets. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1058469-1 3-Major BT1058469 Disabling strict-updates for an iApp service which includes a non-default NTLM profile will cause virtual servers using that profile to stop working. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1056401-4 3-Major BT1056401 Valid clients connecting under active syncookie mode might experience latency. 17.0.0, 16.1.2.2, 15.1.5.1
1055097-1 3-Major BT1055097 TCP proxy with ramcache and OneConnect can result in out-of-order events, which stalls the flow. 17.0.0, 16.1.2.2
1052929-4 3-Major BT1052929 MCPD logs "An internal login failure is being experienced on the FIPS card" when FIPS HSM is uninitialized. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1043357-4 3-Major BT1043357 SSL handshake may fail when using remote crypto client 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1043017-4 3-Major BT1043017 Virtual-wire with standard-virtual fragmentation 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6
1042913-2 3-Major BT1042913 Pkcs11d CPU utilization jumps to 100% 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1042509-1 3-Major BT1042509 On an HTTP2 gateway virtual server, TMM does not ever update the stream's window for a large POST request 17.0.0, 16.1.2.2
1029897-1 3-Major K63312282, BT1029897 Malformed HTTP2 requests can be passed to HTTP/1.1 server-side pool members. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1024841-2 3-Major BT1024841 SSL connection mirroring with ocsp connection failure on standby 17.0.0, 16.1.2.2, 15.1.5.1
1024225-3 3-Major BT1024225 BIG-IP sends "Transfer-Encoding: chunked" to http/2 client after HEAD request 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1020549-1 3-Major BT1020549 Server-side connections stall with zero window with OneConnect profile 17.0.0, 16.1.2.2
1017721-5 3-Major BT1017721 WebSocket does not close cleanly when SSL enabled. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5.1
1017533-3 3-Major BT1017533 Using TMC might cause virtual server vlans-enabled configuration to be ignored 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6
1016449-3 3-Major BT1016449 After certain configuration tasks are performed, TMM may run with stale Self IP parameters. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1008501-1 3-Major BT1008501 TMM core 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1008009-3 3-Major BT1008009 SSL mirroring null hs during session sync state 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
1006781-2 3-Major BT1006781 Server SYN is sent on VLAN 0 when destination MAC is multicast 17.0.0, 16.1.2.2, 15.1.4.1
1004897-5 3-Major BT1004897 'Decompression' is logged instead of 'Max Headers Exceeded' GoAway reason 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.4
1004689-4 3-Major BT1004689 TMM might crash when pool routes with recursive nexthops and reselect option are used. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
838305-9 4-Minor BT838305 BIG-IP may create multiple connections for packets that should belong to a single flow. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
717806-8 4-Minor BT717806 In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1080341-4 4-Minor BT1080341 Changing an L2-forward virtual to any other virtual type might not update the configuration. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1075205-1 4-Minor BT1075205 Using TCP::close after HTTP::redirect/HTTP::respond causes HTTP response not to be delivered to the client. 17.0.0, 16.1.2.2
1064669-1 4-Minor BT1064669 Using HTTP::enable iRule command in RULE_INIT event might cause TMM to crash. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
1026605-6 4-Minor BT1026605 When bigd.mgmtroutecheck is enabled monitor probes may be denied for non-mgmt routes 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1026005-1 4-Minor BT1026005 BIG-IP Virtual Edition (VE) does NOT preserve the order of NICs 5-10 defined in the VMware ESXi hypervisor and NSXT platforms. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
1016441-4 4-Minor K11342432, BT1016441 RFC Enforcement Hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1016049-6 4-Minor BT1016049 EDNS query with CSUBNET dropped by protocol inspection 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
968581-4 5-Cosmetic BT968581 TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1062513-4 2-Critical BT1062513 GUI returns 'no access' error message when modifying a GTM pool property. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1030881-1 2-Critical BT1030881 [GTM] Upgrade failure - 01070022:3: The monitor template min was not found. 17.0.0, 16.1.2.2
1027657-4 2-Critical BT1027657 Monitor scheduling is sometimes inconsistent for "require M from N" monitor rules. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
1011433-1 2-Critical BT1011433 TMM may crash under memory pressure when performing DNS resolution 17.0.0, 16.1.2.2, 15.1.6.1
1010617-1 2-Critical BT1010617 String operation against DNS resource records cause tmm memory corruption 17.0.0, 16.1.2.2, 15.1.5.1
876677-2 3-Major BT876677 When running the debug version of TMM, an assertion may be triggered due to an expired DNS lookup. 17.0.0, 16.1.2.2, 15.1.6.1
1076401-5 3-Major BT1076401 Memory leak in TMM (ldns) when exceeding dnssec.maxnsec3persec. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1064189-1 3-Major BT1064189 DoH proxy and server listeners from GUI with client-ssl profile and server-ssl profile set to None produces undefined warning 17.0.0, 16.1.2.2
1046785-1 3-Major BT1046785 Missing GTM probes when max synchronous probes are exceeded. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5, 13.1.5
1044425-1 3-Major K85021277, BT1044425 NSEC3 record improvements for NXDOMAIN 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1020337-2 3-Major BT1020337 DNS msg_ObjType can cause buffer overrun due to lack of NUL terminator 17.0.0, 16.1.2.2, 15.1.5.1
1018613-1 3-Major BT1018613 Modifying wideip pools with replace-all-with results in pools with the same order 0 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1079909-1 2-Critical K82724554, BT1079909 The bd generates a core file 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.4.6, 13.1.5
1069501-1 2-Critical K22251611, BT1069501 ASM may not match certain signatures 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1069449-1 2-Critical K39002226, BT1069449 ASM attack signatures may not match cookies as expected 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1068237-1 2-Critical BT1068237 Some attack signatures added to policies are not used. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1000789-1 2-Critical BT1000789 ASM-related iRule keywords may not work as expected 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
965785-4 3-Major BT965785 Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
961509-5 3-Major BT961509 ASM blocks WebSocket frames with signature matched but Transparent policy 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
926845-7 3-Major BT926845 Inactive ASM policies are deleted upon upgrade 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
923221-8 3-Major BT923221 BD does not use all the CPU cores 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
818889-1 3-Major BT818889 False positive malformed json or xml violation. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1077281-2 3-Major BT1077281 Import xml policy fails with “Malformed xml” error when session awareness configuration contains login pages 17.1.0, 16.1.2.2, 15.1.6.1
1072197-1 3-Major K94142349, BT1072197 Issue with input normalization in WebSocket. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1070273-1 3-Major BT1070273 OWASP Dashboard does not calculate Disallow DTDs in XML content profile protection properly. 17.0.0, 16.1.2.2, 15.1.6.1
1069133-4 3-Major BT1069133 ASMConfig memory leak 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1067285-1 3-Major BT1067285 Re-branding - Change 'F5 Networks, Inc.' to 'F5, Inc.' 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1066829-1 3-Major BT1066829 Memory leak for xml/json auto-detected parameter with signature patterns. 17.0.0, 16.1.2.2, 15.1.5.1
1061617-4 3-Major BT1061617 Some of the URL Attack signatures are not detected in the URL if "Handle Path Parameters" is configured "As Parameters". 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1060933-1 3-Major K49237345 Issue with input normalization. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1059621-2 3-Major BT1059621 IP Exceptions feature and SSRF feature do not work as expected if both the entries are configured with the same IP/IPs. 17.0.0, 16.1.2.2
1056365-1 3-Major BT1056365 Bot Defense injection does not follow best SOP practice. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1052173-1 3-Major BT1052173 For wildcard SSRF hosts "Matched Disallowed Address" field is wrong in the SSRF violation. 17.0.0, 16.1.2.2
1052169 3-Major BT1052169 Traffic is blocked on detection of an SSRF violation even though the URI parameter is in staging mode 16.1.2.2
1051213-1 3-Major BT1051213 Increase default value for violation 'Check maximum number of headers'. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1051209-1 3-Major K53593534, BT1051209 BD may not process certain HTTP payloads as expected 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1047389-4 3-Major BT1047389 Bot Defense challenge hardening 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1043533-3 3-Major BT1043533 Unable to pick up the properties of the parameters from audit reports. 17.0.0, 16.1.2.2, 15.1.5.1
1043385-4 3-Major BT1043385 No Signature detected If Authorization header is missing padding. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1042605-1 3-Major BT1042605 ASM Critical Warnings during UCS load after upgrade to v15.1.0 or above 17.0.0, 16.1.2.2, 15.1.5.1
1041149-1 3-Major BT1041149 Staging of URL does not affect apply value signatures 17.0.0, 16.1.2.2, 15.1.5.1
1038733-4 3-Major BT1038733 Attack signature not detected for unsupported authorization types. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1037457-1 3-Major BT1037457 High CPU during specific dos mitigation 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1033017-1 3-Major BT1033017 Policy changes learning mode to automatic after upload and sync 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1030853-1 3-Major BT1030853 Route domain IP exception is being treated as trusted (for learning) after being deleted 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1028473-1 3-Major BT1028473 URL sent with trailing slash might not be matched in ASM policy 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1023993-4 3-Major BT1023993 Brute Force is not blocking requests, even when auth failure happens multiple times 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1021521-1 3-Major BT1021521 JSON Schema is not enforced if OpenAPI media-type is wild card. 17.0.0, 16.1.2.2
1019721-1 3-Major BT1019721 Wrong representation of JSON/XML validation files in template based (minimal) JSON policy export 17.0.0, 16.1.2.2
1012221-1 3-Major BT1012221 The childInheritanceStatus is not compatible with parentInheritanceStatus 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1011069-1 3-Major BT1011069 Group/User R/W permissions should be changed for .pid and .cfg files. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1008849-4 3-Major BT1008849 OWASP "A4 XML External Entities (XXE)" is not reflecting the XXE signatures configuration. 17.0.0, 16.1.2.2, 15.1.5.1
844045-4 4-Minor BT844045 ASM Response event logging for "Illegal response" violations. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1066377-1 4-Minor BT1066377 OpenAPI - Content profile is not consistent with wildcard configuration 17.0.0, 16.1.2.2
1050697-4 4-Minor BT1050697 Traffic learning page counts Disabled signatures when they are ready to be enforced 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1048445-1 4-Minor BT1048445 Accept Request button is clickable for unlearnable violation illegal host name 17.1.0, 16.1.2.2, 15.1.6.1
1039245-2 4-Minor BT1039245 Policy Properties screen does not load and display 17.0.0, 16.1.2.2
1038741-4 4-Minor BT1038741 NTLM type-1 message triggers "Unparsable request content" violation. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1036521-1 4-Minor BT1036521 TMM crash in certain cases 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1035361-4 4-Minor BT1035361 Illegal cross-origin after successful CAPTCHA 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.5
1034941-1 4-Minor BT1034941 Exporting and then re-importing "some" XML policy does not load the XML content-profile properly 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1021637-4 4-Minor BT1021637 In some cases BD enforces CSRF on all URLs, ignoring CSRF URLs 17.1.0, 16.1.2.2, 15.1.6.1
1020717-4 4-Minor BT1020717 Policy versions cleanup process sometimes removes newer versions 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
1038913-4 3-Major BT1038913 The weekly ASM reporting "Security ›› Reporting : Application : Charts" filter "View By" as IP Intelligence shows only the "Safe" category 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
858005-1 3-Major BT858005 When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:" 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
423519-5 3-Major K74302282, BT423519 Bypass disabling the redirection controls configuration of APM RDP Resource. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1045229-1 3-Major BT1045229 APMD leaks Tcl_Objs as part of the fix made for ID 1002557 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
1044121-3 3-Major BT1044121 APM logon page is not rendered if db variable "ipv6.enabled" is set to false 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1029397-4 2-Critical BT1029397 Tmm may crash with SIP-ALG deployment in a particular race condition 17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6
957905-1 3-Major BT957905 SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
1082885-1 3-Major BT1082885 MR::message route virtual asserts when configuration changes during ongoing traffic 17.0.0, 16.1.2.2, 15.1.6, 14.1.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
964625-5 3-Major BT964625 Improper processing of firewall-rule metadata 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
959609-4 3-Major BT959609 Autodiscd daemon keeps crashing 17.0.0, 16.1.2.2, 15.1.6.1
929909-3 3-Major BT929909 TCP Packets are not dropped in IP Intelligence 17.0.0, 16.1.2.2, 15.1.5.1
1008265-1 3-Major K92306170, BT1008265 DoS Flood and Sweep vector states are disabled on an upgrade to BIG-IP software versions 14.x and beyond 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1072057-1 4-Minor BT1072057 "ANY" appears despite setting an IP address or host as the source in Security->Network Firewall->Policy. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1086897-1 2-Critical BT1086897 PEM subscriber lookup can fail for internet side/subscriber side new connections 17.0.0, 16.1.2.2


Carrier-Grade NAT Fixes

ID Number Severity Links to More Info Description Fixed Versions
1028269-2 2-Critical BT1028269 Device using CGNAT + subscriber discovery license shows unknown for pem_subscriber-id. 17.0.0, 16.1.2.2, 15.1.5.1
1019613-5 2-Critical BT1019613 Unknown subscriber in PBA deployment may cause CPU spike 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6
1064217-1 3-Major BT1064217 Port bit not set correctly in the ipv6 destination address with 1:8 mapping for CGNAT MAP-T. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


Fraud Protection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1038445-1 2-Critical BT1038445 During upgrade to 16.1, the previous FPS Engine live update remains active 17.0.0, 16.1.2.2
873617-1 3-Major BT873617 DataSafe is not available with AWAF license after BIG-IP startup or MCP restart. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1071181-2 3-Major BT1071181 Improving Signature Detection Accuracy 16.1.2.2, 15.1.6.1, 14.1.5
1060409-2 4-Minor BT1060409 Behavioral DoS enable checkbox is wrong. 17.1.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
1033829-3 2-Critical BT1033829 Unable to load Traffic Classification package 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.5
1052153-2 3-Major BT1052153 Signature downloads for traffic classification updates via proxy fail 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
1072733-4 2-Critical   Protocol Inspection IM package hardening 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
1070677-1 3-Major BT1070677 Learning phase does not take traffic into account - dropping all. 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
940261-1 4-Minor BT940261 Support IPS package downloads via HTTP proxy. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


In-tmm monitors Fixes

ID Number Severity Links to More Info Description Fixed Versions
944121-4 3-Major BT944121 Missing SNI information when using non-default domain https monitor running in TMM mode. 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
854129-6 3-Major BT854129 SSL monitor continues to send previously configured server SSL configuration after removal 17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
1050969-1 1-Blocking BT1050969 After running clear-rest-storage you are logged out of the UI with a message - Your login credentials no longer valid 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5
969297 3-Major BT969297 Virtual IP configured on a system with SelfIP on vwire becomes unresponsive 16.1.2.2
1058401-1 3-Major BT1058401 SSL Bypass does not work for inbound traffic 17.0.0, 16.1.2.2
1048033-1 3-Major BT1048033 Server-speaks-first traffic might not work with SSL Orchestrator 17.0.0, 16.1.2.2
1047377-1 3-Major BT1047377 "Server-speak-first" traffic might not work with SSL Orchestrator 17.0.0, 16.1.2.2
1029869-1 3-Major BT1029869 Use of ha-sync script may cause gossip communications to fail 17.0.0, 16.1.2.2, 15.1.6.1
1029585-1 3-Major BT1029585 Use of ha-sync script may cause platforms in a sync-failover device group to fall out of sync 17.0.0, 16.1.2.2, 15.1.6.1



Cumulative fixes from BIG-IP v16.1.2.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
1045101-4 CVE-2022-26890 K03442392, BT1045101 Bd may crash while processing ASM traffic 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6, 13.1.5
940185-7 CVE-2022-23023 K11742742, BT940185 icrd_child may consume excessive resources while processing REST requests 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
1065789-1 CVE-2023-24594 K000133132, BT1065789 TMM may send duplicated alerts while processing SSL connections 17.0.0, 16.1.2.1, 15.1.5
1063389-6 CVE-2015-5191 K84583382, BT1063389 open-vm-tools vulnerability: CVE-2015-5191 17.0.0, 16.1.2.1, 14.1.5


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
1015133-5 3-Major BT1015133 Tail loss can cause TCP TLP to retransmit slowly. 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
749332-1 2-Critical BT749332 Client-SSL Object's description can be updated using CLI and with REST PATCH operation 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.4
996001-5 3-Major BT996001 AVR Inspection Dashboard 'Last Month' does not show all data points 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
994305-3 3-Major BT994305 The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5 17.0.0, 16.1.2.1, 15.1.5.1
968657-1 3-Major BT968657 Added support for IMDSv2 on AWS 17.0.0, 16.1.2.1, 15.1.5.1
1032949-1 3-Major BT1032949 Dynamic CRL configured with client authentication profile as "Request" causes connection termination without certificate. 17.0.0, 16.1.2.1, 15.1.5
1041765-2 4-Minor BT1041765 Racoon may crash in rare cases 17.0.0, 16.1.2.1, 15.1.10


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
999097-1 3-Major BT999097 SSL::profile may select profile with outdated configuration 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
910673-6 3-Major BT910673 Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM' 17.0.0, 16.1.2.1, 15.1.5.1
898929-6 3-Major BT898929 Tmm might crash when ASM, AVR, and pool connection queuing are in use 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
1038629-4 3-Major BT1038629 DTLS virtual server not performing clean shutdown upon reception of CLOSE_NOTIFY from client 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
1031609-1 3-Major BT1031609 Improve nethsm-thales-install.sh and nethsm-thales-rfs-install.sh to be compatible with Entrust Client v12.60.10 package. 17.0.0, 16.1.2.1, 15.1.5.1
1019609-1 3-Major BT1019609 No Error logging when BIG-IP device's IP address is not added in client list on netHSM. 17.0.0, 16.1.2.1, 15.1.5.1
1017513-5 3-Major BT1017513 Config sync fails with error Invalid monitor rule instance identifier or monitors are in a bad state such as checking 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5
1007749-2 3-Major BT1007749 URI TCL parse functions fail when there are interior segments with periods and semi-colons 17.0.0, 16.1.2.1, 15.1.5
1048433-1 4-Minor BT1048433 Improve Extract logic of thales-sync.sh to support VIPRION cluster to support 12.6.10 client installation. 16.1.2.1, 15.1.5.1
1024761-1 4-Minor BT1024761 HTTP adds Transfer-Encoding and terminating chunk to responses that cannot have a body 17.0.0, 16.1.2.1, 15.1.5
1005109-4 4-Minor BT1005109 TMM crashes when changing traffic-group on IPv6 link-local address 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
935249-3 3-Major BT935249 GTM virtual servers have the wrong status 17.0.0, 16.1.2.1, 15.1.5
1039553-1 3-Major BT1039553 Non-200 HTTP status codes fail to be matched by GTM HTTP(S) monitors 17.0.0, 16.1.2.1, 15.1.5
1021061-4 3-Major BT1021061 Config fails to load for large config on platform with Platform FIPS license enabled 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
993613-7 2-Critical BT993613 Device fails to request full sync 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
984593-1 3-Major BT984593 BD crash 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5
921697-1 3-Major BT921697 Attack signature updates fail to install with Installation Error. 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.6
907025-5 3-Major BT907025 Live update error: 'Try to reload page' 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
885765-1 3-Major BT885765 ASMConfig Handler undergoes frequent restarts 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
830341-5 3-Major BT830341 False positives Mismatched message key on ASM TS cookie 17.0.0, 16.1.2.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
1043205-1 3-Major BT1043205 SSRF Violation should be shown as a Parameter Entity Reference. 16.1.2.1
1042069-1 3-Major   Some signatures are not matched under specific conditions. 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5, 13.1.5
1002385-1 4-Minor K67397230, BT1002385 Fixing issue with input normalization 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.6


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
1009093-2 2-Critical BT1009093 GUI widgets pages are not functioning correctly 17.0.0, 16.1.2.1, 15.1.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
969317-4 3-Major BT969317 "Restrict to Single Client IP" option is ignored for vmware VDI 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5
828761-5 3-Major BT828761 APM OAuth - Auth Server attached iRule works inconsistently 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
827393-5 3-Major BT827393 In rare cases tmm crash is observed when using APM as RDG proxy. 17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5
738593-3 3-Major BT738593 Vmware Horizon session collaboration (shadow session) feature does not work through APM. 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
1007677-2 3-Major BT1007677 Artifact resolution on SAML IdP fails with error 'SAML SSO: Cannot find SP connector' 17.0.0, 16.1.2.1, 15.1.4.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1039329-2 3-Major BT1039329 MRF per peer mode is not working in vCMP guest. 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5
1025529-2 3-Major BT1025529 TMM generates core when iRule executes a nexthop command and SIP traffic is sent 17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5


Policy Enforcement Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
956013-4 3-Major BT956013 System reports {{validation_errors}} 16.1.2.1, 15.1.5, 14.1.4.5


Anomaly Detection Services Fixes

ID Number Severity Links to More Info Description Fixed Versions
1023437-1 3-Major   Buffer overflow during attack with large HTTP Headers 17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
1055361-1 2-Critical BT1055361 Suspending iRule command in L7CHECK_CLIENT_DATA can lead to a tmm crash. 17.0.0, 16.1.2.1, 15.1.5.1



Cumulative fixes from BIG-IP v16.1.2 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
991421-2 CVE-2022-23016 K91013510, BT991421 TMM may crash while processing TLS traffic 17.0.0, 16.1.2, 15.1.4.1
989701-8 CVE-2020-25212 K42355373, BT989701 CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where, when mounting a remote attacker-controlled server, it could return a specially crafted response 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
988549-10 CVE-2020-29573 K27238230, BT988549 CVE-2020-29573: glibc vulnerability 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
968893-3 CVE-2022-23014 K93526903, BT968893 TMM crash when processing APM traffic 17.0.0, 16.1.2, 15.1.4.1
940317-9 CVE-2020-13692 K23157312, BT940317 CVE-2020-13692: PostgreSQL JDBC Driver vulnerability 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
1037181-1 CVE-2022-23022 K96924184, BT1037181 TMM may crash while processing HTTP traffic 17.0.0, 16.1.2
1032405-1 CVE-2021-23037 K21435974, BT1032405 TMUI XSS vulnerability CVE-2021-23037 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1031269 CVE-2022-23020 K17514331, BT1031269 TMM may consume excessive resources when processing logging profiles 17.0.0, 16.1.2
1030689-1 CVE-2022-23019 K82793463, BT1030689 TMM may consume excessive resources while processing Diameter traffic 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
1029629-1 CVE-2022-28706 K03755971, BT1029629 TMM may crash while processing DNS lookups 17.0.0, 16.1.2, 15.1.5.1
1028669-7 CVE-2019-9948 K28622040, BT1028669 Python vulnerability: CVE-2019-9948 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1028573-6 CVE-2020-10878 K40508224, BT1028573 Perl vulnerability: CVE-2020-10878 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1028497-7 CVE-2019-15903 K05295469, BT1028497 libexpat vulnerability: CVE-2019-15903 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1021713-1 CVE-2022-41806 K00721320, BT1021713 TMM may crash when processing AFM NAT64 policy 17.0.0, 16.1.2, 15.1.5.1
1012365-4 CVE-2021-20305 K33101555, BT1012365 Nettle cryptography library vulnerability CVE-2021-20305 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1007489-7 CVE-2022-23018 K24358905, BT1007489 TMM may crash while handling specific HTTP requests 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
974341-6 CVE-2022-23026 K08402414, BT974341 REST API: File upload 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
973409-6 CVE-2020-1971 K42910051, BT973409 CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
941649-8 CVE-2021-23043 K63163637, BT941649 Local File Inclusion Vulnerability 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
803965-10 CVE-2018-20843 K51011533, BT803965 Expat Vulnerability: CVE-2018-20843 17.0.0, 16.1.2, 15.1.4, 14.1.4.5, 13.1.5
1035729-1 CVE-2022-23021 K57111075, BT1035729 TMM may crash while processing HTTP traffic 17.0.0, 16.1.2
1009725-1 CVE-2022-23030 K53442005, BT1009725 Excessive resource usage when ixlv drivers are enabled 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
985953-6 4-Minor BT985953 GRE Transparent Ethernet Bridging inner MAC overwrite 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
1039049-2 1-Blocking BT1039049 Installing EHF on particular platforms fails with error "RPM transaction failure" 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
997313-2 2-Critical BT997313 Unable to create APM policies in a sync-only folder 17.0.0, 16.1.2, 15.1.4.1
1031357-2 2-Critical BT1031357 After reboot of standby and terminating peer, some IPsec traffic-selectors are still online 17.0.0, 16.1.2
1029949-2 2-Critical BT1029949 IPsec traffic selector state may show incorrect state on high availability (HA) standby device 17.0.0, 16.1.2
998221-1 3-Major BT998221 Accessing pool members from configuration utility is slow with large config 17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.3
946185-3 3-Major BT946185 Unable to view iApp component due to error 'An error has occurred while trying to process your request.' 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
922185-3 3-Major BT922185 LDAP referrals not supported for 'cert-ldap system-auth' 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
881085-4 3-Major BT881085 Intermittent auth failures with remote LDAP auth for BIG-IP management 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1045421-1 3-Major K16107301, BT1045421 No Access error when performing various actions in the TMOS GUI 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1032737-2 3-Major BT1032737 IPsec: tmm SIGSEGV in getlocaladdr in ikev2_initiate 17.0.0, 16.1.2, 15.1.4.1
1032077-1 3-Major BT1032077 TACACS authentication fails with tac_author_read: short author body 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1028969-1 3-Major BT1028969 An unused traffic-selector can prevent an IKEv2 IPsec tunnel from working 17.0.0, 16.1.2
1026549-1 3-Major BT1026549 Incorrect BIG-IP Virtual Edition interface state changes may be communicated to mcpd 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1022757-2 3-Major BT1022757 Tmm core due to corrupt list of ike-sa instances for a connection 17.0.0, 16.1.2, 15.1.9
1021773-1 3-Major BT1021773 Mcpd core. 17.0.0, 16.1.2, 15.1.7
1020377-1 3-Major BT1020377 Missing IKEv2 listeners can send IKE packets to the IKEv1 racoon daemon 17.0.0, 16.1.2
1015645-2 3-Major BT1015645 IPSec SA's missing after reboot 17.0.0, 16.1.2
1009949-4 3-Major BT1009949 High CPU usage when upgrading from previous version 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
1003257-6 3-Major BT1003257 ZebOS 'set ipv6 next-hop' and 'set ipv6 next-hop local' do not work as expected 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
921365-2 4-Minor BT921365 IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby 17.0.0, 16.1.2, 15.1.4
1034617-1 4-Minor BT1034617 Login/Security Banner text not showing in console login. 17.0.0, 16.1.2
1030845-1 4-Minor BT1030845 Time change from TMSH not logged in /var/log/audit. 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1022417-1 4-Minor BT1022417 Ike stops with error ikev2_send_request: [WINDOW] full window 17.0.0, 16.1.2, 15.1.9


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1039041 1-Blocking BT1039041 Log Message: Clock advanced by <number> ticks 17.0.0, 16.1.2
1040361-1 2-Critical BT1040361 TMM crashes during its startup when TMC destination port list attached/deleted to virtual server. 17.0.0, 16.1.2, 15.1.5, 14.1.4.5
915773-7 3-Major BT915773 Restart of TMM after stale interface reference 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4
1023365-2 3-Major BT1023365 SSL server response could be dropped on immediate client shutdown. 17.0.0, 16.1.2, 15.1.4.1
1021481-1 3-Major BT1021481 'http-tunnel' and 'socks-tunnel' (which are internal interfaces) should be hidden. 17.0.0, 16.1.2
1020957-1 3-Major BT1020957 HTTP response may be truncated by the BIG-IP system 17.0.0, 16.1.2
1018577-4 3-Major BT1018577 SASP monitor does not mark pool member with same IP Address but different Port from another pool member 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1016113-1 3-Major BT1016113 HTTP response-chunking 'sustain' profile option may not rechunk responses when also using a web acceleration profile. 17.0.0, 16.1.2, 15.1.4
1008017-2 3-Major BT1008017 Validation failure on Enforce TLS Requirements and TLS Renegotiation 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
895557-5 4-Minor BT895557 NTLM profile logs error when used with profiles that do redirect 17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.2
1031901-2 4-Minor BT1031901 In HTTP2 deployment, RST_STREAM sent to client if server in CLOSING state is picked 17.0.0, 16.1.2, 15.1.4.1
1018493-1 4-Minor BT1018493 Response code 304 from TMM Cache always closes TCP connection. 17.0.0, 16.1.2, 15.1.4, 14.1.4.5, 13.1.5
1002945-4 4-Minor BT1002945 Some connections are dropped on chained IPv6 to IPv4 virtual servers. 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1035853-1 2-Critical K41415626, BT1035853 Transparent DNS Cache can consume excessive resources. 17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5
1028773-1 2-Critical BT1028773 Support for DNS Over TLS 17.0.0, 16.1.2
1009037-1 2-Critical BT1009037 Tcl resume on invalid connection flow can cause tmm crash 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1021417-1 3-Major BT1021417 Modifying GTM pool members with replace-all-with results in pool members with order 0 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
912149-7 2-Critical BT912149 ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476' 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1019853-1 2-Critical K30911244, BT1019853 Some signatures are not matched under specific conditions 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1017153-4 2-Critical BT1017153 Asmlogd suddenly deletes all request log protobuf files and records from the database. 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1011065-1 2-Critical K39002226, BT1011065 Certain attack signatures may not match in multipart content 17.0.0, 16.1.2, 15.1.4.1
1011061-4 2-Critical K39002226, BT1011061 Certain attack signatures may not match in multipart content 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
947341-4 3-Major BT947341 MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files. 17.0.0, 16.1.2, 16.0.1.2, 15.1.3, 14.1.4.1
932133-1 3-Major BT932133 Payloads with large number of elements in XML take a lot of time to process 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
842013-1 3-Major BT842013 ASM Configuration is Lost on License Reactivation 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1042917-1 3-Major BT1042917 Using 'Full Export' of security policy should result with no diffs after importing it back to device. 17.0.0, 16.1.2
1028109-1 3-Major BT1028109 Detected attack signature is reported with the wrong context. 17.0.0, 16.1.2
1022269-1 3-Major BT1022269 False positive RFC compliant violation 17.0.0, 16.1.2, 15.1.4, 14.1.4.4, 13.1.5
1004069-4 3-Major BT1004069 Brute force attack is detected too soon 17.0.0, 16.1.2, 15.1.5, 14.1.4.5, 13.1.5
1004537-2 4-Minor BT1004537 Traffic Learning: Accept actions for multiple suggestions not localized 17.0.0, 16.1.2, 15.1.4


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
932137-7 3-Major BT932137 AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
922105-1 3-Major BT922105 Avrd core when connection to BIG-IQ data collection device is not available 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5
1035133-4 3-Major BT1035133 Statistics data are partially missing in various BIG-IQ graphs under "Monitoring" tab 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
948113-1 4-Minor BT948113 User-defined report scheduling fails 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1020705-2 4-Minor BT1020705 "tmsh show analytics dos-l3 report view-by attack-id" shows "allowed-requests-per-second" instead of "attack_type_name" 17.0.0, 16.1.2, 15.1.3.1, 14.1.4.4


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1027217-1 1-Blocking BT1027217 Script errors in Network Access window using browser. 17.0.0, 16.1.2, 15.1.4.1
1006893-4 2-Critical BT1006893 Use of ACCESS::oauth after ACCESS::session create/delete may result in TMM core 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
993457-1 3-Major BT993457 TMM core with ACCESS::policy evaluate iRule 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1021485-3 3-Major BT1021485 VDI desktops and apps freeze with Vmware and Citrix intermittently 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1017233-2 3-Major BT1017233 APM uses wrong session key when iRule for ActiveSync is used resulting in passwords corruption 17.0.0, 16.1.2, 15.1.4.1
939877-3 4-Minor BT939877 OAuth refresh token not found 17.0.0, 16.1.2, 15.1.4, 14.1.4.4


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
1007113-3 2-Critical BT1007113 Pool member goes DOWN if the time difference between SCTP INIT and SCTP ABORT is less than two seconds 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5
1018285-2 4-Minor BT1018285 MRF DIAMETER to select automatic removal of a persistence entry on completion of a transaction 17.0.0, 16.1.2, 15.1.4.1
1003633-1 4-Minor BT1003633 There might be wrong memory handling when message routing feature is used 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1049229-1 2-Critical BT1049229 When you try to create a sub-rule under the Network Firewall rule list, the error: 'No Access' displays. 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


Traffic Classification Engine Fixes

ID Number Severity Links to More Info Description Fixed Versions
1013629-4 3-Major BT1013629 URLCAT: Scan finds many Group/User Read/Write (666/664/662) files 17.0.0, 16.1.2, 15.1.9
686783-1 4-Minor BT686783 UrlCat custom database feed list does not work when the URL contains a www prefix or capital letters. 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5
1032689 4-Minor BT1032689 UrlCat Custom db feedlist does not work for some URLs 16.1.2, 15.1.4.1, 14.1.4.5


Device Management Fixes

ID Number Severity Links to More Info Description Fixed Versions
929213-2 3-Major BT929213 iAppLX packages not rolled forward after BIG-IP upgrade 17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4


SSL Orchestrator Fixes

ID Number Severity Links to More Info Description Fixed Versions
1038669-1 3-Major BT1038669 Antserver keeps restarting. 17.0.0, 16.1.2, 15.1.5
1032797-1 3-Major BT1032797 Tmm continuously cores when parsing custom category URLs 17.0.0, 16.1.2, 15.1.5



Cumulative fixes from BIG-IP v16.1.1 that are included in this release


Vulnerability Fixes

ID Number CVE Links to More Info Description Fixed Versions
979877-9 CVE-2020-1971 K42910051, BT979877 CVE-2020-1971 OpenSSL: EDIPARTYNAME NULL pointer de-reference vulnerability description and available information 16.1.1, 15.1.4, 14.1.5.1
954425-4 CVE-2022-23031 K61112120, BT954425 Hardening of Live-Update 17.0.0, 16.1.1, 15.1.4, 14.1.4.4
797797-7 CVE-2019-11811 K01512680, BT797797 CVE-2019-11811 kernel: use-after-free in drivers 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.3
1013569-1 CVE-2022-31473 K34893234, BT1013569 Hardening of iApps processing 17.0.0, 16.1.1, 15.1.4
1008561-4 CVE-2022-23025 K44110411, BT1008561 In very rare condition, BIG-IP may crash when SIP ALG is deployed 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


Functional Change Fixes

ID Number Severity Links to More Info Description Fixed Versions
911141-1 3-Major BT911141 GTP v1 APN is not decoded/encoded properly 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


TMOS Fixes

ID Number Severity Links to More Info Description Fixed Versions
974241-3 2-Critical BT974241 Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades 17.0.0, 16.1.1, 15.1.4
887117-4 3-Major BT887117 Invalid SessionDB messages are sent to Standby 17.0.0, 16.1.1, 15.1.4.1
1019829-2 3-Major BT1019829 Configsync.copyonswitch variable is not functioning on reboot 16.1.1
1018309-5 3-Major BT1018309 Loading config file with imish removes the last character 17.0.0, 16.1.1, 15.1.4.1


Local Traffic Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1023341-1 1-Blocking   HSM hardening 17.0.0, 16.1.1, 15.1.5.1, 14.1.4.6, 13.1.5
995405-1 2-Critical BT995405 After upgrade, the copied SSL vhf/vht profile prevents traffic from passing 17.0.0, 16.1.3, 16.1.1
1040677 2-Critical BT1040677 BIG-IP D120 platform reports page allocation failures in N3FIPS driver 17.0.0, 16.1.1
980617-1 3-Major BT980617 SNAT iRule is not working with HTTP/2 and HTTP Router profiles 17.0.0, 16.1.1, 15.1.10
912945-3 4-Minor BT912945 A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed 17.0.0, 16.1.1, 15.1.4, 14.1.4.4


Global Traffic Manager (DNS) Fixes

ID Number Severity Links to More Info Description Fixed Versions
1039069-1 1-Blocking BT1039069 Multiple issues affecting the RESOLV::lookup iRule command following the fix to ID1007049. 17.0.0, 16.1.1, 15.1.4
993489-1 3-Major BT993489 GTM daemon leaks memory when reading GTM link objects 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5


Application Security Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
996381-1 2-Critical K41503304, BT996381 ASM attack signature may not match as expected 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1
970329-1 2-Critical K70134152, BT970329 ASM hardening 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
965229-5 2-Critical BT965229 ASM Load hangs after upgrade 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
986937-3 3-Major BT986937 Cannot create child policy when the signature staging setting is not equal in template and parent policy 17.0.0, 16.1.1, 16.0.1.2, 15.1.4
981069-3 3-Major BT981069 Reset cause: "Internal error ( requested abort (payload release error))" 17.0.0, 16.1.1, 15.1.4
962589-4 3-Major BT962589 Full Sync Requests Caused By Failed Relayed Call to delete_suggestion 17.0.0, 16.1.1, 15.1.4, 14.1.4.4
951133-4 3-Major BT951133 Live Update does not work properly after upgrade 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4
920149-3 3-Major BT920149 Live Update default factory file for Server Technologies cannot be reinstalled 17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4
888289-8 3-Major BT888289 Add option to skip percent characters during normalization 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
1005105-3 3-Major BT1005105 Requests are missing on traffic event logging 17.0.0, 16.1.1, 15.1.4, 14.1.4.5
1000741-1 3-Major K67397230, BT1000741 Fixing issue with input normalization 17.0.0, 16.1.1, 15.1.4, 14.1.4.4
941625-3 4-Minor BT941625 BD sometimes encounters errors related to TS cookie building 17.0.0, 16.1.1, 15.1.4


Application Visibility and Reporting Fixes

ID Number Severity Links to More Info Description Fixed Versions
924945-5 3-Major BT924945 Fail to detach HTTP profile from virtual server 17.0.0, 16.1.1, 16.0.1.2, 15.1.3
913085-6 3-Major BT913085 Avrd core when avrd process is stopped or restarted 17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
909161-1 3-Major BT909161 A core file is generated upon avrd process restart or stop 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


Access Policy Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
1024101-1 3-Major BT1024101 SWG as a Service license improvements 17.0.0, 16.1.3, 16.1.1
1022625-2 3-Major BT1022625 Profile type 'swg-transparent' should be selected on create page when 'create-new' is selected for SwgAsService in SSL Orchestrator 17.0.0, 16.1.1


Service Provider Fixes

ID Number Severity Links to More Info Description Fixed Versions
993913-4 2-Critical BT993913 TMM SIGSEGV core in Message Routing Framework 17.0.0, 16.1.1, 15.1.4, 14.1.4.4
1012721-4 2-Critical BT1012721 Tmm may crash with SIP-ALG deployment in a particular race condition 17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4, 13.1.5
1007821-3 2-Critical BT1007821 SIP message routing may cause tmm crash 17.0.0, 16.1.1, 15.1.4
996113-2 3-Major BT996113 SIP messages with unbalanced escaped quotes in headers are dropped 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
805821-1 3-Major BT805821 GTP log message contains no useful information 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
919301-1 4-Minor BT919301 GTP::ie count does not work with -message option 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913413-1 4-Minor BT913413 'GTP::header extension count' iRule command returns 0 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913409-1 4-Minor BT913409 GTP::header extension command may abort connection due to unreasonable TCL error 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
913393-1 5-Cosmetic BT913393 Tmsh help page for GTP iRule contains incorrect and missing information 17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


Advanced Firewall Manager Fixes

ID Number Severity Links to More Info Description Fixed Versions
992213-3 3-Major BT992213 Protocol Any displayed as HOPTOPT in AFM policy view 17.0.0, 16.1.1, 15.1.4, 14.1.4.2
1000405-1 3-Major BT1000405 VLAN/Tunnels not listed when creating a new rule via GUI 17.0.0, 16.1.1, 15.1.4


Protocol Inspection Fixes

ID Number Severity Links to More Info Description Fixed Versions
1018145 3-Major BT1018145 Firewall Manager user role is not allowed to configure/view protocol inspection profiles 16.1.1, 15.1.4

 

Cumulative fix details for BIG-IP v16.1.5.1.0.13.7 that are included in this release

1622609-1 : Blast-RADIUS CVE-2024-3596

Links to More Info: K000141008

Component: Access Policy Manager

Symptoms:
Refer to K000141008 for more details.

Conditions:
Refer to K000141008 for more details.

Impact:
Refer to K000141008 for more details.

Workaround:
None

Fixed Versions:
16.1.5.1.0.13.7


1621249-2 : CVE-2024-3596

Links to More Info: K000141008

Component: TMOS

Symptoms:
Refer to K000141008 for more details.

Conditions:
Refer to K000141008 for more details.

Impact:
Refer to K000141008 for more details.

Workaround:
None

Fix:
As part of the fix, a new CLI option 'require_message_authenticator' is introduced in system auth. require_message_authenticator is false by default and should be set to true to mitigate this vulnerability. To set it to true, use the following command:

tmsh modify sys db radius.messageauthenticator value true

Fixed Versions:
16.1.5.1.0.13.7



1678649-2 : CVE-2024-3596

Links to More Info: K000141008

Component: TMOS

Symptoms:
The RADIUS protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against the MD5 Response Authenticator signature.

Conditions:
RADIUS authentication must be configured on BIG-IP for the system to be vulnerable to CVE-2024-3596.

Impact:
BIG-IP may be susceptible to forgery attacks.

Workaround:
None

Fix:
As part of the fix, a new CLI option 'require_message_authenticator' is introduced in system auth. require_message_authenticator is false by default and should be set to true to mitigate this vulnerability. To set it to true, use the following command:

tmsh modify sys db radius.messageauthenticator value true

Fixed Versions:
16.1.5.1.0.13.7
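
One way a RADIUS client can require the Message-Authenticator attribute on responses, which is the behavior the option name above describes. This is an added example, not F5 code: it checks the RFC 2865 Response Authenticator and the RFC 3579 Message-Authenticator (HMAC-MD5), and all function names, the shared secret and the sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
MESSAGE_AUTHENTICATOR = 80  # attribute type (RFC 2869 / RFC 3579)

# Constructed sample values, not taken from any real deployment.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))  # authenticator of the Access-Request


def parse_attributes(data):
    """Return [(type, value_offset, value)] for the attribute area."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((a_type, pos + 2, data[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def verify_response(packet, request_auth, secret,
                    require_message_authenticator=True):
    """Validate a RADIUS response. Returns (accepted, reason)."""
    if len(packet) < 20:
        return False, "short packet"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False, "bad length field"
    packet = packet[:length]  # octets past Length are padding
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False, "not a response"
    attrs_raw = packet[20:]

    # 1. Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attrs+Secret).
    #    This plain-MD5 construction is the one CVE-2024-3596 targets.
    expected = hashlib.md5(packet[:4] + request_auth + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "bad response authenticator"

    # 2. Message-Authenticator: HMAC-MD5 keyed with the shared secret.
    try:
        attrs = parse_attributes(attrs_raw)
    except ValueError as exc:
        return False, str(exc)
    found = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if not found:
        if require_message_authenticator:
            return False, "missing Message-Authenticator"
        return True, "accepted without Message-Authenticator"
    if len(found) != 1 or len(found[0][1]) != 16:
        return False, "malformed Message-Authenticator"
    off, value = found[0]
    zeroed = bytearray(attrs_raw)
    zeroed[off:off + 16] = bytes(16)  # the field is zero while the HMAC is computed
    mac = hmac.new(secret, packet[:4] + request_auth + bytes(zeroed),
                   hashlib.md5).digest()
    if not hmac.compare_digest(mac, value):
        return False, "bad Message-Authenticator"
    return True, "ok"


def build_response(code, ident, request_auth, secret, attrs=b"", with_ma=True):
    """Build a constructed sample response (server side, for the demo only)."""
    if with_ma:
        # Message-Authenticator goes first, value zeroed for the HMAC input.
        attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) + attrs
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if with_ma:
        mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:2] + mac + attrs[18:]
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


if __name__ == "__main__":
    reply_message = b"\x12\x04ok"  # Reply-Message attribute, constructed
    for label, with_ma in (("with Message-Authenticator", True),
                           ("without Message-Authenticator", False)):
        pkt = build_response(ACCESS_ACCEPT, 7, SAMPLE_REQUEST_AUTH,
                             SAMPLE_SECRET, reply_message, with_ma)
        print(label, verify_response(pkt, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```

With `require_message_authenticator=False`, the second sample is accepted on the strength of the MD5 Response Authenticator alone, which is the acceptance path the mitigation closes.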


999901-1 : Certain LTM policies may not execute correctly after a system reboot or TMM restart.

Links to More Info: K68816502, BT999901

Component: Local Traffic Manager

Symptoms:
After a system reboot or TMM restart, LTM policies referencing an external data-group may not execute correctly, regardless of a successful matching condition.

This can cause a wide range of issues, including misrouted traffic, unshaped traffic, the bypassing of ASM, or complete traffic failure (based on the policy actions).

Note that if a virtual server references multiple LTM policies, and only some of those policies reference an external data-group, all LTM policies attached to the virtual server will be affected.

Conditions:
-- LTM policy with an external data-group configured on a virtual server.
-- System reboot or TMM restart.

Impact:
LTM policies may be unable to execute the appropriate action on a successful matching condition, leading to a wide range of traffic-impacting consequences.

Workaround:
Remove and re-add the affected policy to the desired virtual-server. Alternatively, to fix a wider number of affected virtual servers in one go, reload the system configuration by executing 'tmsh load sys config'.

Fix:
TMM now loads LTM policies with external data-groups as expected.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


999881-6 : Tcl command 'string first' not working if payload contains Unicode characters.

Links to More Info: BT999881

Component: Local Traffic Manager

Symptoms:
Tcl command 'string first' returns an incorrect value when Unicode characters are present in the payload.

Conditions:
-- Tcl command 'string first' is used in iRules.
-- Payload contains Unicode characters.

Impact:
Traffic processing with iRules that contains the 'string first' command might not work as expected.

Workaround:
You can use any of the following workarounds:

-- Use iRuleLX.
-- Do not use Unicode characters in the payload.
-- Use a custom Tcl proc to iterate through the string using lindex

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7


999125-1 : After changing management IP addresses, devices can be stuck indefinitely in improper Active/Active or Standby/Standby states.

Links to More Info: BT999125

Component: TMOS

Symptoms:
After a device (or multiple devices) in a sync-failover device-group undergoes a management IP change, multiple devices in the group can be stuck indefinitely in improper Active/Active or Standby/Standby failover states.

Conditions:
-- One or more devices belonging to a sync-failover device-group undergo a management IP change.

Impact:
-- The affected units are unable to pass traffic, as they are either both Standby or Active (resulting in either no service availability or IP address conflicts in the network).

Workaround:
If you are planning to change management IP addresses on your devices, consider doing so during a maintenance window, in order to account for the eventuality this issue might occur.

Then, if this issue does occur, you can restore correct system functionality by restarting the sod daemon on all units that had their management IP address changed. To do so, run the following command:

tmsh restart sys service sod

Note: This is a one-time workaround, and the issue may re-occur if the devices undergo further management IP address changes in the future.

Fix:
Redundant devices remain in the correct failover state following a management IP address change.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


999097-1 : SSL::profile may select profile with outdated configuration

Links to More Info: BT999097

Component: Local Traffic Manager

Symptoms:
Under some circumstances, an iRule-selected SSL profile may send a previously configured certificate to the peer.

Conditions:
iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made in the profile's cert-key-chain field.

Impact:
The TLS client may receive an outdated certificate that does not match with the current configuration, potentially leading to handshake failures.

Workaround:
Avoid making changes to a profile that is actively being used by the iRule command.

Fix:
The system now makes sure that SSL profiles are properly reloaded after changes are made.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5


998957-1 : MCPD consumes excessive CPU while collecting statistics

Links to More Info: BT998957

Component: TMOS

Symptoms:
MCPD CPU utilization is 100%.

Conditions:
This condition can occur when the BIG-IP system has a large number of virtual servers, pools, and pool members for which statistics are being collected. The CPU impact is proportional to the number of objects configured. It appears unlikely to see a significant impact when under 1000 objects.

Impact:
CPU utilization by MCPD is excessive.

Workaround:
None

Fix:
N/A

Fixed Versions:
17.1.0, 16.1.5


998225-6 : TMM crash when disabling/re-enabling a blade that triggers a primary blade transition.

Links to More Info: BT998225

Component: TMOS

Symptoms:
TMM crashes during the primary blade transition.

Conditions:
-- Using bidirectional forwarding detection.
-- Primary blade transition occurs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM no longer crashes on primary blade transition.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


998221-1 : Accessing pool members from configuration utility is slow with large config

Links to More Info: BT998221

Component: TMOS

Symptoms:
Accessing the pool members page from the BIG-IP Configuration Utility/GUI is slow compared with accessing Pool members from TMSH/CLI.

Conditions:
-- Accessing pool member information through the BIG-IP configuration utility.
-- Thousands of pools and pool members in the configuration.

Impact:
In the GUI, it takes approximately 20-30 seconds, whereas the CLI returns results in less than 1 second.

Managing pool members from the configuration utility is very slow, causing performance impact.

Workaround:
None

Fix:
Optimized the GUI query used for retrieving pool members data.

Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.3


997793-3 : Error log: Failed to reset strict operations; disconnecting from mcpd

Links to More Info: K34172543, BT997793

Component: TMOS

Symptoms:
After rebooting the device you are unable to access the GUI. When checking the LTM logs in the SSH/console, it repeatedly prompts an error: tmm crash.

Failed to reset strict operations; disconnecting from mcpd.

Conditions:
-- APM provisioned.
-- Previous EPSEC packages that are still residing on the system from earlier BIG-IP versions are installed upon boot.

Impact:
Mcpd fails to fully load and the device fails to come up fully, and it cannot pass traffic.

An internal timer might cause the installation to be aborted and all daemons to be restarted through bigstart restart. Traffic is disrupted while tmm restarts.

Workaround:
You can recover by restarting the services. Traffic will be disrupted while tmm restarts:

1. Stop the overdog daemon first by issuing the command:
   systemctl stop overdog

2. Restart all services by issuing the command:
   bigstart restart

3. Wait for 10 to 20 minutes until EPSEC packages are successfully installed and mcpd successfully starts.

4. Start the overdog daemon after the system is online:
   systemctl start overdog

Impact of workaround: it is possible that the EPSEC rpm database is or could be corrupted. If you find that you cannot access the GUI after applying this workaround, see https://cdn.f5.com/product/bugtracker/ID1188857.html

Fix:
After rebooting the device, you can now access the GUI without a 'Failed to reset' error.

Fixed Versions:
16.1.5


997561-5 : TMM CPU imbalance with GRE/TB and GRE/MPLS traffic

Links to More Info: BT997561

Component: TMOS

Symptoms:
When handling unidirectional GRE traffic, a lack of inner payload entropy can lead to CPU pinning.

In some circumstances, handling this traffic should not require maintaining state across TMMs.

Conditions:
This occurs with GRE/TB (transparent ethernet bridging) and GRE/MPLS traffic.

Impact:
TMM utilization across CPUs is imbalanced, which can impact overall device performance.

Workaround:
None

Fix:
The BIG-IP now has a 'iptunnel.ether_nodag' DB key, which defaults to 'disable'. When this DB key is enabled, the BIG-IP system always processes tunnel-encapsulated traffic on the TMM that handles the tunnel packet, rather than re-disaggregating it.

Fixed Versions:
17.1.1, 16.1.5, 15.1.10


997429-1 : When (DoS Detection threshold = DoS Mitigation threshold) for a vector, logging is erratic when hardware offload is enabled

Links to More Info: BT997429

Component: Advanced Firewall Manager

Symptoms:
Some DoS-related log messages may be missing

Conditions:
-- Static DDoS vector is configured with the same mitigation threshold and detection threshold setpoint.
-- The platform supports hardware DDoS mitigation and hardware mitigation is not disabled.

Impact:
Applications dependent on log frequency may be impacted.

Workaround:
Configure the mitigation limit about 10% over the attack limit.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


997313-2 : Unable to create APM policies in a sync-only folder

Links to More Info: BT997313

Component: TMOS

Symptoms:
Unable to configure an APM policy in a sync-only folder, or the configuration fails to load after an upgrade, with an error message similar to:

-- err mcpd[mcpd_pid]: 01070734:3: Configuration error: Invalid Devicegroup Reference. The customization_group (/Common/sync-only/example_apm_customization) requires customization_source (/Common/standard) to be syncd to the same devices

Conditions:
-- Multiple BIG-IP devices configured in a sync-only device group, but different/non-overlapping failover device groups
-- APM policy being created in a folder or partition associated with sync-only device group.

Impact:
-- Unable to create the access policy.
-- The configuration fails to load and the device remains inoperative.

Workaround:
You can use either of the following strategies to prevent the issue:

-- Do not create APM policies in a sync-only folder.

-- Disable MCPD device-group reference validation for the sync-only folder, e.g.:
    tmsh modify sys folder /Common/sync-only no-ref-check true
    tmsh save sys config

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1


997269-1 : The management-dhcp contextual help for supersede-options is not available

Links to More Info: BT997269

Component: TMOS

Symptoms:
In TMSH, unable to view the contextual help for supersede-options of management-dhcp.

Conditions:
In TMSH, configuring DHCP settings for the management interface.

Impact:
The help text is not available on usage of supersede-options.

Workaround:
None

Fix:
Added missing contextual help for supersede-options.

Fixed Versions:
17.0.0, 16.1.5


996649-6 : Improper handling of DHCP flows leading to orphaned server-side connections

Links to More Info: BT996649

Component: Local Traffic Manager

Symptoms:
When there are multiple client-side flows tied to a single server-side DHCP flow, timeout handling on the client-side flows is incorrect and might lead to a server-side flow getting orphaned. This results in traffic from the server not making its way back to the client.

Conditions:
Regular DHCP virtual server in use.

Impact:
Traffic is not passed to the client.

Workaround:
None.

Fixed Versions:
17.1.1, 16.1.5, 15.1.10


996381-1 : ASM attack signature may not match as expected

Links to More Info: K41503304, BT996381

Component: Application Security Manager

Symptoms:
When processing traffic with ASM, attack signature 200000128 may not match as expected.

Conditions:
- Attack signature 200000128 enabled.

Impact:
Processed traffic may not match all expected attack signatures

Workaround:
N/A

Fix:
Attack signature 200000128 now matches as expected.

Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.4.1


996233-1 : Tomcat may crash while processing TMUI requests

Links to More Info: K38893457, BT996233


996113-2 : SIP messages with unbalanced escaped quotes in headers are dropped

Links to More Info: BT996113

Component: Service Provider

Symptoms:
Dropped SIP messages.

Conditions:
-- MRF SIP virtual server
-- SIP Header Field has an escaped quote

Impact:
Certain SIP messages are not being passed via MRF.

Workaround:
None

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


996001-5 : AVR Inspection Dashboard 'Last Month' does not show all data points

Links to More Info: BT996001

Component: TMOS

Symptoms:
A daily report (a report with a resolution of one day per data point) can only be provided for requests of up to 30 days. A request for 31 days shows only 2 entries.

Conditions:
This occurs when generating a 'Last Month' report for a month that contains 31 days of data.

Impact:
AVR Inspection Dashboard displays less data than expected: 2 points instead of 31 points.

Workaround:
None

Fix:
Viewing a 'Last Month' graph now reports ~30 days worth of data, rather than a variable amount of data based on actual calendar periods.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5


995849-1 : Tmm crash SIGSEGV - rcs_getsalen() in lib/rc_net.c

Links to More Info: BT995849

Component: TMOS

Symptoms:
Tmm crashes while processing a large number of tunnels.

Conditions:
-- A large number of ipsec tunnels

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Memory allocation failures are handled.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


995405-1 : After upgrade, the copied SSL vhf/vht profile prevents traffic from passing

Links to More Info: BT995405

Component: Local Traffic Manager

Symptoms:
After an RPM upgrade, SSL Orchestrator traffic does not pass

Conditions:
Upgrading SSL Orchestrator via RPM

Impact:
Traffic will not pass.

Workaround:
bigstart restart tmm

Fix:
Fixed an issue that was preventing traffic from passing after an RPM upgrade.

Fixed Versions:
17.0.0, 16.1.3, 16.1.1


995097-1 : Certain management-dhcp supersede options fail to restore correctly when the configuration is reloaded from a file.

Links to More Info: BT995097

Component: TMOS

Symptoms:
After reloading the configuration from a file, management-dhcp supersede options whose values contained a double quote character (") no longer contain the character.

For instance, after reloading the configuration, the following section:

# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
    supersede-options {
        domain-name {
            value { "example.com" }
        }
        domain-name-servers {
            value { 8.8.8.8 }
        }
        domain-search {
            value { "example.com" }
        }
    }
}

Becomes:

# tmsh list sys management-dhcp sys-mgmt-dhcp-config supersede-options
sys management-dhcp sys-mgmt-dhcp-config {
    supersede-options {
        domain-name {
            value { example.com }
        }
        domain-name-servers {
            value { 8.8.8.8 }
        }
        domain-search {
            value { example.com }
        }
    }
}

This also affects the configuration file for the dhclient/dhclient6 daemons that the system automatically generates from the aforementioned config stanza.

Conditions:
This issue occurs when the following statements apply:
-- The values of management-dhcp supersede options contain double quote characters.
-- The configuration is reloaded from file.

The BIG-IP system reloads the configuration from file in the following cases:
-- When you issue the 'tmsh load sys config' command.
-- After an upgrade, as the mcpd binary database does not exist yet.
-- When troubleshooting requires removing the mcpd binary database and reloading the config from file.
-- When the system is relicensed.
-- When system provisioning changes.
-- When a UCS/SCF archive is restored.
-- When someone merges in config from file or terminal (but this is limited to the actual contents being merged in, not the entire configuration).

Impact:
The in-memory mcpd configuration relating to management-dhcp supersede options is incorrect.

The /etc/dhclient.conf file that is automatically generated contains incorrect syntax.

As a result of this, the dhclient/dhclient6 daemons fail to parse the file and run with an incomplete configuration.

Ultimately, the system does not behave as configured in regard to its management-dhcp configuration.

Workaround:
Reapply the desired management-dhcp supersede-options configuration using the tmsh utility.

For example, to restore the intended in-memory configuration shown under Symptoms, you would run within tmsh:

# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options none
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name { value add { \"example.com\" } } }
# modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-name-servers { value add { 8.8.8.8 } } }
# save sys config

On versions earlier than 15.0.0, you must also restart the dhclient/dhclient6 daemons by running:

bigstart restart dhclient dhclient6

Note that the workaround is not permanent and will be invalidated the next time the config is loaded from file again.

Fix:
The BIG-IP system user is no longer responsible for knowing which dhcp-options require quoting and which do not. This determination is now done internally by mcpd, which uses the correct syntax for each supersede-option when writing the /etc/dhclient.conf file. This means that, as the BIG-IP system user, you are not required to quote anything when manipulating management-dhcp supersede-options in tmsh.

For instance, you can enter the following command:

tmsh modify sys management-dhcp sys-mgmt-dhcp-config supersede-options add { domain-search { value add { one.example.com two.example.com } } }

And the system inserts the following instruction in the /etc/dhclient.conf file:

supersede domain-search "one.example.com", "two.example.com" ;

Fixed Versions:
17.0.0, 16.1.4, 15.1.10


994973-1 : TMM crash with do_drivers_probe()

Links to More Info: BT994973

Component: Local Traffic Manager

Symptoms:
TMM crashes during shutdown, and a TMM core is created by SIGABRT when using the xnet drivers. The source of the SIGABRT is located within the do_drivers_probe() function.

Conditions:
This occurs while:
-- using the xnet drivers
-- rebooting TMM

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM does not crash.

Fixed Versions:
16.1.5


994305-3 : The version of open-vm-tools included with BIG-IP Virtual Edition is 10.1.5

Links to More Info: BT994305

Component: TMOS

Symptoms:
Features supported in newer versions of open-vm-tools are not available.

Conditions:
This issue may be seen when running in VMware environments.

Impact:
Features that require a later version of open-vm-tools are not available.

Workaround:
None.

Fix:
The version of open-vm-tools has been updated to 11.1.5.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1


994033-3 : The daemon httpd_sam does not recover automatically when terminated

Links to More Info: BT994033

Component: TMOS

Symptoms:
The APM policy redirects users to an incorrect domain, and the httpd_sam daemon is not running.

Conditions:
The httpd_sam daemon was stopped with the terminate command.

Impact:
The APM policy performs incorrect redirects.

Workaround:
Restart the daemons httpd_apm and httpd_sam.

Fix:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


993981-3 : TMM may crash when ePVA is enabled

Links to More Info: K52340447, BT993981


993913-4 : TMM SIGSEGV core in Message Routing Framework

Links to More Info: BT993913

Component: Service Provider

Symptoms:
TMM crashes on SIGSEGV.

Conditions:
This can occur while passing traffic through the message routing framework.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4


993613-7 : Device fails to request full sync

Links to More Info: BT993613

Component: Application Security Manager

Symptoms:
Devices remain out of sync and ASM REST/GUI becomes unresponsive. asm_config_server may create many unique PIDs.

Conditions:
-- A manual sync device group is configured and ASM sync is enabled.
-- Sync pushes are typically performed in one direction, and then a sync attempt is made in the opposite direction.

Impact:
-- The device that is meant to receive the config sync never requests or receives it.
-- The devices become unsynchronized which may cause unexpected traffic enforcement or dropped traffic.
-- ASM GUI becomes unresponsive.
-- A large number of asm_config_server processes increases host memory usage.

Workaround:
Halting asm_config_server on the stuck device restores the working state and requests a new sync.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5


993517-1 : Loading an upgraded config can result in a file object error in some cases

Links to More Info: BT993517

Component: Local Traffic Manager

Symptoms:
After an upgrade from a version prior to 13.1.0, when loading a configuration that has had an HTTPS monitor in it, if that configuration has not yet been saved, you may see errors like this in the LTM log:

-- 0107134a:3: File object by name (DEFAULT) is missing.

If you run 'tmsh load sys config verify' on this configuration, the system also posts the error on the screen.

Conditions:
-- Upgrading from a version prior to 13.1.0.
-- At least one HTTPS monitor that has the kEDH cipher in its cipherlist.
-- Upgrading to version 13.1.1.4 or later.
-- Loading the configuration (either automatically on startup, or manually).

Impact:
Other than the error message, there is no impact.

Workaround:
After the initial reboot, save the configuration.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


993489-1 : GTM daemon leaks memory when reading GTM link objects

Links to More Info: BT993489

Component: Global Traffic Manager (DNS)

Symptoms:
The gtmd process memory consumption is higher than expected.

Conditions:
DNS is provisioned and a provisioned GTM link object has been loaded.

Impact:
Increased memory usage of the GTM daemon. This may impact other capabilities, such as starting sync operations.

Workaround:
None

Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4, 13.1.5


993481-1 : Jumbo frame issue with DPDK eNIC

Links to More Info: BT993481

Component: TMOS

Symptoms:
TMM crashes.

Conditions:
-- TMM is using DPDK driver with Cisco eNIC
-- TMM receives jumbo sized packet

Impact:
Traffic disrupted while TMM restarts.

Workaround:
- Use a different driver such as sock.
- Do not use or accept jumbo frames. Use the following TMSH command to set the MTU to less than or equal to 1500:
tmsh modify net vlan external mtu 1500

Fix:
Skipped initialization of structures.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


993457-1 : TMM core with ACCESS::policy evaluate iRule

Links to More Info: BT993457

Component: Access Policy Manager

Symptoms:
TMM segfaults in packtag_literal_pointer_release() during TCLRULE_CLIENT_CLOSED event attempting a session release.

Conditions:
-- The ACCESS::policy evaluate is still in progress when TCLRULE_CLIENT_CLOSED event is triggered.
-- While the TCLRULE_CLIENT_CLOSED is in process, the ACCESS::policy evaluation completes.

Impact:
This triggers a race condition and causes the tmm crash. Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM no longer crashes and generates a core file during the ACCESS::policy evaluate iRule under these conditions.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5


993269-3 : DoS timestamp cookies are incompatible with FastL4 TCP timestamp rewrite option

Links to More Info: BT993269

Component: Advanced Firewall Manager

Symptoms:
Using DoS timestamp cookies together with a FastL4 profile with the timestamp rewrite option enabled might lead to traffic failures.

DoS timestamp cookies might also lead to problems with traffic generated by the Linux host.

Conditions:
-- DoS timestamp cookies are enabled, and either of the following:

-- FastL4 profile with the timestamp rewrite option enabled.
-- Traffic originating from Linux host.

Impact:
Traffic is dropped due to incorrect timestamps.

Workaround:
Disable timestamp cookies on the affected VLAN.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


992865-3 : Virtual server may not enter hardware SYN cookie mode on BIG-IP i11000 and i15000 series appliances

Links to More Info: BT992865

Component: TMOS

Symptoms:
On particular platforms, virtual servers do not correctly enter hardware SYN cookie mode. Software SYN cookie mode still functions correctly.

Conditions:
-- Virtual server under SYN flood attack.
-- One of the following platforms
  + BIG-IP i11000 series (C123)
  + BIG-IP i15000 series (D116)

Impact:
Software SYN cookies are enabled, which has a performance impact compared to the hardware mode.

Workaround:
None

Fix:
Virtual servers correctly enter hardware SYN cookie mode on all platforms.

Fixed Versions:
17.1.0, 16.1.2.2, 15.1.4


992813-7 : The list of dhcp-options known to mcpd is outdated, leading to the inability to instantiate certain management-dhcp configurations.

Links to More Info: BT992813

Component: TMOS

Symptoms:
The mcpd daemon performs validation of the request-options and supersede-options a BIG-IP administrator specifies via the tmos.sys.management-dhcp endpoint in tmsh.

As the list of dhcp-options known to mcpd is outdated, it is possible you may be returned an error when attempting to configure valid request-options or supersede-options.

For example, you may be returned the following error when attempting to supersede the domain-search option:

01071627:3: Management Dhcp resource supersede-option - Invalid dhcp option: domain-search

Conditions:
You attempt to configure a dhcp-option unknown to mcpd as part of the request-options or supersede-options properties.

Note: A common dhcp-option of which mcpd has no knowledge is domain-search. You are unlikely to experience this issue unless you are requesting or superseding this particular dhcp-option.

Impact:
You are unable to instantiate the desired management-dhcp configuration.

Workaround:
None

Fix:
The list of dhcp-options known to mcpd has been updated.

Fixed Versions:
17.0.0, 16.1.4, 15.1.10


992213-3 : Protocol Any displayed as HOPTOPT in AFM policy view

Links to More Info: BT992213

Component: Advanced Firewall Manager

Symptoms:
The 'any' option for the AFM policy rule protocol is displayed incorrectly in the GUI.

Conditions:
-- Create a rule and set protocol as 'any'.
-- Navigate to active rules.

Impact:
GUI shows an incorrect value.

Workaround:
None

Fix:
The GUI shows the correct value for the rule protocol option.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.2


992121-4 : REST "/mgmt/tm/services" endpoint is not accessible

Links to More Info: BT992121

Component: TMOS

Symptoms:
Accessing "/mgmt/tm/services" fails with a null exception and returns a 400 response.

Conditions:
Accessing /mgmt/tm/services through the REST API.

Impact:
You are unable to get services through the REST API. BIG-IQ needs that call for monitoring.

Workaround:
None

Fix:
/mgmt/tm/services is accessible through the REST API and returns the services successfully.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1


992073-2 : APM NTLM Front End Authentication errors ECA_ERR_INPROGRESS

Links to More Info: K93543114, BT992073


991457-1 : The mpidump should show sequence number and higher precision date/time

Links to More Info: BT991457

Component: Local Traffic Manager

Symptoms:
The mpidump command does not show some data that would be useful in a troubleshooting situation.

Conditions:
Running mpidump to gather data.

Impact:
Comparing tcpdumps with mpidumps is almost impossible due to the lack of timestamp precision in the mpidump tool's verbose text output. Without this precision, analysis is extremely difficult, if not impossible.

Workaround:
None

Fix:
None

Fixed Versions:
16.1.5


991421-2 : TMM may crash while processing TLS traffic

Links to More Info: K91013510, BT991421


990461-5 : Per virtual server SYN cookie threshold is not preserved or converted during a software upgrade

Links to More Info: BT990461

Component: Advanced Firewall Manager

Symptoms:
If the original per virtual server SYN cookie threshold value was greater than 4095, the value is not preserved or converted correctly after a software upgrade from v12.x to a later version.

Conditions:
-- Per virtual server SYN cookie threshold is set.
-- SYN cookie threshold is set to a value higher than 4095.

Impact:
A change in the SYN cookie threshold value in the virtual server context may result in a change in DoS behavior, depending on your configuration.

Workaround:
Manually update the SYN cookie threshold values after an upgrade.

Fixed Versions:
17.1.0, 16.1.3, 15.1.6.1, 14.1.4.4


989701-8 : CVE-2020-25212 Kernel: A flaw was found in the NFSv4 implementation where when mounting a remote attacker controlled server it could return specially crafted response

Links to More Info: K42355373, BT989701


989529-1 : AFM IPS engine takes action on unspecified services

Links to More Info: BT989529

Component: Protocol Inspection

Symptoms:
Specific ports configured in the IPS profile are not taken into account during the matching action exercised by the IPS subsystem. As a result, all ports are matched.

Conditions:
Service ports specified under Security :: Protocol Security : Inspection Profiles :: service type (e.g., HTTP).

Impact:
Increased resource usage and excessive logging.

Workaround:
None.

Fixed Versions:
16.1.5


989517-3 : Acceleration section of virtual server page not available in DHD

Links to More Info: BT989517

Component: TMOS

Symptoms:
Cannot use Advanced Menu to create a virtual server for HTTP/2 on systems with DHD licenses. This occurs because the Acceleration section is not available.

You can create the virtual server via TMSH and it works, but as soon as you use the GUI to modify the virtual server, it loses the HTTP/2 configuration.

Conditions:
The Acceleration section is not visible in case 'DoS' is provisioned (available with the DHD license).

Impact:
1) You are unable to use the GUI to modify any parameters of the Acceleration table in the virtual server page.

2) Loss of configuration items if making changes via the GUI.

Workaround:
A virtual server with parameters present in the Acceleration table can still be created using TMSH. However, do not edit that virtual server in the GUI, or the Acceleration parameters will be lost.

Fix:
The Acceleration table is now visible, and there is no loss of configuration items if making changes via the GUI.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1


989501-2 : A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus

Links to More Info: BT989501

Component: TMOS

Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might fall or drop off of PCI bus, resulting in the BIG-IP system not being able to process traffic. If this happens, a daemon_heartbeat failsafe gets triggered instead of dataplane_inoperable_t action.

Conditions:
The conditions that cause the HSB to fall off of the PCI bus are unknown at this time.

Impact:
The BIG-IP system is unable to pass traffic and a failover is triggered.

Workaround:
Reboot the device or the blade to recover from the situation and monitor for recurrence. If it happens again, it could indicate a potential underlying hardware issue.

Fix:
The dataplane_inoperable_t High Availability (HA) event should be triggered by the overdog process (which monitors the HA table for failover action types of restart, restart-all, or reboot), allowing the system to be rebooted to recover.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


989373-7 : CVE-2020-14314 kernel: buffer uses out of index in ext3/4 filesystem

Links to More Info: K67830124, BT989373


988549-10 : CVE-2020-29573: glibc vulnerability

Links to More Info: K27238230, BT988549


988165-3 : VMware CPU reservation is now enforced.

Links to More Info: BT988165

Component: TMOS

Symptoms:
CPU reservation is not enabled, which can result in insufficient CPU resources for the Virtual Edition guest.

Conditions:
BIG-IP Virtual Edition running in VMware.

Impact:
Performance may be lower than expected, particularly if ESXi is oversubscribed and traffic volume is high.

Workaround:
Manually enforce the 2GHz per core rule when provisioning VMware instances to ensure that your VMware hosts are not oversubscribed.

Fix:
The VMware CPU reservation of 2GHz per core is now automatically enabled in the OVF file. The CPU reservation can be up to 100 percent of the defined virtual machine hardware. For example, if the hypervisor has 2.0 GHz cores, and the VE is set to 4 cores, you will see 4 x 2.0 GHz reserved for 8GHz (or 8000 MHz).

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1


987977-3 : VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation

Links to More Info: BT987977

Component: Application Security Manager

Symptoms:
The violation_details field of the remote logging message includes an XML document for VIOL_HTTP_RESPONSE_STATUS even though the violation is configured not to produce one (Learn/Alarm/Block are all disabled).

Conditions:
When all the following conditions are met:

-- Response status code is not one of 'Allowed Response Status Codes'.
-- Learn/Alarm/Block flags are disabled with 'Illegal HTTP status in response'.
-- Logging profile is configured for remote storage.
-- Storage format is comma-separated.
-- Both violation_details and violations fields are set.

Impact:
Remote logging server receives inaccurate message.

Workaround:
None

Fix:
The remote logging message no longer includes the 'violation_details' field in this scenario; the field is included only when it is appropriate.

Fixed Versions:
17.1.1, 16.1.5


987885-6 : Half-open unclean SSL termination might not close the connection properly

Links to More Info: BT987885

Component: Local Traffic Manager

Symptoms:
Upon receiving TCP FIN from the client in the middle of the SSL Application Data, the BIG-IP system does not close the connection on either client- or server-side (i.e., it does not 'forward' the FIN on the server-side as it normally does) causing the connection to go stale until the timeout is reached.

Conditions:
-- TCP and SSL profiles configured on a virtual server.
-- Client terminates the connection in the middle of an SSL record.

Impact:
Connection termination does not happen. Connection remains in the connection table until idle timeout is reached.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1


987341-1 : BIG-IP OpenID Connect Discovery process does not support strong TLS ciphers.

Links to More Info: BT987341

Component: Access Policy Manager

Symptoms:
BIG-IP discovers and updates JSON Web Keys (JWK) in OpenID Connect (OIDC) deployments using a Java Runtime Environment (JRE). The JRE in BIG-IP does not support strong TLS ciphers, so the discovery/update process can fail against OIDC providers that enforce strong encryption requirements.

Conditions:
Using an OpenID Connect provider that allows only strong TLS ciphers, and using an APM configuration that validates incoming JWTs against a dynamic JWK list in Internal Validation Mode.

Impact:
This might cause discovery to fail against certain OpenID Connect auth providers that enforce strong cipher requirements. It could lead to JWT validation failure as the JWKs expire and cannot be updated by BIG-IP.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5


987301-3 : Software install on vCMP guest via block-device may fail with error 'reason unknown'

Links to More Info: BT987301

Component: TMOS

Symptoms:
When installing an engineering hotfix (EHF) on a vCMP guest via block-device, sometimes it fails with 'reason unknown'.

-- /var/log/liveinstall may contain an error similar to:

I/O error : Input/output error
/tmp/lind_util.voCQOs/BIGIP1610/install/fsinfo.xml:1: parser error : Document is empty

-- /var/log/kern.log may contain an error similar to:

Aug 14 14:15:54 bigip1 info kernel: attempt to access beyond end of device
Aug 14 14:15:54 bigip1 info kernel: sr0: rw=0, want=3560560, limit=312712

Conditions:
This might occur after multiple attempts to install an EHF on a vCMP guest via block-device:

 tmsh install sys software block-device-hotfix Hotfix-BIGIP-14.1.2.6.0.77.2-ENG.iso volume HD1.3

Impact:
Sometimes the EHF installation fails on the guest.

Workaround:
-- Retry the software installation.
-- If the software installation continues to fail, copy the ISO images into the vCMP guest, and use those to perform the installation.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


987077-3 : TLS1.3 with client authentication handshake failure

Links to More Info: BT987077

Component: Local Traffic Manager

Symptoms:
SSL handshakes fail, and TLS clients send 'Bad Record MAC' errors.

Conditions:
-- LTM authentication profile using OCSP and TLS1.3.
-- Client application data arrives during LTM client authentication iRule.

Impact:
-- A handshake failure occurs.
-- Client certificate authentication may pass without checking its validity via OCSP.

Workaround:
Use TLS1.2 or use TLS1.3 without the LTM authentication profile.

Fix:
Handshake completes if using TLS1.3 with client authentication and LTM auth profile.

Fixed Versions:
17.0.0, 16.1.3, 15.1.5.1, 14.1.4.6


986937-3 : Cannot create child policy when the signature staging setting is not equal in template and parent policy

Links to More Info: BT986937

Component: Application Security Manager

Symptoms:
When trying to create a child policy, you get an error:

FAILURE: "Could not update the Policy policy1. Inherited values may not be changed."

Conditions:
-- Parent policy created with signature staging disabled.
-- Creating a new child policy with that policy as a parent.

Impact:
You are unable to create the child policy and the system presents an error.

Workaround:
Create the policy without assigning it to the parent, and then assign it to the parent policy on the Inheritance Settings page.

Fix:
The error no longer occurs on child policy creation.

Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4


985953-6 : GRE Transparent Ethernet Bridging inner MAC overwrite

Links to More Info: BT985953

Component: TMOS

Symptoms:
Traffic is not collected by the virtual server and is therefore not forwarded to the nodes.

Conditions:
Encapsulated dest-mac is not equal to the Generic Routing Encapsulation (GRE) tunnel mac-address.

Impact:
Virtual server is not collecting decapsulated packets from the GRE Transparent Bridge tunnel unless the dest-mac of the encapsulated packet is the same as the mac-address of the GRE tunnel.

Workaround:
None

Fix:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.

Set the DB key to 'enable' to cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic:

tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config

This allows virtual servers on the BIG-IP system to process traffic.

Behavior Change:
Added a new DB key 'iptunnel.mac_overwrite'. This DB key defaults to 'disable'.

To cause the BIG-IP system to overwrite the destination MAC of the encapsulated traffic, set the DB key to 'enable' and save the config:

tmsh modify sys db iptunnel.mac_overwrite value enable
tmsh save sys config

This allows virtual servers on the BIG-IP system to process traffic.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


985925-3 : IPv6 Routing Header processing not compatible as per Segments Left value.

Links to More Info: BT985925

Component: Local Traffic Manager

Symptoms:
The BIG-IP system should forward the packet with the routing header unmodified when Segments Left is 0 (zero). It performs as expected when Segments Left is non-zero, dropping the packet and sending an ICMP error.

Conditions:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segments Left field is 0.

Impact:
When the Next Header field in the IP header is Routing Header for IPv6, the BIG-IP system fails to forward the ICMPv6 Echo Request packet to the server; instead, it drops the packet.

Workaround:
None

Fix:
Now the ICMP packet is forwarded with both IPv6 extension headers present.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


985329-2 : Saving UCS takes longer when iControl LX extension is installed

Links to More Info: BT985329

Component: Device Management

Symptoms:
The tmsh command 'save sys ucs' takes longer when iControl LX extensions are installed.

You may also see errors logged in /var/log/restjavad.0.log:

[WARNING][211][date and time UTC][8100/shared/iapp/build-package BuildRpmTaskCollectionWorker] Failed to execute the build command 'rpmbuild -bb --define '_tmppath /shared/tmp' --define 'main /var/config/rest/iapps/f5-service-discovery' --define '_topdir /var/config/rest/node/tmp' '/var/config/rest/node/tmp/ac891731-acb1-4832-b9f0-325e73ed1fd1.spec'', Threw:com.f5.rest.common.CommandExecuteException: Command execution process killed
        at com.f5.rest.common.ShellExecutor.finishExecution(ShellExecutor.java:281)
        at com.f5.rest.common.ShellExecutor.access$000(ShellExecutor.java:33)
        at com.f5.rest.common.ShellExecutor$1.onProcessFailed(ShellExecutor.java:320)
        at org.apache.commons.exec.DefaultExecutor$1.run(DefaultExecutor.java:203)
        at java.lang.Thread.run(Thread.java:748)


Errors logged in /var/log/ltm:

err iAppsLX_save_pre: Failed to get task response within timeout for: /shared/iapp/build-package/a1724a94-fb6b-4b3e-af46-bc982567df8f
err iAppsLX_save_pre: Failed to get getRPM build response within timeout for f5-service-discovery

Conditions:
iControl LX extensions (e.g., AS3, Telemetry) are installed on the BIG-IP system.

Impact:
Saving the UCS file takes a longer time (e.g., ~1-to-2 minutes) than it does if iControl LX extensions are not installed (e.g., ~40 seconds).

Workaround:
None

Fixed Versions:
16.1.5


984965-4 : While intentionally exiting, sshplugin may invoke functions out of sequence and crash

Links to More Info: BT984965

Component: Advanced Firewall Manager

Symptoms:
The sshplugin process used by the AFM module may continually restart and deposit a large number of core-dump files, displaying a SIGSEGV Segmentation fault.

In the file /var/log/sshplugin.start, errors may be logged including these lines:

shmget name:/var/run/tmm.mp.sshplugin18, key:0xeb172db6, size:7, total:789184 : Invalid argument
tm_register failed: Bad file descriptor

Conditions:
-- AFM provisioned and in use.
-- Heavy system load makes problem more likely.

Impact:
-- Extra processing load from relaunching sshplugin processes.
-- The large number of core files might fill up /var/core.

Workaround:
First, attempt a clean process restart:

    # bigstart restart sshplugin

If that is not effective, rebooting the entire system may clear the condition.

Fixed Versions:
16.1.5


984749-1 : Discrepancy between DNS cache statistics "Client Summary" and "Client Cache."

Links to More Info: BT984749

Component: Global Traffic Manager (DNS)

Symptoms:
"show ltm dns cache", shows difference between "Client Summary" and "Client Cache".

Conditions:
Create a resolver type DNS cache, attach to a DNS profile, and attach to a virtual server. Send queries to virtual server. Compare/review result of "show ltm dns cache."

Impact:
Client Cache Hit/Miss Statistics ratio affected.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7


984657 : Sysdb variable not working from tmsh

Links to More Info: BT984657

Component: Traffic Classification Engine

Symptoms:
When the cloud_only system db variable is enabled, urlcat_query returns categorization from webroot from tmsh.

Conditions:
The following sys db variable is enabled: cloud_only

You attempt to run the following command:

tmsh list sys db urlcat_query

Impact:
Sysdb variables do not work from tmsh.

Fix:
After the fix, sysdb variables can be verified from tmsh.

Fixed Versions:
16.1.5, 16.0.1.2, 15.1.4.1


984593-1 : BD crash

Links to More Info: BT984593

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5


984585-3 : IP Reputation option not shown in GUI.

Links to More Info: BT984585

Component: TMOS

Symptoms:
Cannot configure IP Reputation option from the GUI.

Conditions:
Configuring the LTM policy type 'IP Reputation' using the GUI, when the 'IP Intelligence' module is licensed in time-limited modules.

Impact:
The IP Reputation option is not shown in GUI configuration list. Cannot create LTM policies with IP Reputation.

Workaround:
Use tmsh to configure IP Reputation.

Fix:
The IP Reputation option is now shown in the GUI.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1


983073-3 : Certain traffic to ixlv & iavf can cause memory leak.

Links to More Info: K000138833


982785-2 : Guided Configuration hardening

Links to More Info: K52322100


982777-9 : APM hardening

Links to More Info: K21317311, BT982777


982769-12 : Appliance mode hardening

Links to More Info: K68647001, BT982769


982757-3 : APM Access Guided Configuration hardening

Links to More Info: K53197140


982753-2 : Appliance mode hardening

Links to More Info: K68647001, BT982753


982745-5 : Appliance mode hardening

Links to More Info: K68647001, BT982745


982697-7 : ICMP hardening

Links to More Info: K41440465, BT982697


982341-7 : iControl REST endpoint hardening

Links to More Info: K53197140, BT982341


981917-4 : CVE-2020-8286 - cUrl Vulnerability

Links to More Info: K15402727


981069-3 : Reset cause: "Internal error ( requested abort (payload release error))"

Links to More Info: BT981069

Component: Application Security Manager

Symptoms:
An unexpected RST occurs on inbound traffic. The RST cause shows "Internal error ( requested abort (payload release error))"

Conditions:
When all the following conditions are met:
- The system was upgraded to a version where ID910253 is fixed
- TS cookie coming from a previous version
- data guard in non blocking (masking)
- response that is not zipped and has a textual content type

Impact:
Traffic is affected.

Workaround:
Any of the following actions can resolve the issue:

1. Turn off data guard or change it to blocking.
2. Make the server reply with zipped responses (perhaps by adding the accept-encoding: gzip using an iRule).
3. Add an additional response related feature.
4. Use the following iRule if there is no cookie-related enforcement:
when HTTP_REQUEST {
  set cookies [HTTP::cookie names]
  foreach aCookie $cookies {
    if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
      HTTP::cookie remove $aCookie
    }
  }
}

Fix:
Fixed an issue that was triggering resets on traffic.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4


980617-1 : SNAT iRule is not working with HTTP/2 and HTTP Router profiles

Links to More Info: BT980617

Component: Local Traffic Manager

Symptoms:
On HTTP/2 full-proxy virtual servers, the snatpool command in an iRule is accepted but the source address server-side is not changed.

Conditions:
1.) Basic HTTP profile and HTTP/2 profile are configured on BIG-IP systems
2.) iRule with snatpool <pool_name>, snat <IP> is configured

Impact:
Unable to use snatpool (and possibly snat) in iRule to control the server-side source address.

Workaround:
Configure SNAT under the virtual server configuration, rather than in an iRule.

Fixed Versions:
17.0.0, 16.1.1, 15.1.10


979877-9 : CVE-2020-1971 OpenSSL: EDIPARTYNAME NULL pointer de-reference vulnerability description and available information

Links to More Info: K42910051, BT979877


979213-1 : Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.

Links to More Info: BT979213

Component: Local Traffic Manager

Symptoms:
Upon reviewing the performance graphs in the GUI, you may notice significant spikes in the Throughput(bits) and Throughput(packets) graphs.

The spikes may report unrealistically high levels of traffic.

Note: Detailed throughput graphs are not affected by this issue.

Conditions:
This issue occurs when the following conditions are met:

-- The BIG-IP device is a physical system.
-- TMM was restarted on the system.
-- At some point, at least one interface was up on the system and recorded some traffic.

Impact:
This issue is purely cosmetic but might cause concern when reviewing the performance graphs.

Workaround:
None.

Fixed Versions:
17.1.1, 16.1.5, 15.1.10


977761 : Connections are dropped if a certificate is revoked.

Links to More Info: BT977761

Component: Local Traffic Manager

Symptoms:
SSL handshake failures occur when the backend server presents a revoked certificate in a reverse proxy deployment.

Conditions:
1. BIG-IP LTM configured as SSL reverse proxy.
2. revoked-cert-status-response-control set to ignore in the server ssl profile.
3. server certificate authentication set to "require" in the server ssl profile.

Impact:
SSL handshake failures due to a revoked server certificate.

Workaround:
1. Set the server certificate authentication to ignore in the server ssl profile.

Fix:
Added checks to validate the certificate as well as the flags set (ignore/drop) for the revoked certificate.

Fixed Versions:
17.1.0, 16.1.2.2


977153-3 : Packet with routing header IPv6 as next header in IP layer fails to be forwarded

Links to More Info: BT977153

Component: Advanced Firewall Manager

Symptoms:
BIG-IP systems fail to follow RFC 5095, which specifies the traffic should be forwarded.

Conditions:
This symptom is found when the following conditions are met:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.

Impact:
This failure in forwarding ICMP error message prevents the BIG-IP AFM product from completing certification.

Workaround:
None.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


976669-5 : FIPS Integrity check fails for other secondary blades after rebooting/replacing secondary blade

Links to More Info: BT976669

Component: TMOS

Symptoms:
After rebooting or replacing a secondary blade, the FIPS integrity check fails for other secondary blades and they fail to fully boot.

Conditions:
This can occur after rebooting or replacing a secondary blade.

Impact:
When the FIPS integrity checks fail the blades won't fully boot.

Workaround:
On the secondary blade reboot, the following critical files are deleted from other secondary blades which leads to FIPS integrity check failure:

/root/.ssh/authorized_keys
/root/.ssh/known_hosts

To mitigate, copy the missing files from the primary blade to the secondary blade.

From the primary blade, issue the following command towards the secondary blade(s).

rsync -avz -e ssh /root/.ssh/* root@<Secondary Blade>:/root/.ssh/

Fix:
Critical files are not deleted during secondary blade reboot.

Fixed Versions:
17.0.0, 16.1.2.2, 16.1.0, 15.1.5.1, 14.1.4.6


976525-5 : Transparent monitors can have the incorrect source address when snat.hosttraffic is enabled

Links to More Info: BT976525

Component: Local Traffic Manager

Symptoms:
In BIG-IP v13.1.3.2 and later, there is new functionality to SNAT the traffic coming from the host system. When there are multiple routes to a destination address and transparent monitors are in use, tmm occasionally picks the wrong source IP for these connections.

Conditions:
-- The db variable snat.hosttraffic is enabled.
-- Gateway pool with multiple members.
-- Transparent monitors.

Impact:
The system chooses the wrong source IP address for the egress interface. That incorrect source IP address might cause traffic to return on the wrong VLAN.

Workaround:
Use either of the following workarounds:

-- Disable VLAN keyed connections: modify sys db connection.vlankeyed value disable

-- Upgrade to a version with a fix for ID 826905 (https://cdn.f5.com/product/bugtracker/ID826905.html) and disable snat.hosttraffic.

Fix:
Transparent monitors now have the correct source IP addresses when gateway pools are in use and snat.hosttraffic is enabled.

Fixed Versions:
17.0.0, 16.1.4, 15.1.6.1, 14.1.5


976337-2 : i40evf Requested 4 queues, but PF only gave us 16.

Links to More Info: BT976337

Component: TMOS

Symptoms:
During BIG-IP system boot, a message is logged:

i40evf 0000:05:00.0: Requested 4 queues, but PF only gave us 16.

Conditions:
-- BIG-IP Virtual Edition configured for SR-IOV
-- E810 virtual functions (VFs)

Impact:
A message is logged but it is benign and can be ignored.

Fixed Versions:
16.1.2.2, 15.1.5.1


974985-6 : Dosl7/bot does not ignore non-http traffic even when disabled via iRule DOSL7::disable

Links to More Info: BT974985

Component: Application Security Manager

Symptoms:
Non-HTTP traffic isn't forwarded to the backend server.

Conditions:
- ASM provisioned
- DoS Application or Bot Defense profile assigned to a virtual server
- DOSL7::disable applied in when CLIENT_ACCEPTED {}

Impact:
Web applications that use non-HTTP traffic are broken.

Workaround:
Instead of using DOSL7::disable, redirect non-http traffic to non-http aware virtual server using the iRule command virtual <virtual_server_name>

Fix:
Fixed the DOSL7::disable command handler in the tmm code.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


974341-6 : REST API: File upload

Links to More Info: K08402414, BT974341


974241-3 : Creation of access policy with modern customization may lead to failover in a VIPRION or vCMP guest with multiple blades

Links to More Info: BT974241

Component: TMOS

Symptoms:
Mcpd exits with an error similar to:

01070734:3: Configuration error: Configuration from primary failed validation: 010713cf:3: Configuration group '/Common/test1_end_deny_ag' has invalid source '/Common/standard'

Conditions:
1. VIPRION or vCMP guest with multiple blades in a cluster
2. Create an access policy with modern customization enabled

Impact:
Mcpd restarts leading to failover.

Workaround:
Use standard customization and not modern customization.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4


974205-5 : Unconstrained wr_urldbd size causing box to OOM

Links to More Info: BT974205

Component: Traffic Classification Engine

Symptoms:
The wr_urldbd processes' memory grows and can exceed 4 GB. This might cause an out-of-memory (OOM) condition when processing URLCAT requests.

Conditions:
This occurs when processing a large volume of distinct and valid URLCAT requests.

Impact:
The device eventually runs out of memory (OOM condition).

Workaround:
Restart the wr_urldbd process:
 restart sys service wr_urldbd

Fix:
Constrained the cache with Least Recently Used-based caching to prevent this issue from occurring.

Added two sys DB variables:

-- wr_urldbd.cloud_cache.log.level

Value Range:
sys db wr_urldbd.cloud_cache.log.level {
    value "debug"
    default-value "none"
    value-range "debug none"
}

-- wr_urldbd.cloud_cache.limit

Value Range:
sys db wr_urldbd.cloud_cache.limit {
    value "5500000"
    default-value "5500000"
    value-range "integer min:5000000 max:10000000"
}

Note: Both of these variables are introduced for debugging purposes.

Fixed Versions:
17.1.0, 16.1.4, 15.1.4, 14.1.4.4, 12.1.6


973409-6 : CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference

Links to More Info: K42910051, BT973409


972545-7 : iApps LX does not follow best practices in appliance mode

Links to More Info: K91054692, BT972545


972517-7 : Appliance mode hardening

Links to More Info: K41072952, BT972517


972489-7 : BIG-IP Appliance Mode iControl hardening

Links to More Info: K11010341, BT972489


970329-1 : ASM hardening

Links to More Info: K70134152, BT970329

Component: Application Security Manager

Symptoms:
Under certain conditions, ASM does not follow current best practices.

Conditions:
- ASM provisioned

Impact:
Attack detection is not triggered as expected

Workaround:
N/A

Fix:
Attack detection is now triggered as expected

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


969345-1 : Temporary TMSH files not always removed after session termination

Links to More Info: BT969345

Component: TMOS

Symptoms:
Temporary TMSH-related subdirectories and files located in /var/system/tmp/tmsh may not be properly cleaned up after a TMSH session is terminated. These files can accumulate and eventually cause disk-space issues.

Conditions:
A TMSH session is terminated abruptly rather than ended gracefully.

Impact:
The /var filesystem may fill up, causing any of a variety of problems as file-I/O operations fail for various software subsystems.

Workaround:
The BIG-IP software includes a shell script (/usr/local/bin/clean_tmsh_tmp_dirs) which can be run by the system administrator to clean up excess temporary files in the directories /var/tmp/tmsh and /var/system/tmp/tmsh.

Fixed Versions:
16.1.5


969317-4 : "Restrict to Single Client IP" option is ignored for vmware VDI

Links to More Info: BT969317

Component: Access Policy Manager

Symptoms:
The Restrict to Single Client IP option in the Access Policy is not being honored for VMware VDI.

Conditions:
- Configure APM Webtop with VMware VDI.
- Set the "Restrict to Single Client IP" option in the Access Profile.
- Try to launch a VMware desktop on one client. Copy the launch URI.
- Try to launch the VMware desktop from another client using the copied URI.

Impact:
A connection from the second client is allowed, but it should not be allowed.

Fix:
Restrict to Single Client IP is honored for VMware VDI for both PCOIP and Blast protocols.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.4.1, 14.1.4.5


969297 : Virtual IP configured on a system with SelfIP on vwire becomes unresponsive

Links to More Info: BT969297

Component: SSL Orchestrator

Symptoms:
Virtual IP ARP does not get resolved when a SelfIP is configured on a virtual-wire.

Conditions:
Issue happens when a SelfIP address is configured and a Virtual IP address is configured for a Virtual Server.

Impact:
The virtual server is unreachable.

Workaround:
None

Fix:
ARP forwarding to the peer is decided based on whether a Virtual IP and a self-IP are configured.

Fixed Versions:
16.1.2.2


968929-2 : TMM may crash when resetting a connection on an APM virtual server

Links to More Info: BT968929

Component: Local Traffic Manager

Symptoms:
TMM crashes.

Conditions:
- HTTP profile without fallback host.
- iRules.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Configure a fallback host in the HTTP profile that redirects the request to a specified location.

Fixed Versions:
17.0.0, 16.1.2.2


968893-3 : TMM crash when processing APM traffic

Links to More Info: K93526903, BT968893


968657-1 : Added support for IMDSv2 on AWS

Links to More Info: BT968657

Component: TMOS

Symptoms:
AWS added a token-based Instance MetaData Service API (IMDSv2). Prior versions of BIG-IP Virtual Edition supported only a request/response method (IMDSv1). When an AWS instance is started with IMDSv2, you receive the following error message:

get_dossier call on the command line fails with:
        01170003:3: halGetDossier returned error (1): Dossier generation failed.

This latest version of BIG-IP Virtual Edition now supports instances started with IMDSv2.

Conditions:
AWS instances started with IMDSv2.

Impact:
BIG-IP Virtual Edition cannot license or re-license AWS instances started with IMDSv2 and other metadata-based functionality will not function.

Fix:
With the latest version of BIG-IP VE, you can now initialize "IMDSv2 only" instances in AWS and migrate your existing instances to "IMDSv2 only" using aws-cli commands. For details, consult documentation: https://clouddocs.f5.com/cloud/public/v1/shared/aws-ha-IAM.html#check-the-metadata-service-for-iam-role
 
IMDSv2 documentation from AWS: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1


968581-4 : TMSH option max-response for "show /ltm profile ramcache" command may not comply with its description

Links to More Info: BT968581

Component: Local Traffic Manager

Symptoms:
The TMSH command "show /ltm profile ramcache" has a max-response option that limits the output to the number of records given in this parameter. Due to the calculation algorithm, the command may output fewer records than RAMCACHE stores or more records than the limit prescribes.

Conditions:
-- A virtual server is configured on BIG-IP.
-- A webacceleration profile with no web application is attached to the virtual server.
-- Traffic is sent over the virtual server with a number of unique cacheable documents that exceed a designated limit.

Impact:
The output of the command may not match the actual list of documents stored in RAMCACHE.

Fix:
The command "show /ltm /profile ramcache" respects the limit defined by the "max-response" parameter.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5


967905-5 : Attaching a static bandwidth controller to a virtual server chain can cause tmm to crash

Links to More Info: BT967905

Component: TMOS

Symptoms:
Tmm crashes.

Conditions:
-- static bwc
-- virtual to virtual chain

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not use the static bwc on a virtual chain.

Fix:
Fixed a tmm crash.

Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.3, 13.1.4.1


967101-1 : When all of the interfaces in the trunk are brought up, Gratuitous ARP is not being sent out.

Links to More Info: BT967101

Component: Local Traffic Manager

Symptoms:
Gratuitous ARP (GARP) messages are dropped at the time of sending GARP because the number of links up in the trunk is 0 (which returns "error 18" ... ERR_NOT_FOUND)

Conditions:
-- Two BIG-IP systems with switchless configuration, such as i2xxx and i4xxx.
-- Bring down and up the interfaces at the same time in the trunk.

Impact:
The neighboring device's ARP table is not updated with the BIG-IP interface status, because no gratuitous ARP message is sent out.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


966949-6 : Multiple FQDN ephemeral nodes not deleted upon deleting FQDN template node

Links to More Info: BT966949

Component: TMOS

Symptoms:
If an FQDN template node is configured with "autopopulate enabled" and the FQDN name resolves to multiple IP addresses, multiple FQDN ephemeral nodes will be created.
If the FQDN template node is then deleted, the associated FQDN ephemeral nodes (sharing the same FQDN name) will not be deleted as expected.

Conditions:
This may occur under the following conditions:
-- An FQDN template node is configured with "autopopulate enabled"
-- The configured DNS server resolves the FQDN name to multiple IP addresses
-- You are running an Affected Version of BIG-IP, or an Engineering Hotfix based on a non-Affected Version of BIG-IP which contains a fix for ID 722230

This issue does not occur if only one FQDN ephemeral node is created for the associated FQDN template node.

Impact:
Unused FQDN ephemeral nodes may remain in the active configuration.
-- Since it is not possible to delete an FQDN template node if there are any FQDN template pool members referring to that node, it is not possible for any FQDN ephemeral pool members to remain when the steps that lead to this issue occur.
-- Since traffic can only be passed to FQDN ephemeral pool members, the existence of the unused FQDN ephemeral nodes does not lead to traffic being passed to such nodes.

Workaround:
It is possible to work around this issue by one of the following methods:
-- Manually deleting the remaining FQDN ephemeral nodes using the "tmsh" command-line interface (CLI)
(Note that this is normally not possible. It is possible to manually delete an FQDN ephemeral node only if the corresponding FQDN template node no longer exists.)
-- Restarting BIG-IP (for example, using the command "bigstart restart")

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


966541-1 : Improper data logged in plaintext

Links to More Info: K06110200, BT966541


966461-7 : Tmm memory leak

Links to More Info: BT966461

Component: Global Traffic Manager (DNS)

Symptoms:
Tmm leaks memory for DNSSEC requests.

Conditions:
NetHSM is configured but disconnected.

or

Internal FIPS card is configured and tmm receives more DNSSEC requests than the FIPS card is capable of handling.

Impact:
Tmm memory utilization increases over time.

Workaround:
None

Fix:
A new DB variable dnssec.fipswaitingqueuecap is introduced to configure the capacity of the FIPS card.

You can throttle the incoming DNSSEC requests based on the count of outstanding DNSSEC requests in netHSM/Internal FIPS queue.

tmsh modify sys db dnssec.fipswaitingqueuecap value <value>
This value sets the capacity per tmm process.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


965897-4 : Disruption of mcpd with a segmentation fault during config sync

Links to More Info: BT965897

Component: Local Traffic Manager

Symptoms:
The mcpd process on the peer device fails with a segfault, restarts, and then segfaults again in a loop.

Numerous messages may be logged in the "daemon" logfile of the following type:

emerg logger[2020]: Re-starting mcpd

Conditions:
-- High availability (HA) configuration
-- A port-and-address list configuration is changed to be only an address list
-- A config sync occurs

Impact:
Continuous restarts of mcpd process on the peer device.

Workaround:
One possible measure for getting the peer-machine "mcpd" out of its failure mode is to command the still-functioning system to push a "full" config sync to the appropriate device group. Doing this twice consecutively may be necessary.

  # tmsh run /cm config-sync force-full-load-push to-group APPROPRIATE-DEVICE-GROUP

Fixed Versions:
17.1.1, 16.1.5, 15.1.10


965853-6 : IM package file hardening

Links to More Info: K08510472, BT965853


965837-4 : When BIG-IP is configured with PingAccess profile, tmm can core when there is an active connection

Links to More Info: BT965837

Component: Access Policy Manager

Symptoms:
When BIG-IP is configured with a PingAccess profile and an SSL profile is associated with both the BIG-IP virtual server and a ping access configuration, an active connection to the virtual server may lead to a TMM crash.

Conditions:
-- SSL is configured on both the BIG-IP virtual server that contains the ping access profile and ping access configuration.
-- Active connection to the BIG-IP virtual server
-- Config sync is triggered or "tmsh load sys config" is triggered

Impact:
Traffic disrupted while tmm restarts.

Workaround:
No workaround.

Fix:
Fixed a TMM crash related to ping access.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


965785-4 : Active/Standby sync process fails to populate table DCC.HSL_DATA_PROFILES on standby machine

Links to More Info: BT965785

Component: Application Security Manager

Symptoms:
The DCC.HSL_DATA_PROFILES table on the standby machine stays empty after the sync process. An error for a DB insert failure into table DCC.HSL_DATA_PROFILES is logged in asm_config_server.log.

Conditions:
There is no specific condition; the problem occurs rarely.

Impact:
The sync process requires an additional ASM restart.

Workaround:
Restart ASM after the sync process finishes.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


965229-5 : ASM Load hangs after upgrade

Links to More Info: BT965229

Component: Application Security Manager

Symptoms:
ASM upgrade hangs, and you see the following in /var/log/ts/asm_start.log:
-------------------------
asm_start|DEBUG|Nov 15 07:04:41.751|25365|F5::ConfigSync::restore_active_policies,,Restoring active policy - policy /Common/my_portal (id = 603)
... END OF FILE ...
-------------------------

In /var/log/asm:
-----------------------------
2020-11-15T06:01:23+00:00 localhost notice boot_marker : ---===[ HD1.cm6250 - BIG-IP 13.1.3.4 Build 0.255.5 <HD1.cm6250> ]===---
 info set_ibdata1_size.pl[20499]: Setting ibdata1 size finished successfully, a new size is: 9216M
 info tsconfig.pl[24675]: ASM initial configration script launched
 info tsconfig.pl[24675]: ASM initial configration script finished
 info asm_start[25365]: ASM config loaded
 err asm_tables_dump.pl[31430]: gave up waiting for ASM to start, please try again later
-----------------------------

Conditions:
-- ASM provisioned
-- 600 or more security policies
-- Performing an upgrade

Impact:
ASM post upgrade config load hangs and there are no logs or errors

Workaround:
None

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


964625-5 : Improper processing of firewall-rule metadata

Links to More Info: BT964625

Component: Advanced Firewall Manager

Symptoms:
The 'mcpd' process may suffer a failure and be restarted.

Conditions:
Adding very large firewall-policy rules, whether manually, or from config-sync, or from BIG-IQ.

Impact:
-- MCPD crashes, which disrupts both control-plane and data-plane processing while services restart.
-- Inability to configure firewall policy.

Workaround:
Reduce the number of firewall policy rules.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


964533-2 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.

Links to More Info: BT964533

Component: TMOS

Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.

Conditions:
If a session is deleted before all the session db callback events are handled, this error can occur while passing normal traffic.

Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.

There is no impact other than additional log entries.

Workaround:
None.

Fix:
Log level has been changed so this issue no longer occurs.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


964489-7 : Protocol Inspection IM package hardening

Links to More Info: K08510472, BT964489


964125-6 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.

Links to More Info: BT964125

Component: TMOS

Symptoms:
Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes.

There is more than one avenue through which node statistics can be queried.

The BIG-IP Dashboard for LTM from the GUI is one example.

Conditions:
Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics.

Impact:
Mcpd restarts, which causes services to fail over. Traffic and configuration disrupted while mcpd restarts.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


963625-3 : Appliance mode hardening

Links to More Info: K68647001, BT963625


963541-1 : Net-snmp5.8 crash

Links to More Info: BT963541

Component: TMOS

Symptoms:
Snmpd crashes.

Conditions:
This does not always occur, but it may occur after a subagent (bgpd) is disconnected.

Impact:
Snmpd crashes.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1


962589-4 : Full Sync Requests Caused By Failed Relayed Call to delete_suggestion

Links to More Info: BT962589

Component: Application Security Manager

Symptoms:
When using parent policies with learning enabled in an auto-sync device group, in some use cases deleting an ignored suggestion on a parent policy will cause a full sync to occur.
This can cause unexpected delays in configuration being synchronized between peers, and in the event of repeated instances in quick succession could fill the /var partition.

Conditions:
1) Device Group with ASM and auto-sync enabled
2) Parent Policies with learning are in use.
3) Ignored Suggestions are deleted on the parent policy after they have 0 suggesting children left.

Impact:
ASM configuration requests a full sync which can cause unexpected slowness in config synchronization and may fill the /var partition if done multiple times in quick succession.
A full /var partition can lead to bd cores.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4


962177-6 : Results of POLICY::names and POLICY::rules commands may be incorrect

Links to More Info: BT962177

Component: Local Traffic Manager

Symptoms:
When a traffic policy is applied to a virtual server, the iRule commands POLICY::names and POLICY::rules return incorrect results.

Conditions:
-- BIG-IP has a virtual server with one or more traffic policies having more than one rule.
-- An iRule with POLICY::names and/or POLICY::rules is applied to virtual server to run on multiple transactions over the same connection.

Impact:
Traffic processing may not provide expected results.

Fix:
POLICY::names and POLICY::rules provide atomic results per transaction going over the same connection.

Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4, 13.1.4.1


961509-5 : ASM blocks WebSocket frames with signature matched but Transparent policy

Links to More Info: BT961509

Component: Application Security Manager

Symptoms:
WebSocket frames receive a close frame

Conditions:
-- ASM provisioned
-- ASM policy attached to a virtual server
-- WebSocket profile attached to a virtual server
-- ASM policy transparent mode enabled

Impact:
WebSocket frame blocked in transparent mode

Workaround:
Change signatures blocking settings to Learn = Yes, Alarm = Yes, Block = No

Fix:
WebSocket frame blocking condition now takes into account global transparent mode setting.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


960677-1 : Improvement in handling accelerated TLS traffic

Links to More Info: BT960677

Component: Local Traffic Manager

Symptoms:
Rare aborted TLS connections.

Conditions:
None

Impact:
Certain rare traffic patterns may cause TMM to abort some accelerated TLS connections.

Workaround:
None

Fix:
These connections are no longer aborted and complete normally.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


959985-3 : Update VMware hardware version templates for BIG-IP Virtual Edition (VE) from v10 to v13 in order to support VMs deployed in more versions of vSphere ESXi.

Links to More Info: BT959985

Component: TMOS

Symptoms:
The virtual hardware version setting for BIG-IP VE VMware templates (virtualHW.version) is set to version 10 and must change to version 13, so that more versions of vSphere ESXi (for example, ESXi v6.0 and later) can support deploying BIG-IP Virtual Edition.

Conditions:
Using BIG-IP Virtual Edition VMware hardware templates set to v10 running in most later versions of VMware ESXi.

Impact:
BIG-IP Virtual Edition VMware hardware templates result in performance issues and deployment errors/failures.

Workaround:
None

Fix:
Changed the BIG-IP Virtual Edition VMware hardware template version setting (virtualHW.version) to 13 and deployed them successfully using later versions of VMware ESXi.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1


959609-4 : Autodiscd daemon keeps crashing

Links to More Info: BT959609

Component: Advanced Firewall Manager

Symptoms:
Autodiscd daemon keeps crashing.

Conditions:
The issue occurs when high-speed logging and auto discovery are configured and traffic is sent.

Impact:
The auto discovery feature does not work as expected.

Workaround:
None.

Fix:
Auto discovery feature now works as expected.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1


959153-3 : Appliance mode hardening

Links to More Info: K68647001, BT959153


957905-1 : SIP Requests / Responses over TCP without content_length header are not aborted by BIG-IP.

Links to More Info: BT957905

Component: Service Provider

Symptoms:
SIP Requests that don't contain a content_length header are accepted and forwarded by the BIG-IP to the server.

SIP Responses that don't contain a content_length header are accepted and forwarded to the client.

The sipmsg parser does not treat the content_length header as a required header of the SIP Request / Response.

Conditions:
SIP request / response without content_length header.

Impact:
RFC 6731 non compliance.

Workaround:
N/A

Fix:
BIG-IP now aborts the connection of any TCP SIP request / response that does not contain a content_length header.

content_length header is treated as optional for UDP and SCTP.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5
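
The rule this fix describes, as an added example that is not F5's code: a framing check that aborts a SIP message received over TCP when it carries no Content-Length header (written content_length above) and treats the header as optional for UDP and SCTP. The function names, decision strings and sample messages are constructed for illustration; rejecting conflicting or non-numeric values and waiting for the rest of a short TCP body are assumptions that go beyond what this entry states.

```python
import re

STREAM = {"tcp"}            # Content-Length required here, per the fix above
DATAGRAM = {"udp", "sctp"}  # Content-Length optional here


def parse_headers(head: bytes) -> dict:
    """Return {lowercased header name: [values]} for a SIP header block."""
    text = head.decode("utf-8", errors="replace")
    # A line that starts with a space or tab continues the previous header.
    text = re.sub(r"\r\n[ \t]+", " ", text)
    headers = {}
    for line in text.split("\r\n")[1:]:      # skip the request/status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        if name == "l":                       # compact form of Content-Length
            name = "content-length"
        headers.setdefault(name, []).append(value.strip())
    return headers


def frame_decision(raw: bytes, transport: str):
    """Return (decision, reason); decision is forward, abort or need_more_data."""
    transport = transport.lower()
    if transport not in STREAM | DATAGRAM:
        raise ValueError(f"unsupported transport: {transport}")
    stream = transport in STREAM

    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        # A stream may still deliver the rest; a datagram is all there is.
        return ("need_more_data" if stream else "abort",
                "header block not terminated")

    values = parse_headers(head).get("content-length", [])
    if not values:
        if stream:
            return "abort", "no Content-Length on a stream transport"
        return "forward", "no Content-Length; body is the rest of the datagram"

    # Assumption: conflicting or malformed lengths make the framing ambiguous.
    if len(set(values)) > 1 or not re.fullmatch(r"[0-9]+", values[0]):
        return "abort", "conflicting or non-numeric Content-Length"

    declared = int(values[0])
    if len(body) < declared:
        return ("need_more_data" if stream else "abort",
                f"body has {len(body)} of {declared} declared bytes")
    return "forward", f"{declared}-byte body"


# Constructed sample messages (not captured traffic).
_HEAD = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/TCP client.example.com;branch=z9hG4bKconstructed\r\n"
    b"Call-ID: constructed-1@client.example.com\r\n"
    b"CSeq: 1 INVITE\r\n"
)
NO_LENGTH = _HEAD + b"\r\n"
WITH_LENGTH = _HEAD + b"Content-Length: 5\r\n\r\nv=0\r\n"
COMPACT = _HEAD + b"l: 0\r\n\r\n"
SHORT_BODY = _HEAD + b"Content-Length: 10\r\n\r\nv=0\r\n"
CONFLICT = _HEAD + b"Content-Length: 0\r\nContent-Length: 5\r\n\r\nv=0\r\n"

if __name__ == "__main__":
    samples = [("NO_LENGTH", NO_LENGTH), ("WITH_LENGTH", WITH_LENGTH),
               ("COMPACT", COMPACT), ("SHORT_BODY", SHORT_BODY),
               ("CONFLICT", CONFLICT)]
    for label, msg in samples:
        for transport in ("tcp", "udp", "sctp"):
            decision, reason = frame_decision(msg, transport)
            print(f"{label:12} {transport:5} {decision:15} {reason}")
```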


957637-1 : The pfmand daemon can crash when it starts.

Links to More Info: BT957637

Component: TMOS

Symptoms:
The pfmand process crashes and writes out a core file during bootup (or if the process is manually restarted by an Administrator for any reason) on certain platforms.

The crash may happen more than once, until the process finally settles and is able to start correctly.

Conditions:
-- Platforms i4000/i2000/i4800/i2800/i4600/i2600/i850.

Impact:
Network connection lost while pfmand restarts.

Workaround:
None

Fix:
The issue causing the pfmand daemon to occasionally crash has been resolved.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7, 14.1.5.1


957453-1 : Javascript parser incompatible with ECMAScript 6/7+ javascript versions

Links to More Info: BT957453

Component: Access Policy Manager

Symptoms:
A web application failed to function on the client side.

Conditions:
-- APM proxying a web application.
-- Web application uses ES6/7 or higher javascript.

Impact:
The web application failed to function.

Workaround:
None

Fix:
The fix is implemented in two steps:

STEP 1:
The initial implementation with bug ID 592353 added support for Javascript ECMA6/7+. Optional internal wrapping is added into client-side includes.

With this fix, a custom iRule workaround can be applied to fix a limited set of possible cases.
 
STEP 2:
With bug ID 957453, the implementation of the light rewriter on the server side is also completed.

No iRule workaround is required to support ES6/7+ javascript versions after the implementation of bug ID 957453.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


956645-4 : Per-request policy execution may timeout.

Links to More Info: BT956645

Component: Access Policy Manager

Symptoms:
When attempting to access a resource that requires subsession validation, the client may receive an HTTP 503 "Service Unavailable" response, and the logs indicate that per-request policy execution time has expired.

Conditions:
Multiple connections are accessing the same subsession, triggering subsession lock contention.

Impact:
Some clients will fail to connect to their destination.

Workaround:
Add criteria to the gating criteria to enable more fine-grained subroutines to reduce subsession contention. For example, add category, or application name, to the gating criteria. In the case of API protection, consider concatenating credentials with the resource hostname (plus port).

Increase the per-request policy execution timeout value, controlled by the variable tmm.access.prp_global_timeout, to a higher value.

Fix:
Subsession lock contention wait time is reduced. Clients will not fail to connect due to subsession lock contention.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9, 14.1.4.5


956373-4 : ASM sync files not cleaned up immediately after processing

Links to More Info: BT956373

Component: Application Security Manager

Symptoms:
Some ASM sync files remain on disk after config sync finishes. They remain until periodic clean-up tasks activate.

Conditions:
-- ASM provisioned
-- BIG-IP devices are in a sync group
-- Relatively small "/var" partition

Impact:
If the files are large, this may lead to a "lack of disk space" problem.

Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.3, 14.1.4.1


956133-2 : MAC address might be displayed as 'none' after upgrading.

Links to More Info: BT956133

Component: Local Traffic Manager

Symptoms:
The MAC Address of a BIG-IP Virtual Edition network interface is displayed as 'none' after upgrading.

Conditions:
1. The VLAN MTU is set to less than 1280 bytes on a BIG-IP network interface.
2. Upgrade BIG-IP to 14.1.0 or above from BIG-IP versions below 14.1.0.

Impact:
Traffic disrupted when the MAC address is set to 'none'.

Workaround:
N/A

Fix:
IPv6 link-local addresses are now created with MTU greater than 1280, so this issue is resolved.

Fixed Versions:
17.0.0, 16.1.4, 15.1.4, 14.1.4.4


956013-4 : System reports {{validation_errors}}

Links to More Info: BT956013

Component: Policy Enforcement Manager

Symptoms:
{{validation_errors}} is displayed at Subscriber Management :: Control Plane Listeners and Data Plane Listeners with IPv6 addresses.

Conditions:
Specifying an IPv6 address in the expression in Subscriber Management :: Control Plane Listeners and Policy Enforcement :: Data Plane Listeners.

Impact:
Cannot access the BIG-IP GUI through IPv6 address from any web browser. Admin/User cannot enter input through GUI.

Workaround:
None.

Fixed Versions:
16.1.2.1, 15.1.5, 14.1.4.5


955953-5 : iRule command 'table' fails to resume when used with Diameter 'irule_scope_msg'

Links to More Info: BT955953

Component: TMOS

Symptoms:
The 'table' command fails to resume, which halts traffic processing, because 'irule_scope_msg' causes iRule processing to proceed in a way that 'table' does not expect.

Conditions:
- iRule using 'table' command
- Diameter 'irule_scope_msg' enabled

Impact:
Traffic processing halts (no crash)

Fixed Versions:
17.0.0, 16.1.5, 15.1.10


955617-8 : Cannot modify properties of a monitor that is already in use by a pool

Links to More Info: BT955617

Component: Local Traffic Manager

Symptoms:
If the monitor is associated with a node or pool, modifying monitor properties other than the destination address displays an incorrect error. For example, modifying the receive string results in the following error:

0107082c:3: Cannot modify the destination address of monitor /Common/my_monitor

This error should only be generated if the destination address of an associated monitor is being modified, but this error message is generated when other parameters are modified.

Conditions:
-- Monitor with alias address field as default properties.
-- Pool containing a node or pool member.
-- Monitor is attached to the pool.

Impact:
Monitor properties cannot be modified if they are in use by a pool.

Workaround:
Remove the monitor, modify it, and then add it again.

Fix:
Monitor properties can be modified even when the monitor is attached to the node or pool, and the updated values are reflected in the node or pool.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


954425-4 : Hardening of Live-Update

Links to More Info: K61112120, BT954425


954001-7 : REST File Upload hardening

Component: Device Management

Symptoms:
REST file upload does not follow best security practices.

Conditions:
N/A

Impact:
N/A

Workaround:
Only upload trusted files to the BIG-IP.

Fix:
REST file uploads now follow best security practices.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


953601-4 : HTTPS monitors marking pool member offline when restrictive ciphers are configured for all TLS protocol versions

Links to More Info: BT953601

Component: Local Traffic Manager

Symptoms:
HTTPS monitor marks pool member/nodes as down and they remain down until bigd is restarted or the monitor instance is removed and created again.

Conditions:
BIG-IP is configured with restrictive ciphers that are only compatible with TLS 1.2 (ECDH+AESGCM) but all of the TLS protocol versions are allowed. When the HTTPS monitor's TLS 1.0 handshake fails due to ciphers that are incompatible with the server being monitored, the monitor does not try TLS 1.2 and marks pool members or nodes as down.

Impact:
HTTPS monitor shows pool members or nodes down when they are up.

Workaround:
Restart bigd or remove and add monitors.

Fix:
In case of handshake failure, BIG-IP will try TLS 1.2 version.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


952521-1 : Memory allocation error while creating an address list with a large range of IPv6 addresses

Links to More Info: BT952521

Component: Advanced Firewall Manager

Symptoms:
When trying to create a large IPv6 address-list IP range either via the GUI, tmsh, or from loading a previously saved config, MCPd will temporarily experience memory exhaustion and report an error "01070711:3: Caught runtime exception, std::bad_alloc"

Conditions:
When adding an IPv6 address range that contains a very large number of IPs. This does not affect IPv4.

Impact:
The IP address range cannot be entered. If upgrading from a non-affected version of TMOS where an IP range of this type has been saved to the config, a std::bad_alloc error will be printed when loading the config after upgrading.

Workaround:
Use CIDR notation or multiple, smaller IP ranges.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


951257-5 : FTP active data channels are not established

Links to More Info: K82034427, BT951257


951133-4 : Live Update does not work properly after upgrade

Links to More Info: BT951133

Component: Application Security Manager

Symptoms:
After upgrading the BIG-IP version, the Live Update "Check for Update" button does not respond.

Conditions:
Upgrading from a version that did not have Live Update to a new version which includes Live Update

Impact:
Live Update can't query for new updates.

Workaround:
Restart tomcat process:
> bigstart restart tomcat

Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.4


950917-4 : Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034

Links to More Info: BT950917

Component: Application Security Manager

Symptoms:
Following Signature Update (-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:

01310027:2: subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )

Conditions:
Signature Update -SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.

Impact:
Apply policy fails.

Workaround:
You can use any of the following workarounds:

-- Install an older signature update -SignatureFile_20200917_175034

-- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.

-- Run the following SQL command to correct all affected policies on the device:
----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs INNER JOIN (select previous_enforced_rule_md5, policy_id, count(*) as mycount from PL_POLICY_NEGSIG_SIGNATURES where previous_enforced_rule_md5 != '' group by previous_enforced_rule_md5, policy_id having mycount > 1) as multi_sigs on policy_sigs.policy_id = multi_sigs.policy_id and policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5 SET policy_sigs.previous_enforced_rule_md5 = '', policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------

Fixed Versions:
17.0.0, 16.1.4, 15.1.4, 14.1.4.2, 13.1.4.1


950605-6 : Openssh insecure client negotiation CVE-2020-14145

Links to More Info: K48050136, BT950605


950201-3 : Tmm core on GCP

Links to More Info: BT950201

Component: TMOS

Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.

TMM panics with this message in a tmm log file:

panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.

Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) are enabled on the guest with direct descriptors.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following workarounds:

-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141

-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.


Note: Using either workaround has a performance impact.

Fix:
- Added error handling to prevent crashing when a bad packet gets received
- Added a new column 'invalid_header' into tmm/virtio_rx_stats table to track incidents

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


950153-3 : LDAP remote authentication fails when empty attribute is returned

Links to More Info: BT950153

Component: TMOS

Symptoms:
LDAP/AD Remote authentication fails and the authenticating service may crash.

The failure might be intermittent.

Conditions:
The LDAP/AD server SearchResEntry includes an attribute with an empty or NULL value.

This can be seen in a tcpdump of the LDAP communication in the following ways:

1. No value for the attribute. Example in a tcpdump taken on an affected user:

vals: 1 item
    AttributeValue:

2. NULL value for the attribute. Example in a tcpdump taken on an affected user:

vals: 1 item
    AttributeValue: 00

Impact:
Logging in via the GUI fails silently.
Logging in via SSH causes the sshd service on LTM to crash, and logs appear in /var/log/kern.log.

The logs will be similar to:

info kernel: : [460810.000004] sshd[31600]: segfault at 0 ip 00002b3abcb2ef3e sp 00007fffef3431a0 error 4 in pam_ldap.so[2b3abcb2c000+7000]
info kernel: : [460810.002036] traps: sshd[31598] general protection ip:fffffffffffffff3 sp:80000 error:0

Workaround:
There is no workaround on the LTM side.

On the LDAP side, change or add the value of the affected attribute from none/NULL to any dummy value, which prevents the issue.

Fixed Versions:
17.1.1, 16.1.5, 15.1.10


950149 : Add configuration to ccmode for compliance with the Common Criteria STIP PPM.

Links to More Info: BT950149

Component: TMOS

Symptoms:
To comply with configuration requirements for the Common Criteria STIP PPM, the ccmode script must be updated.

Conditions:
Required compliance with Common Criteria STIP PPM configuration.

Impact:
Without these updates, the BIG-IP will not be compliant with the Common Criteria STIP requirements.

Workaround:
Follow the instructions in the Common Criteria Guidance document.

Fix:
This fix added configuration elements for compliance to Common Criteria STIP PPM requirements.

Fixed Versions:
17.0.0, 16.1.3


950069-1 : Zonerunner can't edit TXT records containing a + symbol - "Resolver returned no such record"

Links to More Info: BT950069

Component: Global Traffic Manager (DNS)

Symptoms:
When attempting to use zonerunner to edit a TXT record that contains a plus character, BIG-IP DNS presents the error message 'Resolver returned no such record'.

Conditions:
A TXT record exists with RDATA (the value of the TXT record) containing one or more + symbols

Impact:
Unable to edit the record.

Workaround:
Two workarounds are available:

1. Use zonerunner to delete the record and then recreate it with the desired RDATA value

2. Manually edit the bind zone file (see K7032)

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1


949857-7 : Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync

Links to More Info: K32544615, BT949857


948985-3 : Workaround to address Nitrox 3 compression engine hang

Links to More Info: BT948985

Component: Local Traffic Manager

Symptoms:
Occasionally the Nitrox3 compression engine hangs.

In /var/log/ltm:
 
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Nitrox 3, Hang Detected: compression device was reset (pci 02:00.1, discarded 1).
crit tmm[12404]: 01010025:2: Device error: n3-compress0 Zip engine ctx eviction (comp_code=0): ctx dropped.

Conditions:
The BIG-IP system uses Nitrox 3 hardware compression chips: 5xxx, 7xxx, 12250, and B2250.

You can check if your platform has nitrox3 by running the following command:

tmctl -w 200 compress -s provider

provider
--------
bzip2
lzo
nitrox3 <--------
zlib

Impact:
The Nitrox3 hardware compression system becomes unavailable, and the compression mode switches to software compression. This can lead to high CPU usage.

Workaround:
Disable HTTP compression or use software compression.

Fix:
Added db key compression.nitrox3.dispatchsize to control the request size.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1


948725-7 : An undisclosed iControl REST endpoint may provide a list of usernames to unauthorized users

Links to More Info: K10438187, BT948725


948241-4 : Count Stateful anomalies based only on Device ID

Links to More Info: BT948241

Component: Application Security Manager

Symptoms:
Currently when Device ID is enabled, the BIG-IP system counts stateful anomalies on both IP and Device ID. When a client has a proxy (without XFF), and many requests arrive with the same IP, this can cause false positives

Conditions:
- Bot Defense profile is attached to a virtual server.
- Bot Defense profile has "Browser Verification" set to "Verify After Access" or "Device ID Mode" set to "Generate After Access".

Impact:
False positives may occur in case of a proxy without XFF

Workaround:
None

Fix:
Stateful anomalies are no longer counted on IP when Device ID is enabled

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


948113-1 : User-defined report scheduling fails

Links to More Info: BT948113

Component: Application Visibility and Reporting

Symptoms:
A scheduled report fails to be sent.

An error message with the following format may appear in the /var/log/avr/monpd.log file (some parts of the error message are replaced with '.....' here to leave only the common parts):
     DB|ERROR|....... Error (err-code 1054) executing SQL string :
.....
.....
.....
 Because : Unknown column ....... in 'order clause'

Conditions:
1. Using predefined-report in scheduled-report.
2. Predefined-report has more than one measure.
3. Sort-by value is different from the first measure on predefined-report

Impact:
Internal error for AVR report for ASM pre-defined.

Workaround:
First, remount /usr to read-write:
mount -o remount,rw /usr

Next, open file /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm and change the following line:
push(@measures,@{$base_request->{measures}}[0]);
to this:
push(@measures,@{$base_request->{sort_by}}[0]->{measure});

The above can be achieved with the following script line (first back up the Client.pm file, then verify that the change was applied correctly):
sed -i 's/push(@measures,@{\$base_request->{measures}}\[0\])/push(@measures,@{$base_request->{sort_by}}[0]->{measure})/' /usr/share/perl5/vendor_perl/F5/AVReporter/Client.pm

Lastly, remount /usr back to read-only:
mount -o remount,ro /usr

Fix:
Using 'sort-by' measure when building PDF (instead of the first value on measure-list)

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


948065-1 : DNS Responses egress with an incorrect source IP address.

Links to More Info: BT948065

Component: Local Traffic Manager

Symptoms:
DNS responses over a certain size egress the BIG-IP with an incorrect source IP address set.

Conditions:
Large responses of ~2460 bytes from local BIND

Impact:
The response to the client appears to be coming from the wrong source IP address, and the request fails.

Workaround:
Changing 'max-udp-size' in BIND to a smaller value reduces the size of the response, which stops the fragmentation.

Note: This workaround has limitations, as some records in 'Additional Section' are truncated.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


947905-4 : Upgrade from 13.1.4, 14.1.4, or 15.1.1 to 14.0.x, 15.0.x, 16.0.0 or 16.0.0.1 fails

Links to More Info: BT947905

Component: TMOS

Symptoms:
Loading configuration process fails after an upgrade from 13.1.4, 14.1.4, or 15.1.1 to release 14.0.0, 15.0.0, 16.0.0 or 16.0.0.1.

The system posts errors similar to the following:

-- info tmsh[xxxx]: cli schema (15.1.1) has been loaded from schema data files.
-- crit tmsh[xxxx]: 01420001:2: Can't load keyword definition (user-account.session_limit) : framework/SchemaCmd.cpp, line 825.
-- crit tmsh[xxxx]: 01420001:2: Can't load keyword definition (system-settings.ssh_max_session_limit) : framework/SchemaCmd.cpp, line 825
-- emerg load_config_files[xxxx]: "/usr/bin/tmsh -n -g -a load sys config partitions all base " - failed. -- Loading schema version: 15.1.1.
-- err mcpd[xxxx]: 01070422:3: Base configuration load failed.
-- Unexpected Error: "Can't load keyword definition (user-account.session_limit)".
-- Unexpected Error: "Can't load keyword definition (system-settings.ssh_max_session_limit)"
-- Syntax Error:(/config/bigip_user.conf at line: 10) "session-limit" unknown property

Conditions:
Upgrade from one of the following releases:

-- v13.1.4 or later within the v13.1.x branch
-- v14.1.4 or later within the v14.1.x branch
-- v15.1.1 or later within the v15.1.x branch

to one of the following releases:

-- v14.0 through v14.1.3.1
-- v15.0 through v15.1.0.5
-- v16.0.0 and v16.0.0.1

Impact:
After upgrade, config does not load. The system hangs at the base configuration load failure status.

Workaround:
Although there is no workaround, you can avoid this issue by upgrading to the most recent maintenance or point release in v14.1.x, v15.1.x, or v16.x.

You can find a list of most current software releases in K5903: BIG-IP software support policy :: https://support.f5.com/csp/article/K5903

Fixed Versions:
16.1.3, 16.0.1


947341-4 : MySQL generates multiple error 24 (too many files open) for PRX.REQUEST_LOG DB tables files.

Links to More Info: BT947341

Component: Application Security Manager

Symptoms:
1) var/lib/mysql/mysqld.err is filled with log entries that contain:
------------
  200824 11:04:43 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
  200824 11:18:46 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
  200824 11:35:58 [ERROR] mysqld: Can't open file: './PRX/REQUEST_LOG.frm' (errno: 24)
------------

2) There are a lot of PRX.REQUEST_LOG partitions, in some cases up to 1024, many of which are empty.

Conditions:
ASM/AVR provisioned

Impact:
MySQL runs out of resources when opening the file PRX.REQUEST_LOG and an error message states the file is corrupt.

Workaround:
1. If the /appdata partition is filled to 100% and MySQL restarts continuously, refer to the following Knowledge Articles:
   https://support.f5.com/csp/article/K14956
   https://support.f5.com/csp/article/K42497314

2. To identify the empty partitions, look into:
   mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "SELECT * FROM INFORMATION_SCHEMA.PARTITIONS WHERE table_name = 'REQUEST_LOG' AND table_schema = 'PRX'\G"

3. For every partition that is empty, manually (or via shell script) execute this sql:
   mysql -su root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e "ALTER TABLE PRX.REQUEST_LOG DROP PARTITION <empty_partition_name>;"

   Note: <empty_partition_name> must be substituted with the partition name, for example p100001.


4. Increase 'open_files_limit' to '10000'.
--------------------------------

   In the /etc/my.cnf file:
   1. Change the value of the 'open_files_limit' parameter to 10000.
   2. Restart MySQL:
   bigstart restart mysql
--------------------------------

5. pkill asmlogd

Note: This workaround does not survive upgrade. It must be reapplied after every upgrade until the upgraded version contains a fix.
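
The following shell function is an added example, not F5 code: it covers steps 2 and 3 by reading the \G output of the INFORMATION_SCHEMA.PARTITIONS query on standard input and printing one DROP PARTITION statement per empty partition. Treating a TABLE_ROWS value of 0 as "empty" is an assumption, and the function names and sample rows are constructed for illustration; the function only prints SQL and never connects to MySQL.

```shell
#!/bin/sh
# Added example (not from the release notes): generate DROP PARTITION
# statements for empty PRX.REQUEST_LOG partitions from "\G" query output.

# Print one statement if the record just read is an empty, safely named partition.
# $1 = PARTITION_NAME, $2 = TABLE_ROWS (assumption: 0 rows means "empty").
_flush_partition() {
    [ "$2" = "0" ] || return 0
    case $1 in
        ''|NULL|*[!A-Za-z0-9_]*) return 0 ;;  # skip missing or unexpected names
    esac
    printf 'ALTER TABLE PRX.REQUEST_LOG DROP PARTITION %s;\n' "$1"
}

# Read "\G" formatted rows on stdin, write SQL statements on stdout.
empty_partition_drops() {
    name=''; rows=''
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            \*\*\**)                          # "*** N. row ***" starts a new record
                _flush_partition "$name" "$rows"
                name=''; rows=''
                continue ;;
        esac
        key=${line%%:*}
        key=${key#"${key%%[! ]*}"}            # strip padding before the column name
        value=${line#*: }
        case $key in
            PARTITION_NAME) name=$value ;;    # SUBPARTITION_NAME does not match
            TABLE_ROWS)     rows=$value ;;
        esac
    done
    _flush_partition "$name" "$rows"          # the last record has no trailing separator
}

# Constructed sample input (abbreviated column set), not captured from a device.
sample_partitions() {
    cat <<'EOF'
*************************** 1. row ***************************
                 TABLE_SCHEMA: PRX
                   TABLE_NAME: REQUEST_LOG
               PARTITION_NAME: p100001
            SUBPARTITION_NAME: NULL
                   TABLE_ROWS: 0
*************************** 2. row ***************************
                 TABLE_SCHEMA: PRX
                   TABLE_NAME: REQUEST_LOG
               PARTITION_NAME: p100002
            SUBPARTITION_NAME: NULL
                   TABLE_ROWS: 1532
*************************** 3. row ***************************
                 TABLE_SCHEMA: PRX
                   TABLE_NAME: REQUEST_LOG
               PARTITION_NAME: p100003
            SUBPARTITION_NAME: NULL
                   TABLE_ROWS: 0
*************************** 4. row ***************************
                 TABLE_SCHEMA: PRX
                   TABLE_NAME: REQUEST_LOG
               PARTITION_NAME: p100004 extra
            SUBPARTITION_NAME: NULL
                   TABLE_ROWS: 0
EOF
}

# Stand-alone run: show the statements generated for the sample rows.
sample_partitions | empty_partition_drops
```

To use it on a device, pipe the output of the step 2 query into empty_partition_drops and review the printed statements before executing them as described in step 3.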

Fix:
This release increases the default 'open_files_limit' to '10000'.

Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.3, 14.1.4.1


947333-2 : Irrelevant content profile diffs in Policy Diff

Links to More Info: BT947333

Component: Application Security Manager

Symptoms:
Defense attributes' grayed out values are shown in the policy diff even if "any" is selected

Conditions:
-- Import a policy
-- Perform a policy diff

Impact:
Policy diff showing irrelevant diffs

Workaround:
None

Fix:
Removed grayed out diffs from policy diff content profile section

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1


946325-7 : PEM subscriber GUI hardening

Links to More Info: K25451853, BT946325


946185-3 : Unable to view iApp component due to error 'An error has occurred while trying to process your request.'

Links to More Info: BT946185

Component: TMOS

Symptoms:
When accessing the iApp Components tab, the system presents an error similar to the following:

An error has occurred while trying to process your request.

Conditions:
-- With or without Partitions configured.
-- Navigate to GUI iApps :: Application Services : Applications, to view a custom iApp.
-- More likely to occur after upgrade.

Impact:
Unable to view/modify iApps via GUI iApps :: Application Services : Applications screen.

Workaround:
To reconfigure the iApp, do the following:

1. Navigate to the following location in the GUI:
Local Traffic :: Virtual Server List

2. Click the Application Link :: Reconfigure.

Note: Although this allows you to reconfigure an iApp, it does not provide access to the iApp application details Components page.

Fix:
Viewing Application Service components now reports no errors in the GUI under these conditions.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4


945853-4 : Tmm crash when multiple virtual servers are created, modified, or deleted in quick succession

Links to More Info: BT945853

Component: Advanced Firewall Manager

Symptoms:
TMM crashes during a configuration change.

Conditions:
This occurs under the following conditions:

-- Create/modify/delete multiple virtual servers in quick succession.

-- Perform back-to-back config loads / UCS loads containing a large number of virtual server configurations.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes during a configuration change.

Fixed Versions:
16.1.3, 15.1.3


945357 : BIG-IP must be able to set CA=True when creating Certificate Signing Requests from TMSH.

Links to More Info: BT945357

Component: Local Traffic Manager

Symptoms:
A Certificate Signing Request (CSR) is generated on the BIG-IP device to be used to create a certificate. It is possible for the entity owning the just-created certificate to serve as a Certificate Authority (CA) and be able to issue certificates and private keys to other parties. However, that ability does not exist unless the certificate has the CA field set to True (by default it is set to False).

Conditions:
In the TMSH prompt on the Command Line Interface (CLI), an attempt is made to generate a Certificate Signing Request (CSR) to be used to eventually create a certificate and corresponding private key.

Impact:
Without this change, certificates and private keys generated on the BIG-IP device cannot be directly provided to certification authorities so they can be used to sign certificates they would issue to other parties.

Workaround:
This is a new facility, not provided before, and overcomes a limitation. Without this facility, existing users of the BIG-IP are not impacted at all. As such, there is no workaround applicable.

Fix:
This fix enables certificates and private keys generated on the BIG-IP device via CSRs to be directly provided to certification authorities for their use. Because the CA field is now set to True, this fix adds convenience for certification authorities.

Fixed Versions:
17.0.0, 16.1.3


944381-2 : Dynamic CRL checking for client certificate is not working when TLS1.3 is used.

Links to More Info: BT944381

Component: Local Traffic Manager

Symptoms:
In SSL reverse proxy, dynamic CRL checking for the client certificate does not work when a TLS 1.3 handshake is used.
The SSL handshake completes successfully even though the client certificate is revoked.

Conditions:
-- Dynamic CRL checking enabled on a client-ssl profile
-- The client-side SSL handshake uses TLS1.3.

Impact:
The handshake should fail but completes successfully.

Fix:
The issue occurred because the Dynamic CRL revocation check had not been integrated into TLS 1.3.

Now that Dynamic CRL checking is integrated into TLS 1.3, the TLS handshake works as expected.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1


944121-4 : Missing SNI information when using non-default domain https monitor running in TMM mode.

Links to More Info: BT944121

Component: In-tmm monitors

Symptoms:
In-TMM https monitors do not send the SNI (Server Name Indication) information for non-default route domain pool members.

In-TMM monitors do not send any packet when TLS1.3 monitor is used.

Conditions:
-- SNI is configured in serverssl profile
-- serverssl profile is assigned to in-tmm https monitors
-- https monitors are monitoring pool members that are in a non-default route domain.

Another condition:

-- A TLS1.3 monitor is used

Impact:
The TLS connection might fail in case of SNI

No SYN packet is sent in case of TLS1.3 monitor

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


943669-4 : B4450 blade reboot

Links to More Info: BT943669

Component: TMOS

Symptoms:
In a rare scenario, a B4450 blade suddenly reboots.

Conditions:
This occurs when there is heavy traffic load on VIPRION B4450 blades. The root cause is unknown. It happens extremely rarely.

Impact:
Traffic disrupted while the blade reboots.

Workaround:
None.

Fix:
The system now monitors the pause frames and reboots when needed.

Fixed Versions:
16.1.2.2, 15.1.2


943577-1 : Full sync failure for traffic-matching-criteria with port list under certain conditions

Links to More Info: BT943577

Component: TMOS

Symptoms:
Performing a full configuration sync with traffic-matching-criteria (TMC) under specific conditions fails with errors similar to:

err mcpd[6489]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[6489]: 01071488:3: Remote transaction for device group /Common/Failover to commit id 245 6869100131892804717 /Common/tmc-sync-2-bigip1.test 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..

Conditions:
This may occur on a full-load config sync (not an incremental sync)
On the device receiving the ConfigSync:
   - a traffic-matching-criteria is attached to a virtual server
   - the traffic-matching-criteria is using a port-list
On the device sourcing the ConfigSync:
   - the same traffic-matching-criteria is attached to the same virtual server
   - the original port-list is modified (e.g. a description is changed)
   - the TMC is changed to reference a _different_ port-list

Impact:
Unable to sync configurations.

Workaround:
Copy the "net port-list" and "ltm traffic-matching-criteria" objects from the source to target system, merge them with "tmsh load sys config merge", and then perform a force-full-load-push sync from source to target.

If the BIG-IP systems are using device groups with auto-sync enabled, disable auto-sync temporarily while performing this workaround.

1. On the source system (the system whose configuration you want to sync to peer), save the configuration and extract the ltm traffic-matching-criteria and port-lists:

tmsh save sys config

(shopt -s nullglob; echo "#"; echo "# $HOSTNAME"; echo "# generated $(date +"%F %T %z")"
    cat /config{/partitions/*,}/bigip{_base,}.conf |
    awk '
        BEGIN { p=0 }
        /^(ltm traffic-matching-criteria|net port-list) / { p=1 }
        /^}/ { if (p) { p=0; print } }
        { if (p) print; }
    ' ) > /var/tmp/portlists-and-tmcs.txt

2. Copy /var/tmp/portlists-and-tmcs.txt to the target system

3. On the target system, load that file:

    tmsh load sys config replace file /var/tmp/portlists-and-tmcs.txt

3a. If loading the config file on the target system fails with the same error message seen during a ConfigSync, follow the procedure in
K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.

   tmsh save sys config
   clsh touch /service/mcpd/forceload
   clsh reboot

4. On the source system, force a full-load sync to the device-group:

    tmsh run cm config-sync force-full-load-push to-group <name of sync-group>

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


943257-3 : REST framework support for IPv6 ConfigSync addresses

Links to More Info: BT943257

Component: Device Management

Symptoms:
In an HA sync environment, the REST framework reads the ConfigSync IP address retrieved through the tm/cm/device iCRD API. For an IPv6 address, the REST framework discards the related device certificate, which leads to the REST/gossip/sync failure.

Conditions:
Add support for IPv6 ConfigSync IP addresses in the REST framework in an HA sync environment.

Impact:
For an IPv6 address, the REST framework discards the related device certificate, which leads to the REST/gossip/sync failure.

Workaround:
None

Fix:
Valid device trust certificates are created with their name set to a uniquely generated IPv4 address derived from the given IPv6 address. This helps establish trust between the hosts, thereby eliminating the REST/gossip/sync failures.

Fixed Versions:
17.1.1, 16.1.5


943109-4 : Mcpd crash when bulk deleting Bot Defense profiles

Links to More Info: BT943109

Component: TMOS

Symptoms:
When bulk deleting a large number of Bot Defense profiles (around 450 profiles) using TMSH, mcpd could crash.

Conditions:
This can be encountered during bulk delete of Bot Defense profiles via tmsh.

Impact:
Crash of mcpd causing failover.

Workaround:
Delete the Bot Defense profiles in smaller batches to avoid the possible crash.

Fix:
There is no longer a crash of mcpd when deleting a large number of Bot Defense profiles in bulk using TMSH.

Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5


942617-2 : Heading or tailing white spaces of variable are not trimmed in configuration utility System Variable

Links to More Info: BT942617

Component: Application Security Manager

Symptoms:
Bot Defense does not accept the system variables with heading or tailing white space.

Conditions:
Create a system variable with heading or tailing white space in:
Security ›› Options : Application Security : Advanced Configuration : System Variables

Impact:
The HttpOnly cookie attribute is configured, but does not appear in TSCookie.

Workaround:
Create the system variables through the CLI, even with whitespace; the CLI omits the blank space from the system variable name.

Fix:
Trim() is used to delete the whitespace.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


942217-6 : Virtual server rejects connections even though the virtual status is 'available'

Links to More Info: BT942217

Component: TMOS

Symptoms:
With certain configurations, a virtual server keeps rejecting connections with reset cause 'VIP down' after 'trigger' events occur.

Conditions:
Required Configuration:

-- On the virtual server, service-down-immediate-action is set to 'reset' or 'drop' and 'connection-limit' is set to any value other than 0.

-- The pool member has rate-limit enabled.

Required Conditions:

-- One of the following events occurs: a monitor flap, adding or removing a monitor, setting the connection limit to zero, or a configuration change made with service-down-immediate-action.

-- At the time one of the above events occurs, the pool member's rate-limit is active.

Impact:
Virtual server keeps rejecting connections.

Workaround:
Delete one of the conditions.

Note: The affected virtual server may automatically recover upon the subsequent monitor flap, etc., if no rate-limit is activated at that time.

Fixed Versions:
16.1.5


941649-8 : Local File Inclusion Vulnerability

Links to More Info: K63163637, BT941649


941625-3 : BD sometimes encounters errors related to TS cookie building

Links to More Info: BT941625

Component: Application Security Manager

Symptoms:
BD sometimes prints errors related to TS cookie building when receiving ASM cookies with account_id:

-- BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040.

-- IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.

Conditions:
-- Cookie protection is enabled.
-- The BIG-IP software is upgraded from a version that was earlier than 15.1.x.

Impact:
The cookie is not built and an error is logged.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4


940317-9 : CVE-2020-13692: PostgreSQL JDBC Driver vulnerability

Links to More Info: K23157312, BT940317


940261-1 : Support IPS package downloads via HTTP proxy.

Links to More Info: BT940261

Component: Protocol Inspection

Symptoms:
IPS package download via HTTP proxy does not work.

2021-08-31 16:59:59,793 WARNING Download file failed. Retrying.
--
The error repeats continuously.

Conditions:
-- The global db key 'sys management-proxy-config' is configured
-- An IPS download is triggered

Impact:
The IPS IM package fails to download.

Workaround:
No workaround.

Fix:
IPS package downloads can now be successfully performed through an HTTP proxy.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


940225-4 : Not able to add more than 6 NICs on VE running in Azure

Links to More Info: BT940225

Component: TMOS

Symptoms:
Azure BIG-IP Virtual Edition (VE) with more than 6 NICs fails to boot.

Conditions:
-- Standard_DS4_v2 Azure instance type.
-- Mellanox ConnectX-3 ethernet controller.
-- A greater-than-2-NIC template is used, for example https://github.com/F5Networks/f5-azure-arm-templates/tree/master/supported/standalone/n-nic/existing-stack/byol with "numberOfAdditionalNics" set.
-- Accelerated networking is enabled on two or more NICs.

Impact:
Not able to boot BIG-IP VM with 8 NICs, which should be supported for Standard_DS4_v2 instance type:
8 vCPU
28 GiB
8 Max NICs

Adding more NICs to the instance makes the device fail to boot.

Workaround:
None

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1


940185-7 : icrd_child may consume excessive resources while processing REST requests

Links to More Info: K11742742, BT940185


939877-3 : OAuth refresh token not found

Links to More Info: BT939877

Component: Access Policy Manager

Symptoms:
When an OAuth client sends a refresh token to renew the access token, BIG-IP reports an error:

err tmm[13354]: 01990004:3: /Common/my_OAuth_v1:Common: Request Refresh Token from Source ID ... failed. Error Code (id_not_found) Error Description (The refresh token is not found)

Conditions:
-- The refresh token expiration interval is longer than authcode and accesstoken.
-- The Authorization code table entry does not exist because of an internal clearing/purging operation.
-- tmm restarts or fails over to standby, thus losing the refresh-token value from primarydb.

Impact:
OAuth APM client end user fails to renew the access token even with a valid refresh token.

Workaround:
Clear/reset the Authorization code column value manually:

As the root user, run the following command in the BIG-IP shell:
(tmos)# list apm oauth db-instance
apm oauth db-instance oauthdb { db-name <db_name> description "Default OAuth DB." }

Copy the value corresponding to <db_name>.

Log into mysql from the bash prompt:
# mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw)

mysql> use <db_name>;

mysql> update master set auth_code = NULL where refresh_token='affected_refresh_token_id';

(Substitute affected_refresh_token_id in the previous command with the affected refresh token ID.)

Fix:
Do not report error if the Authorization code does not exist when a valid refresh-token/access-token exists.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4, 14.1.4.4


939757-8 : Deleting a virtual server might not trigger route injection update.

Links to More Info: BT939757

Component: TMOS

Symptoms:
When multiple virtual servers share the same virtual address, deleting a single virtual server might not trigger a route injection update.

Conditions:
-- Multiple virtual servers sharing the same destination address
-- One of the virtual servers is deleted

Impact:
The route remains in the routing table.

Workaround:
Disable and re-enable the virtual address after deleting a virtual server.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


939097-5 : Error messages related to long request allocation appear in the bd.log in case of big chunked requests

Links to More Info: BT939097

Component: Application Security Manager

Symptoms:
bd.log shows error messages

Conditions:
Big chunked requests are sent

Impact:
Unexpected error messages seen in the bd.log

Workaround:
None

Fix:
The error messages related to long request allocation are no longer appearing.

Fixed Versions:
17.1.1, 16.1.5


937649-4 : Flow fwd broken with statemirror.verify enabled and source-port preserve strict

Links to More Info: BT937649

Component: Local Traffic Manager

Symptoms:
Flow forwarding does not work with statemirror.verify enabled and source-port is preserve strict. Depending on the number of tmms and the IP addresses/ports on the network, this causes return traffic to get dropped.

Traffic captures show packets leaving the BIG-IP system on one tmm and being returned on another. The return traffic that encounters the second tmm is dropped.

Conditions:
-- Mirroring is enabled.
-- High availability (HA) peer is connected.
-- The source-port setting is preserve-strict.
-- The statemirror.verify option is enabled.
-- There is more than one tmm.

Impact:
Server-side return traffic to the BIG-IP is dropped. This causes connection timeouts and resets.

Workaround:
-- Disable statemirror.verify, disable source-port preserve-strict, disable mirroring.

-- On BIG-IP Virtual Edition (VE), add the following to tmm_init.tcl on both units and restart tmm:
 ndal ignore_hw_dag yes

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


936501-1 : Scp to /var/local/ucs or /var/local/scf is not allowed when fips140 or common criteria mode is enabled

Links to More Info: BT936501

Component: TMOS

Symptoms:
When attempting to Export/Import a file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf via SCP, you receive an error dialog:

"file not allowed"

Conditions:
-- fips140 or common criteria mode enabled
-- Export/Import file from the BIG-IP file path(s) /var/local/ucs or /var/local/scf

Impact:
Importing or exporting a file with the scp tool from/to the BIG-IP file path(s) /var/local/ucs or /var/local/scf is not allowed when fips140 or cc mode is enabled, even if the file is encrypted.

Workaround:
None

Fixed Versions:
17.1.0, 16.1.3.1, 15.1.9


936441-7 : Nitrox5 SDK driver logging messages

Links to More Info: BT936441

Component: Local Traffic Manager

Symptoms:
The system kernel started spontaneously logging messages at an extremely high rate (~3000 per second):

Warning kernel: EMU(3)_INT: 0x0000000000000020
warning kernel: sum_sbe: 0
warning kernel: sum_dbe: 0
warning kernel: sum_wd: 0
warning kernel: sum_gi: 0
warning kernel: sum_ge: 0
warning kernel: sum_uc: 1

The above set of messages seems to be logged at about 2900-3000 times a second.

These messages continue after TMM fails its heartbeat and is killed. The system is rebooted by the host watchdog.

Conditions:
These messages are triggered by the Nitrox5 driver when EMU microcode cache errors are corrected by hardware.

Impact:
High rate of logging messages. The tmm heartbeat eventually fails, and tmm is restarted. Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5


936093-5 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline

Links to More Info: BT936093

Component: TMOS

Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.

Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.

Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.

Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:

/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr

This can be accomplished using a command such as:

truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


935945-2 : GTM HTTP/HTTPS monitors cannot be modified via GUI

Links to More Info: BT935945

Component: Global Traffic Manager (DNS)

Symptoms:
GUI reports an error when modifying DNS/GTM HTTP/HTTPS monitors:

01020036:3: The requested monitor parameter (/Common/http-default 2 RECV_STATUS_CODE=) was not found.

Conditions:
RECV_STATUS_CODE has never been set for the DNS/GTM HTTP/HTTPS monitors.

Impact:
Not able to make changes to DNS/GTM HTTP/HTTPS monitors through GUI.

Workaround:
If 'recv-status-code' has never been set, use tmsh instead.

Note: You can set 'recv-status-code' using tmsh, for example:

   tmsh modify gtm monitor http http-default recv-status-code 200

Fixed Versions:
17.1.0, 16.1.4, 15.1.10


935249-3 : GTM virtual servers have the wrong status

Links to More Info: BT935249

Component: Global Traffic Manager (DNS)

Symptoms:
GTM virtual servers have the wrong status (up when they should be down, or down when they should be up).

Conditions:
-- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching.

-- The status code (for example, 200) being searched for in the response appears elsewhere than in the first line (for example, in a following header).

Impact:
The system incorrectly matches the status code in a response line which is not the Status-Line. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions.

Workaround:
You can work around this issue by not performing HTTP status matching in your HTTP/HTTPS GTM monitors.

Fix:
The HTTP status code is now correctly searched only in the first line of the response.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5
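
The difference between matching the status code anywhere in the response, as this entry describes, and matching it only in the Status-Line, shown as an added Python example (not F5's monitor code). The sample responses are constructed, and the function names are assumptions made for illustration.

```python
import re

# Status-Line grammar (RFC 9112): HTTP-version SP status-code SP [reason-phrase]
STATUS_LINE = re.compile(rb"HTTP/\d\.\d (\d{3})(?: [^\r\n]*)?")

# Constructed sample responses (not captured from a BIG-IP system).
SAMPLES = {
    "healthy": b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok",
    "503_with_200_in_header": (
        b"HTTP/1.1 503 Service Unavailable\r\n"
        b"Content-Length: 200\r\nRetry-After: 30\r\n\r\n" + b"x" * 200
    ),
    "404_with_200_in_body": (
        b"HTTP/1.1 404 Not Found\r\nContent-Length: 19\r\n\r\nshowing 200 results"
    ),
    "no_status_line": b"200 OK\r\n\r\n",
}


def naive_match(response: bytes, expected: str) -> bool:
    """Match the expected code anywhere in the response (the behaviour
    this entry reports as incorrect)."""
    return expected.encode() in response


def status_line_match(response: bytes, expected: str) -> bool:
    """Match the expected code only against a well-formed first line."""
    first_line = response.split(b"\r\n", 1)[0]
    m = STATUS_LINE.fullmatch(first_line)
    return bool(m) and m.group(1).decode() == expected


def misreported(expected: str = "200") -> list:
    """Names of the samples for which the two checks disagree, i.e. the
    responses a monitor would report with the wrong availability."""
    return sorted(
        name
        for name, resp in SAMPLES.items()
        if naive_match(resp, expected) != status_line_match(resp, expected)
    )


if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(f"{name:24} naive={naive_match(resp, '200')!s:5} "
              f"status_line={status_line_match(resp, '200')}")
    print("disagree:", misreported("200"))
```

A Content-Length of 200 or a body that happens to contain the digits is enough for the anywhere-match to mark a failing resource as up.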


935193-4 : With APM and AFM provisioned, single logout (SLO) fails

Links to More Info: BT935193

Component: Local Traffic Manager

Symptoms:
SAML single logout (SLO) fails on BIG-IP platforms. The SAML module on the BIG-IP system reports the following error messages:

-- SAML SSO: Error (12) Inflating SAML Single Logout Request
-- SAML SSO: Error (12) decoding SLO message
-- SAML SSO: Error (12) extracting SAML SLO message

Conditions:
Failures occur with Redirect SLO.

Impact:
SAML single logout does not work.

Workaround:
Use POST binding SLO requests.

Fixed Versions:
17.0.0, 16.1.4, 15.1.10


935177-3 : IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm

Links to More Info: BT935177

Component: TMOS

Symptoms:
TMM crashes when the maximum transmission unit (MTU) or 'Use PMTU' setting is changed while passing IPsec traffic.

Conditions:
-- IPsec tunnel configured and passing traffic.
-- The MTU or 'Use PMTU' setting for the IPsec tunnel (in interface mode) is changed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not change MTU or PMTU settings for the tunnel while it is passing traffic.

The settings can be changed while passing traffic, but TMM may crash very soon after the change. If the settings are changed and TMM does not crash soon after, then it will not spontaneously crash at some later point.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1


934697-5 : Route domain is not reachable (strict mode)

Links to More Info: BT934697

Component: Local Traffic Manager

Symptoms:
Network flows are reset and the following error is found in /var/log/ltm:

Route domain not reachable (strict mode).

Conditions:
This might occur in either one of the following scenarios:
Scenario 1
==========
-- LTM with iRules configured.
-- The iRule directs traffic to a node that is in a route domain.

or

Scenario 2
==========
-- LTM with an LTM policy configured.
-- The policy directs traffic to a node that is in a route domain.

Other
=====
Tunnel scenarios such as IPsec where client and encrypted traffic are in different route domains.

Impact:
Traffic is not sent to the node that is in a route domain.

The iRule 'node' method and/or LTM policy 'node' specification require a route_domain to be specified in order for the traffic to be sent to a node that is assigned to a route domain.

Workaround:
Specify the node along with Route Domain ID.

-- For iRules, change from this:
when HTTP_REQUEST {
 node 10.10.10.10 80
}

To this (assuming route domain 1):
when HTTP_REQUEST {
 node 10.10.10.10%1 80
}


-- For LTM policies, change from this:
actions {
    0 {
        forward
        select
        node 10.2.35.20
    }
}

To this (assuming route domain 1):
actions {
    0 {
        forward
        select
        node 10.2.35.20%1
    }
}

Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5


932485-5 : Incorrect sum(hits_count) value in aggregate tables

Links to More Info: BT932485

Component: Application Visibility and Reporting

Symptoms:
If the results gathered for sum(hits_count) are very large (e.g., 15000300000), the system does not report the correct values in the AVR tables.

Conditions:
-- Insert a very large amount of data (approximately 4.5 billion or more) into one of the AVR tables.
-- Review the value of the sum(hits_count) column.

Impact:
The system reports incorrect values in AVR tables when dealing with large numbers

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1


932137-7 : AVR data might be restored from non-relevant files in /shared/avr_afm partition during upgrade

Links to More Info: BT932137

Component: Application Visibility and Reporting

Symptoms:
After upgrade, AFM statistics show non-relevant data.

Conditions:
-- The BIG-IP system is upgraded.
-- Leftover files from other versions remain in the /shared/avr_afm partition.

Impact:
Non-relevant data are shown in AFM statistics.

Workaround:
Delete the non-relevant data manually from MariaDB/MySQL.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5


932133-1 : Payloads with large number of elements in XML take a lot of time to process

Links to More Info: BT932133

Component: Application Security Manager

Symptoms:
ASM experiences high CPU usage and latency while processing a large XML request.

Conditions:
-- ASM provisioned
-- HTTP request with a large XML payload (several MB) is sent to the backend server which triggers the XML parser.

Impact:
High CPU and latency occurs while bd processes the payload. This may cause a bottleneck for different requests that arrive concurrently with the large XML payload request.

Workaround:
None

Fix:
This fix includes performance improvements for large XML payloads.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5


930393-2 : IPsec tunnel does not start after an upgrade, first configuration, or reconfiguration

Links to More Info: BT930393

Component: TMOS

Symptoms:
-- IPsec tunnel does not start.
-- Remote IPsec networks unavailable.

Conditions:
-- Using IKEv1 and one of the following:
   + Performing an upgrade.
   + IPsec tunnel reconfiguration generally involving a change to, or addition of, a traffic-selector.

Impact:
IPsec tunnel is down permanently.

Workaround:
-- Reconfigure or delete and re-create the traffic selectors associated with the IPsec tunnel that does not start.

Special Notes:
-- This occurs rarely and does not happen spontaneously, without intentional changes (reconfiguration or upgrade).
-- A BIG-IP reboot or a restart of tmipsecd does not resolve this condition.
-- This symptom might also occur due to a genuine misconfiguration.
-- After major version upgrades, default ciphers can change; double-check the encryption and authentication ciphers for the tunnel.

Fixed Versions:
17.1.0, 16.1.4, 15.1.10


929913-3 : External DNS logging does not differentiate between: all src_IP, Per-SrcIP and Per-DstIP events

Links to More Info: BT929913

Component: Advanced Firewall Manager

Symptoms:
DNS logs on LTM side do not print the all src_IP, per-srcIP, etc.

Conditions:
-- DNS logging is enabled
-- A DNS flood is detected

Impact:
Some information related to the DNS attack event is missing, such as src_IP, Per-SrcIP and Per-DstIP events.

Fix:
DNS now logs all src_IP, Per-SrcIP and Per-DstIP events.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


929909-3 : TCP Packets are not dropped in IP Intelligence

Links to More Info: BT929909

Component: Advanced Firewall Manager

Symptoms:
When an IP address is added to IP Intelligence under Denial-Of_service Category at a global level, and a TCP flood with that IP address occurs, IP Intelligence does not drop those packets

Conditions:
TCP traffic on BIG-IP with IP Intelligence enabled and provisioned

Impact:
When adding an IP address to an IP Intelligence category, UDP traffic from that IP address is dropped, but TCP traffic is not dropped.

Fix:
When adding an IP address to an IP Intelligence category, both TCP and UDP traffic from that IP address is dropped.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1


929429-8 : Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed

Links to More Info: BT929429

Component: Local Traffic Manager

Symptoms:
Whenever you create Oracle or SQL (mssql, mysql or postgresql) database monitors, and add a member to the monitor, every time the OpenSSL libraries are loaded for a new connection, high CPU usage occurs.

Conditions:
-- Create an Oracle or SQL database LTM monitor.
-- Add a pool member to the Oracle or SQL database monitor created.
-- Platform FIPS is licensed.

Impact:
High CPU usage due to the loading of libraries whenever a new connection is created.

Workaround:
None.

Fixed Versions:
17.1.1, 16.1.5, 15.1.10


929213-2 : iAppLX packages not rolled forward after BIG-IP upgrade

Links to More Info: BT929213

Component: Device Management

Symptoms:
Certain iAppLX packages are not rolled forward after a BIG-IP upgrade or restoring a UCS file generated from an affected system, and will be unavailable for use.

1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm

Conditions:
-> Installing any of the below iAppLX packages
1. f5-cloud-failover-1.4.0-0.noarch.rpm
2. f5-service-discovery-1.2.9-2.noarch.rpm
3. f5-telemetry-1.12.0-3.noarch.rpm

-> Performing an upgrade

-> Trying to access the LX packages from GUI by navigating to iApps -> Package Management LX

Impact:
After upgrading or restoring a UCS file generated from an affected system, the cloud-failover, service discovery, and telemetry iAppLX apps are not available for use, and accessing them from the GUI results in a 404 error.

Workaround:
The package needs to be uninstalled and installed again for use.

Steps:
-> From GUI, Navigate to iApps -> Package Management LX
-> select the package to uninstall and click on Uninstall
-> click on Import and provide the path of package to install again

Fix:
A new database key has been added, 'sys db iapplxrpm.timeout', which allows the RPM build timeout value to be increased.

sys db iapplxrpm.timeout {
    default-value "60"
    scf-config "true"
    value "60"
    value-range "integer min:30 max:600"
}

For example:

tmsh modify sys db iapplxrpm.timeout value 300

tmsh restart sys service restjavad

Increasing the db key and restarting restjavad should not be traffic impacting.

After increasing the timeout, the RPM build process that runs during a UCS save should be successful, and the resulting UCS should include the iAppsLX packages as expected.

Note: The maximum db key value of 600 may be needed in some cases.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4


929077-4 : Bot Defense allow list does not apply when using default Route Domain and XFF header

Links to More Info: BT929077

Component: Application Security Manager

Symptoms:
When an IP address allow list is configured in a Bot Defense Profile, a default Route Domain is used, and a request arrives with an X-Forwarded-For header, the request might not be added to the allow list.

Conditions:
-- Bot Defense Profile is attached to virtual server.
-- Bot Defense Profile has an IP address allow list configured.
-- Using default Route Domain.
-- Sending a request with X-Forwarded-For header.
-- Might require heavy traffic.

Impact:
Request from an IP address that is on the allow list is blocked.

Workaround:
Allow the IP address using an iRule.

Fix:
The system now sets the correct route domain, and IP addresses on the allow list are allowed.

Fixed Versions:
17.0.0, 16.1.4, 16.0.1.1, 15.1.3, 14.1.4


928997-3 : Less XML memory allocated during ASM startup

Links to More Info: BT928997

Component: Application Security Manager

Symptoms:
Smaller total_xml_memory is selected during ASM startup.

For example, platforms with 32GiB or more RAM should give ASM 1GiB of XML memory, but it gives 450MiB only. Platform with 16MiB should give ASM 450MiB but it gives 300MiB.

Conditions:
Platforms with 16GiB, 32GiB, or more RAM

Impact:
Less XML memory allocated

Workaround:
Use this ASM internal parameter to increase XML memory size.

additional_xml_memory_in_mb

For more details, refer to the https://support.f5.com/csp/article/K10803 article.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


928653-1 : [tmsh]:list security nat policy rules showing automap though the value set is None

Links to More Info: BT928653

Component: Advanced Firewall Manager

Symptoms:
The tmsh command 'tmsh list security nat policy rules' shows automap even though the value is set to None

Conditions:
1. AFM provisioned
2. NAT rules configured

Impact:
The tmsh commands 'tmsh save sys config' and 'tmsh load sys config' modify the None value to automap on the NAT policy rules.

Workaround:
None

Fixed Versions:
16.1.5


927633-4 : Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic

Links to More Info: BT927633

Component: Local Traffic Manager

Symptoms:
Log messages written to /var/log/ltm:
-- notice tmm2[30394]: 01010259:5: External Datagroup (/Common/dg1) queued for update.

and to /var/log/tmmX:
-- notice panic: ../kern/sys.c:1081: Assertion "entry != NULL" failed.

Conditions:
-- Create datagroups.
-- Some condition causes a datagroup to not be present (e.g., delete, rename operations, or another, internal operation).
-- Load the config.

Impact:
Internal mapping of external datagroup fails. Datagroup creation fails.

Workaround:
None.

Fixed Versions:
16.1.5


926845-7 : Inactive ASM policies are deleted upon upgrade

Links to More Info: BT926845

Component: Application Security Manager

Symptoms:
Upon upgrade, active ASM policies are preserved, and inactive policies are deleted.

Conditions:
-- Configuration contains active and inactive ASM policies.
-- Upgrade the BIG-IP system to any later version.
-- You can check existing ASM policies in tmsh:
tmsh list asm policy

Impact:
Only the active ASM policies are preserved; the inactive policies are deleted.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


926341-5 : RtIntervalSecs parameter in /etc/avr/avrd.cfg file is reset on version upgrade

Links to More Info: BT926341

Component: Application Visibility and Reporting

Symptoms:
Unusually high AVR CPU utilization occurs following an upgrade.

Conditions:
-- BIG-IP software upgrade to v13.0.x or later.
-- Running AVR.

Impact:
AVR CPU utilization can be unusually high for an unusually long period of time.

Workaround:
After the upgrade, if AVR CPU usage is high, manually edit /etc/avr/avrd.cfg to decrease it by increasing the time period of real-time statistics collection. To do so:
1. Change the value of RtIntervalSecs in the /etc/avr/avrd.cfg file to 30 or 60 seconds.
2. Restart the system by running the following command at the command prompt:
bigstart restart

When changing RtIntervalSecs please take into consideration two important limitations:
-- Value of RtIntervalSecs cannot be less than 10.
-- Value of RtIntervalSecs must be 10 on BIG-IP devices that are registered on BIG-IQ DCD nodes.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.4, 14.1.4.4, 13.1.5


925469-2 : SubjAltName (SAN) cannot be sent in the Certificate Order Manager for Comodo / Sectigo

Links to More Info: BT925469

Component: TMOS

Symptoms:
When using the Certificate Order Manager to request a new Multi-Domain certificate from the Sectigo Certificate Authority (CA), the request the BIG-IP sends is missing the field 'subjectAltName'.

Conditions:
-- Certificate Order Manager is configured to send requests to the Comodo/Sectigo CA.

-- Configure a new key with Subject Alternative Name (SAN).

Impact:
The BIG-IP system sends a request to the Sectigo CA that is missing the 'subjectAltName' field. That makes Certificate Order Manager not suitable for requesting Multi-Domain certificates.

Workaround:
There is no workaround other than not using Certificate Order Manager for Multi-Domain certificates.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


924945-5 : Fail to detach HTTP profile from virtual server

Links to More Info: BT924945

Component: Application Visibility and Reporting

Symptoms:
The virtual server might stay attached to the initial HTTP profile.

Conditions:
Attaching new HTTP profiles or just detaching an existing one.

Impact:
The virtual server stays attached to the former HTTP profile, meaning that the virtual server might be attached to a different HTTP profile than what the GUI displays. Configuration changes to the HTTP profile the GUI shows as attached are not reflected in the virtual server. For example, the new HTTP profile might enable XFF, but if the former attached profile does not enable it, the virtual server does not accept XFF.

Workaround:
Create a new, similar virtual server and attach it to the correct HTTP profile.

Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.3


923821-1 : Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack

Links to More Info: BT923821

Component: Application Security Manager

Symptoms:
When the mitigated action is set to CSI followed by captcha for a credential stuffing attack, captcha is not triggered even after a successful CSI challenge.

Conditions:
1) Mitigated action is set to CSI followed by captcha for credential stuffing attack.
2) Credential stuffing attack occurs.
3) CSI challenge is successful.

Impact:
Captcha is not triggered, leading to less mitigation than configured for the credential stuffing attack.

Workaround:
None

Fix:
Captcha will now be triggered after successful CSI challenge.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


923221-8 : BD does not use all the CPU cores

Links to More Info: BT923221

Component: Application Security Manager

Symptoms:
Not all CPUs are utilized. The CPUs that are not loaded are those with ID greater than 31.

Conditions:
BIG-IP software is installed on a device with more than 32 cores.

Impact:
ASM does not use all of the available CPU cores.

Workaround:
Run the following commands from bash shell.

1. # mount -o remount,rw /usr

2. Modify the following file on the BIG-IP system:
   /usr/local/share/perl5/F5/ProcessHandler.pm
   
   Important: Make a backup of the file before editing.

3. Change this:
  ALL_CPUS_AFFINITY => '0xFFFFFFFF',

   To this:
  ALL_CPUS_AFFINITY => '0xFFFFFFFFFFFF',

4. # mount -o remount,ro /usr

5. Restart the asm process:
   # bigstart restart asm

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


922737-1 : TMM crashes with a sigsegv while passing traffic

Links to More Info: BT922737

Component: SSL Orchestrator

Symptoms:
TMM crashes with a sigsegv while passing traffic.

Conditions:
Virtual server with a Connector profile that redirects to an internal virtual server with service profile applied on the same BIG-IP system.

Impact:
Traffic is disrupted while TMM restarts.

Workaround:
None

Fixed Versions:
17.1.0, 16.1.4, 15.1.10


922413-8 : Excessive memory consumption with ntlmconnpool configured

Links to More Info: BT922413

Component: Local Traffic Manager

Symptoms:
OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server-side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client-side connections. It holds HTTP authentication headers, which are no longer necessary once a client is authenticated.

Conditions:
-- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles.
-- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections.

Impact:
The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing.

Workaround:
None.

Fix:
When an NTLM Conn Pool profile is attached to a virtual server, it no longer causes memory pressure with a large number of connections using NTLM authentication.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


922185-3 : LDAP referrals not supported for 'cert-ldap system-auth'

Links to More Info: BT922185

Component: TMOS

Symptoms:
Admin users are unable to log in.

Conditions:
-- Remote LDAP auth enabled.
-- Administrative users are authenticated with the 'cert-ldap' source.
-- The admin user tries to log in.

Impact:
The cert-ldap authentication does not work, so login fails.

Workaround:
Manually edit /etc/nslcd.conf and set referrals to no.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5


922105-1 : Avrd core when connection to BIG-IQ data collection device is not available

Links to More Info: BT922105

Component: Application Visibility and Reporting

Symptoms:
When a BIG-IP system is configured to work with BIG-IQ but cannot connect due to network problems, avrd restarts itself every 10 minutes. During such restarts, a core is sometimes generated.

Conditions:
BIG-IP system is registered on BIG-IQ, but there is no network connectivity for any number of reasons.

Impact:
No impact since there is no network connectivity with BIG-IQ, and the data from the BIG-IP system cannot be sent anywhere.

Workaround:
Attempts to connect to BIG-IQ can be disabled manually by the following command:

tmsh modify analytics global-settings use-offbox disabled

Fix:
Avrd no longer cores when the connection to the BIG-IQ data collection device is not available.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4, 13.1.5


921697-1 : Attack signature updates fail to install with Installation Error.

Links to More Info: BT921697

Component: Application Security Manager

Symptoms:
Installing a new Attack Signature Update (ASU) file on an ASM/AWAF device that has a large number of active policies can result in a failure due to memory exceptions. The following errors can be observed:

/var/log/ts/asm_config_server.log:
F5::ASMConfig::Handler::handle_error,,Code: 406 , Error message = Process size (232341504) has exceeded max size (200000000)

/var/log/asm
crit perl[19751]: 01310027:2: ASM subsystem error (apply_asm_attack_signatures ,F5::LiveUpdate::PayloadHandler::clean_fail): Fail load update files: TSocket: timed out reading 1024 bytes from n.n.n.n:9781

Conditions:
1. Adding and activating a large number of policies on a BIG-IP system configured with ASM/AWAF. It is not known exactly how many policies are required to encounter this, but it appears to be between 50 and 90 where this becomes a risk.

2. Installing a new ASU file

Impact:
The attack signature update fails.

Workaround:
Impact of workaround:
Performing this workaround requires restarting ASM, so it affects traffic processing briefly; therefore, it is recommended that you perform this during a maintenance window.

Increase 'max memory size' from the default ~200 MB (200000000) to 300 MB:

1. Take a backup of the original file.
# cp /etc/ts/tools/asm_config_server.cfg /var/tmp/asm_config_server.original.cfg

2. Add the following to the end of file /etc/ts/tools/asm_config_server.cfg:
# AsyncMaxMemorySize=314572800

3. Restart ASM.
# bigstart restart asm

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.6


921541-6 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.

Links to More Info: BT921541

Component: Local Traffic Manager

Symptoms:
The HTTP session initiated by curl hangs.

Conditions:
-- The problem occurs when the file to be compressed meets the following criteria:
-- The following platforms with Intel QAT are affected:
   + B4450N (A114)
   + i4000 (C115)
   + i10000 (C116/C127)
   + i7000 (C118)
   + i5000 (C119)
   + i11000 (C123)
   + i11000 (C124)
   + i15000 (D116)
-- File size to be compressed is less than compression.qat.dispatchsize.
-- File size to be compressed is one of the specific values in this list: 65535, 32768, 16384, 8192, 4096.

Impact:
Connection hangs, times out, and resets.

Workaround:
Use software compression.

Fix:
The HTTP session hang no longer occurs.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


921441-4 : MR_INGRESS iRules that change diameter messages corrupt diam_msg

Links to More Info: BT921441

Component: Service Provider

Symptoms:
-- 'DIAMETER::host origin' command may not be set correctly.

There are errors in ltm/log:
err tmm[18562]: 014c0001:3: DIAMETER: hud_diam_handle error: Not found

Conditions:
-- Virtual server is configured with a diameter profile enabled with an ingress iRule, for example:

ltm rule Diameter-iRule {
  when MR_INGRESS {
    DIAMETER::host origin "hostname.realm.example"
  }
}

-- Traffic arrives containing CER and ULR messages.

Impact:
Using the iRule to change the host origin corrupts the diameter message.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7


921365-2 : IKE-SA on standby deleted due to re-transmit failure when failing over from active to standby

Links to More Info: BT921365

Component: TMOS

Symptoms:
IKE-SAs are deleted on standby BIG-IP systems after a failover.

Conditions:
-- High availability (HA) environment
-- Dead-peer detection (DPD) / liveness checks are enabled
-- An HA failover occurs

This is a timing issue and can occur intermittently during a normal failover.

Impact:
Some of the IKE-SAs are missing on the standby device. When a failover happens, IPsec traffic will be dropped for those missing SAs.

Workaround:
Set IKE DPD interval time to ZERO (i.e., disable).

Fix:
When the BIG-IP system is in standby mode, the system no longer retries sending IKE/IPSEC control messages, which prevents this issue from occurring.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4


921149-6 : After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy

Links to More Info: BT921149

Component: TMOS

Symptoms:
All Bandwidth Controller (BWC) stats are 0 (zero) even though traffic is passing.

Conditions:
-- A BWC policy is attached to a virtual server.
-- The virtual server with the attached BWC policy is modified.

Impact:
The system disassociates the BWC policy from the virtual server. Traffic is no longer throttled according to the policy rules.

Workaround:
To reattach the policy, detach the Bandwidth Controller policy from the virtual server, and then reapply it.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


920149-3 : Live Update default factory file for Server Technologies cannot be reinstalled

Links to More Info: BT920149

Component: Application Security Manager

Symptoms:
Live Update default factory file for Server Technologies cannot be reinstalled once it is no longer the currently installed update file.

Conditions:
This occurs:

-- Once another update file for Server Technologies has been installed (most likely, a newer file).
-- If the device has been upgraded from a prior release such that the currently installed Server Technologies file is from the previous release, and is not the default factory file for the current release.

Impact:
Live Update default factory file for Server Technologies cannot be reinstalled.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4.1, 14.1.4.4


919357-8 : iControl REST hardening

Links to More Info: K22505850, BT919357


919301-1 : GTP::ie count does not work with -message option

Links to More Info: BT919301

Component: Service Provider

Symptoms:
The 'GTP::ie count' iRule command does not work with the -message option. The command fails with an error:

wrong # args: should be "-type <ie-path>"

Conditions:
Issue the 'GTP::ie count' command with the -message option, for example:

GTP::ie count -message $m -type apn

Impact:
The iRule fails, which could cause the connection to abort.

Workaround:
Swap the order of the arguments by moving -message to the end, for example:

GTP::ie count -type apn -message $m

iRules validation produces a warning message, but the command works at runtime.

Fix:
'GTP::ie count' now works with the -message option.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


915981-4 : BIG-IP SCP hardening

Links to More Info: K38271531, BT915981


915773-7 : Restart of TMM after stale interface reference

Links to More Info: BT915773

Component: Local Traffic Manager

Symptoms:
An assert is reported in the logs:
panic: ../net/ifc.c:975: Assertion "ifc ref valid" failed.

Conditions:
The conditions under which this occurs are unknown.

Impact:
Tmm crashes and restarts. Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.4


915221-6 : DoS unconditionally logs MCP messages to /var/tmp/mcpd.out

Links to More Info: BT915221

Component: Advanced Firewall Manager

Symptoms:
Excessive and large DoS debug messages associated with tmsh commands and stat queries are logged to /var/tmp/mcpd.out which is not log-rotated.

Conditions:
-- AFM is provisioned.
-- DoS queries executed via tmsh.
-- Access to DoS dashboard.

Impact:
Disk space is consumed on the filesystem for /var/tmp, which can eventually lead to follow-on failures when the disk fills up.

Workaround:
Delete or purge /var/tmp/mcpd.out.

Fixed Versions:
16.1.5


915005-3 : AVR core files have unclear names

Links to More Info: BT915005

Component: Application Visibility and Reporting

Symptoms:
If avrd fails, the core file that is created is named according to the thread name and gives no indication that it belongs to avr, for example: SENDER_HTTPS.bld0.0.9.core.gz

Conditions:
Avrd fails with a core.

Impact:
It is inconvenient to identify the process that caused the core.

Fix:
Improved the avrd core file name.

Fixed Versions:
16.1.5


913413-1 : 'GTP::header extension count' iRule command returns 0

Links to More Info: BT913413

Component: Service Provider

Symptoms:
The 'GTP::header extension count' iRule command always returns 0 (zero).

Conditions:
This is encountered when using 'GTP::header extension count' in an iRule.

Impact:
The command returns false information.

Workaround:
None

Fix:
The 'GTP::header extension count' command now returns the number of header extensions correctly.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


913409-1 : GTP::header extension command may abort connection due to unreasonable TCL error

Links to More Info: BT913409

Component: Service Provider

Symptoms:
Running the "GTP::header extension" iRule command under some conditions may cause a TCL error and abort the connection.

Conditions:
The "GTP::header extension" iRule command is used with some specific arguments and/or with a GTP message in a specific condition.

Impact:
A TCL error log is shown and the connection is aborted.

Workaround:
None

Fix:
The GTP::header extension command no longer aborts the connection due to an unreasonable TCL error.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


913393-1 : Tmsh help page for GTP iRule contains incorrect and missing information

Links to More Info: BT913393

Component: Service Provider

Symptoms:
The tmsh help page for the GTP iRule command contains incorrect and missing information for the GTP::header and GTP::respond commands.

Conditions:
When running "tmsh help ltm rule command GTP::header", information regarding GTP::header and GTP::respond iRule command may be incorrect or missing.

Impact:
User may not be able to use related iRule command properly.

Workaround:
None

Fix:
The tmsh help page for the GTP iRule is updated.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


913085-6 : Avrd core when avrd process is stopped or restarted

Links to More Info: BT913085

Component: Application Visibility and Reporting

Symptoms:
When the avrd process is stopped or restarted, it fails with core before the exit. A core file with the name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in /shared/cores/ directory.

Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.

Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.

Workaround:
None.

Fix:
Avrd no longer cores when avrd process is stopped or restarted.

Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1


912945-3 : A virtual server with multiple client SSL profiles, the profile with CN or SAN of the cert matching the SNI is not selected if cert is ECDSA-signed

Links to More Info: BT912945

Component: Local Traffic Manager

Symptoms:
In a virtual server configured with multiple client SSL profiles, the profile with an ECDSA-signed cert is not selected even though its CN/SAN matches the SNI extension of ClientHello.

Conditions:
-- A virtual server with multiple client SSL profiles.
-- The SNI of ClientHello does not match the 'server name' of any profile.
-- The cert in the profile is ECDSA-signed and its CN/SAN matches SNI extension of ClientHello.
-- That profile is not selected.

Impact:
The incorrect client SSL profile is selected.

Workaround:
Configure the 'Server Name' option in the client SSL profile.

Fix:
Fixed an issue with client SSL profile selection.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4


912517-7 : Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured

Links to More Info: BT912517

Component: Local Traffic Manager

Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.

Conditions:
-- An LTM pool or pool members are configured to use an LTM database (MySQL, MSSQL, Oracle, or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.

Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.

Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).

Fix:
For BIG-IP versions prior to 17.0.0, a database monitor no longer marks pool member down if 'send' is configured but no 'receive' strings are configured.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


912253-2 : Non-admin users cannot run show running-config or list sys

Links to More Info: BT912253

Component: TMOS

Symptoms:
Lower-privileged users, for instance guests or operators, are unable to list the configuration in tmsh, and get an error:

Unexpected Error: Can't display all items, can't get object count from mcpd.

The list /sys or list /sys telemd commands trigger the following error:

01070823:3: Read Access Denied: user (oper) type (Telemd configuration).

Conditions:
User account with a role of guest, operator, or any role other than admin.

Impact:
You are unable to show the running config, or use list or list sys commands.

Workaround:
Log on with an account that has admin access.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1


912149-7 : ASM sync failure with Cgc::Channel error 'Failed to send a message, error:15638476'

Links to More Info: BT912149

Component: Application Security Manager

Symptoms:
The system exhibits various symptoms related to sync and control plane, and reports errors similar to the following:

/var/log/:

asm:
-- (asm_config_server.pl,F5::Cgc::Channel::send): Failed to send a message, error:15638476.

ts_debug.log:
-- |ZEROMQ|May 21 23:27:31.840|24813|25914|25914|epoll.cpp:0060|~epoll_t()|(zmq_assert) Assertion failed: load.get () == 0

Conditions:
-- Two devices in a sync-failover/sync-only device group.
-- Other conditions required to reproduce this issue are under investigation.

Note: The occurrences of the Cgc::Channel message in the /var/log/ and /var/log/ts/asm_config_server logs are the most reliable indicator of this issue.

Impact:
-- Config-sync does not work, resulting in a different configuration among the devices in a sync group.

-- Security log profile changes are not propagated to other devices.

-- Portions of the GUI hang, e.g.: Security module tab, and 'security' menu under virtual server.

-- Policies with learning enabled do not generate learning suggestions.

Workaround:
Restart asm_config_server on the units in the device group.

# pkill -f asm_config_server

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


911729-4 : Redundant learning suggestion to set a Maximum Length when parameter is already at that value

Links to More Info: BT911729

Component: Application Security Manager

Symptoms:
Policy Builder issues a learning suggestion to set a specific maximum length for a parameter when that parameter already has that exact maximum length configured.

Conditions:
-- Response learning is turned on
-- Response parameter length is less than, but close to, the currently configured maximum length limit.

Impact:
Redundant learning suggestion is issued.

Workaround:
You can either:
-- Ignore the learning suggestion (Click the Ignore button).
-- Turn off Learn from response.

Fix:
Learning suggestion is no longer issued with already configured maximum parameter length value.

Fixed Versions:
17.0.0, 16.1.5, 16.0.1.2, 15.1.4, 14.1.4.2


911585-5 : PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval

Links to More Info: BT911585

Component: Policy Enforcement Manager

Symptoms:
PEM sessions go to a stale state and the Credit Control Request (CCRi) is not sent.

Conditions:
-- PEM is configured and passing normal PEM traffic.
-- Using BIG-IP Virtual Edition (VE)

Impact:
Session is not established.

Workaround:
None.

Fix:
Enhanced application to accept new sessions under problem conditions.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


911141-1 : GTP v1 APN is not decoded/encoded properly

Links to More Info: BT911141

Component: Service Provider

Symptoms:
The GTP v1 APN element is decoded/encoded as an octetstring; only the GTP v2 APN element is decoded/encoded using DNS encoding.

Conditions:
- GTP version 1.
- APN element.

Impact:
iRules become more complex when dealing with GTP v1 APN element, as it may need to convert between octetstring and dotted style domain name value after decoding or before encoding the data.

Workaround:
Use iRules to convert between octetstring and dotted style domain name values.

Fix:
GTP version 1 APN information element is now decoded/encoded as DNS encoding.

Behavior Change:
GTP v1 apn element is now decoded/encoded using DNS-like encoding. Previously, it was decoded/encoded as octetstring.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5
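
The conversion the workaround for 911141 refers to, shown as an added Python example rather than F5 code or an iRule from this document. It assumes the octetstring form is a sequence of length-prefixed labels (the DNS-like layout without a terminating zero octet); the function names and the size limits are assumptions of the example.

```python
# Added example (not F5 code): convert a GTP APN between the length-prefixed
# label form ("octetstring") and the dotted domain-name form.

MAX_APN_OCTETS = 100    # assumed cap on the encoded APN
MAX_LABEL_OCTETS = 63   # DNS label limit
_LABEL_CHARS = frozenset(b"abcdefghijklmnopqrstuvwxyz"
                         b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")

# Constructed sample: "internet.mnc001.mcc001.gprs" as length-prefixed labels.
SAMPLE_OCTETS = b"\x08internet\x06mnc001\x06mcc001\x04gprs"


class ApnError(ValueError):
    """Raised when an APN value cannot be converted safely."""


def _check_label(label: bytes) -> None:
    if not 1 <= len(label) <= MAX_LABEL_OCTETS:
        raise ApnError(f"label length {len(label)} out of range")
    if not _LABEL_CHARS.issuperset(label):
        raise ApnError(f"label {label!r} has characters outside [A-Za-z0-9-]")


def apn_octets_to_dotted(raw: bytes) -> str:
    """Decode length-prefixed labels into a dotted name, rejecting bad input."""
    if not 1 <= len(raw) <= MAX_APN_OCTETS:
        raise ApnError("encoded APN length out of range")
    labels, pos = [], 0
    while pos < len(raw):
        length = raw[pos]
        label = raw[pos + 1:pos + 1 + length]
        if len(label) != length:
            # The length octet claims more data than the element contains.
            raise ApnError(f"label at offset {pos} runs past the end")
        _check_label(label)
        labels.append(label.decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def dotted_to_apn_octets(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels."""
    try:
        labels = [part.encode("ascii") for part in name.split(".")]
    except UnicodeEncodeError as exc:
        raise ApnError("APN must be ASCII") from exc
    out = bytearray()
    for label in labels:
        _check_label(label)          # also rejects empty labels ("a..b")
        out.append(len(label))
        out += label
    if len(out) > MAX_APN_OCTETS:
        raise ApnError("encoded APN length out of range")
    return bytes(out)


if __name__ == "__main__":
    print(apn_octets_to_dotted(SAMPLE_OCTETS))
```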


910673-6 : Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM'

Links to More Info: BT910673

Component: Local Traffic Manager

Symptoms:
Thales installation script fails with error message.

ERROR: Could not reach Thales HSM "<ip>". Make sure the HSM IP address is correct and that the HSM is accessible to the BIG-IP.

Conditions:
This occurs when the ICMP ping is blocked between the BIG-IP system and netHSM.

Impact:
Thales/nCipher NetHSM client software installation fails.

Workaround:
Unblock ICMP ping between the BIG-IP system and netHSM.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1


910213-7 : LB::down iRule command is ineffective, and can lead to inconsistent pool member status

Links to More Info: BT910213

Component: Local Traffic Manager

Symptoms:
Use of the LB::down command in an iRule may not have the desired effect, or may result in pool members that are down for load balancing, but indicate up/available in the GUI and CLI.

Specifically, the pool member is marked down within the tmm instance executing the iRule, but the status change is not updated to mcpd, or to other tmm instances.

As a result, the message 'Pool /Common/mypool member /Common/1.1.1.1:80 monitor status iRule down' does not appear in the log, and the status of the pool member is not updated when viewed in the GUI or via 'tmsh show ltm pool xxxx members'.

Note: If [event info] is logged in the LB_FAILED event, it will indicate that the load balancing decision failed due to "connection limit"

Conditions:
Using the LB::down command in an iRule.

Impact:
Because mcpd believes the pool member to be up, it does not update tmm's status, so tmm continues to regard it as down indefinitely, or until a monitor state change occurs.

If the LB::down command is used on all members of a pool, the affected tmms cannot load balance to that pool, even though the GUI/tmsh indicate that the pool has available members.

Because pool member status is stored on per-tmm basis and incoming connections are distributed across tmms using a hash, this can lead to apparently inconsistent results, where some traffic (traffic hitting a particular tmm) is rejected with an RST cause of 'No pool member available'.

Workaround:
- Delete and recreate affected pool members
(or) Restart tmm
(or) Restart the BIG-IP.

There is no direct workaround, but the use of an inband monitor instead of the LB::down command may be effective. You must tune the inband monitor's settings to values consistent with the desired behavior.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


909161-1 : A core file is generated upon avrd process restart or stop

Links to More Info: BT909161

Component: Application Visibility and Reporting

Symptoms:
Sometimes when the avrd process is stopped or restarted, a core is generated.

Conditions:
Avrd process is stopped or restarted.

Impact:
Avrd creates a core file but there is no other negative impact to the system.

Workaround:
None

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


907549-6 : Memory leak in BWC::Measure

Links to More Info: BT907549

Component: TMOS

Symptoms:
Memory leak in BWC calculator.

Conditions:
When the HSL log publisher is attached to the BWC::Measure instance in the Bandwidth policy.

Impact:
A memory leak occurs.

Workaround:
None.

Fix:
Memory is not leaked.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.0.5, 14.1.5


907025-5 : Live update error: 'Try to reload page'

Links to More Info: BT907025

Component: Application Security Manager

Symptoms:
When trying to update Attack Signatures, the following error message is shown:

Could not communicate with system. Try to reload page.

Conditions:
Insufficient disk space to update the Attack Signature.

Impact:
Live Update is unable to restore the database during startup. The device runs out of disk space, which leads to a failure in writing the live update hsqldb log file. The liveupdatedb.script file, which is based on the .log file, is truncated and is missing settings necessary to initialize the live update database.

Workaround:
The following procedure restores the database to its default, initial state:

1. Remove the sigfile.tmp.* directories under /var/ts/var/tmp.

2. Delete the script:
delete /var/lib/hsqldb/live-update/liveupdatedb.script

3. Create a new script:
create new /var/lib/hsqldb/live-update/liveupdatedb.script.

4. Add the following lines to create the live update database schema and set the SA user as expected:

 CREATE SCHEMA PUBLIC AUTHORIZATION DBA
 CREATE MEMORY TABLE AVAILABILITY(ID VARCHAR(255) NOT NULL,ERRORMESSAGE VARCHAR(255),LASTCHECKDATETIME BIGINT,LASTCHECKUPDATEFILE VARCHAR(255),STATUS VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT AVAILABILITY_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE INSTALLSCHEDULE(ID VARCHAR(255) NOT NULL,APPLYATALLTIMES BOOLEAN,APPLYONALLDAYS BOOLEAN,APPLYONFRIDAYS BOOLEAN,APPLYONMONDAYS BOOLEAN,APPLYONSATURDAYS BOOLEAN,APPLYONSUNDAYS BOOLEAN,APPLYONTHURSDAYS BOOLEAN,APPLYONTUESDAYS BOOLEAN,APPLYONWEDNESDAYS BOOLEAN,ENDTIME VARCHAR(255),FREQUENCY VARCHAR(255),STARTTIME VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT INSTALLSCHEDULE_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE UPDATEFILE(ID VARCHAR(255) NOT NULL,CREATEDATETIME BIGINT,FILELOCATION VARCHAR(255),FILENAME VARCHAR(255),ISFILEAVAILABLE BOOLEAN,ISFILEMANUALLYUPLOADED BOOLEAN,ISGENESIS BOOLEAN,MD5 VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT UPDATEFILE_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE INSTALLATION(ID VARCHAR(255) NOT NULL,ADDEDENTITIESCOUNT INTEGER,DELETEDENTITIESCOUNT INTEGER,ERRORMESSAGE VARCHAR(255),LASTREADMEFILENAME VARCHAR(255),LASTUPDATEMICROS BIGINT,LOADDATETIME BIGINT,MODIFIEDENTITIESCOUNT INTEGER,README VARCHAR(500000),STATUS VARCHAR(255),"TYPE" VARCHAR(255),UPDATEFILE_ID_OID VARCHAR(255),CONSTRAINT INSTALLATION_PK PRIMARY KEY(ID),CONSTRAINT INSTALLATION_FK1 FOREIGN KEY(UPDATEFILE_ID_OID) REFERENCES UPDATEFILE(ID))
 CREATE INDEX INSTALLATION_N49 ON INSTALLATION(UPDATEFILE_ID_OID)
 CREATE MEMORY TABLE INSTALLATION_DELETEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_DELETEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_DELETEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_DELETEDENTITYLIST_N49 ON INSTALLATION_DELETEDENTITYLIST(ID_OID)
 CREATE MEMORY TABLE INSTALLATION_MODIFIEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_MODIFIEDENTITYLIST_N49 ON INSTALLATION_MODIFIEDENTITYLIST(ID_OID)
 CREATE MEMORY TABLE INSTALLATION_ADDEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_ADDEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_ADDEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_ADDEDENTITYLIST_N49 ON INSTALLATION_ADDEDENTITYLIST(ID_OID)
 CREATE USER SA PASSWORD ""
 GRANT DBA TO SA
 SET WRITE_DELAY 20
 SET SCHEMA PUBLIC

5. Restart the tomcat process:
bigstart restart tomcat

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5


906273-1 : MCPD crashes receiving a message from bcm56xxd

Links to More Info: BT906273

Component: TMOS

Symptoms:
Under rare circumstances, the Broadcom switch daemon bcm56xxd can send more than one message at a time to MCPD.
This can cause MCPD to either fail immediately or hang and be terminated by sod 5 minutes later.

One of the messages being sent is in response to a link status change. The second message is a reply to a query, for instance a query for l2 forward statistics.

Conditions:
- BIG-IP with a Broadcom switch.
- Link status change is available.
- MCPD sends a query to bcm56xxd, that is, for l2 forward statistics.

Impact:
MCPD failure and restarts causing a failover.

Workaround:
None

Fix:
The Broadcom switch daemon bcm56xxd will not send more than one message to MCPD at a time.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


905937-8 : TSIG key value logged in plaintext in log

Links to More Info: K98334513, BT905937


904661-4 : Mellanox NIC speeds may be reported incorrectly on Virtual Edition

Links to More Info: BT904661

Component: TMOS

Symptoms:
Speeds for Mellanox NICs on BIG-IP Virtual Edition may be reported incorrectly. The behavior varies depending on what driver is in use:
- Speeds are always reported as 10G when the mlxvf5 driver is used, regardless of the actual speed of the interface.
- Speeds are reported as either 10G or 40G when the xnet driver is used. This is accurate unless the actual NIC speed is greater than 40G, in which case it will still be reported as 40G.

Conditions:
-- BIG-IP Virtual Edition
-- Using a Mellanox NIC with the mlxvf5 or xnet driver

Impact:
Possibly incorrect media speed reported. (Actual speed is correct, regardless of what is displayed.)

Fixed Versions:
17.1.0, 16.1.4


903313-4 : OWASP page: File Types score in Broken Access Control category is always 0.

Links to More Info: BT903313

Component: Application Security Manager

Symptoms:
Under the Broken Access Control category, the contribution of Disallowed File Types seems to be 0 no matter how many Disallowed File Types are in the policy. As a result, it is not possible to reach full compliance.

Conditions:
Security Policy is configured. Not Applicable for parent or child policy.

Impact:
For any OWASP configurable policy (i.e. not a parent or child policy), the policy cannot reach the maximum score for the Broken Access Control category.

Fixed Versions:
17.0.0, 16.1.4


902377-4 : HTML profile forces re-chunk even though HTML::disable

Links to More Info: BT902377

Component: Local Traffic Manager

Symptoms:
HTML profile performs a re-chunk even though HTML::disable has been executed in the HTTP_RESPONSE event.

Conditions:
Using HTML::disable in an HTTP_RESPONSE event.

Impact:
The HTML profile still performs a re-chunk.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1


901669-6 : Error status in 'tmsh show cm failover-status', and stale data in some tmstat tables, after management IP address change.

Links to More Info: BT901669

Component: TMOS

Symptoms:
-- The 'tmsh show cm failover-status' command shows a status of 'Error' when the command is run on a peer of a device that underwent a management IP address change.

-- Should the sod_tg_conn_stat or sod_tg_msg_stat tmstat tables be inspected using the tmctl command, the tables show stale information in the entry_key column.

Note: Additionally, in certain cases, it is possible for failover functionality to be broken after the management IP address change, meaning devices remain stuck in an improper Active/Active or Standby/Standby state. This further aspect of the issue is tracked under ID999125. This ID tracks only the cosmetic defect.

Conditions:
-- Two or more devices in a sync-failover device-group.
-- The management IP address is changed on one of the devices.

The error appears under either of these conditions:
-- The 'tmsh show cm failover-status' is run on a peer of the device that underwent the management IP address change.
-- The sod_tg_conn_stat or sod_tg_msg_stat tmstat tables are inspected using the tmctl command.

Impact:
The 'tmsh show cm failover-status' command indicates an error.

Workaround:
You can work around this issue by running the following command on the peers of the device which underwent a management IP address change:

tmsh restart sys service sod

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


898929-6 : Tmm might crash when ASM, AVR, and pool connection queuing are in use

Links to More Info: BT898929

Component: Local Traffic Manager

Symptoms:
TMM crashes and generates a core file.

Conditions:
-- System is provisioned for at least ASM, AVR, and LTM.
-- An LTM pool is configured to use connection queuing.
-- The LTM pool is used on a virtual server with an analytics profile.

Impact:
Tmm might crash. Traffic disrupted while tmm restarts.

Workaround:
Disable connection queuing on the pool.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5, 13.1.5


896941 : Common Criteria ccmode script updated

Links to More Info: BT896941

Component: TMOS

Symptoms:
Configuration of SSH must be done to support Common Criteria compliance. This is currently done by following instructions in the Common Criteria Guidance Document.

Conditions:
Common Criteria compliance configuration.

Impact:
This update automates the SSH configuration.

Workaround:
Continue to follow Common Criteria Guidance document instructions for SSH configuration.

Fix:
Added SSH configuration to meet Common Criteria requirements.

Fixed Versions:
17.0.0, 16.1.3


895557-5 : NTLM profile logs error when used with profiles that do redirect

Links to More Info: BT895557

Component: Local Traffic Manager

Symptoms:
As of BIG-IP version 14.1, HTTP iRule commands that inspect HTTP state after the commands HTTP::respond, HTTP::redirect, and HTTP::retry return errors instead of returning corrupt data (https://support.f5.com/csp/article/K23237429).

When the NTLM profile is configured, it does the same through a built-in TCL rule where among several things, it tries to check if HTTP::cookie exists. If a profile like HTTP exists wherein a redirect/respond/retry is configured, it results in a TCL error informing the admin that they are accessing an invalid HTTP state.

Conditions:
-- NTLM profile is configured alongside HTTP profile
-- One of the redirect/respond/retry commands has been executed before the NTLM profile accesses the state of HTTP (for example, HTTP::collect, HTTP::close, HTTP::cookie, etc.).

Impact:
Tcl error is seen in /var/log/ltm informing the admin that the iRule operation executed after HTTP::redirect/retry/respond is not supported.

For example -
TCL error: _plugin_rule_/Common/ntlm_default_iis <HTTP_REQUEST> - ERR_NOT_SUPPORTED (line 1) invoked from within "HTTP::cookie exists [PROFILE::ntlm insert_cookie_name]"

Fixed Versions:
17.0.0, 16.1.2, 16.0.1.2, 15.1.4, 14.1.4.2


890917-8 : Performance may be reduced while processing SSL traffic

Links to More Info: K56412001, BT890917


890169-4 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.

Links to More Info: BT890169

Component: Application Security Manager

Symptoms:
When a URL starts with double slashes (i.e. "http://HOST//path"), and the Bot Defense Profile decides to perform a simple redirect, the request results in a loading failure.

Conditions:
-- Bot Defense profile in blocking mode (or with "Verification and Device-ID Challenges in Transparent Mode" enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.

Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.

Workaround:
None.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


890037-3 : Rare BD process core

Links to More Info: BT890037

Component: Application Security Manager

Symptoms:
The BD process crashes, leaving a core dump. ASM restarts, causing a failover.

Conditions:
Some degree of traffic load; beyond that, the conditions leading to this are not known.

Impact:
Failover, traffic disturbance.

Workaround:
None

Fixed Versions:
16.1.5


889813-3 : Show net bwc policy prints bytes-per-second instead of bits-per-second

Links to More Info: BT889813

Component: TMOS

Symptoms:
The 'tmsh show net bwc policy' is printing out bits-per-second in the value field, but the name field says 'bytesPerSec'.

Conditions:
Running the tmsh command:
tmsh show net bwc policy

Impact:
The stats are in bits-per-second, but the label says bytesPerSec. Although there is no functional impact, the incorrect label could cause confusion.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.4, 15.1.10, 14.1.4.5


889605-2 : iApp with Bot profile is unavailable if application folder includes a subpath

Links to More Info: BT889605

Component: iApp Technology

Symptoms:
iApp with Bot profile is unavailable if the application folder includes a subpath. If the subpath is not present then iApp with bot profile is available.

Conditions:
1) Create default "Bot Protection" or "Web Application Comprehensive Protection" with an enabled "Bot Defense" use case in WGC without a virtual server.
2) Go to "iApps >> Application Services: Applications" and refer to the created iApp.

Impact:
The iApp cannot be loaded when you try to open it through the iApps >> Applications view in TMUI.

Workaround:
View the configuration created from Guided configuration as mentioned: iApps >> Application Services >> Applications LX menu

Fix:
Open the iApps >> Applications view in TMUI and load the iApp.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


888765-2 : After upgrading from 13.1.0 to 15.1.0.1 CGNAT is deprovisioned and tmm is restarted by reloaded config from text files

Links to More Info: BT888765

Component: TMOS

Symptoms:
After upgrading, CGNAT is de-provisioned and tmm is restarted after config load.

Conditions:
- CGNAT provisioned prior to upgrade
- Upgrade from 13.1.0 to 15.1.0.1 and reboot

Impact:
-- CGNAT is de-provisioned
-- Tmm restarts

Workaround:
After upgrading, re-provision CGNAT:

tmsh modify sys provision cgnat level <level>
tmsh save sys config

Fixed Versions:
16.1.4


888289-8 : Add option to skip percent characters during normalization

Links to More Info: BT888289

Component: Application Security Manager

Symptoms:
An attack signature is not detected.

Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.

Impact:
An attack goes undetected.

Workaround:
Turn on the bad unescape violation or the metacharacter violation.

Fix:
Added an internal parameter, normalization_remove_percents. Its default is 0 (zero), meaning that the previous behavior is maintained. When enabled, the normalization of the data before running the signature removes the percent characters (as it does to high ASCII and space characters).

Fixed Versions:
17.0.0, 16.1.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1
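
The effect described in 888289 can be modelled outside the product. This is an added example, not F5 code and not part of the original release notes: the signature, the sample payload and the function names are constructed for illustration, and only the normalization rule (drop spaces and high ASCII, optionally drop percent characters) and the role of the bad unescape check are taken from the entry above.

```python
import re

# Constructed toy signature; real ASM attack signatures are not reproduced here.
SIGNATURE = re.compile(r"<script", re.IGNORECASE)

# A '%' that is not followed by two hex digits is an invalid escape sequence.
# This models what the entry calls the "bad unescape" violation.
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def count_bad_unescapes(data: str) -> int:
    """Number of '%' characters that do not start a valid %XX escape."""
    return len(_BAD_ESCAPE.findall(data))


def normalize(data: str, remove_percents: bool = False) -> str:
    """Model of pre-signature normalization.

    Spaces and high-ASCII characters are always dropped. Percent characters
    are dropped only when remove_percents is set, mirroring the entry's
    normalization_remove_percents parameter (default 0).
    """
    out = []
    for ch in data:
        if ch.isspace() or ord(ch) > 0x7F:
            continue
        if remove_percents and ch == "%":
            continue
        out.append(ch)
    return "".join(out)


def inspect(data: str, remove_percents: bool = False,
            bad_unescape_check: bool = False) -> dict:
    """Run the toy signature and, optionally, the bad-unescape check."""
    normalized = normalize(data, remove_percents)
    return {
        "signature_hit": bool(SIGNATURE.search(normalized)),
        "bad_unescape": bad_unescape_check and count_bad_unescapes(data) > 0,
    }


# Constructed sample: a percent character between every character.
SAMPLE = "%".join("<script>")

if __name__ == "__main__":
    print("sample:", SAMPLE)
    print("default normalization:", inspect(SAMPLE))
    print("percents removed:     ", inspect(SAMPLE, remove_percents=True))
    print("bad unescape enabled: ", inspect(SAMPLE, bad_unescape_check=True))
```

With the default setting the signature misses the sample, which is why the workaround relies on the bad unescape or metacharacter violation; every percent character in the sample is an invalid escape, so that check fires without the signature.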


887117-4 : Invalid SessionDB messages are sent to Standby

Links to More Info: BT887117

Component: TMOS

Symptoms:
SessionDB messages sent from Active to Standby are dropped due to inconsistencies detected in the message. You see logs in /var/log/ltm:

SessionDB ERROR: received invalid or corrupt HA message; dropped message.

Conditions:
-- High availability (HA) pair configuration.
-- SessionDB messages sent from Active to Standby.

Impact:
The Standby drops these messages.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4.1


886649-5 : Connections stall when dynamic BWC policy is changed via GUI and TMSH

Links to More Info: BT886649

Component: TMOS

Symptoms:
Connections stall when dynamic BWC policy is changed via GUI and TMSH.

Conditions:
Issue is seen when you have a dynamic bandwidth control policy configured, and you make a change to the policy via the GUI and TMSH.

Impact:
Connection does not transfer data.

Workaround:
Restart TMM. Delete the relevant configuration, create a new configuration, and apply it.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3, 15.1.6.1, 14.1.5.1


886533-5 : Icap server connection adjustments

Links to More Info: BT886533

Component: Application Security Manager

Symptoms:
Requests sent to the ICAP server take a long time to process (several seconds), which makes the whole transaction slower than expected. When testing the connection to the ICAP server itself, you determine that it is fast.

Conditions:
This happens especially with large file uploads that are mixed with smaller file uploads. The smaller uploads are waiting for the bigger upload.

Impact:
Slow responses to specific requests.

Workaround:
None.

Fix:
This release provides greater responsiveness of the internal queue to the ICAP thread.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


885765-1 : ASMConfig Handler undergoes frequent restarts

Links to More Info: BT885765

Component: Application Security Manager

Symptoms:
Under some settings and load, the RPC handler for the tsconfd process restarts frequently.

Conditions:
When processing a large number of configuration updates.

Impact:
The RPC handler for the tsconfd process restarts frequently, causing unnecessary churn and noisy logs.

Workaround:
None

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5


884945-1 : Latency reduce in case of empty parameters.

Links to More Info: BT884945

Component: Application Security Manager

Symptoms:
Traffic load with many empty parameters may lead to increased latency.

Conditions:
Sending requests with many empty parameters

Impact:
Traffic load with many empty parameters may cause increased latency through the BIG-IP system.

Workaround:
None

Fix:
Ignore empty parameters

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


884541-9 : Improper handling of cookies on VIPRION platforms

Links to More Info: K29141800, BT884541


883049-9 : Statsd can deadlock with rrdshim if an rrd file is invalid

Links to More Info: BT883049

Component: Local Traffic Manager

Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs 'tmsh show sys memory'.

You may see errors:

-- err statsd[5005]: 011b0600:3: Error ''/var/rrd/endpisession' is too small (should be 15923224 bytes)' during rrd_update for rrd file '/var/rrd/endpisession'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/endpisession'.

Conditions:
Truncation of a binary file in /var/rrd.

Impact:
Stats are no longer collected. Statsd and rrdshim deadlock.

Workaround:
Remove the truncated file and restart statsd:
bigstart restart statsd

Fix:
Now detecting and rectifying truncation of RRD files.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


882709-6 : Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors

Links to More Info: BT882709

Component: TMOS

Symptoms:
Traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor.

This may manifest as traffic failing after an upgrade from earlier (unaffected) software versions.

Note: This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored.

This is due to an interoperability issue between RedHat Enterprise Linux (RHEL) and Microsoft Hyper-V, which seems to affect RHEL v7.3 and RHEL v7.5.

Hyper-V on Windows Server 2016 and Windows Server 2012 do not seem to identify the version of the built-in LIS correctly on Centos 7.3 or Centos 7.5 (which are built on RHEL 7.3 and RHEL 7.5 respectively).

Although there is a statement of support by Microsoft for VLAN tagging on RHEL 7.3 and 7.5 when running on Hyper-V, that functionality does not appear to work at present: Supported CentOS and Red Hat Enterprise Linux virtual machines on Hyper-V :: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/Supported-CentOS-and-Red-Hat-Enterprise-Linux-virtual-machines-on-Hyper-V.

Conditions:
-- BIG-IP VE is deployed on a Hyper-V hypervisor.
-- VLAN configured in BIG-IP VE with tagged interfaces, e.g.:

    net vlan external {
        interfaces {
            1.1 {
                tagged
            }
        }
        tag 4000
    }

-- At present, VLAN tagging on the v14.x and v15.x releases does not work because those releases are running on CentOS 7.3 and 7.5 respectively, which both are affected by the MS/RHEL interoperability issue.

-- BIG-IP v12.x and v13.x use a different (older) CentOS version, so VLAN tagging works without issue on those releases.

Impact:
-- The system does not prevent you from configuring tagged VLANs, even though they do not pass traffic.

-- Although upgrades complete and you can reboot into the new boot location (or you can set up on Hyper-V from scratch), traffic does not pass (into the guest) across VLANs that are tagged.

Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to elect to postpone upgrading from a working, v12.x and v13.x release.

Workaround:
Essentially, there is no workaround in this release; you must reconfigure the virtual machine to use separate, untagged interfaces for each VLAN.

Note: Although this is technically a problem between Hyper-V and the built-in LIS on RHEL 7.3/7.5, this issue is being tracked internally in this bug.

Behavior Change:
In this release, traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor.

This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored.

Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to elect to postpone upgrading from a working, v12.x and v13.x release.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1


881809-8 : Client SSL and Server SSL profile hardening

Links to More Info: K31523465, BT881809


881085-4 : Intermittent auth failures with remote LDAP auth for BIG-IP management

Links to More Info: BT881085

Component: TMOS

Symptoms:
There are intermittent auth failures when accessing the BIG-IP administration interfaces via SSH or the GUI.

Conditions:
-- Remote LDAP auth is configured.
-- An idle timeout RST is received on the LDAP connection before the configured auth LDAP idle-timeout expires. This RST might be generated by tmm (if the connection to the LDAP server is via a defined VLAN), some other intervening device on the network, or from the LDAP server itself (depending on its connection time limit).

Impact:
There might be intermittent remote-auth failures.

Workaround:
Set the auth ldap idle-timeout to a smaller value, for example, via tmsh:
modify auth ldap system-auth idle-timeout 299

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5


878641-3 : TLS1.3 certificate request message does not contain CAs

Links to More Info: BT878641

Component: Local Traffic Manager

Symptoms:
TLS1.3 certificate request message does not include CAs
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4

Conditions:
TLS1.3 and client authentication

Impact:
The Advertised Certificate Authorities option on Client SSL profiles does not function when TLS 1.3 is selected

Fix:
Certificate request message now may contain CAs

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


876677-2 : When running the debug version of TMM, an assertion may be triggered due to an expired DNS lookup.

Links to More Info: BT876677

Component: Global Traffic Manager (DNS)

Symptoms:
When running the debug version of TMM, if a particular DNS lookup takes more than 30 seconds, TMM may assert with a message in the /var/log/tmm file similar to the following example:

notice panic: ../modules/hudfilter/3dns/cache_resolver.c:2343: Assertion "standalone refcnt must be one" failed.

Conditions:
-- Using the debug TMM
-- Using the RESOLV::lookup iRule command
-- The DNS server targeted by the aforementioned command is running slowly or malfunctioning

Impact:
TMM crashes and, in redundant configurations, the unit fails over.

Workaround:
Do not use the debug TMM.

Fix:
The debug assert was removed and replaced by a debug log.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1


876569-2 : QAT compression codec produces gzip stream with CRC error

Links to More Info: BT876569

Component: Local Traffic Manager

Symptoms:
When an HTTP compression profile is enabled on BIG-IP platforms with Intel QuickAssist Technology (Intel QAT) compression accelerators, gzip errors are produced.

Conditions:
This occurs when the following conditions are met:

-- The following platforms with Intel QAT are affected:
   + 4450 blades
   + i4600/i4800
   + i10600/i10800
   + i7600/i7800
   + i5600/i5800
   + i11600/i11800
   + i11400/i11600/i11800
   + i15600/i15800

-- The compression.qat.dispatchsize variable is set to any of the following values:
   + 65535
   + 32768
   + 16384
   + 8192

-- The size of the file being compressed is a multiple of the compression.qat.dispatchsize value, for example:

   + 65355*32768
   + 8192*32768

Impact:
Clients cannot decompress the compressed file because there is an invalid gzip footer.

Workaround:
Disable hardware compression and use software compression.

Fix:
The system now handles gzip errors seen with QAT compression.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10
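
To confirm the symptom in 876569 on a captured response body, the gzip trailer can be checked directly. This is an added example, not F5 code and not part of the original release notes: it does not reproduce the QAT defect, the function name is hypothetical, and the sample streams are constructed in the script (a payload that is a multiple of 8192 bytes, one copy with a deliberately corrupted CRC32).

```python
import gzip
import struct
import zlib


def check_gzip_footer(blob: bytes) -> dict:
    """Inflate a single-member gzip stream and compare its 8-byte trailer
    (CRC32 and ISIZE, both little-endian) with the decompressed data."""
    if len(blob) < 18 or blob[:2] != b"\x1f\x8b" or blob[2] != 8:
        raise ValueError("not a gzip (deflate) stream")

    # Skip the 10-byte fixed header and any optional fields (RFC 1952).
    flags, pos = blob[3], 10
    if flags & 0x04:                       # FEXTRA
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & 0x08:                       # FNAME, NUL-terminated
        pos = blob.index(b"\x00", pos) + 1
    if flags & 0x10:                       # FCOMMENT, NUL-terminated
        pos = blob.index(b"\x00", pos) + 1
    if flags & 0x02:                       # FHCRC
        pos += 2

    # Raw deflate: negative wbits tells zlib not to expect its own framing,
    # so the gzip trailer is left over in unused_data.
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)
    data = inflater.decompress(blob[pos:])
    trailer = inflater.unused_data

    if not inflater.eof or len(trailer) < 8:
        return {"complete": False, "crc_ok": False,
                "size_ok": False, "valid": False}

    stored_crc, stored_size = struct.unpack("<II", trailer[:8])
    actual_crc = zlib.crc32(data) & 0xFFFFFFFF
    actual_size = len(data) & 0xFFFFFFFF   # ISIZE is the length modulo 2**32
    crc_ok = stored_crc == actual_crc
    size_ok = stored_size == actual_size
    return {
        "complete": True,
        "crc_ok": crc_ok,
        "size_ok": size_ok,
        "stored_crc": stored_crc,
        "actual_crc": actual_crc,
        "valid": crc_ok and size_ok,
    }


# Constructed sample: 32768 bytes, a multiple of an 8192-byte dispatch size.
PAYLOAD = bytes(range(256)) * 128
GOOD = gzip.compress(PAYLOAD)

# Constructed bad stream: same deflate data, CRC32 field inverted.
_crc, _size = struct.unpack("<II", GOOD[-8:])
BAD = GOOD[:-8] + struct.pack("<II", _crc ^ 0xFFFFFFFF, _size)

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bad", BAD)):
        print(name, check_gzip_footer(blob))
```

A stream that inflates completely but reports `crc_ok` as false matches the impact described above: the deflate data is readable, yet clients reject the response because of the footer.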


874941-4 : HTTP authentication in the access policy times out after 60 seconds

Links to More Info: BT874941

Component: Access Policy Manager

Symptoms:
HTTP authentication in the access policy times out after 60 seconds, where previously, the timeout was 90 seconds.

Conditions:
Encountering the timeout of HTTP authentication in the access policy in this version of the software.

Impact:
HTTP authentication times out 30 seconds earlier than it did in previous versions. There is no way to configure this timeout value, so authentication fails for operations that require greater than 60 seconds to complete.

Workaround:
None.

Fix:
Added options to configure the HTTP connection and request timeouts in HTTP authentication.

1. A db key to configure Connection Timeout for HTTP Server configuration:

+[APM.HTTP.ConnectionTimeout]
+default=10
+type=integer
+min=0
+max=300
+realm=common
+scf_config=true
+display_name=APM.HTTP.ConnectionTimeout


2. A db key to configure Request Timeout for HTTP Server configuration:

+[APM.HTTP.RequestTimeout]
+default=60
+type=integer
+min=0
+max=600
+realm=common
+scf_config=true
+display_name=APM.HTTP.RequestTimeout

Behavior Change:
Added db variables APM.HTTP.ConnectionTimeout and APM.HTTP.RequestTimeout as options to configure the HTTP connection and request timeouts in HTTP authentication.

The APM.HTTP.ConnectionTimeout defaults to 10 seconds, and the APM.HTTP.RequestTimeout defaults to 60 seconds.

Note: These defaults are the same as the values in earlier releases, so there is no effective functional change in behavior.

Fixed Versions:
16.1.2.2, 15.1.6.1, 14.1.5


874877-4 : The bigd monitor reports misleading error messages

Links to More Info: BT874877

Component: Local Traffic Manager

Symptoms:
When a recv string is used with an HTTP/HTTP2/HTTPS/TCP monitor, the HTTP status code is collected and in the event of failure, the most recent value (from before the failure) is retrieved and used as part of the log output. This can result in a message that is misleading.

Conditions:
- The BIG-IP system is configured to monitor an HTTP/HTTP2 server.
- The BIG-IP system is configured with an HTTPS/TCP monitor.

Impact:
Generates misleading log messages, making it difficult to identify the actual cause of the monitor failure.

This occurs because the system stores the 'last error' string for these monitors. This can be misleading, especially when a receive string is used. Following is an example:

-- A BIG-IP system is monitoring an HTTP server that is returning proper data (i.e., matching the receive string).
-- The HTTP server goes down. Now the BIG-IP system will have a last error string of 'No successful responses received before deadline' or 'Unable to connect'.
-- The HTTP server goes back up and works for a while.
-- For some reason, the HTTP server's responses no longer match the receive string.

In this case, a message is logged on the BIG-IP system:

      notice mcpd[6060]: 01070638:5: Pool /Common/http member /Common/n.n.n.n:n monitor status down. [ /Common/my_http_monitor: down; last error: /Common/my_http_monitor: Unable to connect @2020/01/09 04:18:20. ] [ was up for 4hr:18mins:46sec ]

The 'Unable to connect' last error reason is not correct: the BIG-IP system can connect to the HTTP server and gets responses back, but they do not match the receive string.

Workaround:
None

Fix:
None

Fixed Versions:
16.1.5


873617-1 : DataSafe is not available with AWAF license after BIG-IP startup or MCP restart.

Links to More Info: BT873617

Component: Fraud Protection Services

Symptoms:
DataSafe is not available with an AWAF license.

Conditions:
-- AWAF license
-- BIG-IP startup or MCP restart

Impact:
DataSafe is not available.

Workaround:
Reset the license.antifraud.id variable to its default:
tmsh modify sys db license.antifraud.id reset-to-default

Fix:
Additional DataSafe license validation during MCP startup after license information is loaded.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


858005-1 : When APM VPE “IP Subnet Match” agent configured with leading/trailing spaces runtime evaluation results in failure with error in /var/log/apm "Rule evaluation failed with error:"

Links to More Info: BT858005

Component: Access Policy Manager

Symptoms:
APM Access Policy evaluation failed.

Conditions:
When the APM VPE “IP Subnet Match” agent is configured with leading/trailing spaces, there is no configuration error, but runtime evaluation results in failure with this error message in /var/log/apm:
"Rule evaluation failed with error:"

Impact:
APM end user’s session cannot be established.

Workaround:
Using the APM VPE, remove all leading/trailing spaces from the configuration of the “IP Subnet Match” agent.

Fix:
This issue is fixed by trimming spaces from the IP Subnet Match agent configuration in the VPE.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


857045-4 : LDAP system authentication may stop working

Links to More Info: BT857045

Component: TMOS

Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.

In /var/log/daemon.log, you may see the following:

warning systemd[1]: nslcd.service failed

Conditions:
The nslcd daemon crashes and fails to restart.

Impact:
System authentication stops working until nslcd is restarted.

Workaround:
Manually restart the nslcd daemon:

systemctl start nslcd

nslcd can be reconfigured to restart automatically and create core files when it crashes, though these changes will be lost across software installs (and are not backed up as part of a UCS archive):

1. Run "systemctl edit nslcd", which will open a text editor (by default, nano).

2. In the text editor, add these contents:

[Service]

# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always

3. Exit the text editor and save the file

4. Check the output of "systemctl status nslcd" for any warnings/errors from systemd as a result of editing the file; there should not be any.

5. Restart nslcd:
   systemctl restart nslcd

Fixed Versions:
16.1.5


854129-6 : SSL monitor continues to send previously configured server SSL configuration after removal

Links to More Info: BT854129

Component: In-tmm monitors

Symptoms:
After an SSL profile has been removed from a monitor, a monitor instance continues to use settings from the previously-configured server SSL profile, such as client certificate or ciphers or supported TLS versions.

Conditions:
-- In-TMM monitors enabled.
-- SSL monitor configured with a server SSL profile.
-- Setting the monitor's 'SSL Profile' parameter to 'none'.

Impact:
The previously configured settings, such as certificate or cipher, continue to be used for monitoring pool members, which may result in unexpected health check behavior/pool member status.

Workaround:
An administrator can avoid this issue by ensuring the monitor's 'SSL Profile' parameter specifies a profile (i.e., is not 'none').

Note: In some software versions, changing a monitor's SSL profile from one profile to a different profile may not take effect. For information about this behavior, see https://cdn.f5.com/product/bugtracker/ID912425.html

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


852613-4 : Connection Mirroring and ASM Policy not supported on the same virtual server

Links to More Info: BT852613

Component: Application Security Manager

Symptoms:
Connection Mirroring used together with ASM is not supported by the BIG-IP system, and a config validation prevents associating an ASM Policy with a virtual server that is configured with Connection Mirroring.

Conditions:
An attempt is made to configure a virtual server with Connection Mirroring and an ASM Policy together.

Impact:
Connection Mirroring and ASM Policy cannot be configured on the same virtual server.

Workaround:
None.

Fix:
Connection Mirroring and ASM Policy can now be configured on the same virtual server. Only a subset of ASM features are supported. Please refer to the documentation for support and limitations when using Connection Mirroring with ASM.

Fixed Versions:
16.1.5, 14.1.2.7


851121-6 : Database monitor DBDaemon debug logging not enabled consistently

Links to More Info: BT851121

Component: Local Traffic Manager

Symptoms:
Debug logging in the database monitor daemon (DBDaemon) for database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle) is enabled on a per-monitor basis.
When a ping is initiated for a particular monitor with debug logging enabled in the monitor configuration, debug logging in DBDaemon is enabled.
When a ping is initiated for a particular monitor with debug logging disabled in the monitor configuration, debug logging in DBDaemon is disabled.
When monitoring database pool members with a mix of monitors with debug logging enabled versus disabled, the result can be that debug logging in DBDaemon is enabled and disabled at times which do not correspond to all actions related to a specific database monitor, or pool members monitored by that monitor.
In addition, debug messages logging internal DBDaemon state related to the management of the full collection of monitored objects, active threads, and other items may not be logged consistently.

Conditions:
-- Using multiple database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle).
-- Enabling debug logging on one or more database health monitors, but not all.

Debug logging for database health monitors is enabled by configuring the "debug" property of the monitor with a value of "yes".
Debug logging is disabled by configuring the "debug" property with a value of "no" (default).

# tmsh list ltm monitor mysql mysql_example debug
ltm monitor mysql mysql_example {
    debug yes
}

Impact:
Logging of database monitor activities by DBDaemon may be inconsistent and incomplete, impeding efforts to diagnose issues related to database health monitors.

Workaround:
When attempting to diagnose database health monitor issues with DBDaemon debug logging, enable debug logging for ALL database monitors currently in use.
Once diagnostic data collection is completed, disable debug logging for all database monitors currently configured/in use.

Fix:
DBDaemon debug logging can now be enabled globally to facilitate diagnosing database health monitor issues.
DBDaemon debug logging can be enabled globally by creating the following touch file:
-- /var/run/DBDaemon.debug
DBDaemon global debug logging can be disabled by removing or unlinking the above touch file.
Creating or removing the above touch file has immediate effect.
This mechanism enables/disables DBDaemon debug logging globally for all instances of DBDaemon which may be running under different route domains.

In addition, when debug logging is enabled for a specific database monitor (Microsoft SQL, MySQL, PostgreSQL, Oracle), DBDaemon accurately logs all events for that monitor. The per-monitor debug logging is enabled independent of the global DBDaemon debug logging status.

The timestamps in DBDaemon logs (/var/log/DBDaemon-*.log*) are now written using the local timezone configured for the BIG-IP system.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


850141-2 : Possible tmm core when using Dosl7/Bot Defense profile

Links to More Info: BT850141

Component: Application Security Manager

Symptoms:
Tmm crashes.

Conditions:
-- Dosl7/Bot defense profile is attached to a virtual server
-- A request is sent with a trusted bot signature and requires a rDNS.
-- An asynchronous iRule is attached to the virtual server

OR:
-- Device ID feature is enabled, and the current request requires a complex Device ID generation.
-- The connection is closed before the response arrives.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


849029-7 : No configurable setting for maximum entries in CRLDP cache

Links to More Info: BT849029

Component: Access Policy Manager

Symptoms:
There is no setting provided to configure the maximum entries in the CRLDP cache.

Conditions:
In a configuration with tens of thousands of CRLDP and hundreds of thousands or millions of certificates, certain operations might encounter an internal limit, resulting in a number of revoked certificates.

Impact:
No setting exists. You cannot set the maximum entries in the CRLDP cache.

Workaround:
None.

Fix:
There is now a setting for configuring the maximum entries in the CRLDP cache.

Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.4.4


844597-6 : AVR analytics is reporting null domain name for a dns query

Links to More Info: BT844597

Component: Advanced Firewall Manager

Symptoms:
AVR analytics is reporting null domain name for a DNS query if DNS DoS profile is attached to a virtual server, but the profile does not have the matching type vector enabled to the query type.

Conditions:
-- DNS DoS profile is attached to a virtual server.
-- The query type in the DNS query does not match an enabled DNS vector on the DNS profile.

Impact:
DNS domain name is reported as NULL

Workaround:
Enable the matching type vector on the DNS DoS profile.

Fix:
The domain name is now reported correctly under these conditions.

Fixed Versions:
17.1.1, 16.1.5, 15.1.10


844045-4 : ASM Response event logging for "Illegal response" violations.

Links to More Info: BT844045

Component: Application Security Manager

Symptoms:
Response log is not available when the request is legal but returns an illegal response status code.
In ASM, logging profiles allow the logging of all blocked responses. The existing response logging allows either all requests or illegal requests only which does not contain response logging data.

Conditions:
-- Response logging is enabled
-- An illegal response occurs

Impact:
Response logging does not occur.

Workaround:
N/A

Fix:
When a response has ASM response violations and response logging is enabled only for when there was a violation, ASM includes the response in the log.

Added an internal variable:
disable_illegal_response_logging -- default value 0.

If response logging is enabled in the GUI, only the response logs are captured.
If the variable disable_illegal_response_logging is set to 1, then response logging is disabled (even if enabled in the GUI).

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


842425-6 : Mirrored connections on standby are never removed in certain configurations

Links to More Info: BT842425

Component: Local Traffic Manager

Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.

Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.

Impact:
Leaking connections on the standby system.

Workaround:
You can use either of the following workarounds:

-- Use auto-lasthop with mirrored connections.

-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


842013-1 : ASM Configuration is Lost on License Reactivation

Links to More Info: BT842013

Component: Application Security Manager

Symptoms:
After re-activating a BIG-IP license, if the configuration fails to load and reverts to a base config load, the ASM policy config contains 'default' or 'stub' policies, even after fixing the error that caused the configuration to fail to load.

Conditions:
1) A parsing error exists in the BIG-IP config such that 'tmsh load sys config verify' would fail
2) There is a license reactivation or the configuration is reloaded

Impact:
ASM policy configuration is lost and all policies are reverted to empty 'stubs'

Workaround:
In the case of license re-activation/before upgrade:

   Run the command "tmsh load sys config verify" prior to license activation on ASM units to be sure that the config will pass parsing and avoid the fallback to base configuration load.

   In a case of booting the system into the new version:

   Option 1:

      1. Using the steps in either K4423 or K8465, fix the issue that was preventing the config from loading.
      2. Reload the config from the fixed UCS file using the command in K13132.

   Option 2:

      1. Roll back to the old version.
      2. Fix the issue that was preventing the config from loading.
      3. Before activating the Boot Location of the new version at System >> Software Management : Boot Locations, make sure to set the option Install Configuration to Yes. See K64400324.

   Option 3: If one of the high availability (HA) units successfully upgraded, then use config-sync to push the working config to the failing unit.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


838405-4 : Listener traffic-group may not be updated when spanning is in use

Links to More Info: BT838405

Component: TMOS

Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.

Conditions:
Spanning is disabled or enabled on a virtual address.

Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.

Depending on the configuration, virtual server may or may not forward the traffic when expected.

Workaround:
Enable/Disable spanning together with changing a traffic-group (both options have to be changed simultaneously):

> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-2 spanning disabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


838305-9 : BIG-IP may create multiple connections for packets that should belong to a single flow.

Links to More Info: BT838305

Component: Local Traffic Manager

Symptoms:
Due to a known issue, BIG-IP may create multiple connections for packets that should belong to a single flow. These connections will stay in the connection table until the idle timeout is reached. These connections can be used for forwarding the traffic.

Conditions:
BIG-IP may create multiple connections for packets that should belong to a single flow when both following conditions are true:
- Packets are coming at a very high rate from the network.
- Flow handling these packets is torn down.

Impact:
This might result in packets from the client being handled by one flow and packets from the server being handled by a different flow.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


832133-7 : In-TMM monitors fail to match certain binary data in the response from the server

Links to More Info: BT832133

Component: In-tmm monitors

Symptoms:
Pool members are incorrectly marked DOWN by a monitor. The pool members send the expected response to the probe, but the BIG-IP system marks them DOWN.

Conditions:
This issue occurs when all of the following conditions are met:

- In-TMM monitoring is enabled on the system (the 'bigd.tmm' db key is set to 'enable'; note this is set to 'disable' by default).

- One or more TCP or HTTP monitors specify a receive string using HEX encoding, in order to match binary data in the server's response.

- Depending on the HEX values specified (currently values in the range of 0x80-0xBF are believed to be affected), response matching fails.

Impact:
Objects that are meant to be marked UP are marked DOWN. As a result, no load balancing occurs to affected resources.

Workaround:
Either one of the following workarounds can be used:

- Disable in-TMM monitoring by setting 'bigd.tmm' to 'disable'.

- Do not monitor the application through a binary response (if the application allows it).

Fix:
The monitor finds the recv string and shows the pool or member as available.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.7


831737-3 : Memory Leak when using Ping Access profile

Links to More Info: BT831737

Component: Access Policy Manager

Symptoms:
Memory usage by pingaccess keeps increasing when requests with an expired session cookie are sent to a virtual server with a PingAccess Profile.

Conditions:
1. BIG-IP virtual server that contains PingAccess Profile.
2. Request sent with expired session cookie.

Impact:
Memory leak occurs in which ping access memory usage increases.

Fix:
Fixed a memory leak with the Ping Access profile.

Fixed Versions:
17.1.1, 16.1.5, 15.1.6.1


830361-9 : CVE-2012-6711 Bash Vulnerability

Links to More Info: K05122252, BT830361


830341-5 : False positives Mismatched message key on ASM TS cookie

Links to More Info: BT830341

Component: Application Security Manager

Symptoms:
ASM system triggers false positives for ASM Cookie Hijacking violation with reason "Mismatched message key"

Conditions:
-- An HTTP request containing an old frame cookie with a different message key from the main ts cookie is rejected
-- The cookie is left intact

Impact:
All subsequent requests are rejected on ASM Cookie Hijacking violation

Workaround:
1. Disable the "Learn Host Names" flag in all policies. If the policy builder is in manual mode, change it back to Auto mode, disable "Learn Host Names", then change to manual mode.

OR

2. Delete the mismatched cookie. This will cause the violations to stop occurring if the request comes from a legit endpoint

Fix:
In order to activate the changed functionality, set internal parameter ignore_cookies_msg_key to 1 and restart asm by executing following commands in CLI:
/usr/share/ts/bin/add_del_internal add ignore_cookies_msg_key 1
bigstart restart asm

Once enabled, ASM system does not trigger false positives.

Fixed Versions:
17.0.0, 16.1.2.1, 16.0.1.2, 15.1.4, 14.1.4.2, 13.1.4.1


829653-1 : Memory leak due to session context not freed

Links to More Info: BT829653

Component: Policy Enforcement Manager

Symptoms:
Memory increases slowly

Conditions:
A PEM iRule times out

Impact:
Memory could be exhausted depending on the frequency of the command timeouts

Fixed Versions:
17.0.0, 16.1.4


828761-5 : APM OAuth - Auth Server attached iRule works inconsistently

Links to More Info: BT828761

Component: Access Policy Manager

Symptoms:
The iRule attached to the OAuth Resource Server (RS) is not triggered when the traffic hits the virtual server.

Conditions:
The issue occurs during a reboot of the BIG-IP device containing an OAuth server config and an attached iRule, or when the iRule is initially assigned to the OAuth Server.

Impact:
OAuth scope check agent fails with 'HTTP error 503' because the iRule attached to the RS virtual server is not triggered.

Workaround:
For existing OAuth servers with the iRule attached, modify the iRule, for example, adding a log. This makes the iRule trigger when it is initially attached or loaded.

Fix:
The iRule is triggered when a request comes to the OAuth RS virtual server.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5


827393-5 : In rare cases tmm crash is observed when using APM as RDG proxy.

Links to More Info: BT827393

Component: Access Policy Manager

Symptoms:
Tmm may crash when APM is configured as an RDG proxy to access Microsoft remote desktops and applications.

Conditions:
APM is used as RDG proxy

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Tmm does not crash when APM is configured as RDG proxy.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5.1, 14.1.4.5, 13.1.5


823877-7 : CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability

Links to More Info: K25126370, BT823877


819645-1 : Reset Horizon View application does not work when accessing through F5 APM

Links to More Info: BT819645

Component: Access Policy Manager

Symptoms:
You are unable to reset VMware applications from a Windows VM client, Android VM client or HTML5 client.

Conditions:
-- VMware Horizon Proxy configured via an iApp on APM
-- Access the VM applications via the APM webtop through the native client or HTML5 client for Windows, or access applications via the native client on Android.

Impact:
Impaired reset option functionality

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


818889-1 : False positive malformed json or xml violation.

Links to More Info: BT818889

Component: Application Security Manager

Symptoms:
A false positive malformed XML or JSON violation occurs.

Conditions:
-- A stream profile is attached (or the http profile is set to rechunk on the request side).
-- A json/XML profile attached to the virtual.

Impact:
A false positive violation.

Workaround:
Modify the http profile to work in preserve mode for request chunking (this workaround is not possible in 16.1).

Fix:
N/A

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


815901-2 : Add rule to the disabled pem policy is not allowed

Links to More Info: BT815901

Component: Policy Enforcement Manager

Symptoms:
Adding rule to PEM policy is not allowed

Conditions:
A PEM policy is disabled

Impact:
You are unable to add rules to a PEM policy if it is disabled.

Fix:
Allow adding rules to disabled PEM policy

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7


810917-1 : OWASP Compliance score is shown for parent and child policies that are not applicable.

Links to More Info: BT810917

Component: Application Security Manager

Symptoms:
OWASP score for a parent policy or child policy is shown as 0.
The more accurate value should be 'N/A' since these policies are not configurable for OWASP.

Conditions:
Create either child policy or parent policy. On Security ›› Application Security : Security Policies : Policies List page you will see in the OWASP Compliance score the value 0, and when going to OWASP page configuration (Security ›› Overview : OWASP Compliance) the user will see a note that the policy is not configurable for OWASP.

Impact:
When looking on the policies list, the user may get the impression that the parent or child policies can be configured to comply with OWASP.

Workaround:
Ignore OWASP Compliance score for child and parent policies.

Fixed Versions:
17.0.0, 16.1.4


808913-1 : Big3d cannot log the full XML buffer data

Links to More Info: BT808913

Component: Global Traffic Manager (DNS)

Symptoms:
Big3d cannot log the full XML buffer data:

-- notice big3d[12212]: 012b600d:5: Probe from ::ffff:11.11.1.21:45011: len 883/buffer = <vip>.

Conditions:
The gtm.debugprobelogging variable is enabled.

Impact:
Not able to debug big3d monitoring issues efficiently.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


805821-1 : GTP log message contains no useful information

Links to More Info: BT805821

Component: Service Provider

Symptoms:
GTP profile and GTP iRules provide no useful information in order to proceed with troubleshooting.

Conditions:
GTP profile or iRules fails to process message

Impact:
Users lack information for troubleshooting.

Workaround:
N/A

Fix:
GTP error log has been replaced with a more useful message. The new log message provides more intuitive information including the reason and, in some messages, location of data that causes the failure.

Fixed Versions:
17.0.0, 16.1.1, 15.1.4, 14.1.4.4, 13.1.5


804529-1 : REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools

Links to More Info: BT804529

Component: TMOS

Symptoms:
The GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats for a specific pool may fail with Error 404.

Conditions:
Pools that start with the letter 'm'. This is because those endpoints contain objects with incorrect selflinks.

For example:
- Query to the below pool that starts with the letter 'm' will work as it contains the right selflink.
       - Pool: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats"
       - selfLink: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats?ver=x.x.x.x"

- Query to the below pool that does not start with the letter 'm' may not work as it contains the wrong selflink.
       - Pool: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats"
       - selfLink: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats?ver=x.x.x.x"
         
In the above example, the word 'members' is displayed in selflink.

Impact:
Errors are observed with GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats.

Workaround:
The following workarounds are available:

1. Use /mgmt/tm/ltm/pool/members/stats without a specific pool, which does return the pool member stats for every pool.

2. For each pool member in /mgmt/tm/ltm/pool, issue a GET for:

/mgmt/tm/ltm/pool/<pool>/members/<member>/stats

Fix:
The REST endpoint /mgmt/tm/ltm/pool/members/stats/<specific pool> will have the working endpoints returned.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


803965-10 : Expat Vulnerability: CVE-2018-20843

Links to More Info: K51011533, BT803965


803109-4 : Certain configuration may result in zombie forwarding flows

Links to More Info: BT803109

Component: Local Traffic Manager

Symptoms:
OneConnect profile in conjunction with 'Source-port preserve-strict' or cmp-hash setting of 'dst-ip' or 'src-ip' on the server-side VLAN may result in zombie forwarding flows.

On the server-side the incoming traffic hits a different TMM from the one that handles the outgoing traffic.

Unexpected 'Inet port exhaustion' messages may be logged in the LTM log file.

Conditions:
-- OneConnect configured.

And one of the following:

-- Source-port is set to preserve-strict.
-- The cmp-hash setting on the server-side VLAN is set to 'dst-ip' or 'src-ip'.

Impact:
Zombie forwarding flows. Over time, the current allocation count grows and does not return to its prior level when traffic stops.

The current allocation can be checked with this command:
# tmctl memory_usage_stat name=connflow -s name,cur_allocs

Workaround:
You can use any of the following workarounds:

-- Remove the OneConnect profile from the Virtual Server.

-- Do not use 'source-port preserve-strict' setting on the Virtual Server.

-- Set the 'cmp-hash default' on the server-side VLAN if it is set to 'cmp-hash src-ip' or 'cmp-hash dst-ip'.

Note: After making this change, it may be necessary to run the command 'tmsh restart sys service tmm', which will clear the old flows but also impact traffic. Traffic interrupted while tmm restarts.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6


797797-7 : CVE-2019-11811 kernel: use-after-free in drivers

Links to More Info: K01512680, BT797797


796065-2 : PingAccess filter can accumulate connections increasing memory use.

Links to More Info: BT796065

Component: Access Policy Manager

Symptoms:
Currently the maximum http header count value for ping access is 64. The connection to the backend is aborted if there are more than 64 headers.

Conditions:
1. Ping access is configured.
2. The HTTP header count is more than 64.

Impact:
The connection is aborted by the BIG-IP system, and users are unable to access the backend.

Workaround:
None

Fix:
Fixed an issue with the ping access filter.

Fixed Versions:
16.1.4


794385-6 : BGP sessions may be reset after CMP state change

Links to More Info: BT794385

Component: Local Traffic Manager

Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.

This happens in the following instances:
  - Blade reset.
  - Booting up or shutting down.
  - Running 'bigstart restart'.
  - Setting a blade state from/to primary/secondary.

During these events, there is a small chance that an ingress ACK packet of a previously established BGP connection is disaggregated to the new processing group (TMMs), and the selected TMM is ready to process traffic but is not yet ready to process traffic for existing connections. In this case, the connection is not processed and is reset instead.

Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BGP peering is configured.
-- A CMP state change occurs on one of the blades.
-- A BGP ingress ACK packet is disaggregated to a TMM that is either the wrong TMM or not ready to process packets of an already established connection.

Impact:
Affected BGP peering is reset and dynamic routes learnt by the configured protocol are withdrawn, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, unexpected routing decisions are from networks learnt by affected routing protocols when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
There is no workaround, but the issue was never seen with a configuration where CMP hash of affected VLAN is changed back to Default value.

Fix:
BGP session is no longer reset during CMP state change.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.5


791669-5 : TMM might crash when Bot Defense is configured for multiple domains

Links to More Info: BT791669

Component: Application Security Manager

Symptoms:
TMM might crash and generate a core file when using a Bot Defense profile that is configured for multiple domains.

Conditions:
Bot Defense is configured with multiple 'Related Site Domains' and attached to a virtual server.

Impact:
TMM crash with core. Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer crashes when Bot Defense is configured for multiple domains.

Fixed Versions:
17.0.0, 16.1.4, 16.0.1.2, 15.1.4, 14.1.2.3


785197-5 : binutils vulnerability CVE-2019-9075

Links to More Info: K42059040, BT785197


780857-4 : HA failover network disruption when cluster management IP is not in the list of unicast addresses

Links to More Info: BT780857

Component: Local Traffic Manager

Symptoms:
If the cluster management IP address is not in the list of failover network unicast addresses, the blade management IP addresses in the unicast mesh will not be able to receive failover messages from peer devices.

Conditions:
-- VIPRION chassis or vCMP guest on a VIPRION chassis.
-- Per-blade management IP addresses listed in the failover network unicast mesh.
-- No cluster management IP address listed.

Impact:
The blade management IP addresses in the failover network unicast mesh stop functioning:

[root@VIP2200-R75-S5:/S1-green-P::Standby:In Sync] config # tmctl -w 200 -S sod_tg_conn_stat
entry_key local_failover_addr remote_device_name pkts_received transitions last_msg status
----------------------------- ------------------- ------------------------------ ------------- ----------- ---------- ------
10.200.75.8->10.10.10.1:1026 10.10.10.1:1026 VIP2200-R75-S8.sin.pslab.local 3249 3 1555399271 1
10.200.75.8->10.200.75.3:1026 10.200.75.3:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--
10.200.75.8->10.200.75.4:1026 10.200.75.4:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--

Workaround:
You can add an explicit management IP firewall rule to allow this traffic:

tmsh modify security firewall management-ip-rules rules add { accept_udp_1026 { place-before first ip-protocol udp destination { ports add { 1026 } } action accept } }

This will add a firewall policy so port 1026 is no longer locked down, and the blade management IP addresses in the unicast mesh should begin to function properly.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.5.1


776117-1 : BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type

Links to More Info: BT776117

Component: TMOS

Symptoms:
The BIG-IP Virtual Edition's virtio driver is incompatible with the Q35 machine type.

Conditions:
-- BIG-IP Virtual Edition with the virtio driver.
-- Setting the machine type to Q35 on the hypervisor.

Impact:
The BIG-IP will not use the virtio driver, using the sock (or unic, in versions prior to 14.1.0) driver instead.

Fixed Versions:
17.1.1, 16.1.5, 15.1.10


760496-4 : Traffic processing interrupted by PF reset

Links to More Info: BT760496

Component: TMOS

Symptoms:
CPU usage increases after PF reset. Traffic between client and server is interrupted.

Conditions:
-- E710 NICs are used.
-- Reset PF.

Impact:
The BIG-IP instance requires a restart after PF reset to resume traffic processing.

Workaround:
Restart the BIG-IP device.

Fix:
A TMSH db variable, ve.ndal.exit_on_ue, is introduced to enable/disable device restart on PF reset. On restart, a new error message is written to /var/log/tmm. Error message: "Restarting TMM on unrecoverable error."

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


760355-4 : Firewall rule to block ICMP/DHCP from 'required' to 'default'

Links to More Info: BT760355

Component: Advanced Firewall Manager

Symptoms:
If a firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.

Conditions:
- Firewall is configured on the management port.
- Firewall is configured with an ICMP rule to block.
- Firewall is configured with an ICMP rule to allow.

Impact:
ICMP packets cannot be blocked with a firewall rule to drop on the management port. ICMP packets are allowed from the management port and will not increase the counter even if explicitly allowed by a rule.

Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions.

# /sbin/iptables -N id760355
# /sbin/iptables -I INPUT 1 -j id760355
# /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP

Fix:
ICMP firewall rule has been moved from the f5-required to f5-default.

Fixed Versions:
16.1.4, 15.1.9, 15.0.1.1, 14.1.2.1


759928-6 : Engineering Hotfixes might not contain all required packages

Links to More Info: BT759928

Component: TMOS

Symptoms:
An Engineering Hotfix might be missing certain required packages.

Conditions:
This can occur with certain Engineering Hotfixes.

Impact:
Some of the required packages may be missing.

Workaround:
None

Fix:
Engineering Hotfix ISOs now automatically include packages for targets that may be affected by code change in a specific target.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7


756918-4 : Engineering Hotfix ISOs may be nearly as large as full Release ISOs

Links to More Info: BT756918

Component: TMOS

Symptoms:
Engineering Hotfix ISO images might be unexpectedly large.

Conditions:
This might occur with certain Engineering Hotfix builds.

Impact:
Engineering Hotfixes are unnecessarily large.

Workaround:
None

Fix:
Engineering Hotfix ISO images are no longer created with a size that may occasionally exceed 2 GB, and no longer contain a complete set of packages replacing all packages installed by the original BIG-IP release upon which the Engineering Hotfix is based.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.7


755976-9 : ZebOS might miss kernel routes after mcpd daemon restart

Links to More Info: BT755976

Component: TMOS

Symptoms:
After an mcpd daemon restart, sometimes (in ~30% of cases) ZebOS is missing some of the kernel routes (virtual addresses).

One of the most common scenarios is a device reboot.

Conditions:
-- Dynamic routing is configured.
-- Virtual address is created and Route Advertisement is configured:
imish -e 'sh ip route kernel'
-- mcpd daemon is restarted or device is rebooted.

Impact:
The kernel route (virtual address) is not added to the ZebOS routing table and cannot be advertised.

Workaround:
There are several workarounds; here are two:

-- Restart the tmrouted daemon:
bigstart restart tmrouted

-- Recreate the affected virtual address.

Fix:
The kernel route is now present in the ZebOS routing table after mcpd daemon restart.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


752077-4 : Kerberos replay cache leaks file descriptors

Links to More Info: BT752077

Component: Access Policy Manager

Symptoms:
APMD reports 'too many open files' error when reading HTTP requests:

-- err apmd[15293]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 113 Msg: epoll_create() failed [Too many open files].
-- err apmd[15293]: 01490000:3: ApmD.cpp func: "process_apd_request()" line: 1801 Msg: Error 3 reading/parsing response from socket 1498. strerror: Too many open files, queue size 0, time since accept

There are file descriptor dumps in /var/log/apm showing many deleted files with name krb5_RCXXXXXX:

-- err apmd[15293]: 01490264:3: 1492 (/shared/tmp/krb5_RCx8EN5y (deleted)) : cloexec, Fflags[0x8002], read-write
-- err apmd[15293]: 01490264:3: 1493 (/shared/tmp/krb5_RCnHclFz (deleted)) : cloexec, Fflags[0x8002], read-write
-- err apmd[15293]: 01490264:3: 1494 (/shared/tmp/krb5_RCKGW8ia (deleted)) : cloexec, Fflags[0x8002], read-write

Conditions:
This failure may happen if the access policy uses Kerberos authentication, Active Directory authentication, or Active Directory query. The conditions under which the Kerberos replay cache leaks are unknown.

Impact:
APM end users experience intermittent log on issues.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9
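
The symptoms of 752077 can be triaged from the log alone. The following is an added example, not F5 code: it scans apmd log text for the descriptor-dump lines shown above, counts deleted krb5_RC* files still held open per apmd process, and correlates them with 'Too many open files' errors. The threshold of 3 and the last two sample lines are assumptions made for illustration.

```python
import posixpath
import re
from collections import defaultdict

# The apmd lines quoted in the entry above, followed by two CONSTRUCTED lines
# (a non-rcache descriptor, and a second apmd pid) to exercise the filtering.
SAMPLE_LOG = '''\
err apmd[15293]: 01490000:3: HTTPParser.cpp func: "readFromSocket()" line: 113 Msg: epoll_create() failed [Too many open files].
err apmd[15293]: 01490000:3: ApmD.cpp func: "process_apd_request()" line: 1801 Msg: Error 3 reading/parsing response from socket 1498. strerror: Too many open files, queue size 0, time since accept
err apmd[15293]: 01490264:3: 1492 (/shared/tmp/krb5_RCx8EN5y (deleted)) : cloexec, Fflags[0x8002], read-write
err apmd[15293]: 01490264:3: 1493 (/shared/tmp/krb5_RCnHclFz (deleted)) : cloexec, Fflags[0x8002], read-write
err apmd[15293]: 01490264:3: 1494 (/shared/tmp/krb5_RCKGW8ia (deleted)) : cloexec, Fflags[0x8002], read-write
err apmd[15293]: 01490264:3: 7 (/shared/tmp/example.tmp) : cloexec, Fflags[0x8002], read-write
err apmd[20111]: 01490264:3: 31 (/shared/tmp/krb5_RCexample (deleted)) : cloexec, Fflags[0x8002], read-write
'''

# Descriptor dump line: "<fd> (<path>[ (deleted)]) : <flags>"
FD_DUMP = re.compile(
    r"apmd\[(?P<pid>\d+)\]: \S+: (?P<fd>\d+) "
    r"\((?P<path>\S+)(?P<deleted> \(deleted\))?\) :"
)
# Any apmd message reporting descriptor exhaustion.
EMFILE = re.compile(r"apmd\[(?P<pid>\d+)\]: .*Too many open files")


def triage(log_text, threshold=3):
    """Return {pid: summary} for every apmd pid seen in fd dumps or EMFILE errors.

    threshold is an assumed cut-off: a process holding at least this many
    deleted replay-cache files open is reported as matching the leak signature.
    """
    leaked = defaultdict(set)   # pid -> descriptors pointing at deleted krb5_RC* files
    emfile = defaultdict(int)   # pid -> count of "Too many open files" messages

    for line in log_text.splitlines():
        dump = FD_DUMP.search(line)
        if dump:
            name = posixpath.basename(dump["path"])
            if dump["deleted"] and name.startswith("krb5_RC"):
                leaked[int(dump["pid"])].add(int(dump["fd"]))
            continue
        err = EMFILE.search(line)
        if err:
            emfile[int(err["pid"])] += 1

    summary = {}
    for pid in sorted(set(leaked) | set(emfile)):
        fds = sorted(leaked.get(pid, ()))
        summary[pid] = {
            "leaked_rcache_fds": fds,
            "emfile_errors": emfile.get(pid, 0),
            # Leak signature: many deleted replay-cache files still open.
            "leak_signature": len(fds) >= threshold,
            # Exhaustion already visible to end users as failed logons.
            "exhausted": emfile.get(pid, 0) > 0,
        }
    return summary


if __name__ == "__main__":
    for pid, info in triage(SAMPLE_LOG).items():
        print(pid, info)
```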


749332-1 : Client-SSL Object's description can be updated using CLI and with REST PATCH operation

Links to More Info: BT749332

Component: TMOS

Symptoms:
REST PUT fails to update the object description when proxy-ca-cert and proxy-ca-key are not configured, and triggers an error:
SSL forward proxy RSA CA key is missing.

Conditions:
Issue is seen only with REST PUT operation, and when proxy-ca-cert and proxy-ca-key are not configured.

Impact:
REST PUT operation cannot be used to update/modify the description.

Workaround:
You can use either of the following:

-- You can use TMSH to update/modify the description, even if proxy-ca-cert and proxy-ca-key are not configured.

-- You can also use the PATCH operation and send only the required fields that need modification.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.4


748886-4 : Virtual server stops passing traffic after modification

Links to More Info: BT748886

Component: Local Traffic Manager

Symptoms:
A virtual server stops passing traffic after changes are made to it.

Conditions:
-- Virtual server is using a port-list or address-list
-- High availability (HA) environment with multiple traffic groups
-- A change is made to the virtual server

Impact:
Every time you make changes to the virtual server, the traffic-group for the virtual address is changed, and traffic goes down.

Fixed Versions:
17.1.0, 17.0.0.1, 16.1.3.1, 15.1.6.1, 14.1.5.1


742753-8 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail

Links to More Info: BT742753

Component: TMOS

Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.

Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:

- Remove the Referer header.

- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.

Impact:
Users cannot log on to the BIG-IP system's WebUI.

Workaround:
As a workaround, you can do any of the following things:

- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).

- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).

- Modify the proxy solution so that it inserts compatible Referer and Host headers.

Fix:
CSRF checks based on HTTP headers pre-logon have been improved.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5
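
Why the proxies described in 742753 break logon is easier to see with a header-based check written out. The following is an added, illustrative check, not the BIG-IP implementation: it assumes a pre-logon CSRF test that requires the Referer origin to tally with the Host header, and runs it against constructed requests (hostnames and paths are made up) for a direct connection and for the proxy behaviours listed in the conditions and workaround.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _host_port(authority, scheme):
    """Normalise 'host[:port]' to (lowercase host, effective port)."""
    parts = urlsplit(f"{scheme}://{authority}")
    return (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS[scheme]


def referer_tallies_with_host(headers, scheme="https"):
    """Assumed header-based CSRF check: the Referer origin must match Host.

    Returns (allowed, reason). A missing Referer is treated as a failure,
    which is the behaviour the entry's conditions imply.
    """
    host = headers.get("Host")
    referer = headers.get("Referer")
    if not host:
        return False, "missing Host"
    if not referer:
        return False, "missing Referer"
    try:
        ref = urlsplit(referer)
        if ref.scheme not in DEFAULT_PORTS or not ref.hostname:
            return False, "unparseable Referer"
        ref_origin = (ref.hostname.lower(), ref.port or DEFAULT_PORTS[ref.scheme])
        host_origin = _host_port(host, scheme)
    except ValueError:  # invalid port or malformed bracketed address
        return False, "unparseable header"
    if ref_origin != host_origin:
        return False, "Referer/Host mismatch"
    return True, "ok"


# CONSTRUCTED requests, one per situation named in the entry.
SCENARIOS = {
    # Browser talks to the WebUI directly.
    "direct": {
        "Host": "bigip.example.test",
        "Referer": "https://bigip.example.test/login",
    },
    # Proxy removes the Referer header.
    "proxy_strips_referer": {
        "Host": "bigip.example.test",
    },
    # Proxy rewrites Host to an internal name but leaves Referer untouched.
    "proxy_rewrites_host": {
        "Host": "mgmt-internal.example.test",
        "Referer": "https://bigip.example.test/login",
    },
    # Workaround: proxy inserts compatible Referer and Host headers.
    "proxy_inserts_compatible": {
        "Host": "mgmt-internal.example.test:443",
        "Referer": "https://mgmt-internal.example.test/login",
    },
}


def evaluate_scenarios():
    """Run the check over every constructed scenario."""
    return {name: referer_tallies_with_host(h) for name, h in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in evaluate_scenarios().items():
        print(f"{name:26s} allowed={allowed!s:5s} {reason}")
```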


740321-1 : iControl SOAP API does not follow current best practices

Links to More Info: K50310001, BT740321


738716-1 : Add support for "Restart Desktop" setting in View clients, native as well as HTML5 clients

Links to More Info: BT738716

Component: Access Policy Manager

Symptoms:
When VMware resources are accessed through APM VMware VDI, the "Restart Desktop" setting is not seen for the enumerated Desktop resource. The same issue is observed with HTML5 clients.

Conditions:
- VMware Native or HTML5 client is used
- APM VMware VDI is used
- Desktop resources should be enumerated
- Right click on resource

Impact:
Unable to restart desktop from native and HTML5 clients.

Workaround:
None

Fix:
Restart desktop is successful and it works as expected.

Fixed Versions:
17.1.1, 16.1.5


738593-3 : VMware Horizon session collaboration (shadow session) feature does not work through APM.

Links to More Info: BT738593

Component: Access Policy Manager

Symptoms:
When the VMware virtual desktop interface (VDI) is configured, session collaboration or shadow session does not work.

Conditions:
-- VMware VDI configured and Desktop resource is accessed with native client only.
-- Launch resources and VMware Horizon Client will use Blast protocol to display VMware sessions.
-- Shadow session is enabled in desktop.

Impact:
The Desktop's shadow session resource icon is not shown on the webtop of the native client.

Workaround:
None

Fix:
Users should see Desktop's shadow session icon when resources are loaded on to webtop of native client.

Fixed Versions:
17.0.0, 16.1.2.1, 15.1.5, 14.1.4.5


737692-5 : Handle x520 PF DOWN/UP sequence automatically by VE

Links to More Info: BT737692

Component: TMOS

Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, i.e. the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that the BIG-IP VE can use). If an x520 device's PF is marked down and then up, tmm does not recover traffic on that interface.

Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.

Impact:
VE does not process any traffic on that VF.

Workaround:
Reboot VE.

Fix:
Tmm now restarts automatically when the PF comes back up after going down.

Behavior Change:
Tmm now restarts automatically when the PF comes back up after going down.

Fixed Versions:
17.1.1, 16.1.5, 15.1.3.1


724653-5 : In a device-group configuration, a non-empty partition can be deleted by a peer device during a config-sync.

Links to More Info: BT724653

Component: TMOS

Symptoms:
In a device-group configuration, a BIG-IP administrator can add a non-synced object to a partition on one device, then delete that partition on a peer device, syncing the delete (this is assuming the partition is empty on the peer).

Although the config-sync operation will report as having completed successfully on both devices, and no errors will be visible in the /var/log/ltm file of either device, a number of issues can manifest at a later time.

For instance, assuming the non-synced object was a VLAN, listing all VLANs across all partitions will return the following error:

root@(bigip-ntr-d)(cfg-sync In Sync)(Active)(/)(tmos)# list net vlan recursive
01070712:3: Internal error, can't load folder or nested folder for: /test/my_vlan

And reloading the config will return the following error (as the partition has been deleted, including its flat config files):

root@(bigip-ntr-d)(cfg-sync In Sync)(Active)(/Common)(tmos)# load sys config
Loading system configuration...
  /defaults/asm_base.conf
  /defaults/config_base.conf
  /defaults/ipfix_ie_base.conf
  /defaults/ipfix_ie_f5base.conf
  /defaults/low_profile_base.conf
  /defaults/low_security_base.conf
  /defaults/policy_base.conf
  /defaults/wam_base.conf
  /defaults/analytics_base.conf
  /defaults/apm_base.conf
  /defaults/apm_saml_base.conf
  /defaults/app_template_base.conf
  /defaults/classification_base.conf
  /var/libdata/dpi/conf/classification_update.conf
  /defaults/urlcat_base.conf
  /defaults/daemon.conf
  /defaults/pem_base.conf
  /defaults/profile_base.conf
  /defaults/sandbox_base.conf
  /defaults/security_base.conf
  /defaults/urldb_base.conf
  /usr/share/monitors/base_monitors.conf
Loading configuration...
  /config/bigip_base.conf
  /config/bigip_user.conf
  /config/bigip.conf
01070523:3: No Vlan association for STP Interface Member 1.2.
Unexpected Error: Loading configuration process failed.

These are just examples, and the exact failures will depend on the type of non-synced object and its use within your configuration.

Conditions:
-- Two or more devices in a device-group configuration.
-- Using partitions that contain non-synced objects.
-- Deleting the partition on a device and syncing the changes to the other devices.

Impact:
The partition is deleted on the peer device, even though it still contains non-synced objects. A number of config issues can arise at a later time as a result of this.

Workaround:
In some cases, if you need to define non-synced objects, you can do so in partitions or folders that are associated with 'device-group none' and 'traffic-group none'. This would prevent the partition or folder from synchronizing to other devices in the first place.

Fix:
Validation has been added that will make a config-sync receiver reject the operation if this includes the deletion of a non-empty partition. In this case, the config-sync will fail and report an error message similar to the following example:

0107082a:3: All objects from local device and all HA peer devices must be removed from a partition (test) before the partition may be removed, type ID (467), text ID (60706)

Fixed Versions:
17.0.0, 16.1.3, 15.1.6.1, 14.1.5


723109-2 : FIPS HSM: SO login failing when trying to update firmware

Links to More Info: BT723109

Component: TMOS

Symptoms:
After FIPS device initialization, an attempt to update the FIPS firmware may fail on SO login.

Conditions:
When trying to update FIPS firmware.

Impact:
The FIPS firmware cannot be upgraded.

Workaround:
None

Fix:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.10


720610-4 : Automatic Update Check logs false 'Update Server unavailable' message on every run

Links to More Info: BT720610

Component: TMOS

Symptoms:
The Automatic Update Check operation erroneously logs a message indicating that the Update Server is unavailable on every run, successful or not.

Conditions:
The BIG-IP system is configured to run the Automatic Update Check feature.

Impact:
Misleading 'PHONEHOME: Update Server unavailable' messages in the log file, implying that the update server is not available.

Workaround:
None.

Fix:
The Automatic Update Check operation no longer logs false messages.

Fixed Versions:
17.0.0, 16.1.3.1, 15.1.6.1, 14.1.2.7, 13.1.3


717806-8 : In the case of 'n' bigd instances, uneven CPU load distribution is seen when a high number of monitors are configured

Links to More Info: BT717806

Component: Local Traffic Manager

Symptoms:
Load average peaks are observed when a high number of monitors (>= 200) are configured across 'n' bigd instances.

Conditions:
When a high number of monitors are configured across 'n' bigd instances. CPU load peaks appear and disappear periodically.

Impact:
No performance impact

Workaround:
None

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


715748-7 : BWC: Flow fairness not in acceptable limits

Links to More Info: BT715748

Component: TMOS

Symptoms:
Flow fairness for BWC dynamic policy instance has reduced.

Conditions:
The flow fairness is up to 50%. It is expected to be within 25%.

Impact:
Flow fairness of BWC dynamic policy across sessions is not as expected.

Fixed Versions:
17.1.1, 16.1.5, 15.1.10


713754-3 : Apache vulnerability: CVE-2017-15715

Links to More Info: K27757011


693473-8 : The iRulesLX RPC completion can cause invalid or premature TCL rule resumption

Links to More Info: BT693473

Component: Local Traffic Manager

Symptoms:
RPC completion will attempt to resume the RPC iRule execution when there is subsequent iRule activity on the flow - CLIENT/SERVER_CLOSED, for instance, which keeps the flow alive and blocks in an iRule event.

Conditions:
The iRule event is blocking when an RPC call is outstanding and the flow is aborted.

Impact:
This causes iRule event blocking when an RPC call is outstanding and the flow is aborted.

Workaround:
None

Fix:
Cancel ILX RPC TCL resumption if iRule event is aborted before resumption (reply or timeout) occurs.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9


686783-1 : UrlCat custom database feed list does not work when the URL contains a www prefix or capital letters.

Links to More Info: BT686783

Component: Traffic Classification Engine

Symptoms:
If a UrlCat custom database feed list has URLs containing a www prefix or capital letters, the URLs are not categorized when queried.

Conditions:
The UrlCat custom database feed list contains URLs with a www prefix or capital letters.

Impact:
Improper classification

Workaround:
Using an iRule can help classify the URL.

Fix:
The URL is now normalized before it is put in the custom database.

Fixed Versions:
17.0.0, 16.1.2, 15.1.4.1, 14.1.4.5, 13.1.5


674026-6 : iSeries AOM web UI update fails to complete.

Links to More Info: BT674026

Component: TMOS

Symptoms:
Upon upgrading a BIG-IP version, AOM web UI updates can sometimes fail.

Conditions:
This occurs when upgrading a BIG-IP system's software version on iSeries platforms.

Impact:
After booting to a new version, the AOM web UI update fails with an error message in /var/log/ltm similar to the following:

err bmcuiupdate[20824]: Failed updated AOM web UI with return code 2

Workaround:
At the bash prompt run:

/etc/lcdui/bmcuiupdate

This triggers another upgrade attempt, and the result is logged in /var/log/ltm. This should not be service-affecting.

Fix:
AOM web UI update failures are now automatically corrected.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


673952-6 : 1NIC VE in high availability (HA) device-group shows 'Changes Pending' after reboot

Links to More Info: BT673952

Component: TMOS

Symptoms:
When Virtual Edition (VE) is configured for 1NIC, you will see the following logs on reboot indicating that configuration has been loaded from file:

 notice tmsh[12232]: 01420002:5: AUDIT - pid=12232 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all base
 notice tmsh[12392]: 01420002:5: AUDIT - pid=12392 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=load sys config partitions all

Conditions:
- VE configured in 1NIC mode.
- Unit booted either through reboot or power on.

Impact:
This is unlikely to have any impact if the VE is in standalone mode but could result in an unexpected config if the configuration files differ.

If the VE is part of a device-group, then this will result in a commit id update and the units will show 'Changes pending'.

Workaround:
None.

Fixed Versions:
17.0.0, 16.1.5


672963-1 : MSSQL monitor fails against databases using non-native charset

Links to More Info: BT672963

Component: Local Traffic Manager

Symptoms:
MSSQL monitor fails against databases using non-native charset.

Conditions:
MSSQL monitor configured to monitor a database that is using non-native charset (ISO-8859-1).

Impact:
MSSQL monitoring always marks node / member down.

Workaround:
On BIG-IP v13.x and v14.0.x, you can work around this issue using the following steps:

1. Log in to the BIG-IP console into a bash prompt.

2. Run the following command:
mount -o remount,rw /usr; ln -s /usr/java-64/openjdk/lib/charsets.jar /usr/java/openjdk/lib/charsets.jar; mount -o remount,ro /usr

3. Restart bigd:
bigstart restart bigd

Fix:
MSSQL monitor can be used effectively against a database using a non-native charset.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


669046-7 : Handling large replies to MCP audit_request messages

Links to More Info: BT669046

Component: TMOS

Symptoms:
When receiving very large replies to MCP messages (e.g., when viewing audit logs from the GUI), MCP can run out of memory and produce a core file. This is due in part to the amount of data returned, and also due in part to memory handling.

In a production environment, fragmentation naturally occurs over the lifetime of MCP, thus increasing the odds of this happening. In addition, larger configurations cause more space to be consumed in MCPD and might more easily lead to the fragmentation, resulting in this issue.

Conditions:
Receiving very large replies to MCP messages (e.g., from audit_request messages, which occurs when you view audit logs from the GUI).

Memory usage is already high.

Impact:
Allocation of memory for viewing the audit logs fails. MCP can run out of memory and produce a core file.

Workaround:
Use tmsh/bash to view the audit logs instead of the GUI when audit logs are extremely large and memory usage is already high.

Fix:
Viewing audit logs in the GUI is now limited to 10,000 lines, so this issue no longer occurs.

Behavior Change:
The GUI is limited to viewing no more than 10,000 lines of the audit log.

You can use tmsh/bash to view audit logs larger than 10,000 lines.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.6.1, 14.1.5


662301-8 : 'Unlicensed objects' error message appears despite there being no unlicensed config

Links to More Info: BT662301

Component: TMOS

Symptoms:
An error message appears in the GUI:
This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.

Examination of the configuration and license shows that there are no configuration errors or unlicensed configuration objects. The device is operational.

Conditions:
The BIG-IP system is licensed and the configuration loaded.

Impact:
Error message appears in the GUI stating that the device is not operational. However, the device is operational.

Workaround:
On an appliance, restart mcpd by running the following command:

    bigstart restart mcpd

On a VIPRION or vCMP guest running on a VIPRION, restart MCPD on all blades by running the following command:

    clsh bigstart restart mcpd

Note: This causes a system to go offline while services restart. Traffic disrupted while services restart.

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


651029-12 : Sensitive information exposed during incremental sync

Links to More Info: K20307245, BT651029


634576-3 : TMM core in per-request policy

Links to More Info: K48181045, BT634576

Component: Access Policy Manager

Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.

Conditions:
APM or SWG per-request policy with reject ending.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when per-request policy encounters reject ending.

Fixed Versions:
16.1.5, 13.1.0


605966-9 : BGP route-map changes may not immediately trigger route updates

Links to More Info: BT605966

Component: TMOS

Symptoms:
When a route-map is used to filter BGP advertisements, changes to the route-map that affect the filtered routes may not trigger an update to the affected routes.

Conditions:
BGP in use with a route-map filtering advertisements.

Impact:
BGP table may not reflect route-map changes until "clear ip bgp" is executed.

Workaround:
Run "clear ip bgp <neighbor>".

Fix:
Changing a route-map used with BGP updates affected routes without clearing the session.

Fixed Versions:
16.1.5


586948-2 : Dynamic toggling for HSB hardware checksum validation

Links to More Info: BT586948

Component: TMOS

Symptoms:
Disabling hardware checksum validation on BIG-IP requires manually editing a config tcl file and restarting TMM.

Conditions:
- Configuring HSB hardware checksum validation.

Impact:
None

Workaround:
None

Fix:
HSB hardware checksum validation can now be configured by using the new DB variable "tmm.hsb.hwchecksumvalidation".

When the value of this DB variable is changed, the HSB will be updated immediately without requiring a TMM restart.

Fixed Versions:
17.1.0, 16.1.5


574762-4 : Forwarding flows leak when a routing update changes the egress vlan

Links to More Info: BT574762

Component: Local Traffic Manager

Symptoms:
Forwarding flow doesn’t expire and leaks a connflow object.

Conditions:
A route change occurs on forwarded flows.

Impact:
Memory leak.

Workaround:
None

Fix:
Fixed a memory leak with forwarding flows.

Fixed Versions:
17.0.0, 16.1.4, 15.1.9


528894-5 : Config-Sync after non-Common partition config changes results in extraneous config stanzas in the config files of the non-Common partition

Links to More Info: BT528894

Component: TMOS

Symptoms:
Configuration stanzas that do not belong in the files of a non-Common partition appear there. These stanzas could include, for example, 'net trunk' or 'sys ha-group' objects.

Conditions:
-- The system includes partitions other than Common.

-- Configuration in a partition other than Common is modified.

-- A Config-Sync operation not involving an overwrite takes place (it is also possible to reproduce this issue on a standalone BIG-IP system by doing a save operation like the following: "tmsh save sys config partitions { Common other }").

Impact:
/config/partitions/<partition_name>/bigip_base.conf will contain extraneous config stanzas (such as the ones mentioned in Symptoms).

/config/bigip_base.conf will no longer contain config stanzas that belong there.

Note that the impact is mostly cosmetic. An affected device will still be able to correctly load its configuration even if some config stanzas appear in the wrong flat config file.

However, Administrators performing audits of the flat config files will be perplexed as to why some stanzas are moving back and forth between partitions.

Workaround:
If you wish to restore your flat config files to their proper state after the issue has already occurred, simply run "tmsh save sys config" on the affected device.

Alternatively, to prevent the issue in the first place, you can Config-Sync using the following command "tmsh run cm config-sync force-full-load-push to-group <device-group>".

Note that neither workaround is permanent and the issue will reoccur.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5, 14.1.4.6, 13.1.5


504374-1 : Cannot search Citrix Applications inside folders

Links to More Info: BT504374

Component: Access Policy Manager

Symptoms:
Search in webtop will not consider Citrix applications inside folders while searching.

Conditions:
Citrix applications available inside folder

Impact:
Unable to search Citrix applications inside folders.

Workaround:
None

Fixed Versions:
16.1.5


490138-1 : Kerberos Auth might fail in case BIG-IP is configured with multiple AAA Kerberos Servers

Links to More Info: BT490138

Component: Access Policy Manager

Symptoms:
If BIG-IP is configured with multiple AAA Kerberos Server objects and those Kerberos Servers use different keytabs for different service accounts but for the same realm, authentication may fail intermittently.

Conditions:
- multiple AAA Kerberos Servers created
- AAA Kerberos servers are configured with different keytabs
- the keytabs are for different service accounts but for the same realm

Impact:
Kerberos authentication fails, user cannot log in

Workaround:
As a workaround, merge the keytab files and use the cumulative keytab file for all AAA Kerberos Servers.

An administrator can merge keytab files with the "ktutil" Kerberos utility that is installed on BIG-IP:
1. Run ktutil.
2. Load all the keytab files to merge using:
rkt <file>
3. You can list the currently loaded entries with "l".
4. After you load all required keytabs, save the new keytab with:
wkt <newfile>

Fixed Versions:
17.1.0, 16.1.4, 15.1.9


435231 : Support RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral parameters

Links to More Info: K79342815, BT435231

Component: Local Traffic Manager

Symptoms:
RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) parameters are not supported.

Conditions:
This affects ciphersuites that use Diffie–Hellman Ephemeral (DHE) key exchange.

Impact:
Larger FFDHE groups will be chosen if offered by the client.

Note: You might notice an impact to performance as compared with the previously chosen DHE 1024.

Workaround:
None

Fix:
With the support for the FFDHE groups defined in RFC7919, the system now supports DHE2048, DHE3072, DHE4096 keys. The default DHE key size is 2048 bits. (In previous BIG-IP versions, the default was 1024 bits.)

You can configure this default value by enabling or disabling the DB variable tmm.ssl.dh1024. To do so, use the following TMSH command syntax:

 modify sys db tmm.ssl.dh1024 value enable/disable

To use FFDHE2048, FFDHE3072, FFDHE4096 keys, you define them in a cipher rule, and then use this rule in a cipher group before associating it with an SSL profile.

Note: If you use a cipher rule that does not define any of the FFDHE2048, FFDHE3072, or FFDHE4096 groups (e.g., f5-default), this feature is not enabled.

For more information, and for steps to define these rules, see K79342815: BIG-IP support for RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) :: https://support.f5.com/csp/article/K79342815.

Behavior Change:
RFC7919 Negotiated FFDHE parameters are now supported.

The FFDHE2048, FFDHE3072, FFDHE4096 keys are supported in this release. The default is DHE 2048 bits.

In previous versions, the default DHE key size was 1024 bits. If you want to continue to use DHE 1024, you can enable the DB variable tmm.ssl.dh1024; by default it is disabled.

For more information, and for steps to use this feature, see K79342815: BIG-IP support for RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral (FFDHE) :: https://support.f5.com/csp/article/K79342815.

Fixed Versions:
17.0.0, 16.1.2.2


427094-1 : Accept-language is not respected if there is no session context for page requested.

Links to More Info: BT427094

Component: Access Policy Manager

Symptoms:
Localization settings are determined when the session is created.
As a result, when the user logs out, there is no user context left for APM to determine what language to present to the user.
So, when the user is using the localized logon page, it reverts to the default language after the refresh.

Conditions:
After configuring the preferred language, refreshing the login page twice changes the language to the default, English.

Impact:
APM page doesn't load the preferred language after refreshing twice.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.1.1, 16.1.5, 15.1.10


423519-5 : Bypass disabling the redirection controls configuration of APM RDP Resource.

Links to More Info: K74302282, BT423519

Component: Access Policy Manager

Symptoms:
User can bypass RDP resource redirection restrictions between RDP remote machine and local machine.

Conditions:
1. Create RDP resource. Disable redirection parameter.
2. Launch the resource.
3. Launch RDP Client, enable redirection parameter.

Impact:
User can bypass RDP resource restrictions.

Workaround:
NA

Fix:
User is not allowed to perform any redirection controls of the RDP resource.

Fixed Versions:
17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, 13.1.5


1615861-2 : TMUI hardening

Component: TMOS

Symptoms:
In certain scenarios, TMUI does not follow best security practices.

Conditions:
N/A

Impact:
N/A

Workaround:
No workaround

Fix:
Best security practices are now applied

Fixed Versions:
16.1.5.1, 15.1.10.5


1593681-2 : Monitor validation improvements

Component: TMOS

Symptoms:
Monitor validation did not follow expected behavior.

Conditions:
N/A

Impact:
N/A

Workaround:
No mitigation

Fix:
Only allow trusted admins to create and upload custom monitors. Do not upload untrusted monitors.

Fixed Versions:
16.1.5, 15.1.10.5


1560497 : Host is unreachable, vector is not mitigated by HW at profile level.

Links to More Info: BT1560497

Component: Advanced Firewall Manager

Symptoms:
HW drops are not incremented when traffic is sent to the Host Unreachable vector at profile level.

Conditions:
Configure the Host unreachable vector detection and mitigation limits at profile level.

Impact:
Hardware mitigation does not happen at profile level.

Workaround:
None

Fix:
Neuron support checks for the Host Unreachable vector are now handled; the support was not there, such that the packets were routed directly to the flow table to effect the hardware stats.

Fixed Versions:
16.1.5


1552685-5 : Issues are observed with APM Portal Access on Chrome browser version 122 or later

Links to More Info: K000138771, BT1552685

Component: Access Policy Manager

Symptoms:
Web application using APM Portal Access stops working after upgrading to Chrome browser version 122 or later or a similar MS Edge browser version.

Conditions:
-- Chrome browser version 122 or later or a similar MS Edge browser version
-- APM Portal Access

Impact:
Applications will not work through Portal Access.

Workaround:
An iRule/iFile workaround is available. Refer to K000138771: APM Portal Access stops working after upgrading Chrome to version 122 (https://my.f5.com/manage/s/article/K000138771)

Fix:
APM portal access will work with Chrome browser version 122 or later or a similar MS Edge browser version.

Fixed Versions:
16.1.5


1538173-3 : Bados TLS fingerprints works incorrectly with chrome's new versions

Links to More Info: BT1538173

Component: Anomaly Detection Services

Symptoms:
The requests from the same Chrome browser but from different connections can have different TLS fingerprints

Conditions:
Behavioral L7 DOS is configured, BAD actors behavior detection configured with "Use TLS patterns as part of host identification" option.

Some good clients or attackers use new versions of Chrome

Impact:
The same user will be identified and examined as different users.

Workaround:
Don't use the "TLS patterns as part of host identification" option.

Fix:
The requests from the same Chrome browser have different TLS fingerprints

Fixed Versions:
16.1.5


1507913-2 : CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources

Links to More Info: K000139084, BT1507913


1507569-2 : KeyTrap: Extreme CPU consumption in DNSSEC validator

Links to More Info: K000139092, BT1507569


1506049-2 : Parsing large DNS messages may cause excessive CPU load

Links to More Info: K000138990, BT1506049


1506009-1 : Oauth core

Links to More Info: BT1506009

Component: Access Policy Manager

Symptoms:
TMM crashes during a configuration sync while passing OAuth traffic.

Conditions:
-- OAuth configured with opaque token generation
-- A configuration sync occurs

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Identified and addressed the db proxy connection pointer validation in case of rollback when db query fails.

Fixed Versions:
16.1.5


1506005-2 : TMM core occurs due to OAuth invalid number of keys or credential block size

Links to More Info: BT1506005

Component: Access Policy Manager

Symptoms:
TMM crashes during a configuration sync while passing OAuth traffic.

Conditions:
-- OAuth is configured.
-- A configuration sync occurs.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Modified the terminating condition based on the credential block length with the number of keys.

Fixed Versions:
16.1.5


1505789-2 : VPN connection fails with Edge client 7.2.4.6 with error "Network is vulnerable"

Links to More Info: K000138683, BT1505789

Component: Access Policy Manager

Symptoms:
When the user is upgraded to edge client version 7.2.4.6, they may fail to connect to the VPN server.

Conditions:
1. An LTM VS/NATed device is present before the APM VPN-enabled virtual server, or any case where the VPN server IP the client receives in the IP header differs from the one in the pre/config message.

2. BIG-IP versions v17.1.1.1 or v16.1.4.2 or v15.1.10.3 used along with edge client version 7.2.4.6.

Impact:
The user fails to connect to the VPN.

Workaround:
See the Recommended Actions at K000138683: Users cannot connect to BIG-IP APM virtual servers with BIG-IP Edge Client 7246, available at https://my.f5.com/manage/s/article/K000138683

Fix:
The user should be able to connect to the VPN even after the upgrade.

Fixed Versions:
16.1.5


1505753-1 : Maximum Fragment Length extension is not visible in ServerHello even though it is present in ClientHello

Links to More Info: BT1505753

Component: Local Traffic Manager

Symptoms:
When the request from the client contains the Maximum Fragment Length header, BIG-IP is able to process it and honors the functionality, but this parameter is not added to the ServerHello.

Conditions:
Send a request from a client that contains the maximum fragment length extension.

Impact:
The ClientHello succeeds but the TLS Handshake fails when the Server Hello is received.

Workaround:
None

Fixed Versions:
16.1.5


1505413 : Error in Wrapper for Array.slice Method When F5_window_link is Undefined

Links to More Info: BT1505413

Component: Access Policy Manager

Symptoms:
When Modern Rewrite Mode is used, an error occurs while processing traffic:

cache-fm-Modern.js:481 Uncaught TypeError: Cannot read properties of undefined (reading 'Array')

Conditions:
Modern Rewrite Mode is used

Impact:
Application does not function properly

Workaround:
Use the below iFile iRule:

when CLIENT_ACCEPTED {
  ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
  if {
    [HTTP::path] ends_with "cache-fm-Modern.js"
  } {
    HTTP::respond 200 content [ifile get ModernCachefm]
  }
}

iFile - Contact F5 support for iFile

Fix:
Application is working fine now

Fixed Versions:
16.1.5


1496701-1 : PEM CPPE reporting buffer overflow resulting in core

Links to More Info: BT1496701

Component: Policy Enforcement Manager

Symptoms:
PEM writes into a buffer without checking its size, resulting in unknown behavior or a core.
TMM starts coring and rebooting.

Conditions:
1) PEM policy with action reporting is configured.
2) Reporting -> hsl -> session-reporting-fields has a large number of fields.

Impact:
TMM core, hence service disruption.

Fix:
Check the bounds before each write

Fixed Versions:
16.1.5


1496457-2 : TMM crash under certain traffic patterns when an HTTP/2 profile is applied.

Component: Local Traffic Manager

Symptoms:
A TMM crash.

Conditions:
An LTM virtual server with an HTTP/2 profile attached.

Impact:
A TMM crash.

Workaround:
Set up HA pairs when configuring your BIG-IP device.

Fix:
The issue no longer occurs.

Fixed Versions:
16.1.5


1496269-2 : VCMP guest on version 16.1.4 or above might experience constant TMM crashes.

Links to More Info: BT1496269

Component: TMOS

Symptoms:
VCMP guest on version 16.1.4 or above might experience constant TMM crashes.

Conditions:
VCMP guest running version from 16.1.x software train, 16.1.4 or above.

vCMP host running any other software version.

Impact:
Post upgrade TMM enters crash/core loop on vCMP guest. Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
16.1.5


1495217-3 : TMUI hardening

Links to More Info: K000138636, BT1495217


1494833-3 : A single signature does not match when exceeding 65535 states

Links to More Info: K000138898, BT1494833

Component: Application Security Manager

Symptoms:
One of the attack signatures is not matched.

Conditions:
When all signatures are enabled and custom ones are created.

Impact:
The attack signature is passed instead of getting blocked.

Workaround:
NA

Fix:
All the signatures will be detected and respective violations will be raised.

Fixed Versions:
17.1.1.3, 16.1.4.3, 15.1.10.4


1494293-4 : BIG-IP might fail to forward server-side traffic after a routing disruption occurs.

Links to More Info: BT1494293

Component: Local Traffic Manager

Symptoms:
BIG-IP might fail to forward server-side traffic after a routing disruption occurs.

Conditions:
- CMP forwarding occurs (traffic on ingress is handled by a different TMM on egress).
- Routing disruption happens.
- Flow collision with existing connection happens.
- connection.vlankeyed is enabled (default)

Impact:
Server-side traffic is silently dropped.

Workaround:
Clear the existing connection from the connection table according to K53851362

Fixed Versions:
16.1.5


1494137-1 : Translucent mode vlan-group uses wrong MAC when sending ICMP to client

Links to More Info: BT1494137

Component: Local Traffic Manager

Symptoms:
Translucent mode vlan-group uses source MAC as the vlan-group's MAC address instead of the server's MAC address while responding to an ICMP unreachable request.

Conditions:
1. Configure Vlangroup in Translucent mode on BIG-IP
2. Send an ICMP unreachable request from client to server.
3. Capture the tcpdump on the BIG-IP, observe the response packet has source MAC as the vlan-group's MAC address instead of the server's MAC address while responding to an ICMP unreachable request.

Impact:
The wrong MAC address is used which can cause traffic disruption.

Workaround:
Disable vlangroup.flow.allocate :

tmsh modify sys db vlangroup.flow.allocate value disable

Fix:
Translucent mode vlan-group uses source MAC as the server's MAC address instead of vlan-group's MAC address while responding to an ICMP unreachable request.

Fixed Versions:
16.1.5


1492361-2 : TMUI Security Hardening

Links to More Info: K000138894, BT1492361


1491481-2 : Server changes to support QT upgrade of Mac Clients

Links to More Info: BT1491481

Component: Access Policy Manager

Symptoms:
The old client build was failing due to a pending QT upgrade; the client requires server changes to support it.

Conditions:
QTv5.5 and MAC OS(11.1)

Impact:
Cannot establish VPN connection with new clients.

Workaround:
None

Fix:
Server changes to support QT upgrade of clients.

Fixed Versions:
16.1.5


1491165-1 : TMM crashes when saving DAG setting and there are 7 or more blades

Links to More Info: BT1491165

Component: TMOS

Symptoms:
TMM crashes and generates a core file and continues to crash during startup.

Conditions:
A chassis has 7 or more blades installed.

The settings introduced by ID1282181 have been saved.

Impact:
Traffic interruption while TMM restarts.

Workaround:
The issue could be avoided by clearing the variables for ID1282181. However, this takes away the feature.

Fix:
The fix is adjusting the size of the buffers.

Fixed Versions:
16.1.5


1490833-1 : OAuth agent gets misconfigured when adding a new Scope/Claim in VPE

Links to More Info: BT1490833

Component: Access Policy Manager

Symptoms:
OAuth agent gets misconfigured when adding a new scope/claim in the visual policy editor (VPE).

Conditions:
- There are at least 10 scopes/claims attached to the OAuth agent.
- Adding a new scope/claim to the OAuth agent

Impact:
OAuth agent gets misconfigured

Workaround:
None

Fixed Versions:
16.1.5


1490765-2 : Request body can be unordered by bot-defense

Links to More Info: BT1490765

Component: Application Security Manager

Symptoms:
Certain request bodies, such as a request body from a trusted bot, can be unordered after bot-defense applies its enforcement.

Conditions:
- bot-defense profile is in use
- bot-defense performs rDNS lookup for the request
- this manifests once in every five minutes

Impact:
Service or application that receives the unordered request body might not understand the request content and can fail.

Workaround:
Use iRule that disables bot-defense for the specific request, for example
- Check UA, URI, and other
- Disable bot-defense

Fixed Versions:
16.1.5


1489657-3 : HTTP/2 MRF incorrectly end stream for 100 Continue

Links to More Info: BT1489657

Component: Local Traffic Manager

Symptoms:
HTTP2 client resets the stream by PROTOCOL ERROR on seeing END_STREAM flag set in 100 CONTINUE header frame.

Conditions:
HTTP/2 MRF enabled
HTTP/2 on the server side.
HTTP POST with body length > 0
The HTTP request has the "Expect: 100-continue" header
The server responds 100 Continue

And versions that have BugID-1220629 fixed

Impact:
The request would not be processed due to PROTOCOL_ERROR.

Fix:
Special handling for 1xx headers

Fixed Versions:
16.1.5


1473701 : Oauth Discovery task is stuck at "SAVE_AND_APPLY" state

Links to More Info: BT1473701

Component: Access Policy Manager

Symptoms:
Initial symptoms could be one of the following:
- Auto JWT discovery task stops or stalls and no reason is provided
- OIDC discovery task stops discovering
- Auto update of JWK fails
- OAuth token does not renew
- Oauth Discovery stuck at "SAVE_AND_APPLY"
- OAuth Provider Discovery Task does not work anymore

Other indications:

-> Stale JWK keys will be present in the config and authentication fails with the following error in /var/log/apm: "OAuth Scope: failed for jwt-provider-list '/Common/VPN_JWT', error: None of the configured JWK keys match the received JWT token, JWT Header:"
-> restcurl -X GET tm/access/oidc/discover/ outputs the OIDC discovery task status, and the status will be "SAVE_AND_APPLY"

Conditions:
- The JWK keys discovered from the OpenID well-known URL are different from the existing JWK keys in the config.
- mcp fails while applying the config. This can be identified when /var/log/restjavad does not show the "Applying access policies" log after the "Updating mcp jwt and jwk objects for provide" log.

Impact:
- Config will contain stale JWK keys

Workaround:
- Restart restjavad so that the discovery task starts again

Fix:
- Moved the apply access policy operation into a child thread so that the parent thread does not block itself until it receives a response from the mcp.
- Earlier the OIDC thread would be blocked until it got a successful response from the mcp for "apply access policy" and if it did receive a response, it would be blocked and would stop permanently without rescheduling itself.
- Now, even if the apply access policy fails in the current discovery cycle, the OIDC discovery worker will not be blocked and will be rescheduled for the next interval and the apply access policy will be reattempted as part of the next discovery cycle.

Fixed Versions:
16.1.5


1472853-2 : PVA may not fully come up on large platforms with many tmms

Links to More Info: BT1472853

Component: TMOS

Symptoms:
The PVA may not be fully initialized when tmm starts. This can lead to various issues such as

* flows not being accelerated
* flows getting reset with idle timeout or "No flow found for ACK" reset cause messages.

Log message similar to the following is seen in /var/log/tmm2:
notice ePVA had not been globally enabled by HSBE2 LBB

Conditions:
-- BIG-IP iSeries i15800 platform.
-- PVA enabled
-- Tmm that has not been restarted since boot.

Impact:
-- flows may not be accelerated
-- flows may get reset with idle timeout or "No flow found for ACK" reset cause messages.

Workaround:
Restart tmm

Fixed Versions:
16.1.5


1472685-2 : Add support for 4 new Webroot Categories

Links to More Info: BT1472685

Component: Traffic Classification Engine

Symptoms:
URLs are categorized as Uncategorized.

Conditions:
Query any URL that falls under a new category.

Impact:
URL does not get categorised as expected and gets classified as "Uncategorized"

Fix:
Added support for 4 new categories.

Fixed Versions:
16.1.5


1472609 : [APM]Some user roles unable view Access config GUI, getting 403 error

Links to More Info: BT1472609

Component: Access Policy Manager

Symptoms:
Some user roles (except admin, manager, resource manager, and App Editor users) get 403 forbidden when opening Access config in GUI.

Conditions:
- BIG-IP versions 16.1.4.1 (or later), 15.1.10.2 (or later), and 17.1.0.3 (or later).

- User roles except for admin, manager, resource manager, and App Editor users.

Impact:
Unable to view APM UI.

Fixed Versions:
16.1.5


1470329-2 : PEM: Multiple layers of callback cookies need input validation in order to prevent crashes.

Links to More Info: BT1470329

Component: Policy Enforcement Manager

Symptoms:
TMM core and restart because of PEM.

Conditions:
1) PEM session attribute lookup via spmdb_session_attr_session_lookup_cb
2) The callback function in the cookie is null.

Impact:
TMM restarts. Service disruption.

Fix:
Added a null check for the callback function.

Fixed Versions:
16.1.5


1468809-2 : Attack signature "Staged Since" timestamp is not accurate

Links to More Info: BT1468809

Component: Application Security Manager

Symptoms:
Attack signature "Staged Since" timestamp is not accurate

Conditions:
Signature is set to staging

Impact:
The "Staging: Since" timestamp is inaccurate.

Workaround:
None

Fixed Versions:
16.1.5


1468589 : TypeError: Cannot convert a Symbol value to a string in CSSStyleDeclaration Object Getter and Setter Functions

Links to More Info: BT1468589

Component: Access Policy Manager

Symptoms:
APM is unable to read or modify the CSS properties to dynamically change the style of the element

Conditions:
Modern Rewrite Mode is enabled

Impact:
Unable to read or modify the CSS properties to dynamically change the style of the element

Workaround:
Use the following iRule:

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
    if { [HTTP::path] ends_with "cache-fm-Modern.js" } {
        HTTP::respond 200 content [ifile get ModernCachefm]
    }
}

Request the iFile with the fix via an escalation.

Fixed Versions:
16.1.5


1466293-2 : SIP MRF over TCP might cause excessive memory buffering

Component: Service Provider

Symptoms:
SIP MRF over TCP might cause excessive memory buffering.

Conditions:
Certain traffic patterns might flood the BIG-IP over TCP from the server side and cause excessive memory buffering.

Impact:
The system can core.

Fix:
Excessive memory buffering is eliminated when certain traffic patterns occur.

Fixed Versions:
16.1.5


1466289-3 : SIP MRF might leave orphaned connections

Component: Service Provider

Symptoms:
Under certain traffic patterns, SIP MRF may leave orphaned connections.

Conditions:
A system with SIP MRF enabled.

Impact:
It leads to excessive memory buffering.

Fix:
Connections are no longer orphaned.

Fixed Versions:
16.1.5


1462885-2 : LTM should send ICMP port unreachable upon unsuccessful port selection.

Links to More Info: BT1462885

Component: Local Traffic Manager

Symptoms:
In some cases ICMP port unreachable is not sent back to the client when the BIG-IP system is unable to obtain an available port for a connection.

Conditions:
A flow collision happens and the BIG-IP system is unable to obtain an available port for the connection.

Impact:
LTM drops traffic and does not send an ICMP error to the client.

Workaround:
None

Fixed Versions:
16.1.5


1462797-2 : TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection when an HTTP/2 request is sent

Links to More Info: BT1462797

Component: Application Security Manager

Symptoms:
TMM crashes when HTTP/2 and DoSL7 profiles are enabled on a virtual server and DoS protection is disabled using an iRule. This occurs while sending an HTTP/2 request to the virtual server.

Conditions:
- HTTP/2 and DoSL7 profiles are enabled on virtual server
- DoSL7 disabled using iRule
- HTTP/2 request is sent to virtual server.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
16.1.5


1462393 : Quota is not getting updated from the PEM side

Links to More Info: BT1462393

Component: Policy Enforcement Manager

Symptoms:
The quota is not updated when PEM receives the CCR-U message from the OCS.

Conditions:
Once the quota is exhausted,
1. OCS initiates a Re-Auth Request (RAR) to PEM
2. PEM responds with RAA
3. PEM then sends CCRu to OCS to request more quota
4. OCS responds with a CCA for additional quota for the rating group
5. Subscriber Session record did not change with new Granted Units.

Impact:
The quota is not updating from the PEM side.

Fix:
The quota is now updated from the PEM side.

Fixed Versions:
16.1.5


1461597-2 : IPS IM upgrade is taking more time

Links to More Info: BT1461597

Component: Protocol Inspection

Symptoms:
It takes more time than usual for the upgrade of the protocol inspection updates IM Package.

Conditions:
During IM Upgrade:
1) Go to Security -> Protocol Inspection -> Inspection Updates -> Download Package -> From file -> choose file -> Download.
2) Select the IM and click Install.
3) Select the IM and click Deploy.

Impact:
It takes more time to upgrade to the latest IM package. This is due to a larger than normal number of signature updates.

Workaround:
None

Fix:
The default action for new signatures in the default profiles is now set to "don't inspect".

Fixed Versions:
16.1.5


1455677-2 : ACCESS Policy hardening

Component: Access Policy Manager

Symptoms:
Under certain traffic patterns, ACCESS policy may crash

Conditions:
ACCESS policy evaluation is enabled

Impact:
A TMM core.

Workaround:
None

Fix:
The core is resolved.

Fixed Versions:
16.1.5


1449709-2 : Possible TMM core under certain Client-SSL profile configurations

Links to More Info: K000138912, BT1449709


1429897 : NShield netHSM : Creating new nShield key does not commit this key to an external RFS with nShield 12.60

Links to More Info: BT1429897

Component: Local Traffic Manager

Symptoms:
With nShield software v12.60, when a new nShield key is created on a BIG-IP system that is a client of an external RFS, the new key is not automatically uploaded to the RFS.
This works with nShield software v12.40, where new keys are committed to the RFS without 'rfs-sync -c'.

If a new HSM key is generated with fipskey.nethsm (a wrapper for /opt/nfast/bin/generatekey), the key is committed to the RFS.

Conditions:
--> Configure BIG-IP with an external HSM. Use nShield software v12.60.x.
--> Create a new nethsm key using TMSH or WebUI.

Impact:
Upgrading to higher versions of BIG-IP software will cause issues because they use nShield v12.60.

Workaround:
Use 'rfs-sync -c' after creating a new key.

Fix:
None

Fixed Versions:
16.1.5


1410989-3 : DNSX returns a malformed UDP DNS response when the answer count is nonzero but there is no answer section.

Links to More Info: BT1410989

Component: Global Traffic Manager (DNS)

Symptoms:
The BIG-IP system returns a malformed UDP DNS response.

Conditions:
The provided buf_size can fit the answer section but cannot fit the authority and additional sections.

Impact:
Malformed UDP DNS response.

Workaround:
Use TCP DNS query.

Fix:
None

Fixed Versions:
16.1.5
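
The malformed case in this entry (a header whose answer count is nonzero while the answer section is absent) can be caught on the receiving side by walking the message against its own header counts. The following is an added example, not F5 code: the function names and the two sample messages are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum dns_check {
    DNS_OK = 0, DNS_SHORT_HEADER, DNS_BAD_QUESTION, DNS_BAD_ANSWER,
    DNS_BAD_AUTHORITY, DNS_BAD_ADDITIONAL, DNS_TRAILING_BYTES
};

/* Read a big-endian 16-bit field. */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Skip one encoded name at off. Returns the offset just past it, or 0 if the
 * name runs off the end of the message. A compression pointer ends a name. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = m[off];
        if (l == 0)
            return off + 1;
        if ((l & 0xC0) == 0xC0)
            return (len - off >= 2) ? off + 2 : 0;
        if (l & 0xC0)
            return 0;                     /* reserved label types */
        off += 1 + (size_t)l;
    }
    return 0;
}

/* Skip `count` resource records. Returns the new offset, 0 on truncation. */
static size_t skip_rrs(const uint8_t *m, size_t len, size_t off, uint16_t count)
{
    for (uint16_t i = 0; i < count; i++) {
        off = skip_name(m, len, off);
        if (off == 0 || len - off < 10)   /* TYPE, CLASS, TTL, RDLENGTH */
            return 0;
        size_t rdlen = rd16(m + off + 8);
        off += 10;
        if (len - off < rdlen)
            return 0;
        off += rdlen;
    }
    return off;
}

/* Verify that every section promised by the header counts is present. */
enum dns_check dns_check_counts(const uint8_t *m, size_t len)
{
    if (len < 12)
        return DNS_SHORT_HEADER;
    uint16_t qd = rd16(m + 4), an = rd16(m + 6);
    uint16_t ns = rd16(m + 8), ar = rd16(m + 10);
    size_t off = 12;

    for (uint16_t i = 0; i < qd; i++) {
        off = skip_name(m, len, off);
        if (off == 0 || len - off < 4)    /* QTYPE, QCLASS */
            return DNS_BAD_QUESTION;
        off += 4;
    }
    if ((off = skip_rrs(m, len, off, an)) == 0) return DNS_BAD_ANSWER;
    if ((off = skip_rrs(m, len, off, ns)) == 0) return DNS_BAD_AUTHORITY;
    if ((off = skip_rrs(m, len, off, ar)) == 0) return DNS_BAD_ADDITIONAL;
    return off == len ? DNS_OK : DNS_TRAILING_BYTES;
}

/* Constructed sample: well-formed response for "a.b" IN A -> 192.0.2.1. */
static const uint8_t sample_ok[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x01, 'a', 0x01, 'b', 0x00, 0x00, 0x01, 0x00, 0x01,
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x3C,
    0x00, 0x04, 0xC0, 0x00, 0x02, 0x01
};

/* Constructed sample: ANCOUNT is 1 but the message ends after the question. */
static const uint8_t sample_no_answer[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x01, 'a', 0x01, 'b', 0x00, 0x00, 0x01, 0x00, 0x01
};

int main(void)
{
    printf("well-formed: %d\n", dns_check_counts(sample_ok, sizeof sample_ok));
    printf("no answer section: %d\n",
           dns_check_counts(sample_no_answer, sizeof sample_no_answer));
    return 0;
}
```

A monitoring probe can run this check over UDP responses from a listener to confirm whether a given build still emits the malformed message.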


1410953-2 : Keymgmtd coring or restarting in loop when we have an empty crl file inside crl_file_cache_d path.

Links to More Info: BT1410953

Component: TMOS

Symptoms:
Keymgmtd is coring and restarting in a loop.

Conditions:
Create an empty file in the crl_file_cache_d path and try restarting the keymgmtd.

Impact:
Key management-related operations will fail.

Workaround:
None

Fix:
None

Fixed Versions:
16.1.5


1409453 : [APM][NA] Read Access Denied for 'Manager role' when accessing Network Settings in Network Access config

Links to More Info: BT1409453

Component: Access Policy Manager

Symptoms:
On GUI: 'General database error retrieving information.'
In /var/log/ltm: Read Access Denied: user (es-manager) type (network acces address space include)

Conditions:
-- Non-admin user
-- Network Access configured on APM

Impact:
Non-admin users cannot access Network Access settings.

Workaround:
None

Fixed Versions:
16.1.5


1408381 : BADOS signals might not sync on HA setups

Links to More Info: BT1408381

Component: Anomaly Detection Services

Symptoms:
BADOS signals might not sync on HA setups.

Conditions:
When using High Availability setups with BADOS enabled.

Impact:
Standby machine is not synched in some scenarios.

Workaround:
Manual sync with the script that calls rsync.

Fix:
The state file always stays in sync.

Fixed Versions:
16.1.5


1402421 : Virtual Servers having adfs proxy configuration might have all traffic blocked

Links to More Info: BT1402421

Component: Access Policy Manager

Symptoms:
All requests for ADFS proxy will be blocked and will not be allowed.

Conditions:
In a normal scenario, /var/log/apm shows a line similar to the following:
Nov 30 09:10:38 guest1.pslab.local debug adfs_proxy[9282]: 01aeffff:7: (null)::00000000: C: TMEVT_TIMER
TMEVT_TIMER should occur once every minute.

These lines are missing in the non-working case.

Impact:
Traffic to virtual servers having ADFS Proxy configuration will be disrupted.

Workaround:
Restart adfs_proxy:
bigstart restart adfs_proxy

Fix:
None

Fixed Versions:
16.1.5


1400317-2 : TMM crash when using internal datagroup

Links to More Info: BT1400317

Component: Local Traffic Manager

Symptoms:
When an internal data group matches a local traffic policy, tmm crashes.

Conditions:
Local data group involved. External data groups are fine.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use an external data group if possible

Fix:
Both internal and external data groups work.

Fixed Versions:
16.1.5


1399809-3 : DNS Resolution for IPv6 clients is not working when dns64 is enabled with secondary in DNS Profile.

Links to More Info: BT1399809

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Resolution for IPv6 clients is not working when dns64 is enabled with secondary in DNS Profile.

Conditions:
-- DNS64 is enabled and set to secondary in the DNS Profile.
-- qname-minimisation is enabled by default in code in the latest unbound.
-- That Profile is configured with a DNS cache.
-- A DNS listener is configured with the above profile.
-- DNS clients send IPv6 resolution requests to the listener.

Impact:
IPv6 resolution is failing.

Workaround:
None

Fixed Versions:
16.1.5


1399645-2 : iRule event BOTDEFENSE_ACTION validation failing a subroutine call

Links to More Info: BT1399645

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system tries to save an iRule that calls a procedure from the BOTDEFENSE_ACTION event, an error occurs.

Conditions:
-- Configure an iRule with event BOTDEFENSE_ACTION.
-- The event calls a procedure.

Impact:
A TCL error is thrown: Rule checker ::tclCheck::checkScript did not complete: can't read "BIGIP::ltmEventCategoryHierarchy(BOTDEFENSE)": no such element in array.

Workaround:
None

Fix:
None

Fixed Versions:
16.1.5


1399289-1 : "XML data does not comply with schema or WSDL document" violations after upgrade to 16.1.4.1

Links to More Info: BT1399289

Component: Application Security Manager

Symptoms:
If the "Attribute" in a schema file has an upper case letter, then schema validation fails.

This does not apply to "Element", which tries to match exact case.

Conditions:
Create a Case insensitive ASM policy. Create an XML Schema profile which has an "Attribute" Tag with at least one upper-case letter in the Attribute name.

Impact:
Requests fail with Violation, even though the Schema file has a specific attribute.

Workaround:
Use an "Attribute" tag name with all lower-case letters; the request then does not get blocked.

Fixed Versions:
16.1.5


1399241-2 : QUIC occasionally erroneously sends connection close with QPACK decoder stream error

Links to More Info: BT1399241

Component: Local Traffic Manager

Symptoms:
QUIC connections are occasionally closed with "QPACK decoder stream error" (error code 514).

Conditions:
The QPACK decoder stream of a QUIC connection receives part of a request in a packet or receives an ack or cancel for a stream that has already been closed.

Impact:
A connection close with "QPACK decoder stream error" is sent and the QUIC connection is closed. Web browsers might also conclude that the BIG-IP's QUIC implementation is not interoperable and stop initiating HTTP/3 connections.

Fix:
Fixed QPACK handling when receiving part of a request in a packet or receiving an ack or cancel for a stream that has already been closed.

Fixed Versions:
16.1.5


1398401-1 : Configuration error: In url-filter <filter name> allowed-category <cat name> does not exist.

Links to More Info: K000135607, BT1398401

Component: Access Policy Manager

Symptoms:
After an upgrade, the configuration fails to load with one or more errors:

Configuration error: In url-filter <filter name> allowed-category <cat name> does not exist.

Conditions:
Upgrading SWG from a BIG-IP version that uses category names that no longer exist.

Impact:
BIG-IP upgrade fails.

Workaround:
Remove the affected category names before attempting the BIG-IP upgrade.

Fix:
Code exists to map old categories to the new ones.
The existing mapping code works up to BIG-IP 13.x.x; support for the same code is extended to BIG-IP 15.x.x and later versions.

Fixed Versions:
16.1.5


1398229-1 : Enabling support for SSH-RSA in Non FIPS mode

Links to More Info: BT1398229

Component: TMOS

Symptoms:
SSH-RSA is disabled in both FIPS and non-FIPS mode, as SSH-RSA is a less secure algorithm.

Conditions:
Attempt to use SSH-RSA algorithm

Impact:
Unable to use SSH-RSA algorithm

Fix:
Added support for SSH-RSA in Non-FIPS mode.
It is still disabled in FIPS mode.

Fixed Versions:
16.1.5


1395281-2 : UDP payloads not ending with CRLF are being treated as BAD messages.

Links to More Info: BT1395281

Component: Service Provider

Symptoms:
The UDP SIP payloads that did not end with CRLF are being treated as BAD messages.

Conditions:
The UDP SIP payload did not end with CRLF.

Impact:
The UDP SIP message will be treated as a BAD message if the payload does not end with CRLF.

Workaround:
None

Fix:
Made SIPP parser changes to accept and process UDP SIP messages that do not end with CRLF.

Fixed Versions:
16.1.5


1395081-2 : Remote users are unable to generate authentication tokens

Links to More Info: K000137514, BT1395081

Component: TMOS

Symptoms:
On a BIG-IP version with the fix for ID1147633, remote users are unable to generate authentication tokens. This also results in the following pages in the GUI being broken for users:
- Device Management >> Overview
- Local Traffic >> Network Map

Conditions:
-- BIG-IP version with the fix for ID1147633
-- Remote user authentication (such as TACACS, RADIUS, Active Directory, and others)

Impact:
Some parts of the GUI may not load for remote users.

Generating an authentication token for a remote user would result in an error message similar to the following:

{
  "code": 400,
  "message": "token creation failed; target user [<id>] does not exist in the system",
  "referer": "https://<IP>/tmui/tmui/devmgmt/overview/app/index.html?ver=0.0.6.17.1.1",
  "restOperationId": <ID>,
  "kind": ":resterrorresponse"
}

Workaround:
None

Fix:
The GUI pages are loading successfully for remote users.

Fixed Versions:
17.1.1.1, 16.1.5


1394601-1 : PEM AVR onbox reporting stall

Links to More Info: BT1394601

Component: Policy Enforcement Manager

Symptoms:
When using PEM AVR onbox reporting, the per-subscriber reporting stops working after a period of time.

Conditions:
- PEM AVR reporting.

Impact:
No per-subscriber reporting is available.

Workaround:
Restart tmm to get it working again.

Fix:
PEM AVR reporting continues to function.

Fixed Versions:
16.1.5


1394445-2 : Password-memory is not remembering passwords to prevent them from being used again

Links to More Info: BT1394445

Component: TMOS

Symptoms:
Password-memory is not remembering passwords to prevent users from using the same password again.

Conditions:
-- Policy-enforcement is enabled.
-- password-memory is configured.

Impact:
The system should support "password memory" for each user so that previous passwords cannot be reused.

Workaround:
None

Fixed Versions:
16.1.5


1391357-1 : Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address

Links to More Info: K000136909, BT1391357


1391161-2 : sipmsg_parse_sdp crashes when SIP receives certain traffic pattern.

Component: Service Provider

Symptoms:
When the SIP message body has a certain traffic pattern, the sipmsg_parse_sdp crashes.

Conditions:
A pattern that can cause sipmsg_parse_sdp to crash.

Impact:
The system may core.

Fix:
sipmsg_parse_sdp does not crash when SIP receives the traffic pattern that previously caused the core.

Fixed Versions:
16.1.5


1391081-2 : TMM crash when running HTTP/3 and persist record

Links to More Info: BT1391081

Component: Local Traffic Manager

Symptoms:
TMM crashes when handling an HTTP/3 request.

Conditions:
HTTP/3 traffic on a BIG-IP system with multiple TMMs and the use of persistence.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
16.1.5


1389225-2 : For certain iRules, TCP::close does not close the TCP connection

Links to More Info: BT1389225

Component: Local Traffic Manager

Symptoms:
When an iRule generates a TCP::close before a server-side connection is established, the BIG-IP system does not close the connection.

Conditions:
Example 1:
With this iRule, if there are 2 pipelined HTTP requests, the close will not happen after the first request.
Sample iRule:
proc redirect {loc} {
    HTTP::redirect $loc
    TCP::close
}

when HTTP_REQUEST priority 1 {
    call redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}

Example 2:
In this second example, the iRule involves no pools (for example, it only returns redirects or an error such as 404 Not Found), so no server is ever connected to. In that case, the close will not happen.
ltm rule tcp_it {
when CLIENT_ACCEPTED {
    TCP::collect 1
}

when CLIENT_DATA {
    # table or other commands go here, for example
    # the reply could also be an error such as 404 Not Found
    TCP::respond "reply"
    TCP::release
    TCP::close
}

when CLIENT_CLOSED {
    log local0. "Client closed"
}

when SERVER_CONNECTED {
    log local0. "Server here"
}
}

When such a rule never connects to a server (hence "Server here" is not logged), the close never happens.

Impact:
TCP connection lingers in TMM until expiration.

Workaround:
None

Fixed Versions:
16.1.5


1389049-1 : Frequent instances of provisioning-pending count spiking on various PEM devices

Links to More Info: BT1389049

Component: Policy Enforcement Manager

Symptoms:
PEM intermittently fails to provision subscribers and a large number of subscriber sessions go into the provisioning-pending state.

Conditions:
-- PEM is enabled
-- BIG-IP is configured to create subscriber dynamically and receive subscriber policy from PCRF
-- BIG-IP receives a large number of subscriber login/logout requests in a short period.

Impact:
New subscribers provisioning fails. Subscribers remain in the provision-pending state.

Workaround:
None

Fix:
With the fix, new subscriber provisioning and old subscriber deletion are successful.

Fixed Versions:
16.1.5


1389033-2 : In an iRule SSL::sessionid returns an empty value

Links to More Info: K000137430, BT1389033

Component: Local Traffic Manager

Symptoms:
The iRule command SSL::sessionid returns an empty value after an upgrade to v15.1.9.1, when used with a TLS1.3 session.

While SSL::sessionid in v15.1.8.2 returns the value specified in the ClientHello for a TLSv1.3 session, upgrading to v15.1.9.1 results in empty values returned when calling SSL::sessionid.

Conditions:
1. Use SSL::sessionid in an iRule
2. Use an affected BIG-IP version
3. Client establishes a TLS1.3 connection

Impact:
SSL::sessionid returns an empty value, which could result in unintended behavior for applications that use that iRule command.

Workaround:
None

Fixed Versions:
16.1.5


1388985-2 : The daemon dwbld uses 100% CPU when max port value configured in TMC port list

Links to More Info: BT1388985

Component: Advanced Firewall Manager

Symptoms:
When a Traffic Matching Criteria (TMC) port list range is configured that includes the maximum port value of 65535, the counter is incremented to 65535 and then wraps back to 0, because the variable used to store the counter is a uint16_t.

Conditions:
- AFM license enabled.
- Daemon dwbld enabled
- Any TMC port list configured with maximum port value of 65535

Impact:
The daemon dwbld consumes 100% CPU impacting system performance.

Workaround:
Avoid configuring maximum port value of 65535 in TMC port list range.

Fix:
The counter is changed to uint32_t to avoid rollover when maximum port value is included in port list range.

Fixed Versions:
16.1.5
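
Why a 16-bit counter spins forever on a range ending at 65535, shown as an added example (not F5 code; the actual dwbld loop is not on this page, so the functions below are hypothetical). A step cap, which is an assumption of the example, makes the non-terminating case observable; the 32-bit variant mirrors the fix described above, and the last variant shows a 16-bit loop that is also safe.

```c
#include <stdint.h>
#include <stdio.h>

/* Cap so the demonstration itself terminates: a correct walk over any port
 * range takes at most 65536 steps. (Assumption of this example.) */
#define MAX_STEPS 70000u

/* Hypothetical range walker with a uint16_t counter. Returns the number of
 * ports visited, or -1 if the loop did not terminate within MAX_STEPS. */
long walk_range_u16(uint16_t first, uint16_t last)
{
    long visited = 0;
    uint32_t steps = 0;

    for (uint16_t port = first; port <= last; port++) {
        if (++steps > MAX_STEPS)
            return -1;   /* port wrapped 65535 -> 0, so port <= last stays true */
        visited++;
    }
    return visited;
}

/* Same walk with a uint32_t counter: 65536 is representable, so the loop
 * condition becomes false after the port 65535 has been visited. */
long walk_range_u32(uint16_t first, uint16_t last)
{
    long visited = 0;
    uint32_t steps = 0;

    for (uint32_t port = first; port <= last; port++) {
        if (++steps > MAX_STEPS)
            return -1;
        visited++;
    }
    return visited;
}

/* Alternative that keeps the 16-bit counter: test for the last element
 * before incrementing, so the counter is never pushed past 65535. */
long walk_range_u16_safe(uint16_t first, uint16_t last)
{
    long visited = 0;
    uint16_t port = first;

    if (first > last)
        return 0;
    for (;;) {
        visited++;
        if (port == last)
            break;
        port++;
    }
    return visited;
}

int main(void)
{
    printf("u16  80-443      : %ld\n", walk_range_u16(80, 443));
    printf("u16  1024-65535  : %ld\n", walk_range_u16(1024, 65535));
    printf("u32  1024-65535  : %ld\n", walk_range_u32(1024, 65535));
    printf("safe 1024-65535  : %ld\n", walk_range_u16_safe(1024, 65535));
    return 0;
}
```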


1388621-2 : Database monitor with no password marks pool member down

Links to More Info: BT1388621

Component: Local Traffic Manager

Symptoms:
If an LTM or GTM database monitor is configured with a username to log in to the database, but without a password, pool members monitored by that monitor will be marked Down.

When this issue occurs, an error message similar to the following (for a postgresql monitor in this example) will appear in the DBDaemon log file (/var/log/DBDaemon-*.log):

[MonitorWorker-###] - incomplete parameters: m_connectStr:'jdbc:postgresql://###.###.###.###:##/postgres' m_user:'*********' m_password:'null' max_use:'#' m_inst_id:'******'

The "incomplete parameters" and "m_password:'null'" items are the relevant parts of this error message.

Conditions:
This may occur under the following conditions:
-- LTM or GTM pool members are configured to use a database monitor, such as:
   -- mssql
   -- mysql
   -- oracle
   -- postgresql
-- The monitor is configured with a username, but no password
   -- And this configuration is otherwise valid: The username is configured in the target database with no password, and no password is required by the database for authentication of that user.
-- A version of BIG-IP, or a BIG-IP Engineering Hotfix, that includes a fix for Bug ID1025089.

Impact:
Pool members monitored by a database monitor configured this way will be marked Down.

Workaround:
Use the following workaround for this issue:
-- Configure the database user with a password, and require password authentication for the user
-- Configure the database monitor with the correct password for the configured username

Fix:
Database monitors with usernames configured without a password (which matches the configuration of that user in the database itself) will report correct health status of monitored pool members.

Fixed Versions:
16.1.5


1388341-2 : tmm crash upon context reference that was already released (HUDEVT_SHUTDOWN)

Links to More Info: BT1388341

Component: Anomaly Detection Services

Symptoms:
While requests are delayed in TMM due to various reasons, their virtual server and BADOS profile might be deleted.
This may lead to a TMM crash.

Conditions:
-- BIG-IP System, passing traffic.
-- The virtual server has objects attached, such as complex iRules or BADOS, which cause the requests to take more time to get through the tmm.
-- A connection is dropped while the request is still being handled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
If possible, avoid using objects that cause requests to be delayed, such as iRules and behavioral DoS.

Fix:
TMM does not crash when a connection is dropped while a request is still in progress.

Fixed Versions:
16.1.5


1382329 : Handling 'active' attribute in introspection response

Links to More Info: BT1382329

Component: Access Policy Manager

Symptoms:
When Google is configured as an authorization server it does not include an 'active' attribute in response to the token validation endpoint. OAuth Scope fails without any error message.

Conditions:
BIG-IP configured as OAuth Client + Resource Server and Google as Authorisation server.

Impact:
BIG-IP Administrator will not be able to figure out why OAuth Scope fails by looking at the debug logs.

Workaround:
None

Fix:
Log an error message describing the absence of an 'active' attribute.

Fixed Versions:
16.1.5


1381565-2 : ADMD stability improvements when configured with TLS signatures

Component: Anomaly Detection Services

Symptoms:
- ADMD restart
- High CPU utilization of ADMD
- TMM restart

Conditions:
BADOS configured with TLS signatures

Impact:
- High CPU utilization
- Traffic loss

Workaround:
None

Fix:
- No ADMD restarts.
- ADMD consumes reasonable CPU resources
- No TMM restarts

Fixed Versions:
16.1.5


1381357-2 : CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability

Links to More Info: K000137365, BT1381357


1381065-1 : Custom Request implementation modifies the Request object's prototype, resulting in the lack of the 'signal' property.

Links to More Info: BT1381065

Component: Access Policy Manager

Symptoms:
Cache-fm-Modern.js:405 TypeError: Failed to execute 'fetch' on 'Window': Failed to read the 'signal' property from 'RequestInit': Failed to convert value to 'AbortSignal'.

Conditions:
When going through Portal Access Modern Rewrite mode

Impact:
Fetch request fails and throws an error

Workaround:
Mitigate the issue with the following iFile iRule:

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
    if { [HTTP::path] ends_with "cache-fm-Modern.js" } {
        HTTP::respond 200 content [ifile get ModernCachefm]
    }
}

To obtain the iFile, escalate a case by opening an SR that requests it.

Fix:
NA

Fixed Versions:
16.1.5


1378329-2 : Secure internal communication between Tomcat and Apache

Links to More Info: K000137353

Component: TMOS

Symptoms:
For more details see: https://my.f5.com/manage/s/article/K000137353

Conditions:
For more details see: https://my.f5.com/manage/s/article/K000137353

Impact:
For more details see: https://my.f5.com/manage/s/article/K000137353

Workaround:
Note: This fix is related to CVE-2023-46747. However, systems with only the fix for ID1240121 are also not affected by CVE-2023-46747.

For more details see: https://my.f5.com/manage/s/article/K000137353

Fix:
Communication between Tomcat and Apache is secured.

Fixed Versions:
16.1.5, 15.1.10.5


1369673-2 : OCSP unable to staple certificate chain

Links to More Info: BT1369673

Component: Local Traffic Manager

Symptoms:
When a server returns a certificate chain that involves an archived Let's Encrypt certificate, the OCSP is unable to staple the full chain.

Conditions:
An OCSP is configured on the serverside profile, and the client tries to connect to a server that returns a certificate chain using an archived Let's Encrypt certificate.

Impact:
The OCSP is unable to staple the certificate chain. If the stapling is required by the client, the connection will be broken.

Workaround:
None

Fixed Versions:
16.1.5


1366593-2 : HTTPS monitors can fail when multiple bigd processes use the same netHSM

Links to More Info: BT1366593

Component: Local Traffic Manager

Symptoms:
Monitors going down accompanied by netHSM FIPS errors in /var/log/ltm.
Following is an example error:
01960005:3: netHSM: Shared memory error [Failed to fetch result].

Conditions:
HTTPS monitors having server_ssl profile that is storing a key in netHSM.

Impact:
Intermittently seeing HTTPS monitors fail for brief periods, causing some pool members to briefly be marked down.

Workaround:
Configure bigd to run in single process mode by running the following commands:

tmsh modify sys db bigd.numprocs value 1
bigstart restart bigd

Fixed Versions:
16.1.5


1366445-3 : [CORS] "Replace with" and "Remove header" CORS functionalities do not work

Links to More Info: BT1366445

Component: Application Security Manager

Symptoms:
"Replace with" and "Remove header" CORS functionalities do not work.

Conditions:
-- Allow CORS Enabled
-- "Replace headers" or "Remove headers" enabled with Header 'AAA'
-- Disallowed header 'AAA' in request sent

Impact:
The request is blocked with "VIOL_CROSS_ORIGIN_REQUEST" violation

Workaround:
None

Fix:
The request passes with no violations.

Fixed Versions:
16.1.5


1366401 : [APM]"F5RST: HTTP internal error" occurring after BIG-IP initiated client-ssl renegotiation

Links to More Info: BT1366401

Component: Access Policy Manager

Symptoms:
You may observe the following logs in /var/log/apm:

<date> <hostname> err tmm3[29020]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_process_state_server_init, Line: 5382
<date> <hostname> err tmm3[29020]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 4075

Conditions:
ASM is configured along with APM on the same virtual server.

Impact