1622609-3 : Fix for Blast-RADIUS

Links to More Info: K000141008

Component: Access Policy Manager

Symptoms:
This vulnerability is in Radius protocol itself.

Conditions:
For every radius auth request where old server version used.

Impact:
Radius Auth request is vulnerable to this CVE.

Workaround:
None

Fixed Versions:
17.1.1.4.0.100.9

1621249-3: CVE-2024-3596

Links to More Info: K000141008

Component: TMOS

Symptoms:
RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature

Conditions:
Radius authentication must be configured in BIG-IP to be vulnerable to CVE-2024-3596.

Impact:
BIG-IP may be susceptible to forgery attacks.

Workaround:
None

Fix:
As part of the fix, a new cli option 'require_message_authenticator' in system auth is introduced. require_message_authenticator is false by default and it should be set true to mitigate this vulnerability. To configure it to true, below command should be used, tmsh modify sys db radius.messageauthenticator value true

Fixed Versions:
17.1.1.4.0.100.9

1678649-4: CVE-2024-3596

Links to More Info: K000141008

Component: TMOS

Symptoms:
RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature

Conditions:
Radius authentication must be configured in BIG-IP to be vulnerable to CVE-2024-3596.

Impact:
BIG-IP may be susceptible to forgery attacks.

Workaround:
None

Fix:
As part of the fix, a new cli option 'require_message_authenticator' in system auth is introduced. require_message_authenticator is false by default and it should be set true to mitigate this vulnerability. To configure it to true, below command should be used, tmsh modify sys db radius.messageauthenticator value true

Fixed Versions:
17.1.1.4.0.100.9

903501-1: VPN Tunnel establishment fails with some ipv6 address

Links to More Info: ID903501

Component: APM

Symptoms:
VPN Tunnel establishment fails with some ipv6 address

Conditions:
— APM is provisioned.
— Network Access with IPv6 virtual server is configured.

Impact:
VPN Tunnel cannot be established.

Workaround:
1. Disable the DB variable isession.ctrl.apm: tmsh modify sys db isession.ctrl.apm value disable
2. Perform 'Apply Access Policy' for the access policy attached to the virtual server.
Important: The iSession control channel is needed if optimized apps are configured, so use this workaround only when 'No optimized apps are configured' is set (available in the GUI by navigating to Access :: Connectivity / VPN : Network Access (VPN) : Network Access Lists :: {NA resources} :: 'Optimization' tab).

Fix:

Fixed Versions:
17.1.1.4.0.100.9

1505789: VPN connection fails with Edge client 7.2.4.6 with error "Network is vulnerable”

Links to More Info: K000138683

Component: APM

Symptoms:
When the user is upgraded to edge client version 7.2.4.6, they may fail to connect to the VPN server.

Conditions:
— If LTM VS/NATed device is present before APM VPN enabled virtual server or any cases where client receives the VPN server IP different in the IP header and pre/config message.
— BIG-IP versions v17.1.1.1 or v16.1.4.2 or v15.1.10.3 used along with edge client version 7.2.4.6.

Impact:
The user fails to connect to the VPN.

Workaround:
See the Recommended Actions at K000138683: Users cannot connect to BIG-IP APM virtual servers with BIG-IP Edge Client 7246, available at https://my.f5.com/manage/s/article/K000138683

Fix:

Fixed Versions:
17.1.1.4.0.100.9

998701-3 : Active_zombie_port_blocks counter from fw_lsn_pool_pba_stat stats may reach unrealistically large value.

Links to More Info: BT998701

Component: Advanced Firewall Manager

Symptoms:
Under certain conditions, the active_zombie_port_blocks counter from fw_lsn_pool_pba_stat statistics may reach an unrealistically large value.

Conditions:
-- VIPRION system with more than one blade
-- ASM is provisioned
-- Network address translation is in use
-- Source translation type: Dynamic PAT
-- PAT mode: Port Block Allocation

Impact:
Active_zombie_port_blocks counter indications are incorrect. Otherwise system functionality is unaffected.

Workaround:
None

Fixed Versions:
17.1.1, 15.1.10

997561-6 : TMM CPU imbalance with GRE/TB and GRE/MPLS traffic

Links to More Info: BT997561

Component: TMOS

Symptoms:
When handling unidirectional GRE traffic, a lack of inner payload entropy can lead to CPU pinning.

In some circumstances, handling this traffic should not require maintaining state across TMMs.

Conditions:
This occurs with GRE/TB (transparent ethernet bridging) and GRE/MPLS traffic.

Impact:
TMM utilization across CPUs is imbalanced, which can impact overall device performance.

Workaround:
None

Fix:
The BIG-IP now has a 'iptunnel.ether_nodag' DB key, which defaults to 'disable'. When this DB key is enabled, the BIG-IP system always processes tunnel-encapsulated traffic on the TMM that handles the tunnel packet, rather than re-disaggregating it.

Fixed Versions:
17.1.1, 16.1.5, 15.1.10

996649-7 : Improper handling of DHCP flows leading to orphaned server-side connections

Links to More Info: BT996649

Component: Local Traffic Manager

Symptoms:
When there are multiple client-side flows tied to a single server-side DHCP flow, timeout handling on the client-side flows is incorrect and might lead to a server-side flow getting orphaned. This results in traffic from the server not making its way back to the client.

Conditions:
Regular DHCP virtual server in use.

Impact:
Traffic is not passed to the client.

Workaround:
None.

Fixed Versions:
17.1.1, 16.1.5, 15.1.10

994033-4 : The daemon httpd_sam does not recover automatically when terminated

Links to More Info: BT994033

Component: TMOS

Symptoms:
APM policy redirecting users to incorrect domain, the httpd_sam daemon not running.

Conditions:
Daemon httpd_sam stopped with the terminate command.

Impact:
APM policy performing incorrect redirects.

Workaround:
Restart the daemons httpd_apm and httpd_sam.

Fix:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.9

993481-5 : Jumbo frame issue with DPDK eNIC

Links to More Info: BT993481

Component: TMOS

Symptoms:
TMM crashes

Conditions:
-- TMM is using DPDK driver with Cisco eNIC
-- TMM receives jumbo sized packet

Impact:
Traffic disrupted while TMM restarts.

Workaround:
- Use a different driver such as sock.
- Do not use or accept jumbo frames, use the following TMSH command to set the MTU to less than or equal to 1500:
tmsh modify net vlan external mtu 1500

Fix:
Skipped initialization of structures.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

989501-3 : A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus

Links to More Info: BT989501

Component: TMOS

Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might fall or drop off of PCI bus, resulting in the BIG-IP system not being able to process traffic. If this happens, a daemon_heartbeat failsafe gets triggered instead of dataplane_inoperable_t action.

Conditions:
The conditions that lead to HSB to fall off of PCI bus are unknown at this time.

Impact:
The BIG-IP system unable to pass traffic and a failover is triggered.

Workaround:
Reboot the device or the blade to recover from the situation and monitor for re-occurrence. If it happens again, it could indicate potential underlying hardware issue.

Fix:
The dataplane_inoperable_t High Availability (HA) event should be triggered by overdog process (which monitors high availability (HA) table for failover action types of restart, restart-all, or reboot) and allow for system to be rebooted to recover.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

987977-1 : VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation

Links to More Info: BT987977

Component: Application Security Manager

Symptoms:
Remote logging message, violation_details field, includes XML document for VIOL_HTTP_RESPONSE_STATUS even though it is configured not to do so (Learn/Alarm/Block are all disabled) with VIOL_HTTP_RESPONSE_STATUS violation.

Conditions:
When all the following conditions are met

-- Response status code is not one of 'Allowed Response Status Codes'.
-- Learn/Alarm/Block flags are disabled with 'Illegal HTTP status in response'.
-- Logging profile is configured for remote storage.
-- Storage format is comma-separated.
-- Both violation_details and violations fields are set.

Impact:
Remote logging server receives inaccurate message.

Workaround:
None

Fix:
No longer includes 'violation_details' field in remote logging message in the scenario, but includes it only when it is appropriate.

Fixed Versions:
17.1.1, 16.1.5

985925-5 : Ipv6 Routing Header processing not compatible as per Segments Left value.

Links to More Info: BT985925

Component: Local Traffic Manager

Symptoms:
Packet should forward the packet with the route header unmodified when Segments Left is 0 (zero). It performs as expected when Segments Left is non-zero by dropping the packet and sending an ICMP error.

Conditions:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.

Impact:
With Next Header field in IP header being Routing Header for IPv6, BIG-IP system fails to forward the ICMPv6 Echo Request packet to server, rather, it drops the packet.

Workaround:
None

Fix:
Now the ICMP packet is forwarded with both IPv6 extension headers present.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

981917-8 : CVE-2020-8286 - cUrl Vulnerability

Links to More Info: K15402727

979213-7 : Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.

Links to More Info: BT979213

Component: Local Traffic Manager

Symptoms:
Upon reviewing the performance graphs in the GUI, you may notice significant spikes in the Throughput(bits) and Throughput(packets) graphs.

The spikes may report unrealistically high levels of traffic.

Note: Detailed throughput graphs are not affected by this issue.

Conditions:
This issue occurs when the following conditions are met:

-- The BIG-IP device is a physical system.
-- TMM was restarted on the system.
-- At some point, at least one interface was up on the system and recorded some traffic.

Impact:
This issue is purely cosmetic but might cause concern when reviewing the performance graphs.

Workaround:
None.

Fixed Versions:
17.1.1, 16.1.5, 15.1.10

972545-9 : iApps LX does not follow best practices in appliance mode

Links to More Info: K91054692, BT972545

965897-5 : Disruption of mcpd with a segmentation fault during config sync

Links to More Info: BT965897

Component: TMOS

Symptoms:
The mcpd process on the peer device fails with a segfault, restarts and then segfaults again in a loop

Numerous messages may be logged in the "daemon" logfile of the following type:

emerg logger[2020]: Re-starting mcpd

Conditions:
-- High availability (HA) configuration
-- A port-and-address list configuration is changed to be only an address list
-- A config sync occurs

Impact:
Continuous restarts of mcpd process on the peer device.

Workaround:
One possible measure for getting the peer-machine "mcpd" out of its failure mode is to command the still-functioning system to push a "full" config sync to the appropriate device group. Doing this twice consecutively may be necessary.

  # tmsh run /cm config-sync force-full-load-push to-group APPROPRIATE-DEVICE-GROUP

Fixed Versions:
17.1.1, 16.1.5, 15.1.10

964533-6 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.

Links to More Info: BT964533

Component: TMOS

Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.

Conditions:
If a session is deleted before all the session db callback events are handled, this error can occur while passing normal traffic.

Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.

There is no impact other than additional log entries.

Workaround:
None.

Fix:
Log level has been changed so this issue no longer occurs.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

964125-7 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.

Links to More Info: BT964125

Component: TMOS

Symptoms:
Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes.

There is more then one avenue where node statistics would be queried.

The BIG-IP Dashboard for LTM from the GUI is one example.

Conditions:
Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics.

Impact:
Mcpd restarted which will cause services to failover. Traffic and configuration disrupted while mcpd restarts.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

960677-8 : Improvement in handling accelerated TLS traffic

Links to More Info: BT960677

Component: Local Traffic Manager

Symptoms:
Rare aborted TLS connections.

Conditions:
None

Impact:
Certain rare traffic patterns may cause TMM to abort some accelerated TLS connections.

Workaround:
None

Fix:
The aborted connections will no longer be aborted and will complete normally.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9

954001-9 : REST File Upload hardening

Component: Device Management

Symptoms:
REST file upload does not follow best security practices.

Conditions:
N/A

Impact:
N/A

Workaround:
Only upload trusted files to the BIG-IP.

Fix:
REST file uploads now follow best security practices.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

950201-6 : Tmm core on GCP

Links to More Info: BT950201

Component: TMOS

Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.

TMM panic with this message in a tmm log file:

panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.

Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following workarounds:

-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141

-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.


Note: Using either workaround has a performance impact.

Fix:
- Added error handling to prevent crashing when a bad packet gets received
- Added a new column 'invalid_header' into tmm/virtio_rx_stats table to track incidents

Fixed Versions:
17.1.1, 16.1.4, 15.1.9

950153-4 : LDAP remote authentication fails when empty attribute is returned

Links to More Info: BT950153

Component: TMOS

Symptoms:
LDAP/AD Remote authentication fails and the authenticating service may crash.

The failure might be intermittent.

Conditions:
LDAP/AD server SearchResEntry includes attribute with empty or NULL value.

This can be seen in tcpdump of the LDAP communication in following ways

1. No Value for attribute . Example in tcpdump taken on affected user :

vals: 1 item
        AttributeValue:

2. 1. NULL Value for attribute . Example in tcpdump taken on affected user :

vals: 1 item
    AttributeValue: 00

Impact:
Logging in via the GUI will fail silently
Logging in via ssh will cause the sshd service on LTM to crash and logs will be seen under /var/log/kern.log

The logs will be similar to :

info kernel: : [460810.000004] sshd[31600]: segfault at 0 ip 00002b3abcb2ef3e sp 00007fffef3431a0 error 4 in pam_ldap.so[2b3abcb2c000+7000]
info kernel: : [460810.002036] traps: sshd[31598] general protection ip:fffffffffffffff3 sp:80000 error:0

Workaround:
There is no Workaround on the LTM side.

For LDAP, you change/add the value from none/NULL on the affected attribute to ANY dummy value which will prevent the issue

Fixed Versions:
17.1.1, 16.1.5, 15.1.10

949857-9 : Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync

Links to More Info: K32544615, BT949857

948725-9 : An undisclosed iControl REST endpoint may provide a list of usernames to unauthorized users

Links to More Info: K10438187, BT948725

943257-8 : REST framework support for IPv6 ConfigSync addresses

Links to More Info: BT943257

Component: Device Management

Symptoms:
In an HA sync environment, the REST framework reads the ConfigSync IP address retrieved through the tm/cm/device iCRD API. For an IPv6 address, the REST framework discards the related device certificate, which leads to the REST/gossip/sync failure.

Conditions:
Add support for IPv6 ConfigSync IP addresses in the REST framework in an HA sync environment.

Impact:
For an IPv6 address, the REST framework discards the related device certificate, which leads to the REST/gossip/sync failure.

Workaround:
None

Fix:
Valid device trust certificates are created with their name set to uniquely generated IPv4 address from the given IPv6 address. This helps in establishing the trust between the hosts thereby eliminating the REST/Gossip-sync failures.

Fixed Versions:
17.1.1, 16.1.5

942617-6 : Heading or tailing white spaces of variable are not trimmed in configuration utility System Variable

Links to More Info: BT942617

Component: Application Security Manager

Symptoms:
Bot Defense does not accept the system variables with heading or tailing white space.

Conditions:
Create a system variable with heading or tailing white space in,
Security ›› Options : Application Security : Advanced Configuration : System Variables

Impact:
The HttpOnly cookie attribute is configured, but does not appear in TSCookie.

Workaround:
Create the system variables even with whitspaces through CLI, it omits the blank space from system variable name.

Fix:
Trim() to delete the whitspaces.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

939757-7 : Deleting a virtual server might not trigger route injection update.

Links to More Info: BT939757

Component: TMOS

Symptoms:
When multiple virtual servers share the same virtual address, deleting a single virtual server might not trigger a route injection update.

Conditions:
-- Multiple virtual servers sharing the same destination address
-- One of the virtual servers is deleted

Impact:
The route remains in the routing table.

Workaround:
Disable and re-enable the virtual address after deleting a virtual server.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

939097-7 : Error messages related to long request allocation appear in the bd.log incase of big chunked requests

Links to More Info: BT939097

Component: Application Security Manager

Symptoms:
bd.log shows error messages

Conditions:
Big chunked requests are sent

Impact:
Unexpected error messages seen in the bd.log

Workaround:
None

Fix:
The error messages related to long request allocation are no longer appearing.

Fixed Versions:
17.1.1, 16.1.5

936093-7 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline

Links to More Info: BT936093

Component: TMOS

Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.

Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.

Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.

Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:

/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr

This can be accomplished using a command such as:

truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr

Fixed Versions:
17.1.1, 16.1.4, 15.1.9

929429-10 : Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed

Links to More Info: BT929429

Component: Local Traffic Manager

Symptoms:
Whenever you create Oracle or SQL (mssql, mysql or postgresql) database monitors, and add a member to the monitor, every time the OpenSSL libraries are loaded for a new connection, high CPU usage occurs.

Conditions:
-- Create an Oracle or SQL database LTM monitor.
-- Add a pool member to the Oracle or SQL database monitor created.
-- Platform FIPS is licensed.

Impact:
High CPU Usage due to the loading of libraries whenever new connection is created.

Workaround:
None.

Fixed Versions:
17.1.1, 16.1.5, 15.1.10

928997-5 : Less XML memory allocated during ASM startup

Links to More Info: BT928997

Component: Application Security Manager

Symptoms:
Smaller total_xml_memory is selected during ASM startup.

For example, platforms with 32GiB or more RAM should give ASM 1GiB of XML memory, but it gives 450MiB only. Platform with 16MiB should give ASM 450MiB but it gives 300MiB.

Conditions:
Platforms with 16GiB, 32GiB, or more RAM

Impact:
Less XML memory allocated

Workaround:
Use this ASM internal parameter to increase XML memory size.

additional_xml_memory_in_mb

For more details, refer to the https://support.f5.com/csp/article/K10803 article.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9

923821-5 : Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack

Links to More Info: BT923821

Component: Application Security Manager

Symptoms:
When mitigated action is set to CSI followed by captcha for credential stuffing attack, captcha is not triggered even after successful CSI challenge.

Conditions:
1) Mitigated action is set to CSI followed by captcha for credential stuffing attack.
2) Credential stuffing attack occurs.
3) CSI challenge is success.

Impact:
Captcha is not triggered leading to less than configured mitigation action for credential stuffing attack.

Workaround:
None

Fix:
Captcha will now be triggered after successful CSI challenge.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9

921541-7 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.

Links to More Info: BT921541

Component: Local Traffic Manager

Symptoms:
The HTTP session initiated by curl hangs.

Conditions:
-- The problem occurs when the file to be compressed meets the following criteria:
-- The following platforms with Intel QAT are affected:
   + B4450N (A114)
   + i4000 (C115)
   + i10000 (C116/C127)
   + i7000 (C118)
   + i5000 (C119)
   + i11000 (C123)
   + i11000 (C124)
   + i15000 (D116)
-- File size to be compressed is less than compression.qat.dispatchsize.
-- File size to be compressed is one of specific numbers from this list: 65535, 32768, 16384, 8192, 4096.

Impact:
Connection hangs, times out, and resets.

Workaround:
Use software compression.

Fix:
The HTTP session hang no longer occurs.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

906273-4 : MCPD crashes receiving a message from bcm56xxd

Links to More Info: BT906273

Component: TMOS

Symptoms:
Under rare circumstances, the Broadcom switch daemon bcm56xxd, can send more then one message at a time to MCPD.
This can cause MCPD to either fail immediately or have it hang and be terminated by sod 5 minutes later.

One of the messages being sent is in response to a link status change. The second message is a reply to a query, for instance a query for l2 forward statistics.

Conditions:
- BIG-IP with a Broadcom switch.
- Link status change is available.
- MCPD sends a query to bcm56xxd, that is, for l2 forward statistics.

Impact:
MCPD failure and restarts causing a failover.

Workaround:
None

Fix:
The Broadcom switch daemon bcm56xxd will not send more then one message to MCPD at a time.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

890169-6 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.

Links to More Info: BT890169

Component: Application Security Manager

Symptoms:
When a URL starts with double slashes (i.e. "http://HOST//path"), and Bot Defense Profile decides to perform simple redirect, the request results with loading failure.

Conditions:
-- Bot Defense profile on blocking mode (or "Verification and Device-ID Challenges in Transparent Mode" is enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.

Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.

Workaround:
None.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

878641-7 : TLS1.3 certificate request message does not contain CAs

Links to More Info: BT878641

Component: Local Traffic Manager

Symptoms:
TLS1.3 certificate request message does not include CAs
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4

Conditions:
TLS1.3 and client authentication

Impact:
The Advertised Certificate Authorities option on Client SSL profiles does not function when TLS 1.3 is selected

Fix:
Certificate request message now may contain CAs

Fixed Versions:
17.1.1, 16.1.4, 15.1.9

876569-6 : QAT compression codec produces gzip stream with CRC error

Links to More Info: BT876569

Component: Local Traffic Manager

Symptoms:
When an HTTP compression profile is enabled on BIG-IP platforms with Intel QuickAssist Technology (Intel QAT) compression accelerators, gzip errors are produced.

Conditions:
This occurs when the following conditions are met:

-- The following platforms with Intel QAT are affected:
   + 4450 blades
   + i4600/i4800
   + i10600/i10800
   + i7600/i7800
   + i5600/i5800
   + i11600/i11800
   + i11400/i11600/i11800
   + i15600/i15800

-- The compression.qat.dispatchsize variable is set to any of the following values:
   + 65535
   + 32768
   + 16384
   + 8192

-- The size of the file being compressed is a multiple of the compression.qat.dispatchsize value, for exampld:

   + 65355*32768
   + 8192*32768

Impact:
Clients cannot decompress the compressed file because there is an invalid gzip footer.

Workaround:
Disable hardware compression and use software compression.

Fix:
The system now handles gzip errors seen with QAT compression.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

851121-8 : Database monitor DBDaemon debug logging not enabled consistently

Links to More Info: BT851121

Component: Local Traffic Manager

Symptoms:
Debug logging in the database monitor daemon (DBDaemon) for database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle) is enabled on a per-monitor basis.
When a ping is initiated for a particular monitor with debug logging enabled in the monitor configuration, debug logging in DBDaemon is enabled.
When a ping is initiated for a particular monitor with debug logging disabled in the monitor configuration, debug logging in DBDaemon is disabled.
When monitoring database pool members with a mix of monitors with debug logging enabled versus disabled, the result can be that debug logging in DBDaemon is enabled and disabled at times which do not correspond to all actions related to a specific database monitor, or pool members monitored by that monitor.
In addition, debug messages logging internal DBDaemon state related to the management of the full collection of monitored objects, active threads, and other may not be logged consistently.

Conditions:
-- Using multiple database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle).
-- Enabling debug logging on one or more database health monitors, but not all.

Debug logging for database health monitors is enabled by configuring the "debug" property of the monitor with a value of "yes".
Debug logging is disabled by configuring the "debug" property with a value of "no" (default).

# tmsh list ltm monitor mysql mysql_example debug
ltm monitor mysql mysql_example {
    debug yes
}

Impact:
Logging of database monitor activities by DBDaemon may be inconsistent and incomplete, impeding efforts to diagnose issues related to database health monitors.

Workaround:
When attempting to diagnose database health monitor issues with DBDaemon debug logging, enable debug logging for ALL database monitors currently in use.
Once diagnostic data collection is completed, disable debug logging for all database monitors currently configured/in use.

Fix:
DBDaemon debug logging can now be enabled globally to facilitate diagnosing database health monitor issues.
DBDaemon debug logging can be enabled globally by creating the following touch file:
-- /var/run/DBDaemon.debug
DBDaemon global debug logging can be disabled by removing or unlinking the above touch file.
Creating or removing the above touch file has immediate effect.
This mechanism enables/disables DBDaemon debug logging globally for all instances of DBDaemon which may be running under different route domains.

In addition, when debug logging is enabled for a specific database monitor (Microsoft SQL, MySQL, PostgreSQL, Oracle), DBDaemon accurately logs all events for that monitor. The per-monitor debug logging is enabled independent of the global DBDaemon debug logging status.

The timestamps in DBDaemon logs (/var/log/DBDaemon-*.log*) are now written using the local timezone configured for the BIG-IP system.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

850141-5 : Possible tmm core when using Dosl7/Bot Defense profile

Links to More Info: BT850141

Component: Application Security Manager

Symptoms:
Tmm crashes.

Conditions:
-- Dosl7/Bot defense profile is attached to a virtual server
-- A request is sent with a trusted bot signature and requires a rDNS.
-- An asynchronous iRule is attached to the virtual server

OR:
-- Device ID feature is enabled, and the current request requires a complex Device ID generation.
-- The connection is closed before the response arrives.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9

844597-7 : AVR analytics is reporting null domain name for a dns query

Links to More Info: BT844597

Component: Advanced Firewall Manager

Symptoms:
AVR analytics is reporting null domain name for a DNS query if DNS DoS profile is attached to a virtual server, but the profile does not have the matching type vector enabled to the query type.

Conditions:
-- DNS DoS profile is attached to a virtual server.
-- The query type in the DNS query does not match an enabled DNS vector on the DNS profile.

Impact:
DNS domain name is reported as NULL

Workaround:
Enable the matching type vector on the DNS DoS profile.

Fix:
The domain name is now reported correctly under these conditions.

Fixed Versions:
17.1.1, 16.1.5, 15.1.10

842425-7 : Mirrored connections on standby are never removed in certain configurations

Links to More Info: BT842425

Component: Local Traffic Manager

Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.

Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.

Impact:
Leaking connections on the standby system.

Workaround:
You can use either of the following workarounds:

-- Use auto-lasthop with mirrored connections.

-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

838405-5 : Listener traffic-group may not be updated when spanning is in use

Links to More Info: BT838405

Component: TMOS

Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.

Conditions:
Spanning is disabled or enabled on a virtual address.

Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.

Depending on the configuration, virtual server may or may not forward the traffic when expected.

Workaround:
Enable/Disable spanning together with changing a traffic-group (both options have to be changed simultaneously):

> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-2 spanning disabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

831737-5 : Memory Leak when using Ping Access profile

Links to More Info: BT831737

Component: Access Policy Manager

Symptoms:
The memory usage by pingaccess keeps going up when sending request with expired session cookie to a virtual server with PingAccess Profile.

Conditions:
1. BIG-IP virtual server that contains PingAccess Profile.
2. Request sent with expired session cookie.

Impact:
Memory leak occurs in which ping access memory usage increases.

Fix:
Fixed a memory link with the Ping Access profile.

Fixed Versions:
17.1.1, 16.1.5, 15.1.6.1

804529-4 : REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools

Links to More Info: BT804529

Component: TMOS

Symptoms:
The GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats for a specific pool may fail with Error 404.

Conditions:
Pools that start with the letter 'm'. This is because those endpoints contain objects with incorrect selflinks.

For example:
- Query to the below pool that starts with the letter 'm' will work as it contains the right selflink.
       - Pool: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats"
       - selfLink: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats?ver=x.x.x.x"

- Query to the below pool that does not start with the letter 'm' may not work as it contains the wrong selflink.
       - Pool: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats"
       - selfLink: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats?ver=x.x.x.x"
         
In the above example, the word 'members' is displayed in selflink.

Impact:
Errors are observed with GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats.

Workaround:
The following workarounds are available:

1. Use /mgmt/tm/ltm/pool/members/stats without a specific pool, which does return the pool member stats for every pool.

2. For each pool member in /mgmt/tm/ltm/pool, issue a GET for:

/mgmt/tm/ltm/pool/<pool>/members/<member>/stats

Fix:
The REST endpoint /mgmt/tm/ltm/pool/members/stats/<specific pool> will have the working endpoints returned.

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

793217-6 : HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation

Links to More Info: BT793217

Component: Advanced Firewall Manager

Symptoms:
Depending on traffic patterns, when HW DoS on BIG-IP i2800/i4800 is configured, HW DoS might mitigate up to 10% more aggressively. If the rate-limit configured is 1000pps, the device might allow only 900pps.

Conditions:
-- HW DoS on BIG-IP i2800/i4800 platforms.
-- Attack pattern is distributed evenly on all tmm threads.

Impact:
HW DoS mitigates more aggressively, which might result in seeing fewer packets than what is configured.

Workaround:
Configure the rate-limit to be 10% more than what is desired.

Fix:
HW DoS now shows mitigation more accurately.

Fixed Versions:
17.1.1

776117-6 : BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type

Links to More Info: BT776117

Component: TMOS

Symptoms:
The BIG-IP Virtual Edition's virtio driver is incompatible with the Q35 machine type.

Conditions:
-- BIG-IP Virtual Edition with the virtio driver.
-- Setting the machine type to Q35 on the hypervisor.

Impact:
The BIG-IP will not use the virtio driver, using the sock (or unic, in versions prior to 14.1.0) driver instead.

Fixed Versions:
17.1.1, 16.1.5, 15.1.10

738716-2 : Add support for "Restart Desktop" setting in View clients, native as well as HTML5 clients

Links to More Info: BT738716

Component: Access Policy Manager

Symptoms:
When VMware resources are accessed through APM VMware VDI, the "Restart Desktop" setting is not seen on enumerated for Desktop resource. The same issue is observed with HTML5 clients.

Conditions:
- VMware Native or HTML5 client is used
- APM VMware VDI is used
- Desktop resources should be enumerated
- Right click on resource

Impact:
Unable to restart desktop from native and HTML5 clients.

Workaround:
None

Fix:
Restart desktop is successful and it works as expected.

Fixed Versions:
17.1.1, 16.1.5

737692-7 : Handle x520 PF DOWN/UP sequence automatically by VE

Links to More Info: BT737692

Component: TMOS

Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, i.e. the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that the BIG-IP VE can use). If an x520 device's PF is marked down and then up, tmm does not recover traffic on that interface.

Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.

Impact:
VE does not process any traffic on that VF.

Workaround:
Reboot VE.

Fix:
Tmm now restarts automatically when the PF comes back up after going down.

Behavior Change:
Tmm now restarts automatically when the PF comes back up after going down.

Fixed Versions:
17.1.1, 16.1.5, 15.1.3.1

723109-4 : FIPS HSM: SO login failing when trying to update firmware

Links to More Info: BT723109

Component: TMOS

Symptoms:
After FIPS device initialization when trying to update the FIPS firmware. It may fail on SO login.

Conditions:
When trying to update FIPS firmware.

Impact:
This will not be able to upgrade the FIPS firmware.

Workaround:
None

Fix:
None

Fixed Versions:
17.1.1, 16.1.4, 15.1.10

715748-4 : BWC: Flow fairness not in acceptable limits

Links to More Info: BT715748

Component: TMOS

Symptoms:
Flow fairness for BWC dynamic policy instance has reduced.

Conditions:
The flow fairness is up to 50%. It is expected to be within 25%.

Impact:
Flow fairness of BWC dynamic policy across sessions is not as expected.

Fixed Versions:
17.1.1, 16.1.5, 15.1.10

693473-3 : The iRulesLX RPC completion can cause invalid or premature TCL rule resumption

Links to More Info: BT693473

Component: Local Traffic Manager

Symptoms:
RPC completion will attempt to resume the RPC iRule execution when there is subsequent iRule activity on the flow - CLIENT/SERVER_CLOSED, for instance, which keeps the flow alive and blocks in an iRule event.

Conditions:
Blocking the iRule event When an RPC call is outstanding and the flow is aborted.

Impact:
It will cause the iRule event blocking when RPC call is outstanding and the flow is aborted

Workaround:
None

Fix:
Cancel ILX RPC TCL resumption if iRule event is aborted before resumption (reply or timeout) occurs.

Fixed Versions:
17.1.1, 16.1.4, 15.1.9

427094-3 : Accept-language is not respected if there is no session context for page requested.

Links to More Info: BT427094

Component: Access Policy Manager

Symptoms:
Localization settings are determined when the session is created.
As a result, when the user logs out, there is user context left for APM to determine what language to present to the user.
So, when user is using the localized logon page, after the refresh it turns to the default language.

Conditions:
After configuring the preferred language, When refreshing login page twice, language is changed to default Eng.

Impact:
APM page doesn't load the preferred language after refreshing twice.

Workaround:
N/A

Fix:
N/A

Fixed Versions:
17.1.1, 16.1.5, 15.1.10

1615861-1 : TMUI hardening

Component: TMOS

Symptoms:
In certain scenarios, TMUI does not follow best security practices.

Conditions:
N/A

Impact:
N/A

Workaround:
No work around

Fix:
Best security practices are now applied

Fixed Versions:
17.1.1.4

1593681-1 : Monitor validation improvements

Component: TMOS

Symptoms:
Monitor validation did not follow expected behavior.

Conditions:
N/A

Impact:
N/A

Workaround:
No mitigation

Fix:
Only allow trusted admins to create and upload custom monitors. Do not upload untrusted monitors.

Fixed Versions:
17.1.1.4, 16.1.5

1505669 : Excessive broadcast traffic might cause backplane F5CDP packets to to dropped

Links to More Info: BT1505669

Component: Local Traffic Manager

Symptoms:
Excessive broadcast traffic can cause backplane F5CDP packets to be dropped by the FPGA metering. This issue affects the stability of the backplane and the overall health of the clustering system. When CDP packets are dropped, critical network topology and device information may not be communicated effectively, leading to potential disruptions and degraded performance in the cluster.

Conditions:
If Excessive broadcast traffic the backplane might become unstable.

Impact:
Chassis backplane and clustering issues.

Workaround:
None

Fix:
Upgrade BIG-IP with fix that includes F5CDP packet backplane fix.

Fixed Versions:
17.1.1.2

1495217-2 : TMUI hardening

Links to More Info: K000138636, BT1495217

1494833-1 : A single signature does not match when exceeding 65535 states

Links to More Info: K000138898, BT1494833

Component: Application Security Manager

Symptoms:
One of the attack signatures is not matched.

Conditions:
When all signatures are enabled and custom ones are created.

Impact:
The attack signature is passed instead of getting blocked.

Workaround:
NA

Fix:
All the signatures will be detected and respective violations will be raised.

Fixed Versions:
17.1.1.3, 16.1.4.3, 15.1.10.4

1492681 : Running tcpdump on a busy system may cause traffic drop.

Links to More Info: BT1492681

Component: TMOS

Symptoms:
Traffic throughput can be degraded.

Conditions:
The tcpdump application is executed on high throughput systems.

Impact:
Moderate to severe throughput drop is observed.

Workaround:
As a general recommendation, use tcpdump filters described in K411 or K2289 while capturing the packets on moderately busy systems.

However, on very busy systems, filters alone may not be enough. In this case, there is No workaround.

Fix:
Added a new db key 'tmm.tcpdump.pkt.ratelimit'. The default value of this db key is '0'. Also, this is the same behavior with the previous fix.

When the value is set to the default value (0), the TMM doesn’t do any rate limiting on the traffic that is sent to the tcpdump application.

When the value is set to any other value x, then the TMM applies rate limit of the value x and sends x packets/sec on an average to tcpdump application during capture cycle.

For example, if the db variable is set to 200, then each TMM sends an average of 200 pkts/sec to tcpdump application during the life cycle of tcpdump application.

Fixed Versions:
17.1.1.2

1492361-1 : TMUI Security Hardening

Links to More Info: K000138894, BT1492361

1472817 : Blade disconnects from BIG-IP clusters during high traffic flow.

Links to More Info: BT1472817

Component: Local Traffic Manager

Symptoms:
When the traffic is high, an overloaded blade can disconnect from the BIG-IP cluster due to dropped internal heartbeat packets.

Conditions:
Issue can be triggered when there is high and sustained traffic loads.

Impact:
Blades can disconnect from the BIG-IP cluster.

Workaround:
Decrease the traffic level until the blade rejoins the cluster.

Fix:
Priority of CDP packets are increased, so that they use high priority queues and are protected against being dropped when the front panel traffic load is high. Also optimized the algorithm that determines cross-blade disaggregation state to improve recovery when a blade drops out and rejoins a cluster.

Fixed Versions:
17.1.1.2

1449709-1 : Possible TMM core under certain Client-SSL profile configurations

Links to More Info: K000138912, BT1449709

1447389 : Dag context may not match the current cluster state

Links to More Info: BT1447389

Component: TMOS

Symptoms:
When the cluster state changes during synchronization of dag context in a HA pair, dag context may not match the current cluster state.

This is a rare-occurance problem and happens
only during frequent updates of the cluster state.

Conditions:
- HA pair is configured, the system role is the next-active
- The cluster state changes during the synchronization of the dag state.

Impact:
- one blade is not present in the dag context

Workaround:
Restart TMM

Fix:
Fixed an error that leads to a dag context not matching the current cluster state.

Fixed Versions:
17.1.1.2

1429149-1 : VELOS tenant, TMM remains not ready and fails to fully come-up on secondary slots★

Links to More Info: K000138191, BT1429149

Component: TMOS

Symptoms:
- TMM does not fully come up on secondary slots leaving all but one slot non-operational.

Following is an example:
[root@rd1:/S1-green-P::Active:Standalone] config # tmsh show sys cluster

-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address <IP address/subnet>
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 1
Primary Selection Time 12/08/23 12:16:33

  ---------------------------------------------------------------------------------------------------------
  | Sys::Cluster Members
  | ID Address Alt-Address Availability State Licensed HA Clustered Reason
  ---------------------------------------------------------------------------------------------------------
  | 1 :: :: available enabled true active running Run
  | 2 :: :: unavailable enabled false active running TMM not ready

2. The following messages will be seen on secondary slots /var/log/tmm logs file:

notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00
notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00
notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00
notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00

3. On tenant run:
guishell -c "select name,module_id,physport from interface"

If physport for 1/0.1 is showing 0, it's another indication of the bug.

Note: This issue can also occur on a single-bladed tenant, but there are no "Can't find SEP mapping" errors in tmm log, and "show sys cluster" does not show any problem on a single-bladed tenants. The guishell command is the only clear symptom that can be observed.


Other symptoms of this issue include:
- /var/log/ltm contains 'inet port exhaustion' logs for non-floating SelfIP addresses.
- The HA channel is disconnected.
- The failover channel over the HA VLAN does not work.
- Health checks are down or flapping.
- A BIG-IP tenant was working fine, but after a reboot, it stopped working.
- A BIG-IP tenant was broken, so you restart it, and now the tenant works, but a different tenant is now broken.
- You can ping some things but not other things.

This issue may not be triggered immediately after the upgrade.

Although it is encountered more rarely, this issue could also be triggered on rSeries devices.

Conditions:
BIG-IP tenant running v17.1.1 running on VELOS.

Impact:
TMM does not fully start on secondary slots, leaving those slots as part of the cluster and unable to process traffic.

Workaround:
None

Fixed Versions:
17.1.1.2

1410509 : A F5 CDP timeout for a single blade may override the DAG context for the whole system

Links to More Info: BT1410509

Component: TMOS

Symptoms:
A timeout in the F5 Cluster Discovery Protocol for a single blade may override the DAG context for the entire system.

Conditions:
A timeout in the F5 Cluster Discovery Protocol for a single blade.

Impact:
Traffic is routed to a single blade, as seen in `tmctl -d blade tmm/sdaglib_hash_table`.

Workaround:
Restart any TMM.

Fix:
Fixed a possibility for a single blade timeout to override the DAG context for the whole system.

Fixed Versions:
17.1.1.2

1409537-1 : The chmand fails to fully start on multi-slot F5OS tenants when the cluster members have addresses or alternate addresses

Links to More Info: BT1409537

Component: TMOS

Symptoms:
The chassis manager daemon (chmand) is wedged and does not fully start causing MCPD and cluster to never start.

Conditions:
This issue is seen when IPv6 alternate addresses to the cluster members are added and rebooted to a slot.

Impact:
The slot does not come online and stays inoperative.

Workaround:
None

Fix:
Using the copy of a variable for a bad iterator has fixed the issue.

Fixed Versions:
17.1.1.2

1395081 : Remote users are unable to generate authentication tokens

Links to More Info: K000137514, BT1395081

Component: TMOS

Symptoms:
On a BIG-IP version with the fix for ID1147633, remote users are unable to generate authentication tokens. This also results in following pages in the GUI being broken for users:
- Device Management >> Overview
- Local Traffic >> Network Map

Conditions:
-- BIG-IP version with the fix for ID1147633
-- Remote user authentication (such as TACACS, RADIUS, Active Directory, and other)

Impact:
Some parts of the GUI may not load for remote users.

Generating an authentication token for a remote user would result in an error message similar to the following:

{
  "code": 400,
  "message": "token creation failed; target user [<id>] does not exist in the system",
  "referer": "https://<IP>/tmui/tmui/devmgmt/overview/app/index.html?ver=0.0.6.17.1.1",
  "restOperationId": <ID>,
  "kind": ":resterrorresponse"
}

Workaround:
None

Fix:
The GUI pages are loading successfully for remote users.

Fixed Versions:
17.1.1.1, 16.1.5

1391357-4 : Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address

Links to More Info: K000136909, BT1391357

1381357-1 : CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability

Links to More Info: K000137365, BT1381357

1378329-1 : Secure internal communication between Tomcat and Apache

Links to More Info: K000137353

Component: TMOS

Symptoms:
For more details see: https://my.f5.com/manage/s/article/K000137353

Conditions:
For more details see: https://my.f5.com/manage/s/article/K000137353

Impact:
For more details see: https://my.f5.com/manage/s/article/K000137353

Workaround:
Note: This fix is related to CVE-2023-46747. However, systems with only the fix for ID1240121 are also not affected by CVE-2023-46747

For more details see: https://my.f5.com/manage/s/article/K000137353

Fix:
Communication between Tomcat and Apache is secured.

Fixed Versions:
17.1.1.4, 16.1.5

1366025-1 : A particular HTTP/2 sequence may cause high CPU utilization.

Links to More Info: K000137106, BT1366025

1361169-1 : Connections may persist after processing HTTP/2 requests

Links to More Info: K000133467, BT1361169

1360917-5 : TMUI hardening

Links to More Info: K000138520, BT1360917

1355117 : TMM core due to extensive memory usage★

Links to More Info: K000137374, BT1355117

Component: Access Policy Manager

Symptoms:
User observes TMM core due to extensive memory usage.

Conditions:
- Using BIG-IP 15.1.10
- When APM is used and users login and logoff multiple times.
- Each logoff may lead to some memory leak.

Impact:
User observes TMM core and fail over will occur.

Workaround:
None

Fix:
TMM does not core due to successive logoffs.

Fixed Versions:
17.1.1, 16.1.5, 15.1.10.3

1354253-1 : HTTP Request smuggling with redirect iRule

Links to More Info: K000137322, BT1354253

Component: Local Traffic Manager

Symptoms:
See: https://my.f5.com/manage/s/article/K000137322

Conditions:
See: https://my.f5.com/manage/s/article/K000137322

Impact:
See: https://my.f5.com/manage/s/article/K000137322

Workaround:
See: https://my.f5.com/manage/s/article/K000137322

Fix:
See: https://my.f5.com/manage/s/article/K000137322

Behavior Change:
HTTP Parser of HTTP message header (for requests and responses) performs additional checks on value for Content-Length header, allowing values, matching BNF definition in RFC2616 (only digits), not causing integer overflow, allowed in multiple instances both in comma-separated lists and multiple Content-Length headers. An additional check introduced for Transfer-Encoding header to allow only RFC-compliant combinations for this header.

Fixed Versions:
17.1.1.1, 16.1.4.2, 15.1.10.3

1353957-1 : The message "Error getting auth token from login provider" is displayed in the GUI★

Links to More Info: K000137505, BT1353957

Component: TMOS

Symptoms:
When you access GUI pages that use REST API token-based authentication, the pages fail to load with the message "Error getting auth token from login provider".

You may also observe a red banner with the message: "The iApp LX sub-system is currently unresponsive."

For example, accessing the policies list from the following location:
iApps ›› Application Services : Applications LX Security ›› Application Security : Security Policies : Policies List

Conditions:
If the auth-pam-idle-timeout is other than 1200
list sys httpd auth-pam-idle-timeout
sys httpd {
    auth-pam-idle-timeout 1200
}

Impact:
GUI pages that use REST API token-based authentication will not load.

Workaround:
Use the following tmsh commands:

tmsh modify sys httpd auth-pam-idle-timeout 1200
tmsh save sys config
tmsh restart sys service httpd

wait for 2 minutes

Delete cookies from /var/run/pamcache
rm -f /var/run/pamcache/*

Users authenticated in the TMUI will log out automatically. After logging back in, TMUI pages should load properly.

for VIPRION

tmsh modify sys httpd auth-pam-idle-timeout 1200
tmsh save sys config
clsh tmsh restart sys service httpd


wait for 2 minutes


Edit csyncd settigs prevent old cookies sync from other blade.

clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)
clsh "sed -i '/run＼/pamcache/,+2s/^/#/' /etc/csyncd.conf"
clsh "bigstart restart csyncd"

Delete cookies from /var/run/pamcache
clsh rm -f /var/run/pamcache/*

Revert csyncd settigs.

clsh "sed -i '/run＼/pamcache/,+2s/^#//' /etc/csyncd.conf";
clsh "bigstart restart csyncd"

Note: Modifying the auth-pam-idle-timeout value will sync between devices in a sync-failover device group, but the workaround steps above must be performed on each device individually.

Fix:
Restjavad layer modified to accommodate idle timeout values other than 1200

Fixed Versions:
17.1.1.2, 16.1.5

1351049-2 : Platform recv queue is getting filled with requests from TMM.

Links to More Info: BT1351049

Component: TMOS

Symptoms:
Receive queue counters are unusually high:

# netstat -nalp | egrep -w "Proto|5678"
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5678 0.0.0.0:* LISTEN 13828/platform_agen
tcp 1866270 0 127.0.0.1:5678 127.1.1.44:43695 ESTABLISHED 13828/platform_agen
tcp 1972914 0 127.0.0.1:5678 127.1.1.27:13478 ESTABLISHED 13828/platform_agen
tcp 1866830 0 127.0.0.1:5678 127.1.1.38:33709 ESTABLISHED 13828/platform_agen
...

Conditions:
-- AFM license is enabled
-- Device DOS vector is configured to mitigate DDOS traffic.

Impact:
There can be two impact of this issue :
1. Actual configuration of device dos vectors in FPGA might take longer.
2. DOS stats data might not be correct.

Workaround:
Issue is intermittent but restarting platform_agent may solve this issue.

Fix:
Fixed an issue related to platform agent fetching stats data from the api gateway.

Fixed Versions:
17.1.1.2

1349797 : Websense database download fails

Links to More Info: BT1349797

Component: Access Policy Manager

Symptoms:
URLDB download fails and the following logs are found in /var/log/apm

err urldbmgrd[18211]: 01770072:3: 00000000: Download failed with return code -1 (other)
err urldbmgrd[18211]: 01770026:3: 00000000: Master db download failed with return code -1 (other)
err urldbmgrd[18211]: 01770002:3: 00000000: Download of Master DB failed, will retry.

Conditions:
Occurs whenever the SWG or URLDB license is present.

Impact:
URL database download fails, and categorization will fail eventually.

Workaround:
None

Fix:
Websense URL database download and categorization no longer fail when SWG or URLDB license is provided.

Fixed Versions:
17.1.1

1339201 : ICMP traffic fails to reach tenant after a couple of continuous reboots

Links to More Info: BT1339201

Component: Local Traffic Manager

Symptoms:
ICMP traffic or any other traffic fails to reach the deployed tenant; the dataplane is down.

The problem is a race condition between multiple tenants being deployed at the same time. All of these tenants use the same socket to send enable/disable messages. When all of the tenants are deployed at the same time and send their enable/disable messages, it causes a slowdown, which then causes a timeout and failure to attach TMM.

Conditions:
This issue occurs when a tenant is continuously rebooted.

Impact:
The deployed tenant fails to receive traffic; dataplane is inoperable.

Workaround:
Redeploy the tenant by going into ConfD CLI and entering provisioned/deployed commands.

Fix:
Redeploy the tenant by using ConfD CLI.

Fixed Versions:
17.1.1

1338993 : Failing to fetch the installed RPM, throwing an error Object contains no token child value

Links to More Info: BT1338993

Component: TMOS

Symptoms:
This issue is caused as generation of tokens for root user is restricted because root user is an internal user.

An error is displayed when trying to fetch the list of global installed RPM packages using below tmsh command which makes a REST call to fetch the list by passing an authenticated token to get the authorization:

tmsh list mgmt shared iapp global-installed-packages

Conditions:
This issue occurs when a few iApps are installed and used by customer from BIG-IP and while trying to read the information of the installed packages on BIG-IP using a tmsh command.

Impact:
Limits the generation of token for root user, which subsequently impacts fetching list of global installed RPMs on BIG-IP and also cannot validate whether installation of package is successful or not from tmsh end.

Workaround:
After the package is installed, to get the list of packages installed use the following REST call instead of the tmsh command:

restcurl /shared/iapp/package-management-tasks/12a8b01c-acba-45cb-a03e-644f15fbe8f7
{

Fix:
Unrestricted the token generation for a root user which will enable fetching the list of installed packages.

Fixed Versions:
17.1.1, 16.1.5

1332401-1 : Errors after config sync with FIPS keys

Links to More Info: BT1332401

Component: TMOS

Symptoms:
Sync failing with unable to config sync FIPS key. An error similar to the following is displayed:

Sync error on bigip1.test.xyz: Load failed from /Common/bigip2.test.xyz 01070712:3: Caught configuration exception (0), unable to synchronize FIPS key (/Common/my_fips_private_key).

Conditions:
Config sync failed after replacing FIPS key (create / import / replace).

Impact:
Unable to configsync between units in an high availability (HA) group.

Workaround:
Please contact technical support.

Fixed Versions:
17.1.1

1329477-1 : Auto-initialization does not work with certain MRF connection-mode

Links to More Info: BT1329477

Component: Service Provider

Symptoms:
When using certain connection-mode, no connections are initiated automatically to the peer server.

Conditions:
The following connection mode will not take auto-initialization into account: per-peer-alternate-tmm

Only these will:
per-peer
per-blade
per-tmm

Impact:
Auto-init not working

Workaround:
If possible, use other connection-mode for which auto-initialization is working.

Fixed Versions:
17.1.1, 16.1.5

1325981-1 : DNS outbound-msg-retry causes TMM crash or core, and changes to outbound-msg-retry do not take effect immediately

Links to More Info: BT1325981

Component: Global Traffic Manager (DNS)

Symptoms:
TMM crashes when attempting to perform DNS resolution with a DNS resolver or DNS cache, if the outbound-msg-retry configuration value is set to 0.

Additionally, modifications to the outbound-msg-retry value do not immediately take effect, and the DNS cache or resolver may continue to function with the previously-configured value.

Conditions:
A DNS cache or DNS net resolver with outbound-msg-retry set to 0.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not set the 'outbound-msg-retry' value for DNS caches and DNS resolvers to a value of 0.

If making configuration changes to the 'outbound-msg-retry' value, also change the "use-ipv4" or "use-ipv6" setting (i.e. toggle from "yes" to "no", and then back to "yes").

Fix:
The DNS cache and DNS resolver outbound-msg-retry setting is now restricted to being a positive integer (i.e. a value greater than 0).

Changes to the outbound-msg-retry setting now take effect immediately.

Fixed Versions:
17.1.1

1324745-1 : An undisclosed TMUI endpoint may allow unexpected behavior

Links to More Info: K000135689, BT1324745

1324681-4 : Virtual-server might stop responding when traffic-matching-criteria is removed.

Links to More Info: BT1324681

Component: TMOS

Symptoms:
Due to a known issue virtual-server might stop responding to traffic when traffic-matching-criteria (TMC) is removed and ordinary address/port gets defined.

Conditions:
- Disabling traffic-matching-criteria on a virtual-server.

Impact:
Virtual-server stops responding to traffic.

Workaround:
TMM restart will fix this problem.

Fixed Versions:
17.1.1

1322077 : BIG-IP can now support handshakes with 4 additional cipher suites: ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8

Links to More Info: BT1322077

Component: Local Traffic Manager

Symptoms:
Handshakes fail if a client/server tries to negotiate a handshake with the following cipher suites:
ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8

Conditions:
A handshake with the following cipher suites is attempted:
ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8

Impact:
Handshakes fail if a client/server tries to negotiate a handshake with the following cipher suites:
ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8

Workaround:
None

Fixed Versions:
17.1.1

1322009 : UCS restore fails with ifile not found error

Links to More Info: BT1322009

Component: TMOS

Symptoms:
The loading configuration process failed.

Conditions:
This issue occurs when installing UCS without ifiles.

Impact:
The loading configuration process failed. UCS restore fails with ifile not found error.

Workaround:
Commenting the line `/bin/rm -rf /config/filestore/files_d/Common_d/ifile_d/*` in /usr/local/bin/install_ucs.pm resolves the issue.

Fix:
None

Fixed Versions:
17.1.1

1321585 : Support AFM DOS TCP vectors behavior

Links to More Info: BT1321585

Component: Advanced Firewall Manager

Symptoms:
Certain AFM DOS TCP vectors are not supported.

Conditions:
-- AFM enabled
-- New TCP vectors are configured.

Impact:
AFM DOS TCP vectors cannot be configured and applied.

Workaround:
None.

Fix:
New TCP vectors supported.

Fixed Versions:
17.1.1

1321221 : Error when trying to make changes in IPS Profile 01070734:3: Configuration error: Invalid Devicegroup Reference.

Links to More Info: BT1321221

Component: Protocol Inspection

Symptoms:
You are unable to make changes in the IPS Profile when it is on a different partition and the device is in a sync-only device group.

Conditions:
1) Create a device group with two devices. (https://my.f5.com/manage/s/article/K63243467)
2) Create a new partition
   System > Users > Partition List > Create > Add device group created in step 1 here in the partition
3) On the right corner in BIG-IP UI you can select the partition. Select the new partition created
3) Create a virtual server
   Local Traffic > Virtual Servers > Virtual server List > create
4) Create a IPS Profile
   Security > Protocol Inspection > Inspection Profiles > new > select the services you want to add to profile.
5) Add the profile to virtual server.
   Local Traffic > Virtual Servers > Virtual server List > click on visual server you created > Security > Policies > Protocol Inspection Profile > enabled > select profile name
6) Now go to the profile and try to make changes to action value of any of the signatures or compliances which require IPS subscription.

Impact:
The changes related to action value cannot be made in the IPS Profile which is in a different partition on a device which is in sync-only device group.

Workaround:
None

Fix:
After fixing the issue, able to make changes in the IPS Profile and also sync the config between the sync-only device group.

Fixed Versions:
17.1.1

1320889-4 : Sock interface driver might fail to forward some packets.

Links to More Info: BT1320889

Component: TMOS

Symptoms:
Sock interface driver might drop packets that require reassembly/re-segmentation on one side of the connection. For example, when client-side is configured with tcp-nagle and the server-side sends a stream of multiple small packets.

This can increase latency on BIG-IP Virtual Edition on Azure when TSO/LRO is enabled.

Drops can be monitored by running the following command:
'tmctl -d blade tmm/ndal_tx_stats -w 300' column 'drop_rej_dd'.

Conditions:
-- sock driver. (See K10142141)
-- BIG-IP performing reassembly/re-segmentation on one side of the connection

Impact:
Some packets might never be forwarded by the BIG-IP system.

Workaround:
In some cases disabling Nagle Algorithm in TCP profile to avoid reassembly/re-segmentation might improve the performance.

Fixed Versions:
17.1.1, 16.1.5

1320513 : Device DOS drop rate limits are not configured correctly on the FPGA.

Links to More Info: BT1320513

Component: Advanced Firewall Manager

Symptoms:
Drop limit in dos_stats tmstat table does not match with configured mitigation in device DoS.

Conditions:
-- VELOS or rSeries platform
-- AFM is enabled
-- Configuring device-level DoS mitigation.

Impact:
Stats might not be correct if mitigation value is high.

Workaround:
None

Fixed Versions:
17.1.1

1319365-1 : Policy with external data group may crash TMM or return nothing with search contains

Links to More Info: BT1319365

Component: Local Traffic Manager

Symptoms:
TMM may crash or return no result found when there is one when using contains external data group.

Conditions:
External data group sets first to "starts-with" and then switch to "contains" may crash the TMM. If on the other hand, TMM is started with search "contains" from the start, no results may be found by policy even though there might be a result.
The is because, the external policy is not populated at all or entirely before the search happens. The starts-with works as it is populating on demand and is the reason and will partially populate it as needed, but when a switch to
 "contains" happens, it expects it to be entirely populated.

Impact:
TMM crashes or result not found when there should be a result.

Workaround:
A workaround is possible if starts-with could be used instead of "contains".

Fix:
Search with "contains" will make sure the policy with external data group is entirely populated, avoiding the crash and making a search result successful if there is a match.

Fixed Versions:
17.1.1, 16.1.5

1318749 : Memory Leakage while decoding Assertion Attributes

Links to More Info: BT1318749

Component: Access Policy Manager

Symptoms:
Memory leakage in a SAML SP Agent.

Conditions:
Dynamically created memory for variables, while decoding assertion attributes, are not freed.

Impact:
Apmd has high memory usage due to the memory leak.

Workaround:
None

Fix:
Free the dynamically created memory.

Fixed Versions:
17.1.1

1318285 : Leakage point in storing assertion attributes-string in tmm

Links to More Info: BT1318285

Component: Access Policy Manager

Symptoms:
Apmd crashes.

Conditions:
This can occur while passing SAML traffic.

Impact:
Apmd cores. Access traffic disrupted while apmd restarts.

Workaround:
None

Fix:
Fixed a crash in apmd.

Fixed Versions:
17.1.1

1317705-1 : TMM may restart on certain DNS traffic

Links to More Info: K000139037, BT1317705

1316529-4 : Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails with hidden DOS

Links to More Info: BT1316529

Component: Application Security Manager

Symptoms:
Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails. The machine stays offline.

Conditions:
This issue occurs when the hidden DOS profile exists.

Impact:
The machine stays offline and the update fails.

Workaround:
Change the error response page body from default to custom.

Fix:
Allow DOS hidden profile captcha default to be updated.

Fixed Versions:
17.1.1, 16.1.5

1316277-3 : Large CRL files may only be partially uploaded

Links to More Info: K000137796, BT1316277

Component: TMOS

Symptoms:
When updating a large CRL file in BIG-IP using tmsh, the file may only be partially read due to internal memory allocation failure.

Please note that the size of the CRL file causing this issue varies across hardware types, network bandwidth and usage, and system resources.

Conditions:
1. Using tmsh, a large CRL file is updated to an existing CRL.
2. This large CRL file is attached to multiple profiles.
3. The system is under heavy load

Impact:
When a large CRL file is attached to a profile, an update may indicate success when only a partial upload has occurred. Connections to VIP with this profile may have unexpected results, such as a certificate not being blocked as expected.

Workaround:
A large CRL file can be divided into smaller chunks and loaded into multiple profiles.

Fix:
If an error occurs during CRL upload or update, the profiles containing this partial CRL file will be invalidated and further connections to the VIP will be terminated. An error will be logged to /var/log/ltm whenever a CRL file read operation fails due to memory allocation.

The log received will look like:

01260028:2: Profile <profile name> - cannot load <CRL file location> CRL file error: unable to load large CRL file - try chunking it to multiple files.

Fixed Versions:
17.1.1, 16.1.4.2, 15.1.10.3

1315193-3 : TMM Crash in certain condition when processing IPSec traffic

Links to More Info: K000138728, BT1315193

1314545-1 : Restricting VwireObject and VwireNtiObject SHM and it's poll for non required platforms

Links to More Info: BT1314545

Component: TMOS

Symptoms:
Unwanted entries are logged on VE vCMP platforms.

Conditions:
VE vCMP Platfoms.

Impact:
Too many entries are logged with unwanted SHM.

Workaround:
None

Fix:
Restricted VwireObject and VwireNtiObject SHM poll for non required platforms.

Fixed Versions:
17.1.1

1314301-1 : TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled

Links to More Info: K000137334, BT1314301

1313369-5 : Significant performance drop observed for DNS cache validating resolver for responses with indeterminate and insecure validation status

Links to More Info: BT1313369

Component: Global Traffic Manager (DNS)

Symptoms:
Performance drop observed when changing DNS cache resolver to validating resolver for responses with indeterminate and insecure validation status.

To know more about the validation status, check RFC 4035 (section 4.3).

Conditions:
- Create a DNS cache validating resolver.
- Ensure the responses are with Indeterminate and Insecure validation status.
- Observe the performance as compared to responses with secured validation status.

Impact:
Performance of validating resolver will be less than expected.

Workaround:
None

Fixed Versions:
17.1.1, 16.1.5

1312057-3 : bd instability when using many remote loggers with Arcsight format

Component: Application Security Manager

Symptoms:
When using multiple arcsight remote loggers for an ASM policy, certain requests may cause bd to restart and leave a core file.

Conditions:
ASM policy is attached to VS.
Multiple remote storage loggers, using arcsight format are attached to vs.
Certain traffic patterns.

Impact:
bd will restart and leave a core file.

Workaround:
None.

Fix:
bd processes traffic as expected.

Fixed Versions:
17.1.1, 16.1.4

1311561-2 : Unable to add Geo regions with spaces into blacklist, Error: invalid on shun entry adding

Links to More Info: BT1311561

Component: Advanced Firewall Manager

Symptoms:
Unable to add Geo regions with spaces into blacklist categories.
Ex: New South Wales, West Bengal.
However, we are able to add regions without spaces
Ex:Delhi.

Conditions:
Provision AFM license and try to add any geo regions having spaces into blacklist category.

Impact:
Cannot mitigate traffic from the above particular Geo regions.

Workaround:
No Workaround

Fix:
After the code fix, we are able to add the above regions and mitigate traffic.

Fixed Versions:
17.1.1, 16.1.5

1311169-1 : DNSSEC response is not signed when failure-rcode-response is enabled and no record is returned

Links to More Info: BT1311169

Component: Global Traffic Manager (DNS)

Symptoms:
DNS response is not signed for DNSSEC zone for DNSSEC request.

Conditions:
1. A DNSSEC zone exists.
2. Return Code on Failure is enabled and SOA Negative Caching TTL is set to 0.
3. A query hits that wideIP and does not get a pool member selected.

Impact:
DNS response is not signed.

Workaround:
SOA Negative Caching TTL set to a number larger than 0.

Fixed Versions:
17.1.1, 16.1.5

1311125-1 : DDM Receive Power value reported in ltm log is ten times too high

Links to More Info: BT1311125

Component: TMOS

Symptoms:
The BCM56xxd process reports erroneous Receive Power value for an interface when Digital Diagnostics Monitoring (DDM) is enabled. The reporting within /var/log/ltm is erroneous by shifting a decimal point and is off by a factor of 10:

2023-06-14T17:10:35.282+00:00 bigip1 err bcm56xxd[11534]: 012c0017:3: DDM interface:2.2 receive power too high warning. Receive power:7.7933 mWatts


The "show /net interface-ddm" output for this interface displays a different value:

Digital Diagnostic Monitoring Interface:2.2
Laser Transmit and Receive Power Value
Receive Power1 0.7904mW -1.02dBm

Conditions:
DDM is enabled with the "ddm.bcm56xxd.enable" db variable:

sys db ddm.bcm56xxd.enable {
    value "enable"
}

Impact:
Incorrect Receive Power value is recorded in warning logs.

Workaround:
None

Fixed Versions:
17.1.1, 16.1.5

1308269-2 : OpenSSL vulnerability CVE-2022-4304

Links to More Info: K000132943, BT1308269

1307697-2 : IPI not working on a new device - 401 invalid device error from BrightCloud

Links to More Info: BT1307697

Component: Advanced Firewall Manager

Symptoms:
IPI update is failing with below error:
 
iprepd|ERR|Jun 09 15:52:59.261|9847|getipfile failed with status code: 401: Unauthorized: Invalid or missing credentials OEM, Device, or UID
iprepd|ERR|Jun 09 15:52:59.261|9847|Error code 1029: InvalidUserCredentials
iprepd|ERR|Jun 09 15:52:59.261|9847|Server message: Invalid Device (f5#ipintelligence-c130 from 202.187.110.1)

Conditions:
Only IPI update will stop working.

Impact:
IPI stop working.

Workaround:
No workaround

Fix:
IPI license will work for all platforms.

Fixed Versions:
17.1.1, 15.1.10

1307517-3 : Allow SIP reply with missing FROM

Links to More Info: BT1307517

Component: Service Provider

Symptoms:
SIP Reply with a missing FROM in the header is dropped.

Conditions:
- SIP header not compliant with RFC requirement that a FROM must be present.

Impact:
SIP reply drop impacts the client not getting a response.

Workaround:
None

Fix:
Set allow-unknown-methods to be enabled in the SIP session profile, which relaxes the SIP parser to allow unknown SIP messages to be used.

Fixed Versions:
17.1.1, 16.1.5

1307453-1 : BD daemon may consume excessive resource and crash

Links to More Info: K000137270, BT1307453

1305929 : Tmm crash with QUIC connections

Links to More Info: BT1305929

Component: Local Traffic Manager

Symptoms:
Tmm crashes while processing QUIC connections.

Conditions:
Abnormal disconnect of QUIC connection.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.1.1

1305897 : A platform error can cause DAG context to be out of sync with the tenant

Links to More Info: BT1305897

Component: TMOS

Symptoms:
A platform error can cause the DAG context to be out of sync with the tenant.

Conditions:
- Writing DAG state

Impact:
Performance and connectivity are limited.

Workaround:
Restart the tenant.

Fix:
A platform error can no longer cause dag context to be out of sync with the tenant

Fixed Versions:
17.1.1

1305697-4 : TMM may crash after performing a full sync, when in-tmm monitors are configured and ssl-profile is changed

Links to More Info: BT1305697

Component: Local Traffic Manager

Symptoms:
TMM may crash after performing a full sync

Conditions:
- In-tmm monitors are configured (bigd.tmm = enable)
- Full sync is performed
- Monitors are using a custom ssl profile
- The ssl profile was changed as part of the full sync.

Impact:
Traffic disrupted on the BIG-IP that recieved the config sync while tmm restarts.

Workaround:
Disable in-tmm monitors, and avoid performing a full sync after modifying in-tmm ssl monitors.

Fixed Versions:
17.1.1, 16.1.5

1305361-1 : Flows that are terminated by an ILX streaming plugin may not expire immediately

Links to More Info: BT1305361

Component: Local Traffic Manager

Symptoms:
Flows that are terminated from a plugin may not shutdown/expire properly until expiry timeout which leads to bloating of the flow table

Conditions:
-- ILX streaming plugin configured
-- Connection close initiated from the plugin (flow.client.end)

Impact:
Flows will stay in the table till expiry and may bloat up the flow table

Workaround:
None

Fixed Versions:
17.1.1, 16.1.5

1305125 : Ssh to localhost not working with ssh-rsa

Links to More Info: BT1305125

Component: TMOS

Symptoms:
The password prompt is not displayed when trying ssh to localhost.

Conditions:
1. Create test_user,

# tmsh create auth user test_user password abcde shell bash session-limit -1 partition-access replace-all-with { all-partitions { role admin } }
# tmsh save sys config

2. Try login localhost using test_user,

config # ssh test_user@localhost
config # --->!!!!! no password prompt shown up

Impact:
SSH to localhost will not work.

Workaround:
Ssh-rsa key was deprecated on 17.1.0,1 and need to replace/copy ECDSA key to ssh_known_hosts.

Replacing the RSA key in ssh_known_hosts with the ECDSA key.

sed -ie '/^localhost/s//#&/' /config/ssh/ssh_known_hosts; echo "locahost,localhost.localdomain $(cat /config/ssh/ssh_host_ecdsa_key.pub)" >> /config/ssh/ssh_known_hosts

Fixed Versions:
17.1.1, 16.1.5

1304957-8 : BIG-IP Edge Client for macOS vulnerability CVE-2023-5450

Links to More Info: K000135040, BT1304957

1304289-1 : Pool member monitored by both GTM and LTM monitors may be erroneously marked Down

Links to More Info: BT1304289

Component: Local Traffic Manager

Symptoms:
A GTM or LTM pool member may occasionally be marked Down in error if it is being monitored by the same type of monitor with the same name as another LTM or GTM pool member with the same address and port.

Conditions:
This may occur if all of the following conditions are true:
-- A pool member for one module (GTM or LTM) has the same address and port as a pool member for a different module (LTM or GTM).
-- Both pool members are monitored by a monitor of one of the following types:
   -- Microsoft SQL
   -- MySQL
   -- Oracle
   -- PostgreSQL
   -- lDAP
   -- Radius
   -- Radius-Accounting
   -- Scripted
   -- SIP
   -- WAP
-- Both pool members are monitored by monitors of the same type (from the list above).
-- Both monitors have the same name (exact match).

Impact:
A GTM or LTM pool member may occasionally be marked Down in error.

Workaround:
To work around this issue, assign different names to GTM versus LTM health monitors of the same time (from the list of types above) that are used to monitor pool members for different modules with the same address and port values.

Fixed Versions:
17.1.1, 16.1.5

1304189-4 : Duplicate SYNs to a mirrored FastL4 virtual may result in connection failures

Links to More Info: BT1304189

Component: Local Traffic Manager

Symptoms:
If a duplicate SYN arrives on a connection before the SYN/ACK is processed and the connection is pushed into PVA, then when it is later evicted from PVA it may stop passing traffic and be reset with the RST cause "Handshake Timeout".

Conditions:
- PVA enabled
- Mirroring enabled
- Duplicate SYNs on the network

Impact:
Connection will stop passing traffic and resets when they are evicted from PVA.

Workaround:
Perform one of the following as a workaround:

- Disable PVA
- Disable mirroring
- Modify sys db tm.fastl4_ack_mirror value to Disable
- Modify sys db tm.fastl4_mirroring_taciturn value to Enable.

Fixed Versions:
17.1.1, 16.1.5

1303185-6 : Large numbers of URLs in url-db can cause TMM to restart

Links to More Info: BT1303185

Component: SSL Orchestrator

Symptoms:
TMM continuously restarts during startup.

Conditions:
This was seen when the url-db had about 64K glob URLs. Most of the globs were of the form "*foo*".

Impact:
TMM is unusable.

Workaround:
Large numbers of globs that start with the below should be OK:
   ".*://"
   ".*://.*＼＼."
Note that there should be no other special glob characters, so ".*://www.example.com" would be OK but ".*://www.example.com*" might not be.

Fixed Versions:
17.1.1, 16.1.5, 15.1.10

1302825-2 : Allow configuration of the number of times the CNAME chase is performed

Links to More Info: BT1302825

Component: Global Traffic Manager (DNS)

Symptoms:
The client receives a SERVFAIL when the CNAME queried to the BIG-IP DNS resolver takes more than the limit configured in the DNS Cache. The limit is set as 11 for BIG-IP v17.1.0 and later. It is fixed as 8 for earlier releases.

Conditions:
A BIG-IP DNS is configured as a resolver (as a cache or a net resolver). The domain of which CNAME resolution is asked requires chasing more times than what is pre-configured in the DNS Cache.

Impact:
The clients cannot resolve DNS names if the count of the CNAME chases goes beyond the limit configured in the DNS cache.

Workaround:
The providers whose CNAME is queried can be asked to keep chains shorter than the pre-configured limits (the limits vary between different versions of BIG-IP).

Fixed Versions:
17.1.1, 16.1.5

1302689-2 : ASM requests to rechunk payload

Links to More Info: BT1302689

Component: Application Security Manager

Symptoms:
ASM requests TMM to rechunk payload in following scenarios:
- Content-Length header was not found on response headers.
- Response with headers only.

Conditions:
Content-Length header is missing from the HTTP response.

Impact:
Transfer-Encoding: chunked header is added to the response.

Workaround:
None

Fix:
On "Fixed" versions, create an internal ASM parameter as "is_disable_rechunk" below and restart ASM service, which would then stop tagging "Transfer Encoding: Chunked" in the Response header.

Fixed Versions:
17.1.1, 16.1.5, 15.1.10

1302677-2 : Memory leak in PEM when Policy is queried via TCL

Links to More Info: BT1302677

Component: Policy Enforcement Manager

Symptoms:
Memory leak of struct size ummem_alloc_112.

Conditions:
[PEM::session config policy get [IP::client_addr]]

If above configuration is present in irule/format script
and subscriber has ipv6 address.

Impact:
Memory leak of struct size ummem_alloc_112.
TMM may go out of memory, may restart and cause service disruption.

Workaround:
Avoid getting policy via tcl command for IPv6 subscriber.

Remove below configuration:
[PEM::session config policy get [IP::client_addr]]

Fix:
Code fixed to avoid memory leak.
 
cb_cookie object was not getting freed sometimes. Made sure its freed in all the required cases.

Fixed Versions:
17.1.1, 16.1.5, 15.1.10

1302077-1 : Virtual address statistics being counted for different virtual address after changing the destination address of a virtual server

Links to More Info: BT1302077

Component: Local Traffic Manager

Symptoms:
After modifying the destination address of a virtual server to a new address, the virtual address statistics for subsequent traffic are still being tracked in the original virtual address.

Conditions:
-- Create the virtual server with a destination address
-- Change the destination address of a virtual server to new address

Impact:
Incorrect statistics will fail to reflect actual virtual address load.

Workaround:
None

Fixed Versions:
17.1.1, 16.1.5

1301529 : Update FIPS-required Service Indicators

Links to More Info: BT1301529

Component: TMOS

Symptoms:
FIPS requires that service indicators be displayed for approved services. SHA-512 is not supported as approved and thus must not show a service indicator.

Conditions:
FIPS mode and use of SHA-512.

Impact:
Incorrect display of service indicator.

Fix:
Removed service indicator for SHA-512.

Fixed Versions:
17.1.1

1301197-1 : Bot Profile screen does not load and display large number of pools/members

Links to More Info: BT1301197

Component: Application Security Manager

Symptoms:
Bot Defense profile menu fails to display (it appears trying to load but it does not load).

Conditions:
Large number of pools, for example 2500 pools, and members configured on the box.

Impact:
Bot Profile screen cannot be loaded.

Workaround:
None

Fixed Versions:
17.1.1, 16.1.5, 15.1.10

1300925-4 : Shared memory race may cause TMM to core

Links to More Info: BT1300925

Component: Local Traffic Manager

Symptoms:
TMM may core while managing shared memory segments.

Conditions:
Issue is observed during TMM startup.

Impact:
Rare shared memory related TMM cores.

Workaround:
None

Fixed Versions:
17.1.1, 16.1.5

1298545 : TMM crashes during SAML negotiations with APM configured as SAML SP.

Links to More Info: BT1298545

Component: Access Policy Manager

Symptoms:
TMM crashes while passing SAML traffic.

Conditions:
SAML is configured as a SP and performing negotiations.

Impact:
Traffic disrupted while TMM restarts.

Workaround:
None

Fix:
Fixed an issue with proper checks and increased robustness in SAML SP key decryption.

Fixed Versions:
17.1.1

1298029-4 : DB_monitor may end the wrong processes

Links to More Info: BT1298029

Component: Local Traffic Manager

Symptoms:
If there are a lot of LTM or GTM database monitors in use, then the DB_monitor process may, in extremely rare circumstances, inadvertently end the processes that are not intended to be stopped.

Conditions:
Many database monitors, frequent PID reuse. This should be extremely rare.

Impact:
Some linux processes may unexpectedly end.

Workaround:
Preiodically clean up with PID files:

find /var/run/ -iname ＼*SQL__* -mtime +1 -exec rm -vf '{}' ';'

and/or increase the number of available Linux PIDs:

echo 4194304 > /proc/sys/kernel/pid_max

Fixed Versions:
17.1.1, 16.1.5

1297089-1 : Support Dynamic Parameter Extractions in declarative policy

Links to More Info: BT1297089

Component: Application Security Manager

Symptoms:
When a policy is exported in JSON format, the dynamic parameter extractions configuration is not exported to the policy file and when it is imported back into the policy, the dynamic extraction configuration is lost.

Conditions:
Policy contains Dynamic parameter extraction and it is exported in JSON format.

Impact:
Dynamic extraction configuration is lost.

Workaround:
Export the policy in xml or binary format.

Fix:
Added support in JSON policy also to dynamic parameter extractions.

Fixed Versions:
17.1.1, 16.1.4

1296489-1 : ASM UI hardening

Links to More Info: K000138047, BT1296489

1296469-1 : ASM UI hardening

Component: Application Security Manager

Symptoms:
The ASM UI does not follow best security practices.

Conditions:
N/A

Impact:
N/A

Workaround:
NA

Fix:
The ASM UI now follows best security practices.

Fixed Versions:
17.1.1, 16.1.4

1295661-1 : BIG-IP Edge Client for macOS vulnerability CVE-2023-38418

Links to More Info: K000134746, BT1295661

1295565-1 : BIG-IP DNS not identified in show gtm iquery for local IP

Links to More Info: BT1295565

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP DNS is not identified in show gtm iquery for local IP.

Conditions:
The connection between local big3d and gtmd gets backlogged;
or
The connection between local big3d and gtmd gets reset.

Impact:
TMSH show gtm iquery does not show correct server type.

Workaround:
Restart big3d.

Fixed Versions:
17.1.1, 16.1.5

1295481-3 : FIPS keys are not restored when BIG-IP license is renewed after it expires

Links to More Info: BT1295481

Component: TMOS

Symptoms:
FIPS key are deleted

Conditions:
An expired license is renewed on the BIG-IP system.

Impact:
FIPS keys are deleted and cannot be used

Workaround:
None

Fixed Versions:
17.1.1, 16.1.5

1295017 : TMM crash when using MPTCP

Links to More Info: K000138477, BT1295017

1295009-2 : "JSON data does not comply with JSON schema" violation is raised when concurrent requests occur with same JSON data

Links to More Info: BT1295009

Component: Application Security Manager

Symptoms:
JSON schema validation fails when concurrent requests occur with the same JSON data.

Conditions:
Concurrent HTTP requests contain the same JSON data.

Impact:
JSON schema validation fails.

Workaround:
None

Fix:
JSON schema validation does not fail in case of concurrent requests with same JSON data.

Fixed Versions:
17.1.1, 16.1.5, 15.1.10

1294993-1 : URL Database download logs are not visible

Links to More Info: BT1294993

Component: Access Policy Manager

Symptoms:
DB download happens either at regular intervals or when explicitly requested by the user. Download status should be visible as part of apm logs and currently, those are missing.

Conditions:
Urldb configured

Impact:
Database download status information will be unknown.

Fix:
- Removing the obsolete DB variables that were used for apm logging, also led to the removal of the log configuration for swg that is being used by urldb and urldbmgrd for logging.

- Updated swg member in the apm log configuration structure during initialization and run-time execution.

Fixed Versions:
17.1.1, 16.1.5

1294089-1 : BIG-IP Advanced WAF and BIG-IP ASM vulnerability CVE-2024-23308

Links to More Info: K000137416, BT1294089

1293289-1 : Credentials can be submitted to /my.policy as GET instead of POST

Component: Access Policy Manager

Symptoms:
A user can submit credentials in a GET request to /my.policy instead of POST. This may expose user credentials inappropriately under some circumstances.

Conditions:
1. A basic logon page is configured
2. The user sends a login request to /my.policy using a GET request instead of a POST request.

Impact:
User credentials may be exposed.

Workaround:
An iRule may be used to reject such requests. A sample iRule is given below:

when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
# match /my.policy with query beginning character ?
if { [HTTP::uri] starts_with "/my.policy?" } {

if { [HTTP::method] equals "GET" } {
log local0. "HTTP method GET is not allowed for /my.policy?"
reject
}

}
}

Fix:
APM will no longer accept GET requests to /my.policy requests with credentials.

Fixed Versions:
17.1.1

1293193-3 : Missing MAC filters for IPv6 multicast

Links to More Info: BT1293193

Component: TMOS

Symptoms:
Certain drivers are missing MAC filters for multicast. This prevents TMM from receiving messages sent to All Nodes and All Routers addresses.

Conditions:
- BIG-IP VE
- Using TMM's IAVF driver

Impact:
TMM does not receive multicast messages and traffic sent to All Nodes and All Routers, dropping potentially vital packets.

Workaround:
None

Fixed Versions:
17.1.1, 16.1.5, 15.1.10

1292793-4 : FIX protocol late binding flows that are not PVA accelerated may fail

Links to More Info: BT1292793

Component: Local Traffic Manager

Symptoms:
FastL4 connections with late binding enabled typically used for FIX protocol can stall or hang if they are evicted from PVA and not re-offloaded.

Conditions:
- Late binding enabled on a FastL4 flow. The flow is not accelerated, and if the flow recieves approximately 50 packets, then it will hang. Captures would show packets ingressing to the BIG-IP and not being forwarded to the peer.

Impact:
Connection may stall.