Applies To:
Show VersionsBIG-IP APM
- 17.1.2
BIG-IP Link Controller
- 17.1.2
BIG-IP Analytics
- 17.1.2
BIG-IP LTM
- 17.1.2
BIG-IP PEM
- 17.1.2
BIG-IP AFM
- 17.1.2
BIG-IP FPS
- 17.1.2
BIG-IP DNS
- 17.1.2
BIG-IP ASM
- 17.1.2
BIG-IP Release Information
Version: 17.1.2
Build: 8.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
The blue background highlights fixes |
Cumulative fixes from BIG-IP v17.1.1.4 that are included in this release
Cumulative fixes from BIG-IP v17.1.1.3 that are included in this release
Cumulative fixes from BIG-IP v17.1.1.2 that are included in this release
Cumulative fixes from BIG-IP v17.1.1.1 that are included in this release
Cumulative fixes from BIG-IP v17.1.1 that are included in this release
Cumulative fixes from BIG-IP v17.1.0.3 that are included in this release
Cumulative fixes from BIG-IP v17.1.0.2 that are included in this release
Cumulative fixes from BIG-IP v17.1.0.1 that are included in this release
Known Issues in BIG-IP v17.1.x
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1622609-3 | CVE-2024-3596 | K000141008 | Blast-RADIUS CVE-2024-3596 | 17.1.2 |
1678649-4 | CVE-2024-3596 | K000141008 | Radius client configuration option for CVE-2024-3596 | 17.1.2 |
1622029-1 | CVE-2024-1975 | K000140745 | Upgrade the bind package to fix security vulnerabilities | 17.1.2 |
1622025-1 | CVE-2024-1737 | K000140732 | Upgrade the bind package to fix security vulnerabilities | 17.1.2 |
1621249-3 | CVE-2024-3596 | K000141008 | CVE-2024-3596: Blast Radius | 17.1.2 |
1507913-6 | CVE-2023-50868 | K000139084, BT1507913 | CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources | 17.1.2, 16.1.5 |
1507569-4 | CVE-2023-50387 | K000139092, BT1507569 | KeyTrap: Extreme CPU consumption in DNSSEC validator | 17.1.2, 16.1.5 |
1506049-4 | CVE-2023-4408 | K000138990, BT1506049 | Parsing large DNS messages may cause excessive CPU load | 17.1.2, 16.1.5 |
989373-10 | CVE-2020-14314 | K67830124, BT989373 | CVE-2020-14314 kernel: buffer uses out of index in ext3/4 filesystem | 17.1.2, 16.1.5, 15.1.9 |
1410457-5 | CVE-2023-5678 | K000138242 | OpenSSL vulnerability CVE-2023-5678 | 17.1.2 |
1026873-8 | CVE-2020-27618 | K08641512, BT1026873 | CVE-2020-27618: iconv hangs when converting some invalid inputs from several IBM character sets | 17.1.2, 16.1.5, 15.1.9 |
1075681-2 | CVE-2020-17541 | K000140960, BT1075681 | CVE-2020-17541 libjpeg-turbo: Stack-based buffer overflow in the "transform" component | 17.1.2, 16.1.5 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
722657-4 | 3-Major | BT722657 | Mcpd and bigd monitor states are intermittently out-of-sync | 17.1.2 |
1073673-3 | 3-Major | BT1073673 | Prevent possible early exit from persist sync | 17.1.2 |
1067449-3 | 3-Major | BT1067449 | PEM Bandwidth Controller policies applied to a user session get stuck with the lowest precedence rule | 17.1.2 |
1538285-1 | 4-Minor | BIG-IP splits the PUBLISH message when an MQTT profile is applied | 17.1.2 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
997793-5 | 2-Critical | K34172543, BT997793 | Error log: Failed to reset strict operations; disconnecting from mcpd★ | 17.1.2, 16.1.5 |
967573-4 | 2-Critical | BT967573 | Qkview generation from Configuration Utility fails | 17.1.2 |
929133 | 2-Critical | BT929133 | TMM continually restarts with errors 'invalid index from net device' and 'device_init failed' | 17.1.2 |
756830-7 | 2-Critical | BT756830 | BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict' | 17.1.2, 15.1.9 |
1598465-1 | 2-Critical | Tmm core while modifying traffic selector | 17.1.2 | |
1583201 | 2-Critical | Input validation improvements | 17.1.2 | |
1580229-2 | 2-Critical | BT1580229 | Tmm tunnel failed to respond to ISAKMP | 17.1.2 |
1526589-1 | 2-Critical | BT1526589 | Hostname changes to localhost.localdomain on rebooting other slots | 17.1.2 |
1505305-3 | 2-Critical | CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack | 17.1.2 | |
1410953-1 | 2-Critical | BT1410953 | Keymgmtd coring or restarting in loop when we have an empty crl file inside crl_file_cache_d path. | 17.1.2, 16.1.5 |
1360757-3 | 2-Critical | BT1360757 | The OWASP compliance score generation failing with error 501 "Invalid Path" | 17.1.2, 16.1.5 |
1321029-1 | 2-Critical | BIG-IP tenant or VE fails to load the config files because the hypervisor supplied hostname is not a FQDN | 17.1.2 | |
969345-4 | 3-Major | BT969345 | Temporary TMSH files not always removed after session termination | 17.1.2, 16.1.5 |
955897-5 | 3-Major | BT955897 | Configuration may fail to load with named virtual-address for 0.0.0.0 in a non-zero route domain★ | 17.1.2 |
942217-7 | 3-Major | BT942217 | Virtual server rejects connections even though the virtual status is 'available' | 17.1.2, 16.1.5 |
760982-4 | 3-Major | BT760982 | An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios | 17.1.2 |
1689781-1 | 3-Major | TMUI hardening | 17.1.2 | |
1622789-1 | 3-Major | BT1622789 | Traffic levels for NAT64/46 traffic might be different after an upgrade | 17.1.2 |
1617229 | 3-Major | BT1617229 | The tmsh ipsec ike command causes mcp memory leak | 17.1.2 |
1602033-1 | 3-Major | BT1602033 | Delays in REST API Calls post upgrade to 17.1.1.x★ | 17.1.2 |
1593621-1 | 3-Major | TMM core on IPSEC config load/sync stats★ | 17.1.2 | |
1588841-1 | 3-Major | BT1588841 | SA Delete is not send to other end | 17.1.2 |
1582593-2 | 3-Major | BT1582593 | F5OS tenant may not pass FastL4 accelerated traffic through VLAN group | 17.1.2 |
1581001-3 | 3-Major | BT1581001 | Memory leak in ipsec code | 17.1.2 |
1538185-2 | 3-Major | BT1538185 | Broadcast destination MAC may get offloaded | 17.1.2 |
1514669 | 3-Major | Traffic disruption when mac masquerade is used and tmm on one blade goes offline. | 17.1.2 | |
1475041-1 | 3-Major | BT1475041 | Token is getting deleted in 10 mins instead of 20 minutes. | 17.1.2 |
1469897-4 | 3-Major | BT1469897 | Memory leak is observed in IMI when it is invoked via icall script | 17.1.2 |
1462409-1 | 3-Major | BT1462409 | PVA dedicated mode in F5OS tenants needs eviction disabled | 17.1.2 |
1399741-2 | 3-Major | BT1399741 | [REST][APM]command 'restcurl /tm/access/session/kill-sessions' output on APM is empty | 17.1.2 |
1398809-3 | 3-Major | BT1398809 | TMM can not process traffic on Cisco ENIC | 17.1.2 |
1398229-2 | 3-Major | BT1398229 | Enabling support for SSH-RSA in Non FIPS mode | 17.1.2, 16.1.5 |
1389401-1 | 3-Major | BT1389401 | Peer unit incorrectly shows the pool status as unknown after merging the configuration | 17.1.2 |
1354009 | 3-Major | Secure erase of BIG-IP tenant | 17.1.2 | |
1350717-2 | 3-Major | BT1350717 | When the client IP address changes immediately after the authentication to the Configuration Utility, HTTPD could enforce the source IP check even if 'auth-pam-validate-ip' is set to 'off' | 17.1.2, 16.1.5 |
1350693-1 | 3-Major | BT1350693 | Log publisher using replicated destination with unreliable destination servers may leak xfrags | 17.1.2, 16.1.5 |
1347825-1 | 3-Major | BT1347825 | Traffic group becomes active on more than one BIG-IP after a long uptime and long HA disconnection time | 17.1.2 |
1345989-3 | 3-Major | BT1345989 | "Rest framework is not available" being displayed when navigating to the "Device Management >> Overview" page | 17.1.2, 16.1.5 |
1326501-1 | 3-Major | BT1326501 | Configure DAG fold_bits to improve connection distribution | 17.1.2, 16.1.5 |
1322701-4 | 3-Major | Vulnerability scanner reports BIG-IP is disclosing sensitive information | 17.1.2, 16.1.5 | |
1320389-3 | 3-Major | BT1320389 | vCMP guest loses connectivity because of bad interface mapping | 17.1.2, 16.1.5 |
1297257-1 | 3-Major | BT1297257 | Pool member Forced Offline then Enabled is marked down on peer after Incremental sync | 17.1.2, 16.1.5 |
1294109-4 | 3-Major | BT1294109 | MCP does not properly read certificates with empty subject name | 17.1.2, 16.1.5 |
1292493-1 | 3-Major | BT1292493 | Enforcement of non-approved algorithms in FIPS or Common Criteria mode. | 17.1.2, 16.1.5 |
1291217-2 | 3-Major | BT1291217 | EasySoap++-0.6.2 is not coded to add an SNI | 17.1.2, 16.1.5 |
1282193-1 | 3-Major | BT1282193 | Missing NAT46/64 offload support on F5OS platforms | 17.1.2 |
1269593-1 | 3-Major | K000137127, BT1269593 | SSH client fails to connect using host key type ssh-rsa | 17.1.2, 16.1.5 |
1239905-3 | 3-Major | FCS errors between the switch and HSB on iSeries platforms | 17.1.2 | |
1181757-7 | 3-Major | BT1181757 | BGPD assert when sending an update | 17.1.2, 16.1.5 |
1160805-4 | 3-Major | BT1160805 | The scp-checkfp fail to cat scp.whitelist for remote admin | 17.1.2, 16.1.4, 15.1.9 |
1147849-6 | 3-Major | Rest token creation does not follow all best practices | 17.1.2, 16.1.5 | |
1113693-4 | 3-Major | BT1113693 | SSL Certificate List GUI page takes a long time to load | 17.1.2, 16.1.5 |
1105021-3 | 3-Major | BT1105021 | F5OS BIG-IP tenants perform an MCPD "forceload" operation after a reboot | 17.1.2 |
1093973-9 | 3-Major | BT1093973 | Tmm may core when BFD peers select a new active device. | 17.1.2, 16.1.5 |
1067145-6 | 3-Major | K30539731 | Excess memory consumption by snmpd when protocols v1 or v2c are disabled | 17.1.2 |
1036461-5 | 3-Major | K81113851, BT1036461 | icrd_child may core with high numbers of open file descriptors. | 17.1.2 |
1035661-5 | 3-Major | BT1035661 | REST Requests return 401 Unauthorized when using Basic Auth | 17.1.2, 16.1.5 |
981325-1 | 4-Minor | Fragmented packets are not distributed in round robin when rrdag configured wth matching port range | 17.1.2 | |
908005-6 | 4-Minor | BT908005 | Limit on log framework configuration size | 17.1.2 |
904661 | 4-Minor | BT904661 | Mellanox NIC speeds may be reported incorrectly on Virtual Edition | 17.1.2, 17.1.0, 16.1.4 |
1589293-1 | 4-Minor | BT1589293 | Mcpd "IP::idle_timeout 0" warning generated in /var/log/ltm | 17.1.2 |
1576113-3 | 4-Minor | RFE: Add option to QOS mark egress BGP packets. | 17.1.2 | |
1576109-3 | 4-Minor | RFE: Add option to QOS mark egress BFD packets. | 17.1.2 | |
1497989-3 | 4-Minor | BT1497989 | Community list might get truncated | 17.1.2 |
1355149-4 | 4-Minor | BT1355149 | The icrd_child might block signals to child processes | 17.1.2, 16.1.5 |
1354309-4 | 4-Minor | BT1354309 | IKEv1 over IPv6 does not work on VE | 17.1.2 |
1209589-5 | 4-Minor | BT1209589 | BFD multihop does not work with ECMP routes | 17.1.2 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1353565-3 | 1-Blocking | Certain extreme SSL traffic patterns may impact throughput | 17.1.2 | |
928089-1 | 2-Critical | K40226145 | BIG-IP Oracle health monitor fails for Oracle DB version 12.2 or higher | 17.1.2 |
1586765 | 2-Critical | In r2k/4k platforms vlan tagged to multiple interfaces, packets forwarded to all interfaces irrespective of destination is reachable. | 17.1.2 | |
1572069-1 | 2-Critical | HA connection flaps when vwire config is plugged in into the tenant | 17.1.2 | |
1518977 | 2-Critical | BT1518977 | TMM crashes during startup when there is delay in SEP initialization in main thread | 17.1.2 |
1496457-1 | 2-Critical | TMM crash under certain traffic patterns when an HTTP/2 profile is applied. | 17.1.2, 16.1.5 | |
1322973-1 | 2-Critical | A particular sequence of HTTP packets may cause TMM to crash | 17.1.2, 16.1.5 | |
1060369-3 | 2-Critical | BT1060369 | HTTP MRF Router will not change serverside load balancing method | 17.1.2 |
927633-5 | 3-Major | BT927633 | Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic | 17.1.2, 16.1.5 |
926721-1 | 3-Major | Postgresql monitors do not support scram-sha-256 authentication | 17.1.2 | |
874877-5 | 3-Major | BT874877 | The bigd monitor reports misleading error messages | 17.1.2, 16.1.5 |
1711025 | 3-Major | Added an option to prevent import of private keys into onboard FIPS HSM | 17.1.2 | |
1602697-1 | 3-Major | Full-proxy HTTP/2 may allow unconstrained buffering | 17.1.2 | |
1598945-1 | 3-Major | BT1598945 | Updating the firmware for a FIPS protected internal HSM due to SDK or driver upgrade | 17.1.2 |
1596637 | 3-Major | TLS1.3 with c3d and ocsp handshake failure | 17.1.2 | |
1580313-2 | 3-Major | BT1580313 | The server_connected event related logs in policy attached to a FastL4 virtual server is not logged to the LTM log | 17.1.2 |
1567173-1 | 3-Major | Http2 virtual server removes header with empty value on the server side | 17.1.2 | |
1561537-3 | 3-Major | SSL sending duplicate certificates | 17.1.2 | |
1559961-3 | 3-Major | BT1559961 | PVA FastL4 accelerated flows might not honor configured keep-alive-interval. | 17.1.2 |
1558993-1 | 3-Major | BT1558993 | Safenet network HSM installation shows unnecessary additional infinite installation options. | 17.1.2 |
1555525-2 | 3-Major | BT1555525 | WCCP traffic may have its source port changed | 17.1.2 |
1555461-1 | 3-Major | BT1555461 | TCP filter is not setting packet priority on keep-alive tx packets | 17.1.2 |
1554029-3 | 3-Major | BT1554029 | HTML::disable not taking effect in HTTP_REQUEST event | 17.1.2 |
1553761-3 | 3-Major | BT1553761 | Incorrect packet statistics counting upon connection reject/closure. | 17.1.2 |
1550685-1 | 3-Major | Usage of Brainpool curves might lead to instability in the TMM | 17.1.2 | |
1538241-1 | 3-Major | BT1538241 | HTTP may not forward POST with large headers and parking HTTP_REQUEST_RELEASE iRule | 17.1.2 |
1517469-1 | 3-Major | BT1517469 | Database monitor daemon process memory and CPU consumption increases over time | 17.1.2 |
1505649-1 | 3-Major | SSL Handshake fall back to full handshake during session resumption, if SNI string is more than 32 characters in length | 17.1.2 | |
1498361-1 | 3-Major | BT1498361 | Custom HTTP::respond does not fire as part of custom connect-error-message in HTTP explicit proxy profile. | 17.1.2 |
1497369-3 | 3-Major | HTTP::respond will not always be executed when rate limit on all pool members is reached. | 17.1.2 | |
1494293-5 | 3-Major | BT1494293 | BIG-IP might fail to forward server-side traffic after a routing disruption occurs. | 17.1.2, 16.1.5 |
1494217 | 3-Major | BT1494217 | Server response does not pass through after replacing the profile. | 17.1.2 |
1455953-3 | 3-Major | BT1455953 | The iRule "string first" command might fail to find the search string | 17.1.2 |
1429897-2 | 3-Major | BT1429897 | NShield netHSM : Creating new nShield key does not commit this key to an external RFS with nShield 12.60 | 17.1.2, 16.1.5 |
1408269-2 | 3-Major | Add action and status to monitor_instance table | 17.1.2 | |
1400317-1 | 3-Major | BT1400317 | TMM crash when using internal datagroup | 17.1.2, 16.1.5 |
1399645-1 | 3-Major | BT1399645 | iRule event BOTDEFENSE_ACTION validation failing a subroutine call | 17.1.2, 16.1.5 |
1399241 | 3-Major | BT1399241 | QUIC occasionally erroneously sends connection close with QPACK decoder stream error | 17.1.2, 16.1.5 |
1398925-1 | 3-Major | BT1398925 | Virtual Server status change log message fails to report actual status | 17.1.2 |
1389225-1 | 3-Major | BT1389225 | For certain iRules, TCP::close does not close the TCP connection | 17.1.2, 16.1.5 |
1389033-1 | 3-Major | K000137430, BT1389033 | In an iRule SSL::sessionid returns an empty value★ | 17.1.2, 16.1.5 |
1388621-1 | 3-Major | BT1388621 | Database monitor with no password marks pool member down | 17.1.2, 16.1.5 |
1369673-1 | 3-Major | BT1369673 | OCSP unable to staple certificate chain | 17.1.2, 16.1.5 |
1366593-3 | 3-Major | BT1366593 | HTTPS monitors can fail when multiple bigd processes use the same netHSM | 17.1.2, 16.1.5 |
1366217-1 | 3-Major | BT1366217 | The TLS 1.3 SSL handshake fails with "Decryption error" when using dynamic CRL validator | 17.1.2, 16.1.5 |
1365701-4 | 3-Major | BT1365701 | Core when flow with looped nexthop is torn down | 17.1.2 |
1347569-2 | 3-Major | BT1347569 | TCL iRule not triggered due to handshake state exceeding trigger point | 17.1.2, 16.1.5 |
1326721-2 | 3-Major | BT1326721 | Tmm crash in Google Cloud during a live migration | 17.1.2 |
1322937-3 | 3-Major | BT1322937 | Tmm crash in Google Cloud during a live migration: Assertion `empty xfrag' failed. | 17.1.2 |
1319265-5 | 3-Major | BT1319265 | Tmm crash observed in GCP after a migration | 17.1.2 |
1306249-2 | 3-Major | BT1306249 | Hourly spike in the CPU usage causing delay in TLS connections★ | 17.1.2, 16.1.5 |
1294289-1 | 3-Major | BT1294289 | SSL Persist leaks memory on when client and server hello exceeds MSS | 17.1.2, 16.1.5 |
1284897-3 | 3-Major | BT1284897 | TMM can crash when it exits while still processing traffic | 17.1.2 |
1166261-1 | 3-Major | BT1166261 | HTTP/2 should not translate "Host" header to ":authority" pseudo-header in response | 17.1.2 |
1148113-1 | 3-Major | BT1148113 | The websocket_ep_send_down_ws_message does an extra websockets_frame release | 17.1.2 |
1132105-6 | 3-Major | Database monitor daemon (DBDaemon) uses unsupported Java version | 17.1.2, 16.1.5 | |
1100761-4 | 3-Major | BT1100761 | TMM crashes when DHCP pool member is not reachable. | 17.1.2 |
1091969-5 | 3-Major | BT1091969 | iRule 'virtual' command does not work for connections over virtual-wire. | 17.1.2, 16.1.4, 15.1.9 |
1056941-5 | 3-Major | BT1056941 | HTTPS monitor continues using cached TLS version after receiving fatal alert. | 17.1.2 |
1025089-7 | 3-Major | BT1025089 | Pool members marked DOWN by database monitor under heavy load and/or unstable connections | 17.1.2, 16.1.5 |
1589813-2 | 4-Minor | BT1589813 | Change in behaviour when setting value HTTP::payload to 0 in irule from v16 onwards★ | 17.1.2 |
1489657-1 | 4-Minor | BT1489657 | HTTP/2 MRF incorrectly end stream for 100 Continue | 17.1.2, 16.1.5 |
1469337-2 | 4-Minor | BT1469337 | iRule cycle count statistics may be incorrect | 17.1.2 |
1462885-3 | 4-Minor | BT1462885 | LTM should send ICMP port unreachable upon unsuccessful port selection. | 17.1.2, 16.1.5 |
1400161-1 | 4-Minor | BT1400161 | Enhance HTTP2 receive-window to maximum | 17.1.2 |
1350921-1 | 4-Minor | BT1350921 | SOCKS profile may not immediately expire connections | 17.1.2 |
1348841-2 | 4-Minor | BT1348841 | TMM cored with SIGSEGV when using dtls by disabling the unclean shutdown flag. | 17.1.2, 16.1.5 |
1320773-1 | 4-Minor | BT1320773 | Virtual server name caused buffer overflow | 17.1.2 |
1312105-3 | 4-Minor | BT1312105 | The tmm/ehash_stat inuse field for listener name hash is incremented but not decremented | 17.1.2, 16.1.5 |
1103117-1 | 4-Minor | BT1103117 | iAppLX extension using express with httpserver script leaves lingering client-side flow on HTTP requests. | 17.1.2, 16.1.5 |
991457-6 | 5-Cosmetic | BT991457 | The mpidump should show sequence number and higher precision date/time | 17.1.2, 16.1.5 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1354977-1 | 2-Critical | BT1354977 | TMM validating resolver performance dramatically decreases | 17.1.2 |
1322497-1 | 2-Critical | BT1322497 | GTM monitor recv string with special characters causes frequent iquery reconnects | 17.1.2, 16.1.5 |
1225061-1 | 2-Critical | BT1225061 | The zxfrd segfault with numerous zone transfers | 17.1.2, 16.1.5 |
1127241-6 | 2-Critical | BT1127241 | AS3 tenants don't sync reliably in GTM sync groups. | 17.1.2 |
1596897-3 | 3-Major | BIND9 upgrade from version 9.16 to 9.18 | 17.1.2 | |
1497861-1 | 3-Major | BT1497861 | DNS query fails with low EDNS0 buffer size | 17.1.2 |
1496205-1 | 3-Major | BT1496205 | Static CNAME pool members may get deleted when corresponding WideIPs are deleted | 17.1.2 |
1410989-1 | 3-Major | BT1410989 | DNSX returns a malformed UDP DNS response when the answer count is nonzero but there is no answer section. | 17.1.2, 16.1.5 |
1289313-1 | 3-Major | BT1289313 | Creation of wideip with alias would cause inconsistent zone data across GTM sync group | 17.1.2 |
1205061-5 | 3-Major | BT1205061 | DNSSEC keys removed from the configuration before expiration date when iQuery connection goes down | 17.1.2 |
1154313-3 | 3-Major | BT1154313 | TMM crash due to rrsets structure corruption | 17.1.2 |
1137569-5 | 3-Major | BT1137569 | Set nShield HSM environment variable. | 17.1.2, 16.1.5, 15.1.10 |
1137217-4 | 3-Major | BT1137217 | DNS profile fails to set TC flag for the responses containing RRSIG algorithm 13 | 17.1.2, 16.1.5 |
1128369-2 | 3-Major | BT1128369 | GTM (DNS) /Common/bigip monitor instances may show 'big3d: timed out' state | 17.1.2, 16.1.5 |
1100197-6 | 3-Major | BT1100197 | Mcpd message: Unable to do incremental sync, reverting to full load for device group /Common/gtm | 17.1.2, 16.1.5 |
1100169-2 | 3-Major | BT1100169 | GTM iQuery connections may be reset after SSL key renegotiation. | 17.1.2, 16.1.5 |
1086865-3 | 3-Major | BT1086865 | GTM sync fails when trying to create/sync a previously deleted partition. | 17.1.2 |
1436221-3 | 4-Minor | Modify b.root-servers.net IPv4 address to 170.247.170.2 and IPv6 address to 2801:1b8:10::b | 17.1.2 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
890037-2 | 2-Critical | BT890037 | Rare BD process core | 17.1.2, 16.1.5 |
1490765-3 | 2-Critical | BT1490765 | Request body can be unordered by bot-defense | 17.1.2, 16.1.5 |
1382365-1 | 2-Critical | BT1382365 | XML policy import fails due to corrupted user-defined Signature Set definition | 17.1.2 |
1366445-1 | 2-Critical | BT1366445 | [CORS] "Replace with" and "Remove header" CORS functionalities does not work | 17.1.2, 16.1.5 |
1365629-3 | 2-Critical | FPS signature and engine update fail to access sys db key proxy.password | 17.1.2 | |
1338929-1 | 2-Critical | Slow DNS response when the 'server-side access to disallowed host' violation is enabled | 17.1.2 | |
1325145-1 | 2-Critical | BT1325145 | SSRF DNS Lookup can cause memory leak | 17.1.2 |
1308673-1 | 2-Critical | BT1308673 | ASM::unblock iRule is ignored for violation rating block reason | 17.1.2 |
1217549-4 | 2-Critical | BT1217549 | Missed ASM Sync on startup | 17.1.2 |
852613-5 | 3-Major | BT852613 | Connection Mirroring and ASM Policy not supported on the same virtual server | 17.1.2, 16.1.5, 14.1.2.7 |
1617101-1 | 3-Major | Bd crash and generate core | 17.1.2 | |
1599213-7 | 3-Major | Deleting a signature takes more time | 17.1.2 | |
1584217-3 | 3-Major | BT1584217 | Captcha prompt not presented | 17.1.2 |
1581533-2 | 3-Major | Existing SameSite attribute for cookie is not detected in response in case of no closing semi-colon after attribute's value | 17.1.2 | |
1579553-1 | 3-Major | BT1579553 | Signatures triggered for cookies with empty values after upgrade to 17.1.1.1★ | 17.1.2 |
1572505-4 | 3-Major | BT1572505 | BD crash with specific iRule | 17.1.2 |
1561713-1 | 3-Major | BD total_max_mem is initialized with a low (default) value resulting in many issues with long request buffers and traffic failing | 17.1.2 | |
1560001-1 | 3-Major | BT1560001 | Bd crash | 17.1.2 |
1558581-2 | 3-Major | BT1558581 | Host authority sub component not parsed properly | 17.1.2 |
1555021-1 | 3-Major | Mysql error after roll forward upgrade when uploading base version's csv over upgraded version.★ | 17.1.2 | |
1553989-1 | 3-Major | BT1553989 | A BD crash on a specific scenario | 17.1.2 |
1553533-3 | 3-Major | BT1553533 | Negative frame number might result in bd crash. | 17.1.2 |
1552441-1 | 3-Major | Error message for bot-signature update failure. | 17.1.2 | |
1482769-3 | 3-Major | BT1482769 | JSON schema failing after upgrade to 15.1.10.2★ | 17.1.2 |
1474749-3 | 3-Major | ASM policy IP Address Exceptions list entry shows incorrect route_domain | 17.1.2 | |
1469889-1 | 3-Major | URI should not raise violation when the SSRF violation is turned off | 17.1.2 | |
1468809-1 | 3-Major | BT1468809 | Attack signature "Staged Since" timestamp is not accurate | 17.1.2, 16.1.5 |
1466325-1 | 3-Major | BT1466325 | Live Update installation window does not disappear when an installation error occurs | 17.1.2 |
1462797-4 | 3-Major | BT1462797 | TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection when an HTTP/2 request is sent | 17.1.2, 16.1.5 |
1407997-1 | 3-Major | BT1407997 | Enforcer crash due to the ASM parameter configuration | 17.1.2 |
1399289-2 | 3-Major | BT1399289 | "XML data does not comply with schema or WSDL document" violations after upgrade to 16.1.4.1 | 17.1.2, 16.1.5 |
1388273-1 | 3-Major | BT1388273 | Bd Crash or Performance Degradation in Specific Scenarios | 17.1.2 |
1366153-1 | 3-Major | BT1366153 | "Illegal repeated header violation" is added with blocking enabled, after upgrading to v16+ from earlier versions★ | 17.1.2 |
1360965-1 | 3-Major | BT1360965 | Bd memory leak | 17.1.2 |
1360129-3 | 3-Major | BT1360129 | Tcpdump filter by dosl7d_attack_monitor has no netmask | 17.1.2 |
1359281-1 | 3-Major | BT1359281 | Attack signature is not detected when the value does not have '=' | 17.1.2, 16.1.5 |
1352801-1 | 3-Major | BT1352801 | Unnessecary DNS lookups invoked by the bot defense process | 17.1.2 |
1350141-2 | 3-Major | BT1350141 | Duplicate user-defined Signature Set based on Attack Type is created upon policy import during upgrade★ | 17.1.2, 16.1.5 |
1348425-1 | 3-Major | BT1348425 | Header name or parameter name is configured with space. | 17.1.2, 16.1.5 |
1347949-1 | 3-Major | BT1347949 | High CPU for bd process under specific conditions★ | 17.1.2 |
1346461-1 | 3-Major | BT1346461 | Bd crash at some cases | 17.1.2, 16.1.5 |
1332769-1 | 3-Major | BT1332769 | Wildcard order incorrect for JSON Policy Import | 17.1.2, 16.1.5 |
1329893-2 | 3-Major | BT1329893 | TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection based on IP, when an HTTP/2 request is sent | 17.1.2, 16.1.5 |
1318297-1 | 3-Major | Failure configuring GraphQL Schema File with Query type | 17.1.2 | |
1317873-1 | 3-Major | BT1317873 | illegal parameter data type' is detected on 'auto detect | 17.1.2 |
1308113-2 | 3-Major | BT1308113 | Dot at the end of an URL is ignored | 17.1.2 |
1307449-1 | 3-Major | ASM remote logging with non-default route domain is broken | 17.1.2 | |
1300909-1 | 3-Major | Violation details for "HTTP protocol compliance failed" violation are not available if the Block flag is only enabled | 17.1.2 | |
1300645-1 | 3-Major | Wrong violation attribute is reported on a request. | 17.1.2 | |
1298161-1 | 3-Major | BT1298161 | Ts_cookie_add_attrs is not effective with cookies that have non-root path or domain attribute | 17.1.2, 16.1.5 |
1295057-2 | 3-Major | BT1295057 | Installation of Attack Signatures file reported as fail after 1 hour | 17.1.2, 16.1.5 |
1293829-1 | 3-Major | BT1293829 | The violation "Illegal cross-origin request" is raised when it is not enabled under learning-blocking settings | 17.1.2 |
1288517-1 | 3-Major | BT1288517 | Item filter does not work on /mgmt/tm/asm/tasks/export-suggestions/ | 17.1.2, 16.1.5 |
1280857-3 | 3-Major | Illegal file type is enabled in Rapid Deployment Template. | 17.1.2 | |
1245221-2 | 3-Major | BT1245221 | ASM Policy IP Intelligence configuration does not seem to synchronize when the device group is set to automatic sync | 17.1.2 |
1238449-1 | 3-Major | BT1238449 | Replacement of the same policy from a full JSON file with a non UTF-8 character fails | 17.1.2 |
1235337-2 | 3-Major | BT1235337 | The 'JSON profile' with 'JSON schema validation' was not created for the body parameter in the OpenAPI URL | 17.1.2 |
1231137-1 | 3-Major | BT1231137 | During signature update, Bot signature from one user partition affecting the Bot profile created in another Partition | 17.1.2, 16.1.5 |
1226537-1 | 3-Major | Duplicated details are shown in files preview. | 17.1.2 | |
1224329-2 | 3-Major | No learning suggestion for URL "Override policy allowed methods" attribute | 17.1.2 | |
1211905-3 | 3-Major | BT1211905 | Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts" | 17.1.2, 16.1.5 |
1211009-4 | 3-Major | Policy Builder core dump occurs while modifying or accessing the policies, concurrently | 17.1.2 | |
1210321-2 | 3-Major | BT1210321 | Parameters are not created for properties defined in multipart request body when URL include path parameter | 17.1.2, 16.1.5 |
1168157-1 | 3-Major | BT1168157 | OpenAPI: Special ASCII characters in "schema" block should not be converted to UTF8 | 17.1.2, 16.1.5 |
1081285-3 | 3-Major | BT1081285 | ASM::disable iRule command causes HTTP2 RST_STREAM response when MRF is enabled | 17.1.2, 16.1.5 |
1069113-5 | 3-Major | BT1069113 | ASM process watchdog should be less aggressive | 17.1.2 |
1059849-2 | 3-Major | BT1059849 | ASM hostname headers have the route domain incorrectly appended | 17.1.2 |
1628329-1 | 4-Minor | The SSRF - FQDN segment with digits only is considered invalid by mistake | 17.1.2 | |
1600665-1 | 4-Minor | BT1600665 | Editing user-defined attack signature with advanced mode rule may be disabled. | 17.1.2 |
1577773-1 | 4-Minor | BT1577773 | Fix for ID1168157 does not work for some non-basic latin characters. | 17.1.2 |
1557205-1 | 4-Minor | BT1557205 | Alarm and Block flags are enabled for "GraphQL disallowed pattern in response" violation in blank policy template | 17.1.2 |
1493933-1 | 4-Minor | BT1493933 | DNS lookups should be protected by a specific lock | 17.1.2 |
1468769-1 | 4-Minor | Signature Compile error for bot-signature emitted in asm control plane | 17.1.2 | |
1394049-1 | 4-Minor | Login page with URL longer than 128 bytes assigned to brute force causing ASM to restart loop | 17.1.2 | |
1393761-1 | 4-Minor | BT1393761 | ArcSight sends a series of '000000000' values in the remote log in case of Attack Signature Detected. | 17.1.2 |
1382141-5 | 4-Minor | BT1382141 | Query string gets stripped when bot defense redirects request via Location header, with versions that have the fix for ID890169★ | 17.1.2 |
1378405-1 | 4-Minor | BT1378405 | The sub-violation of HTTP compliance "Unescaped space in URL" is wrongly listed in TMUI | 17.1.2 |
1366229-1 | 4-Minor | BT1366229 | Leaked Credentials Action unexpectedly modified after XML-format policy export and re-import | 17.1.2, 16.1.5 |
1330473-3 | 4-Minor | BT1330473 | Response_log_rate_limit is not applied | 17.1.2, 16.1.5 |
1311253-1 | 4-Minor | BT1311253 | Set-Cookie header has no value (cookie-string) in server-side, due to asm.strip_asm_cookies | 17.1.2, 16.1.5 |
1293261-1 | 4-Minor | Subviolations (e.g., IP in host header violation) are not reported to the policy builder | 17.1.2 | |
1186661-1 | 4-Minor | BT1186661 | The security policy JSON profile created from OpenAPI file should have value "any" for it's defense attributes | 17.1.2, 16.1.5 |
1144013-1 | 4-Minor | BT1144013 | Policy import fails with Lock wait timeout exceeded ASM subsystem error | 17.1.2 |
1137245-2 | 4-Minor | BT1137245 | Issue with injected javascript can cause an error in the browser. | 17.1.2, 16.1.5 |
1084157-2 | 4-Minor | BT1084157 | Possible captcha loop when using Single Page Application | 17.1.2, 16.1.5 |
1057713-7 | 4-Minor | "South Sudan" is missing from the ASM Geolocation Enforcement list. | 17.1.2 | |
1030129-5 | 5-Cosmetic | BT1030129 | iHealth unnecessarily flags qkview for H701182 with mcp_module.xml | 17.1.2, 16.1.5 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1505789 | 1-Blocking | K000138683, BT1505789 | VPN connection fails with Edge client 7.2.4.6 with error "Network is vulnerable"★ | 17.1.2, 16.1.5 |
1429717 | 1-Blocking | BT1429717 | APM as oAuth AS intermittently returning HTTP/1.1 400 Bad Request | 17.1.2 |
1691449 | 2-Critical | TMM core dump during FIPS HSM operations which involve restart of services | 17.1.2 | |
1598345-1 | 2-Critical | BT1598345 | [APM] Unable to access virtual IP when address-list configured | 17.1.2 |
1561697 | 2-Critical | Applying mutliple policies causes apmd to use a lot of CPU causes failure in sessiondb related operations | 17.1.2 | |
1552685-1 | 2-Critical | K000138771, BT1552685 | Issues are observed with APM Portal Access on Chrome browser version 122 or later | 17.1.2, 16.1.5 |
1496841-1 | 2-Critical | BT1496841 | CRLDP Lookup fails for lower update-interval value | 17.1.2 |
1455677-1 | 2-Critical | ACCESS Policy hardening | 17.1.2, 16.1.5 | |
1400257 | 2-Critical | Citrix Autodetect fails when STA is configured in Storefront | 17.1.2 | |
1381689 | 2-Critical | BT1381689 | SAML SP does not properly sign the SAML Auth Request sent to SAML IdP when http-redirect with detached signature | 17.1.2 |
1366401-2 | 2-Critical | BT1366401 | [APM]"F5RST: HTTP internal error" occurring after BIG-IP initiated client-ssl renegotiation | 17.1.2, 16.1.5 |
1355377 | 2-Critical | BT1355377 | Subroutine gating criteria utilizing TCL may cause TMM to restart | 17.1.2, 16.1.5 |
1354345-2 | 2-Critical | BT1354345 | Including RelayState while validating SLO Response Signature | 17.1.2 |
1353021 | 2-Critical | BT1353021 | Memory Leak in TMM due to SAML SSO after upgrading★ | 17.1.2 |
1342013-1 | 2-Critical | BT1342013 | [APM][SSO]TMM core in SAML use case. | 17.1.2 |
1321713-1 | 2-Critical | K000135858, BT1321713 | BIG-IP Rewrite Profile GUI and URI Validation is inconsistent | 17.1.2, 16.1.5 |
1020881-2 | 2-Critical | BT1020881 | TMM crashes while passing APM traffic. | 17.1.2, 16.1.5 |
903501-1 | 3-Major | BT903501 | VPN Tunnel establishment fails with some ipv6 address | 17.1.2 |
1634801 | 3-Major | [APM] [SSO] Cleaning the config snapshot when pcb->cfg is set in v17.1.x | 17.1.2 | |
1632397 | 3-Major | BT1632397 | BIG-IP as SP, SLO request does not include SessionIndex | 17.1.2 |
1602449 | 3-Major | BT1602449 | Kerberos Auth failed (-1) | 17.1.2 |
1593413-3 | 3-Major | CVE-2023-37369: Qt issue leads to Bufferoverflow | 17.1.2 | |
1593125-3 | 3-Major | Qt Component lead to infinite loop | 17.1.2 | |
1589481 | 3-Major | BT1589481 | In IDP-initiated flow, Relay state sent in SAML response is not considered by the SP and SP rather uses Relay state configured in its config | 17.1.2 |
1575325 | 3-Major | SAML SP not sending Authnrequest and throwing an error "Failed to get authentication request from session variable 'session.samlcryptodata.CompressAuthnRQ' for SAML Agent: /Common/SP_access_policy_act_saml_auth_ag." | 17.1.2 | |
1506009-2 | 3-Major | BT1506009 | Oauth core | 17.1.2, 16.1.5 |
1506005-3 | 3-Major | BT1506005 | TMM core occurs due to OAuth invalid number of keys or credential block size | 17.1.2, 16.1.5 |
1491481-1 | 3-Major | BT1491481 | Server changes to support QT upgrade of Mac Clients | 17.1.2, 16.1.5 |
1490833-2 | 3-Major | BT1490833 | OAuth agent gets misconfigured when adding a new Scope/Claim in VPE | 17.1.2, 16.1.5 |
1473701-1 | 3-Major | BT1473701 | Oauth Discovery task is struck at "SAVE_AND_APPLY" state | 17.1.2, 16.1.5 |
1473589 | 3-Major | BT1473589 | SAML SP fails with error 'Response/assertion is not signed' on receiving the assertion★ | 17.1.2 |
1472609-1 | 3-Major | BT1472609 | [APM]Some user roles unable view Access config GUI, getting 403 error | 17.1.2, 16.1.5 |
1409453-1 | 3-Major | BT1409453 | [APM][NA]Read Access Denied for 'Manger role' when accessing Network Settings in Network Access config | 17.1.2, 16.1.5 |
1407973-1 | 3-Major | BT1407973 | [APM][SAML] Assertion is not occurring when the Binding is set to POST in clientless mode | 17.1.2 |
1402421-2 | 3-Major | BT1402421 | Virtual Servers haviing adfs proxy configuration might have all traffic blocked | 17.1.2, 16.1.5 |
1400497 | 3-Major | Nlad unstable after upgrade★ | 17.1.2 | |
1377421-1 | 3-Major | BT1377421 | APMD processing of MCP messages is inefficient | 17.1.2 |
1359245-2 | 3-Major | BT1359245 | Apmd cored when processing oauth token response when response code is not "200" and "ContentType" header "text/html | 17.1.2, 16.1.5 |
1354673 | 3-Major | BT1354673 | Failure to read assertion after upgrade★ | 17.1.2 |
1352945-2 | 3-Major | BT1352945 | Rewrite plugin memory leak | 17.1.2, 16.1.5 |
1350273-1 | 3-Major | BT1350273 | Kerberos SSO Failing for Cross Domain After Upgrade from 15.1.8.2 to 15.1.9.1★ | 17.1.2, 16.1.5 |
1348153-1 | 3-Major | BT1348153 | Assigned IP Address session variable always as IPv6 Address | 17.1.2, 16.1.5 |
1341849-2 | 3-Major | BT1341849 | APM- tmm core SIGSEGV in saml artifact usage | 17.1.2, 16.1.5 |
1338837-1 | 3-Major | BT1338837 | [APM][RADIUS] Support Framed-IPv6-Address in RADIUS Accounting STOP message | 17.1.2, 16.1.5 |
1328433-1 | 3-Major | BT1328433 | TMM cores while using VPN with ipv6 configured | 17.1.2, 16.1.5 |
1318397 | 3-Major | BT1318397 | SAML Auth error "Failed to get authentication request from session variable 'session.samlcryptodata.Result'"★ | 17.1.2 |
1301853 | 3-Major | BT1301853 | Misleading error logs in SAML flow | 17.1.2 |
1273881-3 | 3-Major | BT1273881 | TMM crashes while processing traffic on the virtual server | 17.1.2, 16.1.5 |
1269709-4 | 3-Major | BT1269709 | GUI should throw the error when the VS is configured with both vdi and HTTP/2 profiles | 17.1.2, 16.1.5 |
1238329-1 | 3-Major | BT1238329 | Intermittent request for /vdesk/c_ses.php3?orig_uri is reset with cause Access encountered error: ERR_NOT_FOUND | 17.1.2, 16.1.5 |
1217365-2 | 3-Major | BT1217365 | OIDC: larger id_token encoded incorrectly by APM | 17.1.2 |
1190025-3 | 3-Major | BT1190025 | The OAuth process crash | 17.1.2, 16.1.5 |
1188417-4 | 3-Major | BT1188417 | OpenSSL: DRBG Continuous RNG test failed: DRBG stuck. | 17.1.2, 16.1.5 |
1145989-3 | 3-Major | BT1145989 | ID token sub-session variables are not populated | 17.1.2, 16.1.5 |
1099833-3 | 3-Major | Add additional server side support for f5-epi links. | 17.1.2, 16.1.5 | |
1059757 | 3-Major | Auth code not issued when PKCE allow-plain-code-challenge is enabled in OAuth profile | 17.1.2 | |
1058873-3 | 3-Major | BT1058873 | Configuring source address as "address list" in a virtual server causes APMD to restart | 17.1.2 |
963129-5 | 4-Minor | BT963129 | RADIUS Accounting Stop message fails via layered virtual server | 17.1.2 |
1612885-1 | 4-Minor | BT1612885 | [PORTAL] Handle error in get_frameElement() | 17.1.2 |
1505413-1 | 4-Minor | BT1505413 | Error in Wrapper for Array.slice Method When F5_window_link is Undefined | 17.1.2, 16.1.5 |
1468589-1 | 4-Minor | BT1468589 | TypeError: Cannot convert a Symbol value to a string in CSSStyleDeclaration Object Getter and Setter Functions | 17.1.2, 16.1.5 |
1382329-2 | 4-Minor | BT1382329 | Handling 'active' attribute in introspection response | 17.1.2, 16.1.5 |
1381065-2 | 4-Minor | BT1381065 | Custom Request implementation modifies the Request object's prototype, resulting in the lack of the 'signal' property. | 17.1.2, 16.1.5 |
1354145-3 | 4-Minor | BT1354145 | Max session timeout countdown timer on webtop is reset when refreshing the Modern Webtop | 17.1.2 |
1351493-2 | 4-Minor | BT1351493 | Invalid JSON node type while support-introspection enabled | 17.1.2, 16.1.5 |
1350997-2 | 4-Minor | BT1350997 | Changes to support pre-logon when secondary logon service is disabled on windows edge client | 17.1.2, 16.1.5 |
504374-3 | 5-Cosmetic | BT504374 | Cannot search Citrix Applications inside folders | 17.1.2, 16.1.5 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1588901-3 | 2-Critical | Instrumentation for ID 1156149 can cause TMM to crash | 17.1.2 | |
1391161-1 | 2-Critical | sipmsg_parse_sdp crashes when SIP receives certain traffic pattern. | 17.1.2, 16.1.5 | |
1304297-1 | 2-Critical | A certain client sequence via MRF passthrough may cause TMM to core | 17.1.2, 16.1.5 | |
1270497-3 | 2-Critical | BT1270497 | MRF SIP/ALG Core dump observed while accessing trans_data in sipmsg_register_ingress_register_request_session_reply_common method | 17.1.2, 16.1.5 |
1230757-5 | 2-Critical | Handling concurrent lookups can cause memory leak in MRF | 17.1.2 | |
1566721-1 | 3-Major | BT1566721 | The SIP MRF virtual servers with mirroring enabled can lead to a connflow leak on standby | 17.1.2 |
1466293-1 | 3-Major | SIP MRF over TCP might cause excessive memory buffering | 17.1.2, 16.1.5 | |
1466289-4 | 3-Major | SIP MRF might leave orphaned connections | 17.1.2, 16.1.5 | |
1441433-1 | 3-Major | BT1441433 | BIG-IP may not remove the topmost via header from a SIP response before forwarding to server | 17.1.2 |
1399193-3 | 3-Major | BT1399193 | SIP parser not parsing response when ;; in the to: or from: | 17.1.2 |
1399861-2 | 4-Minor | SIP message parser should have warning logs for drops | 17.1.2 | |
1395281-1 | 4-Minor | BT1395281 | UDP payloads not ending with CRLF are being treated as BAD messages. | 17.1.2, 16.1.5 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1615101 | 1-Blocking | BT1615101 | BIG-IP AFM hardware DoS protection is incompatible when vCMP host or guest uses different versions | 17.1.2 |
1605125-1 | 2-Critical | BT1605125 | TMM might crash when AFM is used on the Virtual Edition of BIG-IP | 17.1.2 |
1048425-6 | 2-Critical | BT1048425 | Packet tester crashes TMM when vlan external source-checking is enabled | 17.1.2, 16.1.4 |
997169-1 | 3-Major | BT997169 | AFM rule not triggered | 17.1.2, 15.1.4.1 |
984965-5 | 3-Major | BT984965 | While intentionally exiting, sshplugin may invoke functions out of sequence and crash | 17.1.2, 16.1.5 |
968953-5 | 3-Major | BT968953 | Unnecessary authorization header added in the response for an IP intelligence feed list request | 17.1.2 |
955773-4 | 3-Major | BT955773 | Fw_lsn_pool_pba_stat: excessively high active_port_blocks stat for IPv4 | 17.1.2, 15.1.10 |
915221-7 | 3-Major | BT915221 | DoS unconditionally logs MCP messages to /var/tmp/mcpd.out | 17.1.2, 16.1.5 |
1596445-4 | 3-Major | BT1596445 | TMM crashes when firewall NAT policy uses automap and SIP/RTSP/FTP ALG. | 17.1.2 |
1391525-5 | 3-Major | BT1391525 | Timestamp Cookies and ePVA acceleration are incompatible on VELOS and rSeries platforms | 17.1.2 |
1388985-1 | 3-Major | BT1388985 | The daemon dwbld uses 100% CPU when max port value configured in TMC port list | 17.1.2, 16.1.5 |
1384509-4 | 3-Major | BT1384509 | The ePVA syncookie protection stays activated in hardware | 17.1.2 |
1325681-3 | 3-Major | K000136894, BT1325681 | VLAN tscookies with fastl4 timestamp preserve and PVA acceleration cause connection problems.★ | 17.1.2 |
1209409-5 | 3-Major | BT1209409 | Address lists with thousands of addresses can cause MCPD to become unresponsive and use 100% CPU | 17.1.2, 16.1.4 |
928653-2 | 4-Minor | BT928653 | [tmsh]:list security nat policy rules showing automap though the value set is None | 17.1.2, 16.1.5 |
760355-6 | 4-Minor | BT760355 | Firewall rule to block ICMP/DHCP from 'required' to 'default'★ | 17.1.2, 16.1.4, 15.1.9, 15.0.1.1, 14.1.2.1 |
1307605-3 | 4-Minor | AFM does not detect NXdomain attack (for DNS express) | 17.1.2 | |
1302869-1 | 4-Minor | BT1302869 | AFM is not accounting Nxdomain attack for TCP query | 17.1.2, 16.1.5 |
1014609-2 | 4-Minor | BT1014609 | Tunnel_src_ip support for dslite event log for type field list | 17.1.2, 15.1.4 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1496701-3 | 2-Critical | BT1496701 | PEM CPPE reporting buffer overflow resulting in core | 17.1.2, 16.1.5 |
1613689-1 | 3-Major | Handling multiple requests can cause memory leak when handling Diameter requests | 17.1.2 | |
1470329-1 | 3-Major | BT1470329 | PEM: Multiple layers of callback cookies need input validation in order to prevent crashes. | 17.1.2, 16.1.5 |
1462393-2 | 3-Major | BT1462393 | Quota is not getting updated from the PEM side | 17.1.2, 16.1.5 |
1394601-3 | 3-Major | BT1394601 | PEM AVR onbox reporting stall | 17.1.2, 16.1.5 |
1389049-3 | 3-Major | BT1389049 | Frequent instances of provisioning-pending count spiking on various PEM devices | 17.1.2, 16.1.5 |
1277381-2 | 3-Major | PEM resource leak in MW layer leads to crash of Diameter interface | 17.1.2, 16.1.5 | |
1231001-3 | 3-Major | BT1231001 | PEM flow-term-on-sess-delete can cause cores | 17.1.2, 16.1.5 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1496313-3 | 2-Critical | Use of XLAT:: iRule command can lead to the TMM crash | 17.1.2 | |
1620897-1 | 3-Major | BT1620897 | Flow will abruptly get dropped if "PVA Offload Initial Priority" is set to High/Low★ | 17.1.2 |
1317773-4 | 4-Minor | BT1317773 | CGNAT / AFM NAT: "Clients Using Max Port Blocks" counter might be inaccurate | 17.1.2 |
Fraud Protection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1060393-3 | 3-Major | K24102225, BT1060393 | Extended high CPU usage caused by JavaScript Obfuscator. | 17.1.2, 16.1.5 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1481929 | 2-Critical | BT1481929 | Possible TMM crash on a race of BADOS and DOSL7 mitigations | 17.1.2 |
1628065-2 | 3-Major | BT1628065 | TMM crash upon replacing L7 DOS policy | 17.1.2 |
1589045-1 | 3-Major | BT1589045 | When the ADMD process becomes unresponsive during the attack, TMM continues to mitigate bad traffic after the attack | 17.1.2 |
1566921-1 | 3-Major | BT1566921 | Client connection gets reset after upgrade to 17.1.1★ | 17.1.2 |
1538173-1 | 3-Major | BT1538173 | Bados TLS fingerprints works incorrectly with chrome's new versions | 17.1.2, 16.1.5 |
1408381-2 | 3-Major | BT1408381 | BADOS signals might no sync on HA setups | 17.1.2, 16.1.5 |
1388341-1 | 3-Major | BT1388341 | tmm crash upon context reference that was already released (HUDEVT_SHUTDOWN) | 17.1.2, 16.1.5 |
1381565-1 | 3-Major | ADMD stability improvements when configured with TLS signatures | 17.1.2, 16.1.5 |
Traffic Classification Engine Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1591353-1 | 2-Critical | urlcat categorization improvements | 17.1.2 | |
1598421 | 3-Major | When uri is added with / at the end and category in a feedlist then the uri is not categorized as expected | 17.1.2 | |
1573629-2 | 3-Major | wr_urldbd cloud lookup is not optimal using a connection | 17.1.2 | |
1472685-3 | 3-Major | BT1472685 | Add support for 4 new Webroot Categories | 17.1.2, 16.1.5 |
1604377 | 4-Minor | BT1604377 | When feed list has multiple URLs with multiple subdomains then url cat-query is not working as expected | 17.1.2 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
985329-3 | 3-Major | BT985329 | Saving UCS takes longer and leaves temp files when iControl LX extension is installed | 17.1.2, 16.1.5 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1004697-5 | 3-Major | BT1004697 | Saving UCS files can fail if /var runs out of space | 17.1.2, 16.1.4, 15.1.10 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1579213-1 | 2-Critical | TMM instability when processing IPS pattern matches under load | 17.1.2 | |
1461597-3 | 3-Major | BT1461597 | IPS IM upgrade is taking more time | 17.1.2, 16.1.5 |
1324197-1 | 3-Major | BT1324197 | The action value in a profile which is in different partition cannot be changed from accept/reject/drop to Don't Inspect in UI | 17.1.2 |
1269845-4 | 3-Major | BT1269845 | When upgrading IM, seeing errors like MCPD timed out and Error: 'insp_id' | 17.1.2, 16.1.5 |
1075001-4 | 3-Major | BT1075001 | Types 64-65 in IPS Compliance 'Unknown Resource Record Type' | 17.1.2, 16.1.5 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1289845-4 | 3-Major | BT1289845 | Pool member marked as offline while matching both receive string and receive disable strings | 17.1.2, 16.1.5 |
1287045-4 | 3-Major | BT1287045 | In-TMM monitor may mark pool member offline despite its response matches Receive Disable String | 17.1.2, 16.1.5 |
Cumulative fixes from BIG-IP v17.1.1.4 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1593681-1 | CVE-2024-45844 | K000140061, BT1593681 | Monitor validation improvements | 17.1.1.4, 16.1.5, 15.1.10.5 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1378329-1 | 2-Critical | K000137353 | Secure internal communication between Tomcat and Apache | 17.1.1.4, 16.1.5, 15.1.10.5 |
1615861-1 | 3-Major | TMUI hardening | 17.1.1.4, 16.1.5.1, 15.1.10.5 |
Cumulative fixes from BIG-IP v17.1.1.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1495217-2 | CVE-2024-31156 | K000138636, BT1495217 | TMUI hardening | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1492361-1 | CVE-2024-33604 | K000138894, BT1492361 | TMUI Security Hardening | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1449709-1 | CVE-2024-28889 | K000138912, BT1449709 | Possible TMM core under certain Client-SSL profile configurations | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1366025-1 | CVE-2023-44487 | K000137106, BT1366025 | A particular HTTP/2 sequence may cause high CPU utilization. | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
1360917-5 | CVE-2024-27202 | K000138520, BT1360917 | TMUI hardening | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
Functional Change Fixes
None
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1494833-1 | 2-Critical | K000138898, BT1494833 | A single signature does not match when exceeding 65535 states | 17.1.1.3, 16.1.4.3, 15.1.10.4 |
Cumulative fixes from BIG-IP v17.1.1.2 that are included in this release
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1492681 | 1-Blocking | BT1492681 | Running tcpdump on a busy system may cause traffic drop. | 17.1.1.2 |
1429149-1 | 1-Blocking | K000138191, BT1429149 | VELOS tenant, TMM remains not ready and fails to fully come-up on secondary slots★ | 17.1.1.2 |
1409537-1 | 2-Critical | BT1409537 | The chmand fails to fully start on multi-slot F5OS tenants when the cluster members have addresses or alternate addresses | 17.1.1.2 |
1351049-2 | 2-Critical | BT1351049 | Platform recv queue is getting filled with requests from TMM. | 17.1.1.2 |
1447389 | 3-Major | BT1447389 | Dag context may not match the current cluster state | 17.1.1.2 |
1410509 | 3-Major | BT1410509 | A F5 CDP timeout for a single blade may override the DAG context for the whole system | 17.1.1.2 |
1353957-1 | 3-Major | K000137505, BT1353957 | The message "Error getting auth token from login provider" is displayed in the GUI★ | 17.1.1.2, 16.1.5 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1472817 | 2-Critical | BT1472817 | Blade disconnects from BIG-IP clusters during high traffic flow. | 17.1.1.2 |
1505669 | 3-Major | BT1505669 | Excessive broadcast traffic might cause backplane F5CDP packets to to dropped | 17.1.1.2 |
Cumulative fixes from BIG-IP v17.1.1.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1361169-1 | CVE-2023-40534 | K000133467, BT1361169 | Connections may persist after processing HTTP/2 requests | 17.1.1.1, 16.1.4.2 |
1117229-5 | CVE-2022-26377 | K26314875, BT1117229 | CVE-2023-46747 and CVE-2022-26377: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1391357-4 | CVE-2023-43125 | K000136909, BT1391357 | Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1381357-1 | CVE-2023-46748 | K000137365, BT1381357 | CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1304957-8 | CVE-2023-5450 | K000135040, BT1304957 | BIG-IP Edge Client for macOS vulnerability CVE-2023-5450 | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
1240121-5 | CVE-2022-36760 | K000132643, BT1240121 | CVE-2023-46747 and CVE-2022-36760: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1354253-1 | 3-Major | K000137322, BT1354253 | HTTP Request smuggling with redirect iRule | 17.1.1.1, 16.1.4.2, 15.1.10.3 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1395081 | 1-Blocking | K000137514, BT1395081 | Remote users are unable to generate authentication tokens | 17.1.1.1, 16.1.5 |
Cumulative fixes from BIG-IP v17.1.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
981917-8 | CVE-2020-8286 | K15402727 | CVE-2020-8286 - cUrl Vulnerability | 17.1.1, 16.1.4, 15.1.10 |
949857-9 | CVE-2024-22389 | K32544615, BT949857 | Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync | 17.1.1, 16.1.4, 15.1.9 |
1317705-1 | CVE-2024-25560 | K000139037, BT1317705 | TMM may restart on certain DNS traffic | 17.1.1, 16.1.4 |
1315193-3 | CVE-2024-33608 | K000138728, BT1315193 | TMM Crash in certain condition when processing IPSec traffic | 17.1.1, 16.1.4 |
1314301-1 | CVE-2024-23805 | K000137334, BT1314301 | TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled | 17.1.1, 16.1.4, 15.1.10 |
1307453-1 | CVE-2024-21789 | K000137270, BT1307453 | BD daemon may consume excessive resource and crash | 17.1.1 |
1295661-1 | CVE-2023-38418 | K000134746, BT1295661 | BIG-IP Edge Client for macOS vulnerability CVE-2023-38418 | 17.1.1, 16.1.4 |
1294089-1 | CVE-2024-23308 | K000137416, BT1294089 | BIG-IP Advanced WAF and BIG-IP ASM vulnerability CVE-2024-23308 | 17.1.1 |
1289189-4 | CVE-2024-24775 | K000137333, BT1289189 | In certain traffic patterns, TMM crash | 17.1.1, 16.1.4, 15.1.10 |
1271349-5 | CVE-2023-25690 | K000133098, BT1271349 | CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy | 17.1.1, 16.1.4, 15.1.9 |
1238629-2 | CVE-2024-21763 | K000137521, BT1238629 | TMM core when processing certain DNS traffic with bad actor (BA) enabled | 17.1.1, 16.1.4, 15.1.10 |
1223369-1 | CVE-2024-23982 | K000135946, BT1223369 | Classification of certain UDP traffic may cause crash | 17.1.1, 16.1.3.4, 15.1.10 |
1220629-1 | CVE-2024-23314 | K000137675, BT1220629 | TMM may crash on response from certain backend traffic | 17.1.1, 16.1.4, 15.1.9 |
1208001-3 | CVE-2023-22374 | K000130415, BT1208001 | iControl SOAP vulnerability CVE-2023-22374 | 17.1.1, 17.1.0, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1195489-6 | CVE-2024-22093 | K000137522, BT1195489 | iControl REST input sanitization | 17.1.1, 16.1.4, 15.1.9 |
1189461-1 | CVE-2023-36858 | K000132563, BT1189461 | BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-36858 | 17.1.1, 16.1.4 |
1167929-6 | CVE-2022-40674 | K44454157, BT1167929 | CVE-2022-40674 - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c | 17.1.1, 16.1.4, 15.1.9 |
1167897-9 | CVE-2022-40674 | K44454157, BT1167897 | [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c | 17.1.1, 16.1.4, 15.1.9 |
1153969-6 | CVE-2024-23979 | K000134516, BT1153969 | Excessive resource consumption when processing LDAP and CRLDP auth traffic | 17.1.1, 16.1.4, 15.1.9 |
1105589-4 | CVE-2024-39778 | K05710614, BT1105589 | HSB lockup using stateless virtual server | 17.1.1, 16.1.5 |
1075657-5 | CVE-2020-12825 | K01074825, BT1075657 | CVE-2020-12825 - libcroco vulnerability | 17.1.1, 16.1.4, 15.1.10 |
1070753-6 | CVE-2020-27216 CVE-2021-28169 CVE-2021-34428 CVE-2018-12536 |
K33548065, BT1070753 | CVE-2020-27216: Eclipse Jetty vulnerability | 17.1.1, 16.1.4, 15.1.9 |
1061977-1 | CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111 | K31781390, BT1061977 | Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111 | 17.1.1, 16.1.4, 15.1.10 |
972545-9 | CVE-2024-23976 | K91054692, BT972545 | iApps LX does not follow best practices in appliance mode | 17.1.1, 16.1.4, 15.1.9 |
948725-9 | CVE-2024-41723 | K10438187, BT948725 | An undisclosed iControl REST endpoint may provide a list of usernames to unauthorized users | 17.1.1, 16.1.5 |
1308269-2 | CVE-2022-4304 | K000132943, BT1308269 | OpenSSL vulnerability CVE-2022-4304 | 17.1.1, 16.1.5 |
1295017 | CVE-2024-41164 | K000138477, BT1295017 | TMM crash when using MPTCP | 17.1.1, 16.1.5, 15.1.10 |
1235801 | CVE-2023-0286 | K000132941, BT1235801 | OpenSSL vulnerability CVE-2023-0286 | 17.1.1, 16.1.4, 15.1.10 |
1123537-10 | CVE-2022-28615 | K40582331, BT1123537 | CVE-2022-28615 (httpd): out-of-bounds read in ap_strcmp_match() | 17.1.1, 16.1.4, 15.1.9 |
1099341-7 | CVE-2018-25032 | K21548854, BT1099341 | CVE-2018-25032: A flaw found in zlib, when compressing (not decompressing!) certain inputs | 17.1.1, 16.1.4, 15.1.9 |
1088445-11 | CVE-2022-22720 | K67090077, BT1088445 | CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body | 17.1.1, 16.1.4, 15.1.9 |
1070905-6 | CVE-2017-7656 | K21054458, BT1070905 | CVE-2017-7656 jetty: HTTP request smuggling using the range header | 17.1.1, 16.1.4, 15.1.9 |
1041577 | CVE-2024-21782 | K98606833, BT1041577 | SCP file transfer system, completing fix for 994801 | 17.1.1, 16.1.4, 15.1.9 |
1296489-1 | CVE-2024-23603 | K000138047, BT1296489 | ASM UI hardening | 17.1.1, 16.1.4, 15.1.10 |
Functional Change Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
737692-7 | 2-Critical | BT737692 | Handle x520 PF DOWN/UP sequence automatically by VE | 17.1.1, 16.1.5, 15.1.3.1 |
1211513-3 | 3-Major | BT1211513 | Data payload validation is added to HSB validation loopback packets | 17.1.1, 16.1.4, 15.1.10 |
1069441-5 | 3-Major | BT1069441 | Cookie without '=' sign does not generate rfc violation | 17.1.1, 16.1.5, 15.1.10 |
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1322009 | 1-Blocking | BT1322009 | UCS restore fails with ifile not found error | 17.1.1 |
994033-4 | 2-Critical | BT994033 | The daemon httpd_sam does not recover automatically when terminated | 17.1.1, 16.1.4, 15.1.9 |
993481-5 | 2-Critical | BT993481 | Jumbo frame issue with DPDK eNIC | 17.1.1, 16.1.4, 15.1.10 |
965897-5 | 2-Critical | BT965897 | Disruption of mcpd with a segmentation fault during config sync | 17.1.1, 16.1.5, 15.1.10 |
950201-6 | 2-Critical | BT950201 | Tmm core on GCP | 17.1.1, 16.1.4, 15.1.9 |
776117-6 | 2-Critical | BT776117 | BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type | 17.1.1, 16.1.5, 15.1.10 |
723109-4 | 2-Critical | BT723109 | FIPS HSM: SO login failing when trying to update firmware | 17.1.1, 16.1.4, 15.1.10 |
1295481-3 | 2-Critical | BT1295481 | FIPS keys are not restored when BIG-IP license is renewed after it expires | 17.1.1, 16.1.5 |
1290889-1 | 2-Critical | K000134792, BT1290889 | TMM disconnects from processes such as mcpd causing TMM to restart | 17.1.1, 16.1.4, 15.1.9 |
1286433-2 | 2-Critical | BT1286433 | Improve ASM performance for BIG-IP instances running on r2k / r4k appliances | 17.1.1, 15.1.9 |
1282513-1 | 2-Critical | BT1282513 | Redirections on the lowest numbered blade in mirroring configuration. | 17.1.1, 15.1.9 |
1256841-3 | 2-Critical | BT1256841 | AWS Metadata crawling fails due to incorrect cloud provider name set by cloud-init script | 17.1.1, 16.1.4, 15.1.10 |
1225789-1 | 2-Critical | BT1225789 | The iHealth API is transitioning from SSODB to OKTA | 17.1.1, 16.1.4, 15.1.9 |
1209709-5 | 2-Critical | BT1209709 | Memory leak in icrd_child when license is applied through BIG-IQ | 17.1.1, 16.1.4, 15.1.9 |
1191137-5 | 2-Critical | BT1191137 | WebUI crashes when the localized form data fails to match the expectations | 17.1.1, 16.1.5, 15.1.9 |
1113609-4 | 2-Critical | BT1113609 | GUI unable to load Bot Profiles and tmsh is unable to list them as well. | 17.1.1, 16.1.5 |
1105901-6 | 2-Critical | BT1105901 | Tmm crash while doing high-speed logging | 17.1.1, 16.1.4, 15.1.10 |
1075713-3 | 2-Critical | Multiple libtasn1 vulnuerabilities | 17.1.1, 16.1.4 | |
1075677-1 | 2-Critical | Multiple GnuTLS Mend findings | 17.1.1, 16.1.4, 15.1.10 | |
997561-6 | 3-Major | BT997561 | TMM CPU imbalance with GRE/TB and GRE/MPLS traffic | 17.1.1, 16.1.5, 15.1.10 |
989501-3 | 3-Major | BT989501 | A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus | 17.1.1, 16.1.4, 15.1.10 |
964125-7 | 3-Major | BT964125 | Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members. | 17.1.1, 16.1.4, 15.1.10 |
950153-4 | 3-Major | BT950153 | LDAP remote authentication fails when empty attribute is returned | 17.1.1, 16.1.5, 15.1.10 |
936093-7 | 3-Major | BT936093 | Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline | 17.1.1, 16.1.4, 15.1.9 |
906273-4 | 3-Major | BT906273 | MCPD crashes receiving a message from bcm56xxd | 17.1.1, 16.1.4, 15.1.10 |
804529-4 | 3-Major | BT804529 | REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools | 17.1.1, 16.1.4, 15.1.10 |
715748-4 | 3-Major | BT715748 | BWC: Flow fairness not in acceptable limits | 17.1.1, 16.1.5, 15.1.10 |
1338993 | 3-Major | BT1338993 | Failing to fetch the installed RPM, throwing an error Object contains no token child value | 17.1.1, 16.1.5 |
1332401-1 | 3-Major | BT1332401 | Errors after config sync with FIPS keys | 17.1.1 |
1316277-3 | 3-Major | K000137796, BT1316277 | Large CRL files may only be partially uploaded | 17.1.1, 16.1.4.2, 15.1.10.3 |
1314545-1 | 3-Major | BT1314545 | Restricting VwireObject and VwireNtiObject SHM and it's poll for non required platforms | 17.1.1 |
1311125-1 | 3-Major | BT1311125 | DDM Receive Power value reported in ltm log is ten times too high | 17.1.1, 16.1.5 |
1305897 | 3-Major | BT1305897 | A platform error can cause DAG context to be out of sync with the tenant | 17.1.1 |
1305125 | 3-Major | BT1305125 | Ssh to localhost not working with ssh-rsa | 17.1.1, 16.1.5 |
1301529 | 3-Major | BT1301529 | Update FIPS-required Service Indicators | 17.1.1 |
1293193-3 | 3-Major | BT1293193 | Missing MAC filters for IPv6 multicast | 17.1.1, 16.1.5, 15.1.10 |
1289705-2 | 3-Major | BT1289705 | MCPD always logs "01071323:4: Vlan (/<partition_name>/<vlan_name>:<ID>) is configured, but NOT on hypervisor allowed list" on F5OS tenant | 17.1.1 |
1288729-2 | 3-Major | BT1288729 | Memory corruption due to use-after-free in the TCAM rule management module | 17.1.1, 15.1.10 |
1287981-2 | 3-Major | BT1287981 | Hardware SYN cookie mode may not exit | 17.1.1, 15.1.10 |
1287821-2 | 3-Major | BT1287821 | Missing Neuron/TCAM rules | 17.1.1, 15.1.10 |
1232521-4 | 3-Major | SCTP connection sticking on BIG-IP even after connection terminated | 17.1.1, 16.1.4, 15.1.9 | |
1215613-3 | 3-Major | BT1215613 | ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address | 17.1.1, 15.1.10 |
1183901 | 3-Major | BT1183901 | VLAN name greater than 31 characters results in invalid F5OS tenant configuration | 17.1.1, 15.1.10 |
1155861-3 | 3-Major | BT1155861 | 'Unlicensed objects' error message appears despite there being no unlicensed configuration | 17.1.1, 15.1.9 |
1154381-6 | 3-Major | BT1154381 | The tmrouted might crash when management route subnet is received over a dynamic routing protocol | 17.1.1, 16.1.5, 15.1.10 |
1136921-6 | 3-Major | BT1136921 | BGP might delay route updates after failover | 17.1.1, 16.1.4, 15.1.10 |
1135961-6 | 3-Major | BT1135961 | The tmrouted generates core with double free or corruption | 17.1.1, 16.1.5, 15.1.9 |
1134509-5 | 3-Major | BT1134509 | TMM crash in BFD code when peers from ipv4 and ipv6 families are in use. | 17.1.1, 16.1.5, 15.1.10 |
1134057-6 | 3-Major | BT1134057 | BGP routes not advertised after graceful restart | 17.1.1, 16.1.5, 15.1.9 |
1124209-5 | 3-Major | BT1124209 | Duplicate key objects when renewing certificate using pkcs12 bundle | 17.1.1, 16.1.4, 15.1.9 |
1117305-8 | 3-Major | BT1117305 | The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials | 17.1.1, 16.1.4, 15.1.9 |
1112537-6 | 3-Major | BT1112537 | LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete. | 17.1.1, 16.1.4, 15.1.10 |
1104773-8 | 3-Major | REST API Access hardening | 17.1.1, 16.1.5 | |
1102425-1 | 3-Major | BT1102425 | F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary | 17.1.1, 15.1.10 |
1086393-4 | 3-Major | BT1086393 | Sint Maarten and Curacao are missing in the GTM region list | 17.1.1, 16.1.5 |
1077533-6 | 3-Major | BT1077533 | Status is showing INOPERATIVE after an upgrade and reboot★ | 17.1.1, 16.1.4, 15.1.10 |
1067797 | 3-Major | BT1067797 | Trunked interfaces that share a MAC address may be assigned in the incorrect order. | 17.1.1 |
1052893-5 | 3-Major | BT1052893 | Configuration option to delay reboot if dataplane becomes inoperable | 17.1.1, 16.1.2.2 |
1044089-5 | 3-Major | BT1044089 | ICMP echo requests to virtual address gets a response even when the virtual server is offline when updated from GUI. | 17.1.1, 16.1.4, 15.1.10 |
1040573-5 | 3-Major | BT1040573 | REST operation takes a long time when two different users perform tasks in parallel | 17.1.1, 16.1.5, 15.1.10 |
1040117-4 | 3-Major | BT1040117 | BIG-IP Virtual Edition drops UDP packets | 17.1.1, 16.1.5, 15.1.10 |
1020129-5 | 3-Major | BT1020129 | Turboflex page in GUI reports 'profile.Features is undefined' error★ | 17.1.1, 16.1.5, 15.1.10 |
964533-6 | 4-Minor | BT964533 | Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs. | 17.1.1, 16.1.4, 15.1.10 |
939757-7 | 4-Minor | BT939757 | Deleting a virtual server might not trigger route injection update. | 17.1.1, 16.1.4, 15.1.10 |
838405-5 | 4-Minor | BT838405 | Listener traffic-group may not be updated when spanning is in use | 17.1.1, 16.1.4, 15.1.10 |
1324681-4 | 4-Minor | BT1324681 | Virtual-server might stop responding when traffic-matching-criteria is removed. | 17.1.1 |
1320889-4 | 4-Minor | BT1320889 | Sock interface driver might fail to forward some packets. | 17.1.1, 16.1.5 |
1280281-4 | 4-Minor | BT1280281 | SCP allow list may have issues with file paths that have spaces in them | 17.1.1, 16.1.5, 15.1.10 |
1256777-5 | 4-Minor | BT1256777 | In BGP, as-origination interval not persisting after restart when configured on a peer-group. | 17.1.1, 16.1.4 |
1252537-4 | 4-Minor | BT1252537 | Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role | 17.1.1, 16.1.4 |
1185257-6 | 4-Minor | BT1185257 | BGP confederations do not support 4-byte ASNs | 17.1.1, 16.1.4, 15.1.10 |
1147633-3 | 4-Minor | Hardening of token creation by users with an administrative role | 17.1.1, 16.1.5 | |
1145729-2 | 4-Minor | BT1145729 | Partition description between GUI and REST API/TMSH does not match | 17.1.1, 16.1.5 |
1136837-5 | 4-Minor | BT1136837 | TMM crash in BFD code due to incorrect timer initialization | 17.1.1, 16.1.5, 15.1.10 |
1044893-4 | 4-Minor | BT1044893 | Kernel warnings from NIC driver Realtek 8139 | 17.1.1, 16.1.5, 15.1.10 |
1003081-5 | 4-Minor | BT1003081 | GRE/TB-encapsulated fragments are not forwarded. | 17.1.1, 16.1.5, 15.1.10 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1339201 | 1-Blocking | BT1339201 | ICMP traffic fails to reach tenant after a couple of continuous reboots | 17.1.1 |
1289981 | 1-Blocking | BT1289981 | Tenants on r2000 and r4000 systems will not pass traffic through VLAN groups, or if ltm global-settings general share-single-mac changed from "vmw-compat" | 17.1.1 |
1132801-2 | 1-Blocking | BT1132801 | Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured | 17.1.1 |
1319365-1 | 2-Critical | BT1319365 | Policy with external data group may crash TMM or return nothing with search contains | 17.1.1, 16.1.5 |
1305697-4 | 2-Critical | BT1305697 | TMM may crash after performing a full sync, when in-tmm monitors are configured and ssl-profile is changed | 17.1.1, 16.1.5 |
1298029-4 | 2-Critical | BT1298029 | DB_monitor may end the wrong processes | 17.1.1, 16.1.5 |
1286357-2 | 2-Critical | BT1286357 | Reducing packet loss for BIG-IP instance running on r2k / r4k appliances | 17.1.1, 15.1.9 |
1282357-3 | 2-Critical | BT1282357 | Double HTTP::disable can lead to tmm core | 17.1.1, 16.1.4, 15.1.10 |
1209945-2 | 2-Critical | BT1209945 | Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs | 17.1.1, 15.1.9 |
1205501-4 | 2-Critical | BT1205501 | The iRule command SSL::profile can select server SSL profile with outdated configuration | 17.1.1, 16.1.4, 15.1.9 |
1146377-6 | 2-Critical | BT1146377 | FastHTTP profiles do not insert HTTP headers triggered by iRules | 17.1.1, 16.1.4, 15.1.9 |
1126093-1 | 2-Critical | BT1126093 | DNSSEC Key creation failure with internal FIPS card. | 17.1.1, 16.1.4 |
1100721-5 | 2-Critical | BT1100721 | IPv6 link-local floating self-IP breaks IPv6 query to BIND | 17.1.1, 15.1.10 |
1024241-5 | 2-Critical | BT1024241 | Empty TLS records from client to BIG-IP results in SSL session termination | 17.1.1, 16.1.4, 15.1.9 |
996649-7 | 3-Major | BT996649 | Improper handling of DHCP flows leading to orphaned server-side connections | 17.1.1, 16.1.5, 15.1.10 |
985925-5 | 3-Major | BT985925 | Ipv6 Routing Header processing not compatible as per Segments Left value. | 17.1.1, 16.1.4, 15.1.10 |
921541-7 | 3-Major | BT921541 | When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker. | 17.1.1, 16.1.4, 15.1.10 |
878641-7 | 3-Major | BT878641 | TLS1.3 certificate request message does not contain CAs | 17.1.1, 16.1.4, 15.1.9 |
876569-6 | 3-Major | BT876569 | QAT compression codec produces gzip stream with CRC error | 17.1.1, 16.1.4, 15.1.10 |
851121-8 | 3-Major | BT851121 | Database monitor DBDaemon debug logging not enabled consistently | 17.1.1, 16.1.4, 15.1.10 |
842425-7 | 3-Major | BT842425 | Mirrored connections on standby are never removed in certain configurations | 17.1.1, 16.1.4, 15.1.10 |
693473-3 | 3-Major | BT693473 | The iRulesLX RPC completion can cause invalid or premature TCL rule resumption | 17.1.1, 16.1.4, 15.1.9 |
1305361-1 | 3-Major | BT1305361 | Flows that are terminated by an ILX streaming plugin may not expire immediately | 17.1.1, 16.1.5 |
1304189-4 | 3-Major | BT1304189 | Duplicate SYNs to a mirrored FastL4 virtual may result in connection failures | 17.1.1, 16.1.5 |
1302077-1 | 3-Major | BT1302077 | Virtual address statistics being counted for different virtual address after changing the destination address of a virtual server | 17.1.1, 16.1.5 |
1300925-4 | 3-Major | BT1300925 | Shared memory race may cause TMM to core | 17.1.1, 16.1.5 |
1292793-4 | 3-Major | BT1292793 | FIX protocol late binding flows that are not PVA accelerated may fail | 17.1.1, 16.1.4, 15.1.10 |
1291565-3 | 3-Major | BT1291565 | BIG-IP generates more multicast packets in multicast failover high availability (HA) setup | 17.1.1, 16.1.4, 15.1.10 |
1284993-2 | 3-Major | BT1284993 | TLS extensions which are configured after session_ticket are not parsed from Client Hello messages | 17.1.1, 16.1.4 |
1284261-4 | 3-Major | BT1284261 | Constant traffic on DHCPv6 virtual servers may cause a TMM crash. | 17.1.1, 16.1.5, 15.1.10 |
1281637-2 | 3-Major | BT1281637 | When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE | 17.1.1, 16.1.4, 15.1.9 |
1272501-1 | 3-Major | BT1272501 | Connections are reset with the cause "F5RST:HTTP redirect rewrite failure"★ | 17.1.1, 16.1.5 |
1269733-1 | 3-Major | BT1269733 | HTTP GET request with headers has incorrect flags causing timeout | 17.1.1, 16.1.4, 15.1.10 |
1250085-4 | 3-Major | BT1250085 | BPDU is not processed with STP passthough mode enabled in BIG-IP | 17.1.1, 16.1.4 |
1238529-3 | 3-Major | BT1238529 | TMM might crash when modifying a virtual server in low memory conditions | 17.1.1, 16.1.5 |
1238413-4 | 3-Major | BT1238413 | The BIG-IP might fail to update ARL entry for a host in a VLAN-group | 17.1.1, 16.1.4, 15.1.10 |
1229417-1 | 3-Major | BIG-IP iRulesLX: CVE-2020-7774 nodejs-y18n prototype pollution vulnerability | 17.1.1, 16.1.4, 15.1.9 | |
1229369-4 | 3-Major | BT1229369 | The fastl4 TOS mimic setting towards client may not function | 17.1.1, 16.1.4, 15.1.10 |
1210469-1 | 3-Major | BT1210469 | TMM can crash when processing AXFR query for DNSX zone | 17.1.1, 16.1.4, 15.1.9 |
1144117-5 | 3-Major | BT1144117 | "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands | 17.1.1, 16.1.4, 15.1.9 |
1126841-5 | 3-Major | BT1126841 | HTTP::enable can rarely cause cores | 17.1.1, 16.1.4, 15.1.10 |
1117609-5 | 3-Major | BT1117609 | VLAN guest tagging is not implemented for CX4 and CX5 on ESXi | 17.1.1, 16.1.4, 15.1.10 |
1112385-6 | 3-Major | BT1112385 | Traffic classes match when they shouldn't | 17.1.1, 16.1.5, 15.1.10 |
1107565-3 | 3-Major | BT1107565 | SSL Persistence behavior change for TLS1.3 connection between v16.1.0 and v16.1.2.2 | 17.1.1, 16.1.4 |
1104553-1 | 3-Major | BT1104553 | HTTP_REJECT processing can lead to zombie SPAWN flows piling up | 17.1.1, 15.1.7 |
1096893-6 | 3-Major | BT1096893 | TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection | 17.1.1, 16.1.4, 15.1.9 |
1088597-6 | 3-Major | BT1088597 | TCP keepalive timer can be immediately re-scheduled in rare circumstances | 17.1.1, 16.1.5, 15.1.10 |
1084965-4 | 3-Major | BT1084965 | Low visibility of attack vector | 17.1.1, 16.1.5 |
1083621-6 | 3-Major | BT1083621 | The virtio driver uses an incorrect packet length | 17.1.1, 16.1.5, 15.1.9 |
1061513-1 | 3-Major | BT1061513 | Adding support for C3D(Client Certificate Constrained Delegation) with TLS1.3 | 17.1.1 |
1057121-1 | 3-Major | BT1057121 | MQTT Over Websockets in Websocket Termination mode is not working | 17.1.1 |
1037257-1 | 3-Major | BT1037257 | SSL::verify_result showing wrong output for revoked cert during Dynamic CRL check | 17.1.1, 15.1.10 |
1016589 | 3-Major | BT1016589 | Incorrect expression in STREAM::expression might cause a tmm crash | 17.1.1 |
1012813-6 | 3-Major | BT1012813 | Statsd can deadlock with rrdshim with the error that a stats file "is not an RRD file" | 17.1.1, 16.1.4 |
1000561-7 | 3-Major | BT1000561 | HTTP chunked encoding markers incorrectly passed to HTTP/2 client-side | 17.1.1, 16.1.4, 15.1.9 |
960677-8 | 4-Minor | BT960677 | Improvement in handling accelerated TLS traffic | 17.1.1, 16.1.4, 15.1.9 |
929429-10 | 4-Minor | BT929429 | Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed | 17.1.1, 16.1.5, 15.1.10 |
1322077 | 4-Minor | BT1322077 | BIG-IP can now support handshakes with 4 additional cipher suites: ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8 | 17.1.1 |
1305929 | 4-Minor | BT1305929 | Tmm crash with QUIC connections | 17.1.1 |
1304289-1 | 4-Minor | BT1304289 | Pool member monitored by both GTM and LTM monitors may be erroneously marked Down | 17.1.1, 16.1.5 |
1281709-4 | 4-Minor | BT1281709 | Traffic-group ID may not be updated properly on a TMM listener | 17.1.1, 16.1.4, 15.1.10 |
1280769 | 4-Minor | BT1280769 | Fipsutil's fwcheck and fwupdate sub-commands show errors when run on R10920 and R5920 tenant. | 17.1.1 |
1269773-1 | 4-Minor | BT1269773 | Convert network-order to host-order for extensions in TLS1.3 certificate request | 17.1.1, 16.1.5, 15.1.10 |
1253481 | 4-Minor | BT1253481 | Traffic loss observed after reconfiguring Virtual Networks | 17.1.1, 15.1.10 |
1251033-1 | 4-Minor | BT1251033 | HA is not established between Active and Standby devices when the vwire configuration is added | 17.1.1, 15.1.10 |
1240937-4 | 4-Minor | BT1240937 | The FastL4 TOS specify setting towards server may not function for IPv6 traffic | 17.1.1, 16.1.4, 15.1.10 |
1211189-4 | 4-Minor | BT1211189 | Stale connections observed and handshake failures observed with errors | 17.1.1, 16.1.4 |
1137717-6 | 4-Minor | BT1137717 | There are no dynconfd logs during early initialization | 17.1.1, 16.1.4, 15.1.10 |
1133557-7 | 4-Minor | BT1133557 | Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name | 17.1.1, 16.1.4, 15.1.10 |
1128505-3 | 4-Minor | BT1128505 | HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy | 17.1.1, 16.1.4 |
1121349-6 | 4-Minor | BT1121349 | CPM NFA may stall due to lack of other state transition | 17.1.1, 16.1.5 |
979213-7 | 5-Cosmetic | BT979213 | Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM. | 17.1.1, 16.1.5, 15.1.10 |
Performance Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1194077 | 1-Blocking | BT1194077 | The iRule execution FastHTTP performance degradation on r-series R10000 and higher platforms upto R12000 | 17.1.1 |
Global Traffic Manager (DNS) Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1081473-3 | 2-Critical | BT1081473 | GTM/DNS installations may observe the mcpd process crashing | 17.1.1, 16.1.5 |
1325981-1 | 3-Major | BT1325981 | DNS outbound-msg-retry causes TMM crash or core, and changes to outbound-msg-retry do not take effect immediately | 17.1.1 |
1313369-5 | 3-Major | BT1313369 | Significant performance drop observed for DNS cache validating resolver for responses with indeterminate and insecure validation status | 17.1.1, 16.1.5 |
1302825-2 | 3-Major | BT1302825 | Allow configuration of the number of times the CNAME chase is performed | 17.1.1, 16.1.5 |
1250077-6 | 3-Major | BT1250077 | TMM memory leak | 17.1.1, 15.1.10 |
1182353-6 | 3-Major | BT1182353 | DNS cache consumes more memory because of the accumulated mesh_states | 17.1.1, 16.1.4, 15.1.9 |
1137677-3 | 3-Major | BT1137677 | GTMs in a GTM sync group have inconsistent status for 'require M from N' monitored resources | 17.1.1, 15.1.9 |
1133201-2 | 3-Major | BT1133201 | Disabling a GTM pool member results in the same virtual server no longer being monitored in other pools | 17.1.1, 16.1.5 |
1111361-5 | 3-Major | BT1111361 | Refreshing DNS wide IP pool statistics returns an error | 17.1.1 |
1108237-3 | 3-Major | BT1108237 | Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM. | 17.1.1, 16.1.4 |
1103477-5 | 3-Major | BT1103477 | Refreshing pool member statistics results in error while processing requests | 17.1.1, 15.1.10 |
1311169-1 | 4-Minor | BT1311169 | DNSSEC response is not signed when failure-rcode-response is enabled and no record is returned | 17.1.1, 16.1.5 |
1295565-1 | 4-Minor | BT1295565 | BIG-IP DNS not identified in show gtm iquery for local IP | 17.1.1, 16.1.5 |
1186789-4 | 4-Minor | BT1186789 | DNSSEC keys stored on an internal FIPS card do not work after upgrading to versions >= 16.x | 17.1.1, 16.1.5 |
Application Security Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1284081-1 | 1-Blocking | BT1284081 | Incorrect Enforcement After Sync | 17.1.1 |
923821-5 | 2-Critical | BT923821 | Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack | 17.1.1, 16.1.4, 15.1.9 |
850141-5 | 2-Critical | BT850141 | Possible tmm core when using Dosl7/Bot Defense profile | 17.1.1, 16.1.4, 15.1.9 |
1286621-1 | 2-Critical | BT1286621 | BD crashes when the UMU OOM limit is reached and the request has an authorization bearer header | 17.1.1 |
1282281-5 | 2-Critical | BT1282281 | Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns | 17.1.1, 16.1.5, 15.1.10 |
1132697-5 | 2-Critical | BT1132697 | Use of proactive bot defense profile can trigger TMM crash | 17.1.1, 16.1.4, 15.1.9 |
939097-7 | 3-Major | BT939097 | Error messages related to long request allocation appear in the bd.log incase of big chunked requests | 17.1.1, 16.1.5 |
928997-5 | 3-Major | BT928997 | Less XML memory allocated during ASM startup | 17.1.1, 16.1.4, 15.1.9 |
890169-6 | 3-Major | BT890169 | URLs starting with double slashes might not be loaded when using a Bot Defense Profile. | 17.1.1, 16.1.4, 15.1.10 |
1316529-4 | 3-Major | BT1316529 | Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails with hidden DOS | 17.1.1, 16.1.5 |
1312057-3 | 3-Major | bd instability when using many remote loggers with Arcsight format | 17.1.1, 16.1.4 | |
1302689-2 | 3-Major | BT1302689 | ASM requests to rechunk payload | 17.1.1, 16.1.5, 15.1.10 |
1301197-1 | 3-Major | BT1301197 | Bot Profile screen does not load and display large number of pools/members | 17.1.1, 16.1.5, 15.1.10 |
1297089-1 | 3-Major | BT1297089 | Support Dynamic Parameter Extractions in declarative policy | 17.1.1, 16.1.4 |
1296469-1 | 3-Major | ASM UI hardening | 17.1.1, 16.1.4 | |
1295009-2 | 3-Major | BT1295009 | "JSON data does not comply with JSON schema" violation is raised when concurrent requests occur with same JSON data | 17.1.1, 16.1.5, 15.1.10 |
1292685-4 | 3-Major | BT1292685 | The date-time RegExp pattern through swagger would not cover all valid options | 17.1.1, 16.1.5, 15.1.10 |
1292645-1 | 3-Major | BT1292645 | False positive CORS violation can occur after upgrading to 17.1.x under certain conditions★ | 17.1.1, 16.1.5 |
1286101-2 | 3-Major | BT1286101 | JSON Schema validation failure with E notation number | 17.1.1, 16.1.4, 15.1.10 |
1284073-1 | 3-Major | BT1284073 | Cookies are truncated when number of cookies exceed the value configured in "max_enforced_cookies" | 17.1.1, 16.1.5 |
1281397-3 | 3-Major | BT1281397 | SMTP requests are dropped by ASM under certain conditions | 17.1.1, 16.1.5 |
1281381-1 | 3-Major | BT1281381 | BD continuously restarting after upgrade to 17.1.0.1★ | 17.1.1 |
1273997-1 | 3-Major | BT1273997 | BD crashes when the ACCOUNT_ENFORCER_SETTINGS table is empty | 17.1.1 |
1270133-1 | 3-Major | BT1270133 | bd crash during configuration update | 17.1.1, 16.1.5 |
1250209-1 | 3-Major | BT1250209 | The message "ERR: in Graphql disallowed response, pcre is null" appears in BD logs | 17.1.1 |
1229813-4 | 3-Major | BT1229813 | The ref schema handling fails with oneOf/anyOf | 17.1.1, 16.1.5, 15.1.10 |
1216297-3 | 3-Major | BT1216297 | TMM core occurs when using disabling ASM of request_send event | 17.1.1, 16.1.4 |
1207793-2 | 3-Major | BT1207793 | Bracket expression in JSON schema pattern does not work with non basic latin characters | 17.1.1, 16.1.5, 15.1.10 |
1196537-5 | 3-Major | BT1196537 | BD process crashes when you use SMTP security profile | 17.1.1, 16.1.4, 15.1.9 |
1196185-1 | 3-Major | BT1196185 | Policy Version History is not presented correctly with scrolling | 17.1.1 |
1194173-5 | 3-Major | BT1194173 | BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value | 17.1.1, 16.1.4, 15.1.9 |
1190365-1 | 3-Major | BT1190365 | OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly | 17.1.1, 16.1.4, 15.1.10 |
1186401-4 | 3-Major | BT1186401 | Using REST API to change policy signature settings changes all the signatures. | 17.1.1, 16.1.4, 15.1.9 |
1184841-6 | 3-Major | BT1184841 | Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API | 17.1.1, 16.1.4, 15.1.10 |
1173493-2 | 3-Major | BT1173493 | Bot signature staging timestamp corrupted after modifying the profile | 17.1.1, 16.1.4, 15.1.10 |
1156889-5 | 3-Major | BT1156889 | TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions | 17.1.1, 16.1.4, 15.1.9 |
1148009-8 | 3-Major | BT1148009 | Cannot sync an ASM logging profile on a local-only VIP | 17.1.1, 16.1.4, 15.1.9 |
1144497-5 | 3-Major | BT1144497 | Base64 encoded metachars are not detected on HTTP headers | 17.1.1, 16.1.4, 15.1.9 |
1137993-6 | 3-Major | BT1137993 | Violation is not triggered on specific configuration | 17.1.1, 16.1.4, 15.1.9 |
1132981-5 | 3-Major | BT1132981 | Standby not persisting manually added session tracking records | 17.1.1, 16.1.4, 15.1.9 |
1132741-7 | 3-Major | BT1132741 | Tmm core when html parser scans endless html tag of size more then 50MB | 17.1.1, 16.1.4, 15.1.9 |
1117245-5 | 3-Major | BT1117245 | Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file | 17.1.1, 16.1.4, 15.1.10 |
1098609-3 | 3-Major | BT1098609 | BD crash on specific scenario | 17.1.1, 16.1.4, 15.1.9 |
1085661-6 | 3-Major | BT1085661 | Standby system saves config and changes status after sync from peer | 17.1.1, 16.1.4, 15.1.10 |
1078065-5 | 3-Major | BT1078065 | The login page shows blocking page instead of CAPTCHA or showing blocking page after resolving a CAPTCHA. | 17.1.1, 16.1.4, 15.1.9 |
1069729-4 | 3-Major | BT1069729 | TMM might crash after a configuration change. | 17.1.1, 16.1.4, 15.1.9 |
1067557-5 | 3-Major | BT1067557 | Value masking under XML and JSON content profiles does not follow policy case sensitivity | 17.1.1, 16.1.4, 15.1.9 |
1059513-3 | 3-Major | BT1059513 | Virtual servers may appear as detached from security policy when they are not. | 17.1.1, 16.1.4, 15.1.10 |
1048949-8 | 3-Major | BT1048949 | TMM xdata leak on websocket connection with asm policy without websocket profile | 17.1.1, 16.1.4, 15.1.9 |
1038689-5 | 3-Major | BT1038689 | "Mandatory request body is missing" violation should trigger for "act as a POST" methods only | 17.1.1, 16.1.5 |
1023889-5 | 3-Major | BT1023889 | HTTP/HTTPS protocol option in storage filter do not suppress WS/WSS server->client message | 17.1.1, 16.1.4, 15.1.10 |
987977-1 | 4-Minor | BT987977 | VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation | 17.1.1, 16.1.5 |
942617-6 | 4-Minor | BT942617 | Heading or tailing white spaces of variable are not trimmed in configuration utility System Variable | 17.1.1, 16.1.4, 15.1.10 |
1284097-1 | 4-Minor | BT1284097 | False positive 'Illegal cross-origin request' violation | 17.1.1, 16.1.5 |
1245209-1 | 4-Minor | BT1245209 | Introspection query violation is reported regardless the flag status | 17.1.1 |
1189865-5 | 4-Minor | BT1189865 | "Cookie not RFC-compliant" violation missing the "Description" in the event logs | 17.1.1, 16.1.4, 15.1.9 |
1133997-4 | 4-Minor | BT1133997 | Duplicate user-defined Signature Set based on untagged signatures is created upon policy clone or import | 17.1.1, 16.1.4 |
1123153-5 | 4-Minor | BT1123153 | "Such URL does not exist in policy" error in the GUI | 17.1.1, 16.1.4, 15.1.9 |
1113753-5 | 4-Minor | BT1113753 | Signatures might not be detected when using truncated multipart requests | 17.1.1, 16.1.4, 15.1.10 |
1099765-1 | 4-Minor | BT1099765 | Inconsistent behavior in violation detection with maximum parameter enforcement | 17.1.1, 16.1.4, 15.1.10 |
1084857-6 | 4-Minor | BT1084857 | ASM::support_id iRule command does not display the 20th digit | 17.1.1, 16.1.4, 15.1.10 |
1083513-4 | 4-Minor | BT1083513 | BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd | 17.1.1, 16.1.4, 15.1.10 |
1076825-3 | 4-Minor | BT1076825 | "Live Update" configuration and list of update files reverts to default after upgrade to v16.1.x and v17.1.x from earlier releases.★ | 17.1.1, 16.1.4 |
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
831737-5 | 2-Critical | BT831737 | Memory Leak when using Ping Access profile | 17.1.1, 16.1.5, 15.1.6.1 |
1355117 | 2-Critical | K000137374, BT1355117 | TMM core due to extensive memory usage★ | 17.1.1, 16.1.5, 15.1.10.3 |
1349797 | 2-Critical | BT1349797 | Websense database download fails | 17.1.1 |
1318285 | 2-Critical | BT1318285 | Leakage point in storing assertion attributes-string in tmm | 17.1.1 |
1293289-1 | 2-Critical | Credentials can be submitted to /my.policy as GET instead of POST | 17.1.1 | |
1282105 | 2-Critical | K000134865, BT1282105 | Assertion response attributes parsing issue after upgrade to BIG-IP 17.1.0★ | 17.1.1 |
1270501 | 2-Critical | BT1270501 | Before upgrade, if log level is configured as debug, then APMD will continuously restarts with coredump | 17.1.1 |
1111149-4 | 2-Critical | BT1111149 | Nlad core observed due to ERR_func_error_string can return NULL | 17.1.1, 16.1.4, 15.1.9 |
1110489-4 | 2-Critical | BT1110489 | TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event | 17.1.1, 16.1.4, 15.1.9 |
1104517-3 | 2-Critical | BT1104517 | In SWG explicit proxy, some TCP connections are reset because of inconsistency between sessionDB and local IP2SessionId map | 17.1.1, 16.1.5, 15.1.10 |
738716-2 | 3-Major | BT738716 | Add support for "Restart Desktop" setting in View clients, native as well as HTML5 clients | 17.1.1, 16.1.5 |
427094-3 | 3-Major | BT427094 | Accept-language is not respected if there is no session context for page requested. | 17.1.1, 16.1.5, 15.1.10 |
1318749 | 3-Major | BT1318749 | Memory Leakage while decoding Assertion Attributes | 17.1.1 |
1298545 | 3-Major | BT1298545 | TMM crashes during SAML negotiations with APM configured as SAML SP. | 17.1.1 |
1294993-1 | 3-Major | BT1294993 | URL Database download logs are not visible | 17.1.1, 16.1.5 |
1292141-2 | 3-Major | BT1292141 | TMM crash while processing myvpn request | 17.1.1, 16.1.5 |
1268521-1 | 3-Major | BT1268521 | SAML authentication with the VCS fails when launching applications or remote desktops from the APM Webtop if multiple RD resources are assigned. | 17.1.1, 16.1.4, 15.1.10 |
1251157-1 | 3-Major | BT1251157 | Ping Access filter can accumulate connections increasing the memory use | 17.1.1, 16.1.5, 15.1.10 |
1232977-4 | 3-Major | BT1232977 | TMM leaking memory in OAuth scope identifiers when parsing scope lists | 17.1.1, 16.1.4 |
1232629-1 | 3-Major | BT1232629 | Support to download Linux ARM64 VPN Client in BIG-IP | 17.1.1 |
1208949-4 | 3-Major | BT1208949 | TMM cored with SIGSEGV at 'vpn_idle_timer_callback' | 17.1.1, 16.1.4, 15.1.10 |
1207821-1 | 3-Major | BT1207821 | APM internal virtual server leaks memory under certain conditions | 17.1.1, 16.1.5, 15.1.10 |
1205029-1 | 3-Major | BT1205029 | WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application | 17.1.1, 16.1.4 |
1180365-3 | 3-Major | BT1180365 | APM Integration with Citrix Cloud Connector | 17.1.1, 16.1.4, 15.1.10 |
1167985-3 | 3-Major | BT1167985 | Network Access resource settings validation errors | 17.1.1, 16.1.4 |
1147621-3 | 3-Major | BT1147621 | AD query do not change password does not come into effect when RSA Auth agent used | 17.1.1, 16.1.5, 15.1.9 |
1145361-1 | 3-Major | BT1145361 | When JWT is cached the error "JWT Expired and cannot be used" is observed | 17.1.1, 16.1.4 |
1111397-6 | 3-Major | BT1111397 | [APM][UI] Wizard should also allow same patterns as the direct GUI | 17.1.1, 16.1.4, 15.1.9 |
1070029-3 | 3-Major | BT1070029 | GSS-SPNEGO SASL mechanism issue with AD Query to Synology Directory Service | 17.1.1, 16.1.4, 15.1.10 |
1060477-2 | 3-Major | BT1060477 | iRule failure "set userName [ACCESS::session data get "session.logon.last.username"]/[ACCESS::session sid]". | 17.1.1, 16.1.4, 15.1.9 |
1046401-3 | 3-Major | BT1046401 | APM logs shows truncated OCSP URL path while performing OCSP Authentication. | 17.1.1, 16.1.4, 15.1.10 |
1044457-4 | 3-Major | BT1044457 | APM webtop VPN is no longer working for some users when CodeIntegrity is enabled. | 17.1.1, 16.1.5, 15.1.10 |
1041985-5 | 3-Major | BT1041985 | TMM memory utilization increases after upgrade★ | 17.1.1, 16.1.4, 15.1.9 |
1039941-4 | 3-Major | BT1039941 | The webtop offers to download F5 VPN when it is already installed | 17.1.1, 16.1.4, 15.1.10 |
1252005-1 | 4-Minor | BT1252005 | VMware USB redirection does not work with DaaS | 17.1.1, 16.1.4, 15.1.10 |
1224409-1 | 4-Minor | BT1224409 | Unable to set session variables of length >4080 using the -secure flag | 17.1.1, 16.1.4, 15.1.10 |
1218813-6 | 4-Minor | BT1218813 | "Timeout waiting for TMM to release running semaphore" after running platform_diag | 17.1.1, 16.1.5, 15.1.9 |
1195385-1 | 4-Minor | BT1195385 | OAuth Scope Internal Validation fails upon multiple providers with same type | 17.1.1, 16.1.4 |
1142389-2 | 4-Minor | BT1142389 | APM UI report displays error "Error Processing log message ..." when the log contains some special character received in client request | 17.1.1, 16.1.5, 15.1.10 |
1100561-3 | 4-Minor | BT1100561 | AAA: a trailing ampersand is added to serverside request when using HTTP forms based auth | 17.1.1, 16.1.5 |
1040829-5 | 4-Minor | BT1040829 | Errno=(Invalid cross-device link) after SCF merge | 17.1.1, 16.1.4, 15.1.10 |
1028081-3 | 4-Minor | BT1028081 | [F5 Access Android] F5 access in android gets "function () {[native code]}" in logon page | 17.1.1, 16.1.4, 15.1.9 |
Service Provider Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1269889-1 | 2-Critical | BT1269889 | LTM crashes are observed while running SIP traffic and pool members are offline | 17.1.1, 16.1.4, 15.1.10 |
1239901-3 | 2-Critical | BT1239901 | LTM crashes while running SIP traffic | 17.1.1, 16.1.4, 15.1.9 |
1307517-3 | 3-Major | BT1307517 | Allow SIP reply with missing FROM | 17.1.1, 16.1.5 |
1291149-5 | 3-Major | BT1291149 | Cores with fail over and message routing | 17.1.1, 16.1.4, 15.1.10 |
1287313-3 | 3-Major | BT1287313 | SIP response message with missing Reason-Phrase or with spaces are not accepted | 17.1.1, 16.1.4, 15.1.10 |
1189513-6 | 3-Major | BT1189513 | SIP media flow pinholes are not created if SDP MIME multipart body part miss the content-length header | 17.1.1, 16.1.4, 15.1.9 |
1038057-5 | 3-Major | BT1038057 | Unable to add a serverssl profile into a virtual server containing a FIX profile | 17.1.1, 16.1.4, 15.1.9 |
1329477-1 | 4-Minor | BT1329477 | Auto-initialization does not work with certain MRF connection-mode | 17.1.1, 16.1.5 |
1251013-1 | 4-Minor | BT1251013 | Allow non-RFC compliant URI characters | 17.1.1, 16.1.5, 15.1.10 |
1225797 | 4-Minor | BT1225797 | SIP alg inbound_media_reinvite test fails | 17.1.1, 16.1.5 |
1213469-5 | 4-Minor | BT1213469 | MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP is dropped | 17.1.1, 16.1.4 |
Advanced Firewall Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1320513 | 2-Critical | BT1320513 | Device DOS drop rate limits are not configured correctly on the FPGA. | 17.1.1 |
1215161-4 | 2-Critical | BT1215161 | A new CLI option introduced to display rule-number for policy, rules and rule-lists | 17.1.1 |
1106273-5 | 2-Critical | BT1106273 | "duplicate priming" assert in IPSECALG | 17.1.1, 16.1.4, 15.1.9 |
1080957-1 | 2-Critical | BT1080957 | TMM Seg fault while Offloading virtual server DOS attack to HW | 17.1.1, 15.1.10 |
998701-3 | 3-Major | BT998701 | Active_zombie_port_blocks counter from fw_lsn_pool_pba_stat stats may reach unrealistically large value. | 17.1.1, 15.1.10 |
844597-7 | 3-Major | BT844597 | AVR analytics is reporting null domain name for a dns query | 17.1.1, 16.1.5, 15.1.10 |
793217-6 | 3-Major | BT793217 | HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation | 17.1.1 |
1321585 | 3-Major | BT1321585 | Support AFM DOS TCP vectors behavior | 17.1.1 |
1311561-2 | 3-Major | BT1311561 | Unable to add Geo regions with spaces into blacklist, Error: invalid on shun entry adding | 17.1.1, 16.1.5 |
1307697-2 | 3-Major | BT1307697 | IPI not working on a new device - 401 invalid device error from BrightCloud | 17.1.1, 15.1.10 |
1229401-2 | 3-Major | BT1229401 | TMM on an F5OS BIG-IP tenant crashes while fetching DDoS stats | 17.1.1 |
1199025-3 | 3-Major | BT1199025 | DNS vectors auto-threshold events are not seen in webUI | 17.1.1, 15.1.10 |
1196053-4 | 3-Major | BT1196053 | The autodosd log file is not truncating when it rotates | 17.1.1, 16.1.5, 15.1.10 |
1190765-1 | 3-Major | BT1190765 | VelOS | Zone Base DDOS | Aggregation, BD | Seeing Entries in sPVA Registers are not getting reset once the attack is completed | 17.1.1 |
1167949-2 | 3-Major | BT1167949 | Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading is not working on hardware | 17.1.1, 15.1.9 |
1156753 | 3-Major | BT1156753 | Valid qname DNS query handled as malformed packets in hardware (qnames starting with underscore ) | 17.1.1 |
1126401-1 | 3-Major | BT1126401 | Variables are not displayed in Debug log messages for MGMT network firewall rules | 17.1.1, 15.1.9 |
1112781-2 | 3-Major | BT1112781 | DNS query drops on Virtual Edition platform if the packet size is above 1500 for NAPTR record. | 17.1.1, 16.1.4, 15.1.9 |
1110281-7 | 3-Major | BT1110281 | Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable | 17.1.1, 16.1.4, 15.1.9 |
1106341-1 | 3-Major | BT1106341 | /var/tmp/pccd.out file size increases rapidly and fills up the /shared partition | 17.1.1, 15.1.7 |
1101653-3 | 3-Major | BT1101653 | Query Type Filter in DNS Security Profile blocks allowed query types | 17.1.1, 15.1.10 |
1082453-1 | 3-Major | BT1082453 | Dwbld stops working after adding an IP address to IPI category manually | 17.1.1, 15.1.9 |
1078625-1 | 3-Major | BT1078625 | TMM crashes during DoS processing | 17.1.1, 16.1.4 |
1042153-3 | 3-Major | BT1042153 | AFM TCP connection issues when tscookie-vlans enabled on server/client side VLAN. | 17.1.1, 17.0.0, 16.1.5, 15.1.10 |
1084901-3 | 4-Minor | BT1084901 | Updating the firewall rule list for IPv6 with route domain throws an error in the GUI, works from tmsh | 17.1.1 |
1069265 | 4-Minor | BT1069265 | New connections or packets from the same source IP and source port can cause unnecessary port block allocations. | 17.1.1, 16.1.4, 15.1.10 |
Policy Enforcement Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1186925-6 | 2-Critical | BT1186925 | When FUA in CCA-i, PEM does not send CCR-u for other rating-groups | 17.1.1, 16.1.4, 15.1.9 |
1302677-2 | 3-Major | BT1302677 | Memory leak in PEM when Policy is queried via TCL | 17.1.1, 16.1.5, 15.1.10 |
1259489-2 | 3-Major | BT1259489 | PEM subsystem memory leak is observed when using PEM::subscriber information | 17.1.1, 16.1.4, 15.1.10 |
1238249-5 | 3-Major | BT1238249 | PEM Report Usage Flow log is inaccurate | 17.1.1, 16.1.4, 15.1.10 |
1226121-5 | 3-Major | BT1226121 | TMM crashes when using PEM logging enabled on session | 17.1.1, 16.1.4, 15.1.9 |
1207381 | 3-Major | BT1207381 | PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored | 17.1.1, 16.1.4, 15.1.9 |
1190353-4 | 3-Major | BT1190353 | The wr_urldbd BrightCloud database downloading from a proxy server is not working | 17.1.1, 16.1.4, 15.1.10 |
1174085-7 | 3-Major | BT1174085 | Spmdb_session_hash_entry_delete releases the hash's reference | 17.1.1, 16.1.4, 15.1.9 |
1093357-6 | 3-Major | BT1093357 | PEM intra-session mirroring can lead to a crash | 17.1.1, 16.1.4, 15.1.10 |
1020041-7 | 3-Major | BT1020041 | "Can't process event 16, err: ERR_NOT_FOUND" seen in tmm logs | 17.1.1, 16.1.4, 15.1.10 |
Carrier-Grade NAT Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1096317-6 | 3-Major | BT1096317 | SIP msg alg zombie flows | 17.1.1, 15.1.10 |
Anomaly Detection Services Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1211297-1 | 2-Critical | BT1211297 | Handling DoS profiles created dynamically using iRule and L7Policy | 17.1.1, 16.1.4, 15.1.9 |
Device Management Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
954001-9 | 3-Major | REST File Upload hardening | 17.1.1, 16.1.4, 15.1.10 | |
943257-8 | 3-Major | BT943257 | REST framework support for IPv6 ConfigSync addresses | 17.1.1, 16.1.5 |
1196477-8 | 3-Major | BT1196477 | Request timeout in restnoded | 17.1.1, 16.1.4, 15.1.9 |
1049237-6 | 4-Minor | BT1049237 | Restjavad may fail to cleanup ucs file handles even with ID767613 fix | 17.1.1, 16.1.4, 15.1.10 |
iApp Technology Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1093933-5 | 3-Major | CVE-2020-7774 nodejs-y18n prototype pollution vulnerability | 17.1.1, 16.1.4, 15.1.9 |
Protocol Inspection Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1321221 | 3-Major | BT1321221 | Error when trying to make changes in IPS Profile 01070734:3: Configuration error: Invalid Devicegroup Reference. | 17.1.1 |
1122205-2 | 3-Major | BT1122205 | The 'action' value changes when loading protocol-inspection profile config | 17.1.1, 16.1.4, 15.1.10 |
In-tmm monitors Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1211985-6 | 3-Major | BT1211985 | BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring | 17.1.1, 16.1.5, 15.1.10 |
SSL Orchestrator Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1303185-6 | 3-Major | BT1303185 | Large numbers of URLs in url-db can cause TMM to restart | 17.1.1, 16.1.5, 15.1.10 |
1289417-2 | 3-Major | BT1289417 | SSL Orchestrator SEGV TMM core | 17.1.1, 16.1.5 |
1289365 | 3-Major | BT1289365 | The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode★ | 17.1.1, 16.1.4, 15.1.10 |
F5OS Messaging Agent Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1289997-2 | 3-Major | BT1289997 | Tenant clustering fails when adding a lower number slot to Tenant | 17.1.1, 15.1.10 |
1015001 | 3-Major | BT1015001 | LTM log file shows error message do_grpc_call_to_platform: Bad return code from gRPC call to platform | 17.1.1 |
Cumulative fixes from BIG-IP v17.1.0.3 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1324745-1 | CVE-2023-41373 | K000135689, BT1324745 | An undisclosed TMUI endpoint may allow unexpected behavior | 17.1.0.3, 16.1.4.1, 15.1.10.2, 14.1.5.6 |
1189465-1 | CVE-2023-24461 | K000132539, BT1189465 | Edge Client allows connections to untrusted APM Virtual Servers | 17.1.0.3, 16.1.4, 15.1.9 |
Functional Change Fixes
None
Access Policy Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1283645-4 | 2-Critical | BT1283645 | Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued | 17.1.0.3, 16.1.4, 15.1.9, 14.1.5.6 |
Cumulative fixes from BIG-IP v17.1.0.2 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1285173-1 | CVE-2023-38138 | K000133474, BT1285173 | Improper query string handling on undisclosed pages | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
1265425-1 | CVE-2023-38423 | K000134535, BT1265425 | Improper query string handling on undisclosed pages | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
1185421-8 | CVE-2023-38419 | K000133472, BT1185421 | iControl SOAP uncaught exception when handling certain payloads | 17.1.0.2, 16.1.3.5, 15.1.9.1 |
Functional Change Fixes
None
Cumulative fixes from BIG-IP v17.1.0.1 that are included in this release
Vulnerability Fixes
ID Number | CVE | Links to More Info | Description | Fixed Versions |
1213305-6 | CVE-2023-27378 | K000132726, BT1213305 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1204961-1 | CVE-2023-27378 | K000132726, BT1204961 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1204793-6 | CVE-2023-27378 | K000132726, BT1204793 | Improper query string handling on undisclosed pages | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
1238321-6 | CVE-2022-4304 | K000132943 | OpenSSL Vulnerability CVE-2022-4304 | 17.1.0.1, 16.1.4, 15.1.10 |
1235813 | CVE-2023-0215 | K000132946, BT1235813 | OpenSSL vulnerability CVE-2023-0215 | 17.1.0.1, 16.1.4, 15.1.10 |
1096373-8 | CVE-2023-28742 | K000132972, BT1096373 | Unexpected parameter handling in BIG3d | 17.1.0.1, 16.1.3.4, 15.1.8.2, 14.1.5.4 |
Functional Change Fixes
None
TMOS Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1284969 | 1-Blocking | BT1284969 | Adding ssh-rsa key for passwordless authentication | 17.1.0.1, 16.1.4 |
1273041-3 | 1-Blocking | BT1273041 | Observing config error on R2x00/R4x00 low/high devices while doing tmsh load sys config via performance scripts | 17.1.0.1 |
1226585-1 | 1-Blocking | BT1226585 | Some SSL Orchestrator rest endpoints not loading on startup after BIG-IP is rebooted when it is set to CC/STIP mode | 17.1.0.1 |
1252093 | 3-Major | BT1252093 | BIG-IP OpenSSL now supports Extended Master Secret | 17.1.0.1 |
1238693-1 | 3-Major | BT1238693 | Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519 | 17.1.0.1, 16.1.4 |
Local Traffic Manager Fixes
ID Number | Severity | Links to More Info | Description | Fixed Versions |
1267317-6 | 3-Major | BT1267317 | Disabling Access and/or WebSSO for flows causes memory leak | 17.1.0.1 |
1235085-1 | 3-Major | BT1235085 | Reinitialization of FIPS HSM in BIG-IP tenant. | 17.1.0.1 |
Cumulative fix details for BIG-IP v17.1.2 that are included in this release
998701-3 : Active_zombie_port_blocks counter from fw_lsn_pool_pba_stat stats may reach unrealistically large value.
Links to More Info: BT998701
Component: Advanced Firewall Manager
Symptoms:
Under certain conditions, the active_zombie_port_blocks counter from fw_lsn_pool_pba_stat statistics may reach an unrealistically large value.
Conditions:
-- VIPRION system with more than one blade
-- ASM is provisioned
-- Network address translation is in use
-- Source translation type: Dynamic PAT
-- PAT mode: Port Block Allocation
Impact:
Active_zombie_port_blocks counter indications are incorrect. Otherwise system functionality is unaffected.
Workaround:
None
Fixed Versions:
17.1.1, 15.1.10
997793-5 : Error log: Failed to reset strict operations; disconnecting from mcpd★
Links to More Info: K34172543, BT997793
Component: TMOS
Symptoms:
After rebooting the device you are unable to access the GUI. When checking the LTM logs in the SSH/console, it repeatedly prompts an error: tmm crash.
Failed to reset strict operations; disconnecting from mcpd.
Conditions:
-- APM provisioned.
-- Previous EPSEC packages that are still residing on the system from earlier BIG-IP versions are installed upon boot.
Impact:
Mcpd fails to fully load and the device fails to come up fully, and it cannot pass traffic.
An internal timer might cause the installation to be aborted and all daemons to be restarted through bigstart restart. Traffic is disrupted while tmm restarts.
Workaround:
You can recover by restarting the services. Traffic will be disrupted while tmm restarts:
1. Stop the overdog daemon first by issuing the command:
systemctl stop overdog.
2. Restart all services by issuing the command:
bigstart restart.
3. Wait for 10 to 20 mins until EPSEC packages are successfully installed and mcpd successfully starts.
4. Start the overdog daemon after the system is online
systemctl start overdog.
Impact of workaround: it is possible that the EPSEC rpm database is or could be corrupted. If you find that you cannot access the GUI after appying this workaround, see https://cdn.f5.com/product/bugtracker/ID1188857.html
Fix:
After rebooting the device, you can now access the GUI without a 'Failed to reset' error.
Fixed Versions:
17.1.2, 16.1.5
997561-6 : TMM CPU imbalance with GRE/TB and GRE/MPLS traffic
Links to More Info: BT997561
Component: TMOS
Symptoms:
When handling unidirectional GRE traffic, a lack of inner payload entropy can lead to CPU pinning.
In some circumstances, handling this traffic should not require maintaining state across TMMs.
Conditions:
This occurs with GRE/TB (transparent ethernet bridging) and GRE/MPLS traffic.
Impact:
TMM utilization across CPUs is imbalanced, which can impact overall device performance.
Workaround:
None
Fix:
The BIG-IP now has a 'iptunnel.ether_nodag' DB key, which defaults to 'disable'. When this DB key is enabled, the BIG-IP system always processes tunnel-encapsulated traffic on the TMM that handles the tunnel packet, rather than re-disaggregating it.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
997169-1 : AFM rule not triggered
Links to More Info: BT997169
Component: Advanced Firewall Manager
Symptoms:
An AFM rule is not triggered when it should be.
Conditions:
-- Source and destination zone configured
-- A gateway pool is used in the route
Impact:
A firewall rule is not triggered and the default deny rule is used.
Workaround:
Alter the route to use an IP address and not a pool.
Fix:
Firewall rules are now triggered when gateway pools are used.
Fixed Versions:
17.1.2, 15.1.4.1
996649-7 : Improper handling of DHCP flows leading to orphaned server-side connections
Links to More Info: BT996649
Component: Local Traffic Manager
Symptoms:
When there are multiple client-side flows tied to a single server-side DHCP flow, timeout handling on the client-side flows is incorrect and might lead to a server-side flow getting orphaned. This results in traffic from the server not making its way back to the client.
Conditions:
Regular DHCP virtual server in use.
Impact:
Traffic is not passed to the client.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
994033-4 : The daemon httpd_sam does not recover automatically when terminated
Links to More Info: BT994033
Component: TMOS
Symptoms:
APM policy redirecting users to incorrect domain, the httpd_sam daemon not running.
Conditions:
Daemon httpd_sam stopped with the terminate command.
Impact:
APM policy performing incorrect redirects.
Workaround:
Restart the daemons httpd_apm and httpd_sam.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
993481-5 : Jumbo frame issue with DPDK eNIC
Links to More Info: BT993481
Component: TMOS
Symptoms:
TMM crashes
Conditions:
-- TMM is using DPDK driver with Cisco eNIC
-- TMM receives jumbo sized packet
Impact:
Traffic disrupted while TMM restarts.
Workaround:
- Use a different driver such as sock.
- Do not use or accept jumbo frames, use the following TMSH command to set the MTU to less than or equal to 1500:
tmsh modify net vlan external mtu 1500
Fix:
Skipped initialization of structures.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
991457-6 : The mpidump should show sequence number and higher precision date/time
Links to More Info: BT991457
Component: Local Traffic Manager
Symptoms:
The mpidump command does not some data that would be useful in a troubleshooting situation.
Conditions:
Running mpidump to gather data.
Impact:
Comparing tcpdumps with mpidumps is almost impossible due to the lack of timestamp precision in the mpidump tool's verbose text output. When doing analysis, it makes it extremely difficult, if not impossible without this precision
Workaround:
None
Fix:
None
Fixed Versions:
17.1.2, 16.1.5
989501-3 : A dataplane_inoperable_t action should be triggered when HSB falls off of PCI bus
Links to More Info: BT989501
Component: TMOS
Symptoms:
In some rare circumstances, the High-Speed Bridge (HSB) device might fall or drop off of PCI bus, resulting in the BIG-IP system not being able to process traffic. If this happens, a daemon_heartbeat failsafe gets triggered instead of dataplane_inoperable_t action.
Conditions:
The conditions that lead to HSB to fall off of PCI bus are unknown at this time.
Impact:
The BIG-IP system unable to pass traffic and a failover is triggered.
Workaround:
Reboot the device or the blade to recover from the situation and monitor for re-occurrence. If it happens again, it could indicate potential underlying hardware issue.
Fix:
The dataplane_inoperable_t High Availability (HA) event should be triggered by overdog process (which monitors high availability (HA) table for failover action types of restart, restart-all, or reboot) and allow for system to be rebooted to recover.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
987977-1 : VIOL_HTTP_RESPONSE_STATUS is set in violation_details of remote logging message even if ALM/BLK flags are disabled for the violation
Links to More Info: BT987977
Component: Application Security Manager
Symptoms:
Remote logging message, violation_details field, includes XML document for VIOL_HTTP_RESPONSE_STATUS even though it is configured not to do so (Learn/Alarm/Block are all disabled) with VIOL_HTTP_RESPONSE_STATUS violation.
Conditions:
When all the following conditions are met
-- Response status code is not one of 'Allowed Response Status Codes'.
-- Learn/Alarm/Block flags are disabled with 'Illegal HTTP status in response'.
-- Logging profile is configured for remote storage.
-- Storage format is comma-separated.
-- Both violation_details and violations fields are set.
Impact:
Remote logging server receives inaccurate message.
Workaround:
None
Fix:
No longer includes 'violation_details' field in remote logging message in the scenario, but includes it only when it is appropriate.
Fixed Versions:
17.1.1, 16.1.5
985925-5 : Ipv6 Routing Header processing not compatible as per Segments Left value.
Links to More Info: BT985925
Component: Local Traffic Manager
Symptoms:
Packet should forward the packet with the route header unmodified when Segments Left is 0 (zero). It performs as expected when Segments Left is non-zero by dropping the packet and sending an ICMP error.
Conditions:
-- An IPv6 packet whose Next Header in IP header is Routing Header IPv6.
-- In the Routing Header IPv6 header, the Type field is 0.
-- In the Routing Header IPv6 header, the Segment Left field is 0.
Impact:
With Next Header field in IP header being Routing Header for IPv6, BIG-IP system fails to forward the ICMPv6 Echo Request packet to server, rather, it drops the packet.
Workaround:
None
Fix:
Now the ICMP packet is forwarded with both IPv6 extension headers present.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
985329-3 : Saving UCS takes longer and leaves temp files when iControl LX extension is installed
Links to More Info: BT985329
Component: Device Management
Symptoms:
The tmsh command 'save sys ucs' takes longer when iControl LX extensions is installed, and it may leave /shared/tmp/rpm-tmp* files.
You may also see errors logged in /var/log/restjavad.0.log:
[WARNING][211][date and time UTC][8100/shared/iapp/build-package BuildRpmTaskCollectionWorker] Failed to execute the build command 'rpmbuild -bb --define '_tmppath /shared/tmp' --define 'main /var/config/rest/iapps/f5-service-discovery' --define '_topdir /var/config/rest/node/tmp' '/var/config/rest/node/tmp/ac891731-acb1-4832-b9f0-325e73ed1fd1.spec'', Threw:com.f5.rest.common.CommandExecuteException: Command execution process killed
at com.f5.rest.common.ShellExecutor.finishExecution(ShellExecutor.java:281)
at com.f5.rest.common.ShellExecutor.access$000(ShellExecutor.java:33)
at com.f5.rest.common.ShellExecutor$1.onProcessFailed(ShellExecutor.java:320)
at org.apache.commons.exec.DefaultExecutor$1.run(DefaultExecutor.java:203)
at java.lang.Thread.run(Thread.java:748)
Errors logged in /var/log/ltm:
err iAppsLX_save_pre: Failed to get task response within timeout for: /shared/iapp/build-package/a1724a94-fb6b-4b3e-af46-bc982567df8f
err iAppsLX_save_pre: Failed to get getRPM build response within timeout for f5-service-discovery
Conditions:
iControl LX extensions (e.g., AS3, Telemetry) are installed on the BIG-IP system.
Impact:
Saving the UCS file takes a longer time (e.g., ~1-to-2 minutes) than it does if iControl LX extensions are not installed (e.g., ~40 seconds).
/shared/tmp directory is filled with rpm-tmp* files.
Workaround:
The fix of another ID 929213 introduced a new database key iapplxrpm.timeout (default 60 seconds), which allows the RPM build timeout value to be increased.
sys db iapplxrpm.timeout {
default-value "60"
scf-config "true"
value "60"
value-range "integer min:30 max:600"
}
For example:
tmsh modify sys db iapplxrpm.timeout value 300
tmsh restart sys service restjavad
Increasing the db key and restarting restjavad should not be traffic impacting.
Fix:
Temp files under /shared/tmp is now cleaned up correctly.
Fixed Versions:
17.1.2, 16.1.5
984965-5 : While intentionally exiting, sshplugin may invoke functions out of sequence and crash
Links to More Info: BT984965
Component: Advanced Firewall Manager
Symptoms:
The sshplugin process used by the AFM module may continually restart and deposit a large number of core-dump files, displaying a SIGSEGV Segmentation fault.
In the file /var/log/sshplugin.start, errors may be logged including these lines:
shmget name:/var/run/tmm.mp.sshplugin18, key:0xeb172db6, size:7, total:789184 : Invalid argument
tm_register failed: Bad file descriptor
Conditions:
-- AFM provisioned and in use.
-- Heavy system load makes problem more likely.
Impact:
-- Extra processing load from relaunching sshplugin processes.
-- The large number of core files might fill up /var/core.
Workaround:
First, attempt a clean process restart:
# bigstart restart sshplugin
If that is not effective, rebooting the entire system may clear the condition.
Fixed Versions:
17.1.2, 16.1.5
981917-8 : CVE-2020-8286 - cUrl Vulnerability
Links to More Info: K15402727
981325-1 : Fragmented packets are not distributed in round robin when rrdag configured wth matching port range
Component: TMOS
Symptoms:
if packets are fragmented, even the port matches rrdag setting, it will be disaggregated based on default dag.
Form example, if SIP traffic is coming from a single source and destination port 5060, all the packets are redirected to a single tmm though it has rrdag enabled with port range set to 5060 in rrdag setting.
Conditions:
Always with fragmented packets even after rrdag enabled with correct port range setting
Impact:
Performance may be degraded as the fragmented packets distribution may not optimal and may load few tmms heavily.
Workaround:
No work around or mitigation except upgrading to a release with this fix.
Fix:
Proper rrdag selection values are propagated to the platform.
Fixed Versions:
17.1.2
979213-7 : Spurious spikes are visible in Throughput(bits) and Throughput(packets) performance graphs following a restart of TMM.
Links to More Info: BT979213
Component: Local Traffic Manager
Symptoms:
Upon reviewing the performance graphs in the GUI, you may notice significant spikes in the Throughput(bits) and Throughput(packets) graphs.
The spikes may report unrealistically high levels of traffic.
Note: Detailed throughput graphs are not affected by this issue.
Conditions:
This issue occurs when the following conditions are met:
-- The BIG-IP device is a physical system.
-- TMM was restarted on the system.
-- At some point, at least one interface was up on the system and recorded some traffic.
Impact:
This issue is purely cosmetic but might cause concern when reviewing the performance graphs.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
969345-4 : Temporary TMSH files not always removed after session termination
Links to More Info: BT969345
Component: TMOS
Symptoms:
Temporary TMSH-related subdirectories and files located in /var/system/tmp/tmsh may not be properly cleaned up after a TMSH session is terminated. These files can accumulate and eventually cause disk-space issues.
Conditions:
A TMSH session is terminated abruptly rather than ended gracefully.
Impact:
The /var filesystem may fill up, causing any of a variety of problems as file-I/O operations fail for various software subsystems.
Workaround:
The BIG-IP software includes a shell script (/usr/local/bin/clean_tmsh_tmp_dirs) which can be run by the system administrator to clean up excess temporary files in the directories /var/tmp/tmsh and /var/system/tmp/tmsh.
Fixed Versions:
17.1.2, 16.1.5
968953-5 : Unnecessary authorization header added in the response for an IP intelligence feed list request
Links to More Info: BT968953
Component: Advanced Firewall Manager
Symptoms:
Empty authorization header in the response for an IP intelligence feed list request.
Conditions:
Feed list configured without username/password pair.
Impact:
Feed List request from dwbld adds unnecessary Authorization header. The backend server may blocking the request because the HTTP header Authorization is included.
Workaround:
None.
Fixed Versions:
17.1.2
967573-4 : Qkview generation from Configuration Utility fails
Links to More Info: BT967573
Component: TMOS
Symptoms:
When you attempt to generate a qkview using the Configuration Utility, the system fails to generate a qkview.
Conditions:
Trying to generate a Qkview using the Configuration Utility.
Impact:
The Configuration Utility cannot be used to generate a qkview.
Workaround:
Use the qkview command to generate a qkview from the command line.
Fixed Versions:
17.1.2
965897-5 : Disruption of mcpd with a segmentation fault during config sync
Links to More Info: BT965897
Component: TMOS
Symptoms:
The mcpd process on the peer device fails with a segfault, restarts and then segfaults again in a loop
Numerous messages may be logged in the "daemon" logfile of the following type:
emerg logger[2020]: Re-starting mcpd
Conditions:
-- High availability (HA) configuration
-- A port-and-address list configuration is changed to be only an address list
-- A config sync occurs
Impact:
Continuous restarts of mcpd process on the peer device.
Workaround:
One possible measure for getting the peer-machine "mcpd" out of its failure mode is to command the still-functioning system to push a "full" config sync to the appropriate device group. Doing this twice consecutively may be necessary.
# tmsh run /cm config-sync force-full-load-push to-group APPROPRIATE-DEVICE-GROUP
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
964533-6 : Multiple session_process_pending_event_callback ERROR: could not send callback messages get logged in the tmm logs.
Links to More Info: BT964533
Component: TMOS
Symptoms:
The BIG-IP system tmm logs show multiple session_process_pending_event_callback errors.
Conditions:
If a session is deleted before all the session db callback events are handled, this error can occur while passing normal traffic.
Impact:
Numerous error event entries found in the TMM log:
notice session_process_pending_event_callback ERROR: could not send callback to 10.10.10.10:460 - 10.10.10.10:80 ERR_NOT_FOUND.
There is no impact other than additional log entries.
Workaround:
None.
Fix:
Log level has been changed so this issue no longer occurs.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
964125-7 : Mcpd cores while processing a query for node statistics when there are thousands of FQDN nodes and pool members.
Links to More Info: BT964125
Component: TMOS
Symptoms:
Mcpd might core and restart if it fails to process a query for all node statistics in less than 5 minutes.
There is more then one avenue where node statistics would be queried.
The BIG-IP Dashboard for LTM from the GUI is one example.
Conditions:
Thousands of FQDN nodes and pools with FQDN pool members and a query for all node statistics.
Impact:
Mcpd restarted which will cause services to failover. Traffic and configuration disrupted while mcpd restarts.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
963129-5 : RADIUS Accounting Stop message fails via layered virtual server
Links to More Info: BT963129
Component: Access Policy Manager
Symptoms:
RADIUS Stop messages do not exit the BIG-IP device after a client disconnects.
Conditions:
BIG-IP is configured with APM and multiple virtual servers and an iRule.
Impact:
RADIUS Accounting Stop is not sent.
Workaround:
None
Fixed Versions:
17.1.2
960677-8 : Improvement in handling accelerated TLS traffic
Links to More Info: BT960677
Component: Local Traffic Manager
Symptoms:
Rare aborted TLS connections.
Conditions:
None
Impact:
Certain rare traffic patterns may cause TMM to abort some accelerated TLS connections.
Workaround:
None
Fix:
The aborted connections will no longer be aborted and will complete normally.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
955897-5 : Configuration may fail to load with named virtual-address for 0.0.0.0 in a non-zero route domain★
Links to More Info: BT955897
Component: TMOS
Symptoms:
When reading the configuration from /config files, the BIG-IP system may fail to load the configuration regarding a virtual server with a named virtual-address for address 0.0.0.0 in a non-default route domain:
err mcpd[21812]: 0107028b:3: The source (0.0.0.0%123) and destination (0.0.0.0) addresses for virtual server (/Common/vs1) must be in the same route domain.
Unexpected Error: Loading configuration process failed.
Conditions:
-- An LTM virtual-address object with a name.
-- The virtual-address's address is 0.0.0.0 (or the keyword 'any'). The IPv6 address :: (or the keyword 'any6') is not affected.
-- The virtual-address's address is in a route domain other than route domain 0. The route domain can be the partition's default route domain.
-- An LTM virtual server that uses the affected address as its destination.
Example:
tmsh create net route-domain 123
tmsh create ltm virtual-address allzeros-rd123 address 0.0.0.0%123
tmsh create ltm virtual allzeros-rd123 destination 0.0.0.0%123:0
tmsh save sys config
Impact:
The configuration fails to load from disk when the affected objects do not yet exist in running memory or binary cache, for example, during:
- Reinstalling
- Upgrading
- Loading manual changes to the /config/*.conf files
- MCP force-reload
Other operations such as rebooting, relicensing, and reloading the same configuration (such as 'tmsh load sys config' are not affected.
Workaround:
Replace the configuration that uses a named virtual-address with the direct address. Here is an example of the configuration in bigip.conf:
ltm virtual-address allzeros-rd123 {
address any%123
mask any
}
ltm virtual allzeros-rd123 {
destination allzeros-rd123:0
mask any
source 0.0.0.0%123
}
This can be rewritten to remove the virtual-address object, and replace the virtual server destination with the address (0.0.0.0 or 'any'):
ltm virtual allzeros-rd123 {
destination any%123:0
mask any
source 0.0.0.0%123
}
Fixed Versions:
17.1.2
955773-4 : Fw_lsn_pool_pba_stat: excessively high active_port_blocks stat for IPv4
Links to More Info: BT955773
Component: Advanced Firewall Manager
Symptoms:
TMM specific stats shows unrealistic values.
Conditions:
The respective TMMs have shortage of NAT PBAs.
Impact:
No functional impact. Only on stats reporting side impact.
Fixed Versions:
17.1.2, 15.1.10
954001-9 : REST File Upload hardening
Component: Device Management
Symptoms:
REST file upload does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
Only upload trusted files to the BIG-IP.
Fix:
REST file uploads now follow best security practices.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
950201-6 : Tmm core on GCP
Links to More Info: BT950201
Component: TMOS
Symptoms:
When BIG-IP Virtual Edition (VE) is running on Google Cloud Platform (GCP) with mergeable buffers enabled, tmm might core while passing traffic. Subsequently, the kernel locks up, which prevents the whole system from recovering.
TMM panic with this message in a tmm log file:
panic: ../dev/ndal/virtio/if_virtio.c:2038: Assertion "Valid num_buffers" failed.
Conditions:
-- VE running on GCP.
-- Mergeable buffers (mrg_rxbuf) is enabled on the guest with direct descriptors.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
You can use either of the following workarounds:
-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141
-- Request an Engineering Hotfix from F5, with mrg_rxbuf and lro turned off.
Note: Using either workaround has a performance impact.
Fix:
- Added error handling to prevent crashing when a bad packet gets received
- Added a new column 'invalid_header' into tmm/virtio_rx_stats table to track incidents
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
950153-4 : LDAP remote authentication fails when empty attribute is returned
Links to More Info: BT950153
Component: TMOS
Symptoms:
LDAP/AD Remote authentication fails and the authenticating service may crash.
The failure might be intermittent.
Conditions:
LDAP/AD server SearchResEntry includes attribute with empty or NULL value.
This can be seen in tcpdump of the LDAP communication in following ways
1. No Value for attribute . Example in tcpdump taken on affected user :
vals: 1 item
AttributeValue:
2. 1. NULL Value for attribute . Example in tcpdump taken on affected user :
vals: 1 item
AttributeValue: 00
Impact:
Logging in via the GUI will fail silently
Logging in via ssh will cause the sshd service on LTM to crash and logs will be seen under /var/log/kern.log
The logs will be similar to :
info kernel: : [460810.000004] sshd[31600]: segfault at 0 ip 00002b3abcb2ef3e sp 00007fffef3431a0 error 4 in pam_ldap.so[2b3abcb2c000+7000]
info kernel: : [460810.002036] traps: sshd[31598] general protection ip:fffffffffffffff3 sp:80000 error:0
Workaround:
There is no Workaround on the LTM side.
For LDAP, you change/add the value from none/NULL on the affected attribute to ANY dummy value which will prevent the issue
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
949857-9 : Updates and deletions to iControl REST API tokens for non-admin users (both remote and local) do not sync
948725-9 : An undisclosed iControl REST endpoint may provide a list of usernames to unauthorized users
943257-8 : REST framework support for IPv6 ConfigSync addresses
Links to More Info: BT943257
Component: Device Management
Symptoms:
In an HA sync environment, the REST framework reads the ConfigSync IP address retrieved through the tm/cm/device iCRD API. For an IPv6 address, the REST framework discards the related device certificate, which leads to the REST/gossip/sync failure.
Conditions:
Add support for IPv6 ConfigSync IP addresses in the REST framework in an HA sync environment.
Impact:
For an IPv6 address, the REST framework discards the related device certificate, which leads to the REST/gossip/sync failure.
Workaround:
None
Fix:
Valid device trust certificates are created with their name set to uniquely generated IPv4 address from the given IPv6 address. This helps in establishing the trust between the hosts thereby eliminating the REST/Gossip-sync failures.
Fixed Versions:
17.1.1, 16.1.5
942617-6 : Heading or tailing white spaces of variable are not trimmed in configuration utility System Variable
Links to More Info: BT942617
Component: Application Security Manager
Symptoms:
Bot Defense does not accept the system variables with heading or tailing white space.
Conditions:
Create a system variable with heading or tailing white space in,
Security ›› Options : Application Security : Advanced Configuration : System Variables
Impact:
The HttpOnly cookie attribute is configured, but does not appear in TSCookie.
Workaround:
Create the system variables even with whitspaces through CLI, it omits the blank space from system variable name.
Fix:
Trim() to delete the whitspaces.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
942217-7 : Virtual server rejects connections even though the virtual status is 'available'
Links to More Info: BT942217
Component: TMOS
Symptoms:
With certain configurations, a virtual server keeps rejecting connections with reset cause 'VIP down' after 'trigger' events occur.
Conditions:
Required Configuration:
-- On the virtual server, the service-down-immediate-action is set to 'reset' or 'drop' and 'connection-limit' to be any (not 0).
-- The pool member has rate-limit enabled.
Required Conditions:
-- Monitor flap, or adding/removing monitor or set the connection limit to be zero or configuration change made with service-down-immediate-action.
-- At that time, one of the above events occur, the pool member's rate-limit is active.
Impact:
Virtual server keeps rejecting connections.
Workaround:
Delete one of the conditions.
Note: The affected virtual server may automatically recover upon the subsequent monitor flap, etc., if no rate-limit is activated at that time.
Fixed Versions:
17.1.2, 16.1.5
939757-7 : Deleting a virtual server might not trigger route injection update.
Links to More Info: BT939757
Component: TMOS
Symptoms:
When multiple virtual servers share the same virtual address, deleting a single virtual server might not trigger a route injection update.
Conditions:
-- Multiple virtual servers sharing the same destination address
-- One of the virtual servers is deleted
Impact:
The route remains in the routing table.
Workaround:
Disable and re-enable the virtual address after deleting a virtual server.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
939097-7 : Error messages related to long request allocation appear in the bd.log incase of big chunked requests
Links to More Info: BT939097
Component: Application Security Manager
Symptoms:
bd.log shows error messages
Conditions:
Big chunked requests are sent
Impact:
Unexpected error messages seen in the bd.log
Workaround:
None
Fix:
The error messages related to long request allocation are no longer appearing.
Fixed Versions:
17.1.1, 16.1.5
936093-7 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline
Links to More Info: BT936093
Component: TMOS
Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.
Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.
Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.
Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:
/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr
This can be accomplished using a command such as:
truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
929429-10 : Oracle/SQL database monitor uses excessive CPU when Platform FIPS is licensed
Links to More Info: BT929429
Component: Local Traffic Manager
Symptoms:
Whenever you create Oracle or SQL (mssql, mysql or postgresql) database monitors, and add a member to the monitor, every time the OpenSSL libraries are loaded for a new connection, high CPU usage occurs.
Conditions:
-- Create an Oracle or SQL database LTM monitor.
-- Add a pool member to the Oracle or SQL database monitor created.
-- Platform FIPS is licensed.
Impact:
High CPU Usage due to the loading of libraries whenever new connection is created.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
929133 : TMM continually restarts with errors 'invalid index from net device' and 'device_init failed'
Links to More Info: BT929133
Component: TMOS
Symptoms:
VLANs with a name that that start with "eth" will cause tmm to fail and restart.
Conditions:
Vlan name that starts with "eth"
Impact:
Since tmm fails to start, the BIG-IP cannot serve traffic.
Workaround:
Rename all vlans that start with "eth"
Fixed Versions:
17.1.2
928997-5 : Less XML memory allocated during ASM startup
Links to More Info: BT928997
Component: Application Security Manager
Symptoms:
Smaller total_xml_memory is selected during ASM startup.
For example, platforms with 32GiB or more RAM should give ASM 1GiB of XML memory, but it gives 450MiB only. Platform with 16MiB should give ASM 450MiB but it gives 300MiB.
Conditions:
Platforms with 16GiB, 32GiB, or more RAM
Impact:
Less XML memory allocated
Workaround:
Use this ASM internal parameter to increase XML memory size.
additional_xml_memory_in_mb
For more details, refer to the https://support.f5.com/csp/article/K10803 article.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
928653-2 : [tmsh]:list security nat policy rules showing automap though the value set is None
Links to More Info: BT928653
Component: Advanced Firewall Manager
Symptoms:
The tmsh command 'tmsh list security nat policy rules' shows automap even though the value is set to None
Conditions:
1. AFM provisioned
2. NAT rules configured
Impact:
The tmsh commands 'tmsh save sys config; and 'tmsh load sys config' modify the None value to automap on the NAT policy rules.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
928089-1 : BIG-IP Oracle health monitor fails for Oracle DB version 12.2 or higher
Links to More Info: K40226145
Component: Local Traffic Manager
Symptoms:
The BIG-IP Oracle health monitor marks pool members down.
As a result, you may observe an error message similar to the following example in the /var/log/DBDaemon-0.log file:
java.sql.SQLException: ORA-28040: No matching authentication protocol
This occurs because the existing JDBC library ojdbc6.jar on the BIG-IP system used for Oracle database monitoring is not compatible with Oracle database version 12.2 or later. According to Oracle's documentation, Oracle database version 12.2 or later requires ojdbc8.jar.
For more information, refer to the "Oracle JDBC FAQ" document at:
https://www.oracle.com/database/technologies/faq-jdbc.html
Conditions:
-- You have Oracle monitor configured
-- You have Oracle database running version 12.2 or later configured as your pool member.
Impact:
You are unable to use the BIG-IP provided Oracle monitor to monitor the health of Oracle database server pool members.
Workaround:
F5 recommends that you use an alternative health monitor such as the TCP health monitor to continue monitoring your Oracle database pool members.
Depending on your application environment, you may want to consider removing the profile parameter SQLNET.ALLOWED_LOGON_VERSION = 12 from the affected Oracle database pool member to allow legacy Oracle clients to connect to the Oracle database.
SQLNET.ALLOWED_LOGON_VERSION is deprecated since 18c and replaced with the SQLNET.ALLOWED_LOGON_VERSION_SERVER
To allow legacy Oracle clients to be connected to Oracle database on DB Server with version 18c and higher, add following line to sqlnet.ora
SQLNET.ALLOWED_LOGON_VERSION_SERVER=11
and restart a service:
lsnrctl stop && lsnrctl start
Important: However doing so would expose the Oracle database to a potential security vulnerability.
This vulnerability is called Stealth Password Cracking Vulnerability. This vulnerability affects Oracle 10g/11g clients including 11.2.0.3. That is why the client version needs to be 11.2.0.4 or higher. Please see the following bulletin from NIST’s national vulnerability database. https://nvd.nist.gov/vuln/detail/CVE-2012-3137
For more information, refer to the "Check for the SQLNET.ALLOWED_LOGON_VERSION Parameter Behavior" document at:
https://docs.oracle.com/en/database/oracle/oracle-database/18/spmsu/check-for-sqlnet-allowed-logon-version-parameter-behavior.html
Fixed Versions:
17.1.2
927633-5 : Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic
Links to More Info: BT927633
Component: Local Traffic Manager
Symptoms:
Log messages written to /var/log/ltm:
-- notice tmm2[30394]: 01010259:5: External Datagroup (/Common/dg1) queued for update.
and to /var/log/tmmX:
-- notice panic: ../kern/sys.c:1081: Assertion "entry != NULL" failed.
Conditions:
-- Create datagroups.
-- Some condition causes a datagroup to not be present (e.g., delete, rename operations, or another, internal operation).
-- Load the config.
Impact:
Internal mapping of external datagroup fails. Datagroup creation fails.
Workaround:
None.
Fixed Versions:
17.1.2, 16.1.5
926721-1 : Postgresql monitors do not support scram-sha-256 authentication
Component: Local Traffic Manager
Symptoms:
If a Postgresql server is configured to use the SCRAM-SHA-256 authentication method and configured as an LTM or GTM pool member, an LTM or GTM postgresql monitor will mark the pool member DOWN.
Conditions:
-- Postgresql server is configured to use the SCRAM-SHA-256 authentication method
-- Postgresql server is configured as an LTM or GTM pool member
-- The pool/member is configured to use an LTM or GTM postgresql monitor
Impact:
You will be unable to use a postgresql monitor to monitor the health of the Postgresql server
Workaround:
To work around this issue, configure the Postgresql server to use MD5 authentication.
Fixed Versions:
17.1.2
923821-5 : Captcha is not shown after successful CSI challenge when configured action is CSI followed by captcha in case of credential stuffing attack
Links to More Info: BT923821
Component: Application Security Manager
Symptoms:
When mitigated action is set to CSI followed by captcha for credential stuffing attack, captcha is not triggered even after successful CSI challenge.
Conditions:
1) Mitigated action is set to CSI followed by captcha for credential stuffing attack.
2) Credential stuffing attack occurs.
3) CSI challenge is success.
Impact:
Captcha is not triggered leading to less than configured mitigation action for credential stuffing attack.
Workaround:
None
Fix:
Captcha will now be triggered after successful CSI challenge.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
921541-7 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.
Links to More Info: BT921541
Component: Local Traffic Manager
Symptoms:
The HTTP session initiated by curl hangs.
Conditions:
-- The problem occurs when the file to be compressed meets the following criteria:
-- The following platforms with Intel QAT are affected:
+ B4450N (A114)
+ i4000 (C115)
+ i10000 (C116/C127)
+ i7000 (C118)
+ i5000 (C119)
+ i11000 (C123)
+ i11000 (C124)
+ i15000 (D116)
-- File size to be compressed is less than compression.qat.dispatchsize.
-- File size to be compressed is one of specific numbers from this list: 65535, 32768, 16384, 8192, 4096.
Impact:
Connection hangs, times out, and resets.
Workaround:
Use software compression.
Fix:
The HTTP session hang no longer occurs.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
915221-7 : DoS unconditionally logs MCP messages to /var/tmp/mcpd.out
Links to More Info: BT915221
Component: Advanced Firewall Manager
Symptoms:
Excessive and large DoS debug messages associated with tmsh commands and stat queries are logged to /var/tmp/mcpd.out which is not log-rotated.
Conditions:
-- AFM is provisioned.
-- DoS queries executed via tmsh.
-- Access to DoS dashboard.
Impact:
Disk space is consumed on the filesystem for /var/tmp, which can eventually lead to follow-on failures when the disk fills up.
Workaround:
Delete or purge /var/tmp/mcpd.out.
Fixed Versions:
17.1.2, 16.1.5
908005-6 : Limit on log framework configuration size
Links to More Info: BT908005
Component: TMOS
Symptoms:
While the system config is loading, numerous error messages can be seen:
-- err errdefsd[26475]: 01940010:3: errdefs: failed to add splunk destination.
-- err errdefsd[585]: 01940015:3: errdefs: failure publishing errdefs configuration.
Conditions:
This can occur during a log-config update/load that has numerous log-config objects configured.
Impact:
The system does not log as expected.
Workaround:
None. An Engineering Hotfix is available and can be requested through F5 Support.
Fixed Versions:
17.1.2
906273-4 : MCPD crashes receiving a message from bcm56xxd
Links to More Info: BT906273
Component: TMOS
Symptoms:
Under rare circumstances, the Broadcom switch daemon bcm56xxd, can send more then one message at a time to MCPD.
This can cause MCPD to either fail immediately or have it hang and be terminated by sod 5 minutes later.
One of the messages being sent is in response to a link status change. The second message is a reply to a query, for instance a query for l2 forward statistics.
Conditions:
- BIG-IP with a Broadcom switch.
- Link status change is available.
- MCPD sends a query to bcm56xxd, that is, for l2 forward statistics.
Impact:
MCPD failure and restarts causing a failover.
Workaround:
None
Fix:
The Broadcom switch daemon bcm56xxd will not send more then one message to MCPD at a time.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
904661 : Mellanox NIC speeds may be reported incorrectly on Virtual Edition
Links to More Info: BT904661
Component: TMOS
Symptoms:
Speeds for Mellanox NICs on BIG-IP Virtual Edition may be reported incorrectly. The behavior varies depending on what driver is in use:
- Speeds are always reported as 10G when the mlxvf5 driver is used, regardless of the actual speed of the interface.
- Speeds are reported as either 10G or 40G when the xnet driver is used. This is accurate unless the actual NIC speed is greater than 40G, in which is it will still be reported as 40G.
Conditions:
-- BIG-IP Virtual Edition
-- Using a Mellanox NIC with the mlxvf5 or xnet driver
Impact:
Possibly incorrect media speed reported. (Actual speed is correct, regardless of what is displayed.)
Fixed Versions:
17.1.2, 17.1.0, 16.1.4
903501-1 : VPN Tunnel establishment fails with some ipv6 address
Links to More Info: BT903501
Component: Access Policy Manager
Symptoms:
VPN Tunnel establishment fails with some ipv6 address
Conditions:
- APM is provisioned.
- Network Access with IPv6 virtual server is configured.
Impact:
VPN Tunnel cannot be established.
Workaround:
1. Disable the DB variable isession.ctrl.apm:
tmsh modify sys db isession.ctrl.apm value disable
2. Perform 'Apply Access Policy' for the access policy attached to the virtual server.
Important: The iSession control channel is needed if optimized apps are configured, so use this workaround only when 'No optimized apps are configured' is set (available in the GUI by navigating to Access :: Connectivity / VPN : Network Access (VPN) : Network Access Lists :: {NA resources} :: 'Optimization' tab).
Fixed Versions:
17.1.2
890169-6 : URLs starting with double slashes might not be loaded when using a Bot Defense Profile.
Links to More Info: BT890169
Component: Application Security Manager
Symptoms:
When a URL starts with double slashes (i.e. "http://HOST//path"), and Bot Defense Profile decides to perform simple redirect, the request results with loading failure.
Conditions:
-- Bot Defense profile on blocking mode (or "Verification and Device-ID Challenges in Transparent Mode" is enabled) is attached to a virtual server.
-- A request is sent to a URL starting with double slash, to a non-qualified URL, during the profile's grace period.
Impact:
Request is not loaded (failure message is seen on browser), and the browser may be identified as a suspicious browser by Bot Defense.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
890037-2 : Rare BD process core
Links to More Info: BT890037
Component: Application Security Manager
Symptoms:
The BD process crashes leaving a core dump. ASM restarts happening failover.
Conditions:
Traffic load to some extent, but beside that we do not know the conditions leading to this.
Impact:
Failover, traffic disturbance.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
878641-7 : TLS1.3 certificate request message does not contain CAs
Links to More Info: BT878641
Component: Local Traffic Manager
Symptoms:
TLS1.3 certificate request message does not include CAs
https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.4
Conditions:
TLS1.3 and client authentication
Impact:
The Advertised Certificate Authorities option on Client SSL profiles does not function when TLS 1.3 is selected
Fix:
Certificate request message now may contain CAs
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
876569-6 : QAT compression codec produces gzip stream with CRC error
Links to More Info: BT876569
Component: Local Traffic Manager
Symptoms:
When an HTTP compression profile is enabled on BIG-IP platforms with Intel QuickAssist Technology (Intel QAT) compression accelerators, gzip errors are produced.
Conditions:
This occurs when the following conditions are met:
-- The following platforms with Intel QAT are affected:
+ 4450 blades
+ i4600/i4800
+ i10600/i10800
+ i7600/i7800
+ i5600/i5800
+ i11600/i11800
+ i11400/i11600/i11800
+ i15600/i15800
-- The compression.qat.dispatchsize variable is set to any of the following values:
+ 65535
+ 32768
+ 16384
+ 8192
-- The size of the file being compressed is a multiple of the compression.qat.dispatchsize value, for exampld:
+ 65355*32768
+ 8192*32768
Impact:
Clients cannot decompress the compressed file because there is an invalid gzip footer.
Workaround:
Disable hardware compression and use software compression.
Fix:
The system now handles gzip errors seen with QAT compression.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
874877-5 : The bigd monitor reports misleading error messages
Links to More Info: BT874877
Component: Local Traffic Manager
Symptoms:
When a recv string is used with an HTTP/HTTP2/HTTPS/TCP monitor, the HTTP status code is collected and in the event of failure, the most recent value (from before the failure) is retrieved and used as part of the log output. This can result in a message that is misleading.
Conditions:
- The BIG-IP system configured to monitor an HTTP/HTTP2 server.
- The BIG-IP system configured to monitor an HTTPS/TCP monitor.
Impact:
Generates a misleading log messages, difficulty in identifying the actual cause of the monitor failure.
This occurs because the system stores the 'last error' string for these monitors. This can be misleading, especially when a receive string is used. Following is an example:
-- A BIG-IP system is monitoring an HTTP server that is returning proper data (i.e., matching the receive string).
-- The HTTP server goes down. Now the BIG-IP system will have a last error string of 'No successful responses received before deadline' or 'Unable to connect'.
-- The HTTP server goes back up and works for a while.
-- For some reason, the HTTP server's responses no longer match the receive string.
In this case, a message is logged on the BIG-IP system:
notice mcpd[6060]: 01070638:5: Pool /Common/http member /Common/n.n.n.n:n monitor status down. [ /Common/my_http_monitor: down; last error: /Common/my_http_monitor: Unable to connect @2020/01/09 04:18:20. ] [ was up for 4hr:18mins:46sec ]
The 'Unable to connect' last error reason is not correct: the BIG-IP system can connect to the HTTP server and gets responses back, but they do not match the received string.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.2, 16.1.5
852613-5 : Connection Mirroring and ASM Policy not supported on the same virtual server
Links to More Info: BT852613
Component: Application Security Manager
Symptoms:
Connection Mirroring used together with ASM is not supported by the BIG-IP system, and a config validation prevents associating an ASM Policy with a virtual server that is configured with Connection Mirroring.
Conditions:
Virtual Server is attempted to be configured with Connection Mirroring and ASM Policy together.
Impact:
Connection Mirroring and ASM Policy cannot be configured on the same virtual server.
Workaround:
None.
Fix:
Connection Mirroring and ASM Policy can now be configured on the same virtual server. Only a subset of ASM features are supported. Please refer to the documentation for support and limitations when using Connection Mirroring with ASM.
Fixed Versions:
17.1.2, 16.1.5, 14.1.2.7
851121-8 : Database monitor DBDaemon debug logging not enabled consistently
Links to More Info: BT851121
Component: Local Traffic Manager
Symptoms:
Debug logging in the database monitor daemon (DBDaemon) for database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle) is enabled on a per-monitor basis.
When a ping is initiated for a particular monitor with debug logging enabled in the monitor configuration, debug logging in DBDaemon is enabled.
When a ping is initiated for a particular monitor with debug logging disabled in the monitor configuration, debug logging in DBDaemon is disabled.
When monitoring database pool members with a mix of monitors with debug logging enabled versus disabled, the result can be that debug logging in DBDaemon is enabled and disabled at times which do not correspond to all actions related to a specific database monitor, or pool members monitored by that monitor.
In addition, debug messages logging internal DBDaemon state related to the management of the full collection of monitored objects, active threads, and other may not be logged consistently.
Conditions:
-- Using multiple database health monitors (Microsoft SQL, MySQL, PostgreSQL, Oracle).
-- Enabling debug logging on one or more database health monitors, but not all.
Debug logging for database health monitors is enabled by configuring the "debug" property of the monitor with a value of "yes".
Debug logging is disabled by configuring the "debug" property with a value of "no" (default).
# tmsh list ltm monitor mysql mysql_example debug
ltm monitor mysql mysql_example {
debug yes
}
Impact:
Logging of database monitor activities by DBDaemon may be inconsistent and incomplete, impeding efforts to diagnose issues related to database health monitors.
Workaround:
When attempting to diagnose database health monitor issues with DBDaemon debug logging, enable debug logging for ALL database monitors currently in use.
Once diagnostic data collection is completed, disable debug logging for all database monitors currently configured/in use.
Fix:
DBDaemon debug logging can now be enabled globally to facilitate diagnosing database health monitor issues.
DBDaemon debug logging can be enabled globally by creating the following touch file:
-- /var/run/DBDaemon.debug
DBDaemon global debug logging can be disabled by removing or unlinking the above touch file.
Creating or removing the above touch file has immediate effect.
This mechanism enables/disables DBDaemon debug logging globally for all instances of DBDaemon which may be running under different route domains.
In addition, when debug logging is enabled for a specific database monitor (Microsoft SQL, MySQL, PostgreSQL, Oracle), DBDaemon accurately logs all events for that monitor. The per-monitor debug logging is enabled independent of the global DBDaemon debug logging status.
The timestamps in DBDaemon logs (/var/log/DBDaemon-*.log*) are now written using the local timezone configured for the BIG-IP system.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
850141-5 : Possible tmm core when using Dosl7/Bot Defense profile
Links to More Info: BT850141
Component: Application Security Manager
Symptoms:
Tmm crashes.
Conditions:
-- Dosl7/Bot defense profile is attached to a virtual server
-- A request is sent with a trusted bot signature and requires a rDNS.
-- An asynchronous iRule is attached to the virtual server
OR:
-- Device ID feature is enabled, and the current request requires a complex Device ID generation.
-- The connection is closed before the response arrives.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
844597-7 : AVR analytics is reporting null domain name for a dns query
Links to More Info: BT844597
Component: Advanced Firewall Manager
Symptoms:
AVR analytics is reporting null domain name for a DNS query if DNS DoS profile is attached to a virtual server, but the profile does not have the matching type vector enabled to the query type.
Conditions:
-- DNS DoS profile is attached to a virtual server.
-- The query type in the DNS query does not match an enabled DNS vector on the DNS profile.
Impact:
DNS domain name is reported as NULL
Workaround:
Enable the matching type vector on the DNS DoS profile.
Fix:
The domain name is now reported correctly under these conditions.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
842425-7 : Mirrored connections on standby are never removed in certain configurations
Links to More Info: BT842425
Component: Local Traffic Manager
Symptoms:
When the conditions are met, if the interface of the connection on the active system changes, the peer does not get notified of this, and that connection persists on the standby system even after the connection on the active system has been destroyed.
Conditions:
-- Using mirrored connections in a DSC.
-- Not using auto-lasthop with mirrored connections.
-- VLAN-keyed connections are enabled.
Impact:
Leaking connections on the standby system.
Workaround:
You can use either of the following workarounds:
-- Use auto-lasthop with mirrored connections.
-- Depending on the BIG-IP system's configuration, disabling VLAN-keyed connections may resolve this.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
838405-5 : Listener traffic-group may not be updated when spanning is in use
Links to More Info: BT838405
Component: TMOS
Symptoms:
BIG-IP may fail to update configuration of a virtual server when disabling or enabling spanning on the virtual address.
Conditions:
Spanning is disabled or enabled on a virtual address.
Impact:
Disabling or enabling spanning on a virtual address has no effect on the virtual-server configuration.
Depending on the configuration, virtual server may or may not forward the traffic when expected.
Workaround:
Enable/Disable spanning together with changing a traffic-group (both options have to be changed simultaneously):
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-2 spanning disabled
> modify ltm virtual-address 0.0.0.0 traffic-group traffic-group-1 spanning enabled
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
831737-5 : Memory Leak when using Ping Access profile
Links to More Info: BT831737
Component: Access Policy Manager
Symptoms:
The memory usage by pingaccess keeps going up when sending request with expired session cookie to a virtual server with PingAccess Profile.
Conditions:
1. BIG-IP virtual server that contains PingAccess Profile.
2. Request sent with expired session cookie.
Impact:
Memory leak occurs in which ping access memory usage increases.
Fix:
Fixed a memory link with the Ping Access profile.
Fixed Versions:
17.1.1, 16.1.5, 15.1.6.1
804529-4 : REST API to /mgmt/tm/ltm/pool/members/stats/<specific pool> will fail for some pools
Links to More Info: BT804529
Component: TMOS
Symptoms:
The GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats for a specific pool may fail with Error 404.
Conditions:
Pools that start with the letter 'm'. This is because those endpoints contain objects with incorrect selflinks.
For example:
- Query to the below pool that starts with the letter 'm' will work as it contains the right selflink.
- Pool: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats"
- selfLink: "https://localhost/mgmt/tm/ltm/pool/~Common~m/stats?ver=x.x.x.x"
- Query to the below pool that does not start with the letter 'm' may not work as it contains the wrong selflink.
- Pool: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats"
- selfLink: "https://localhost/mgmt/tm/ltm/pool/members/~Common~a/stats?ver=x.x.x.x"
In the above example, the word 'members' is displayed in selflink.
Impact:
Errors are observed with GET requests to REST endpoint /mgmt/tm/ltm/pool/members/stats.
Workaround:
The following workarounds are available:
1. Use /mgmt/tm/ltm/pool/members/stats without a specific pool, which does return the pool member stats for every pool.
2. For each pool member in /mgmt/tm/ltm/pool, issue a GET for:
/mgmt/tm/ltm/pool/<pool>/members/<member>/stats
Fix:
The REST endpoint /mgmt/tm/ltm/pool/members/stats/<specific pool> will have the working endpoints returned.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
793217-6 : HW DoS on BIG-IP i2800/i4800 might have up to 10% inaccuracy in mitigation
Links to More Info: BT793217
Component: Advanced Firewall Manager
Symptoms:
Depending on traffic patterns, when HW DoS on BIG-IP i2800/i4800 is configured, HW DoS might mitigate up to 10% more aggressively. If the rate-limit configured is 1000pps, the device might allow only 900pps.
Conditions:
-- HW DoS on BIG-IP i2800/i4800 platforms.
-- Attack pattern is distributed evenly on all tmm threads.
Impact:
HW DoS mitigates more aggressively, which might result in seeing fewer packets than what is configured.
Workaround:
Configure the rate-limit to be 10% more than what is desired.
Fix:
HW DoS now shows mitigation more accurately.
Fixed Versions:
17.1.1
776117-6 : BIG-IP Virtual Edition virtio driver incompatible with Q35 machine type
Links to More Info: BT776117
Component: TMOS
Symptoms:
The BIG-IP Virtual Edition's virtio driver is incompatible with the Q35 machine type.
Conditions:
-- BIG-IP Virtual Edition with the virtio driver.
-- Setting the machine type to Q35 on the hypervisor.
Impact:
The BIG-IP will not use the virtio driver, using the sock (or unic, in versions prior to 14.1.0) driver instead.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
760982-4 : An NLRI with a default route information is not propagated on 'clear ip bgp <neighbor router-id> soft out' command in some scenarios
Links to More Info: BT760982
Component: TMOS
Symptoms:
Soft out reset does not work for the default route.
Conditions:
-- BGP enabled
-- A route configuration change is made and 'clear ip bgp <IP-addr> soft in/out' is executed
Impact:
A default-route is not propagated in Network Layer Reachability Information (NLRI) by 'soft out' request.
Workaround:
None
Fix:
The 'clear ip bgp <IP-addr> soft in/out' command now sends all the known routes.
Fixed Versions:
17.1.2
760355-6 : Firewall rule to block ICMP/DHCP from 'required' to 'default'★
Links to More Info: BT760355
Component: Advanced Firewall Manager
Symptoms:
If a firewall is configured on the management port with an ICMP rule, after upgrading to v14.1.x or later, the ICMP rule does not work.
Conditions:
- Firewall is configured on the management port.
- Firewall is configured with an ICMP rule to block.
- Firewall is configured with an ICMP rule to allow.
Impact:
ICMP packets cannot be blocked with a firewall rule to drop on the management port. ICMP packets are allowed from the management port and will not increase the counter even if explicitly allowed by a rule.
Workaround:
Run the following commands after upgrading to v14.1.x or later from earlier versions.
# /sbin/iptables -N id760355
# /sbin/iptables -I INPUT 1 -j id760355
# /sbin/iptables -A id760355 -i mgmt -p icmp --icmp-type 8 -s 172.28.4.32 -j DROP
Fix:
ICMP firewall rule has been moved from the f5-required to f5-default.
Fixed Versions:
17.1.2, 16.1.4, 15.1.9, 15.0.1.1, 14.1.2.1
756830-7 : BIG-IP may fail source translation for connections when connection mirroring is enabled on a virtual server that also has source port set to 'preserve strict'
Links to More Info: BT756830
Component: TMOS
Symptoms:
The BIG-IP system may fail source translation for connections matching a virtual server that has connection mirroring enabled and source port selection set to 'preserve strict'.
Conditions:
Connections match a virtual server that has following settings:
- Connection mirroring is enabled.
- Source Port set to 'Preserve Strict'.
In addition, CMP hash selection (DAG mode) on the corresponding VLANs is set to 'Default DAG'.
Impact:
Source translation may fail on BIG-IP system, leading to client connection failures.
Workaround:
You can try either of the following:
-- Do not use the Source Port setting of 'Preserve Strict'.
-- Disable connection mirroring on the virtual server.
Fixed Versions:
17.1.2, 15.1.9
738716-2 : Add support for "Restart Desktop" setting in View clients, native as well as HTML5 clients
Links to More Info: BT738716
Component: Access Policy Manager
Symptoms:
When VMware resources are accessed through APM VMware VDI, the "Restart Desktop" setting is not seen on enumerated for Desktop resource. The same issue is observed with HTML5 clients.
Conditions:
- VMware Native or HTML5 client is used
- APM VMware VDI is used
- Desktop resources should be enumerated
- Right click on resource
Impact:
Unable to restart desktop from native and HTML5 clients.
Workaround:
None
Fix:
Restart desktop is successful and it works as expected.
Fixed Versions:
17.1.1, 16.1.5
737692-7 : Handle x520 PF DOWN/UP sequence automatically by VE
Links to More Info: BT737692
Component: TMOS
Symptoms:
When BIG-IP VE is running on a host, there is the host interface's Physical Function (PF, i.e. the actual interface on the host device), and Virtual Function (VF, a virtual PCI device that the BIG-IP VE can use). If an x520 device's PF is marked down and then up, tmm does not recover traffic on that interface.
Conditions:
-- VE is using a VF from a PF.
-- The PF is set down and then up.
Impact:
VE does not process any traffic on that VF.
Workaround:
Reboot VE.
Fix:
Tmm now restarts automatically when the PF comes back up after going down.
Behavior Change:
Tmm now restarts automatically when the PF comes back up after going down.
Fixed Versions:
17.1.1, 16.1.5, 15.1.3.1
723109-4 : FIPS HSM: SO login failing when trying to update firmware
Links to More Info: BT723109
Component: TMOS
Symptoms:
After FIPS device initialization when trying to update the FIPS firmware. It may fail on SO login.
Conditions:
When trying to update FIPS firmware.
Impact:
This will not be able to upgrade the FIPS firmware.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
722657-4 : Mcpd and bigd monitor states are intermittently out-of-sync
Links to More Info: BT722657
Component: Local Traffic Manager
Symptoms:
Bigd only informs mcpd of the state of a node on a state change. If the pool member status happens to be incorrect, this can cause the following symptoms.
-- Pool member status may be incorrect for a long time
-- Traffic may be directed to a pool member that is actually down.
Conditions:
-- Monitor is attached to pool member and bigd does not inform the state change event for a long time in certain corner cases.
-- No periodic events from bigd to mcpd.
Impact:
-- False monitor status in UI/CLI.
-- Large number of RST connections as traffic is directed to a pool member that is actually DOWN
Workaround:
None
Fix:
Added new db variable, bigd.stateupdateinterval, to create additional messages that correct the pool member status in certain conditions.
Behavior Change:
The bigd daemon can now create additional messages to inform mcpd of the status change for a monitored node or pool member, in case the message indicating the initial status change is not received or processed successfully by mcpd.
This feature for a BIG-IP system by configuring the following sys db variable to a non-zero value:
sys db bigd.stateupdateinterval {
default-value "0"
scf-config "true"
value "0"
value-range "integer min:0 max:600"
}
This value represents the number of seconds after an initial status change that bigd will wait before beginning to send additional status-change messages to mcpd.
The first such additional message will be sent approximately the configured number of seconds after the initial message triggered by the monitored object's initial status change.
Subsequent such messages will be sent at intervals approximately equal to two (2) times and four (4) the initial delay.
This sequence of messages restarts after each change in the monitored object's status detected by bigd as a result of monitor pings.
Since the processing of such messages triggers a modest amount of additional processing by mcpd, this value can be tuned for the desired balance between quick response and recovery from such conditions, and acceptable mcpd processing overhead.
Fixed Versions:
17.1.2
715748-4 : BWC: Flow fairness not in acceptable limits
Links to More Info: BT715748
Component: TMOS
Symptoms:
Flow fairness for BWC dynamic policy instance has reduced.
Conditions:
The flow fairness is up to 50%. It is expected to be within 25%.
Impact:
Flow fairness of BWC dynamic policy across sessions is not as expected.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
693473-3 : The iRulesLX RPC completion can cause invalid or premature TCL rule resumption
Links to More Info: BT693473
Component: Local Traffic Manager
Symptoms:
RPC completion will attempt to resume the RPC iRule execution when there is subsequent iRule activity on the flow - CLIENT/SERVER_CLOSED, for instance, which keeps the flow alive and blocks in an iRule event.
Conditions:
Blocking the iRule event When an RPC call is outstanding and the flow is aborted.
Impact:
It will cause the iRule event blocking when RPC call is outstanding and the flow is aborted
Workaround:
None
Fix:
Cancel ILX RPC TCL resumption if iRule event is aborted before resumption (reply or timeout) occurs.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
504374-3 : Cannot search Citrix Applications inside folders
Links to More Info: BT504374
Component: Access Policy Manager
Symptoms:
Search in webtop will not consider Citrix applications inside folders while searching.
Conditions:
Citrix applications available inside folder
Impact:
Unable to search Citrix applications inside folders.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
427094-3 : Accept-language is not respected if there is no session context for page requested.
Links to More Info: BT427094
Component: Access Policy Manager
Symptoms:
Localization settings are determined when the session is created.
As a result, when the user logs out, there is user context left for APM to determine what language to present to the user.
So, when user is using the localized logon page, after the refresh it turns to the default language.
Conditions:
After configuring the preferred language, When refreshing login page twice, language is changed to default Eng.
Impact:
APM page doesn't load the preferred language after refreshing twice.
Workaround:
N/A
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1711025 : Added an option to prevent import of private keys into onboard FIPS HSM
Component: Local Traffic Manager
Symptoms:
By default, keys can be created or imported into the onboard FIPS HSM.
Conditions:
Create or import private keys into the onboard FIPS HSM.
Impact:
Private keys can be created and imported into the FIPS card.
Workaround:
None
Fix:
Added an option "-k ... Disable PEM key import during INIT." to fipsutil to prevent the import of keys into the HSM. This option is to be provided as input to fipsutil when initializing the partition in the tenant. Once initialized with this option, key import restriction applies until the partition is re-initialized. This cannot be modified while the partition is in use.
Fixed Versions:
17.1.2
1691449 : TMM core dump during FIPS HSM operations which involve restart of services
Component: Access Policy Manager
Symptoms:
You may see a TMM core dump from one out of twenty services using "tmsh start sys service all"
Conditions:
Running "tmsh start sys service all" command on a FIPS-supported device.
Impact:
TMM core generated while other services are starting.
Workaround:
None
Fix:
While services come up tmm should not core.
Fixed Versions:
17.1.2
1689781-1 : TMUI hardening
Component: TMOS
Symptoms:
In certain scenarios, TMUI does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
No work around
Fix:
Best security practices are now applied.
Fixed Versions:
17.1.2
1678649-4 : Radius client configuration option for CVE-2024-3596
Links to More Info: K000141008
1634801 : [APM] [SSO] Cleaning the config snapshot when pcb->cfg is set in v17.1.x
Component: Access Policy Manager
Symptoms:
Running tmctl memory_usage_stat | sort -n -k2 -r | grep sso_saml indicates a huge amount of memory is consumed.
Conditions:
SAML SSO configured.
Impact:
Memory leaks. Traffic disrupted while restarting the services
Workaround:
None
Fix:
Addressed the leak with added function to make sure the current pcb->cfg is released.
Fixed Versions:
17.1.2
1632397 : BIG-IP as SP, SLO request does not include SessionIndex
Links to More Info: BT1632397
Component: Access Policy Manager
Symptoms:
SLO request does not include SessionIndex
Conditions:
-- The BIG-IP system is running version 17.1.x
-- A virtual server is configured as SAML SP/IDP
Impact:
Prevents SLO from logging out the session on some external IdP
Workaround:
None
Fixed Versions:
17.1.2
1628329-1 : The SSRF - FQDN segment with digits only is considered invalid by mistake
Component: Application Security Manager
Symptoms:
The hostname validation incorrectly requires a letter in each segment of FQDN (it could not be comprised of only digits). However, FQDNs may contain any combination of letters, digits, and hyphens in each segment.
Conditions:
- Illegal parameter data type enabled
- Add parameter as 'uri' data-type
- Send a request configured with uri data-type parameter as a value, such as "abc.123.co.in.us:80" with segments containing only digits.
Impact:
The request is blocked due to an “Illegal parameter data type” violation.
Workaround:
None
Fix:
The request passes with no violations.
Fixed Versions:
17.1.2
1628065-2 : TMM crash upon replacing L7 DOS policy
Links to More Info: BT1628065
Component: Anomaly Detection Services
Symptoms:
TMM crashes.
Conditions:
- ADOS L7 configured
- Replacing DOS policy under traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
TMM does not crash upon replacing L7 DOS policy.
Fixed Versions:
17.1.2
1622789-1 : Traffic levels for NAT64/46 traffic might be different after an upgrade
Links to More Info: BT1622789
Component: TMOS
Symptoms:
Starting from version 16.X BIG-IP supports hardware acceleration of NAT64/46 traffic. Due to a software defect part of accelerated traffic might not be reported properly in connection statistics.
Conditions:
Nat64/46 virtual server with fastL4 PVA acceleration enabled.
Impact:
Part of accelerated traffic might not be reported properly in connection statistics.
Workaround:
None
Fixed Versions:
17.1.2
1622609-3 : Blast-RADIUS CVE-2024-3596
Links to More Info: K000141008
1622029-1 : Upgrade the bind package to fix security vulnerabilities
Links to More Info: K000140745
1622025-1 : Upgrade the bind package to fix security vulnerabilities
Links to More Info: K000140732
1621249-3 : CVE-2024-3596: Blast Radius
Links to More Info: K000141008
1620897-1 : Flow will abruptly get dropped if "PVA Offload Initial Priority" is set to High/Low★
Links to More Info: BT1620897
Component: Carrier-Grade NAT
Symptoms:
Flows are dropped.
This can affect FTP active data channels.
Conditions:
-- "PVA Offload Initial Priority" is set to High/Low
-- Upgrading from 15.1.x to 17.x
Impact:
Traffic is disrupted.
Workaround:
Enable the FTP data channel to inherit the TCP profile used by the control channel.
Fix:
Fix the problem, so that FTP ALG works without an issue
Fixed Versions:
17.1.2
1617229 : The tmsh ipsec ike command causes mcp memory leak
Links to More Info: BT1617229
Component: TMOS
Symptoms:
Memory leak occurs while using the tmsh show or delete command with ike-peer and traffic-selection name options.
Conditions:
Execute the tmsh show or delete command with ike-sa with name option.
Impact:
There is a memory leak.
Workaround:
Do not include a specific ike-peer name or traffic-selector name as part of tmsh show or delete ike-sa command.
Fixed Versions:
17.1.2
1617101-1 : Bd crash and generate core
Component: Application Security Manager
Symptoms:
Bd crashes
Conditions:
Unknown
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.1.2
1615861-1 : TMUI hardening
Component: TMOS
Symptoms:
In certain scenarios, TMUI does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
No work around
Fix:
Best security practices are now applied
Fixed Versions:
17.1.1.4, 16.1.5.1, 15.1.10.5
1615101 : BIG-IP AFM hardware DoS protection is incompatible when vCMP host or guest uses different versions
Links to More Info: BT1615101
Component: Advanced Firewall Manager
Symptoms:
The BIG-IP AFM hardware DoS protection is incompatible when the vCMP host or guest uses different versions (where one runs in BIG-IP 17.1.0 or later versions and the other runs in the version before BIG-IP 17.1.0).
Conditions:
- vCMP capable platform
- vCMP enabled
- DoS hardware offload enabled
- The software version of the guest is before BIG-IP 17.1.0, and the host version is BIG-IP 17.1.0 or later.
Or
- The software version of the host is before BIG-IP 17.1.0, and the guest version is BIG-IP 17.1.0 or later.
Impact:
The BIG-IP system drops packets that may be legitimate, thus reducing throughput and disrupting the existing services.
Because of this issue, one or more of the following symptoms may occur:
The throughput is lower than expected.
The BIG-IP system intermittently drops legitimate TCP connections.
Workaround:
While running the dissimilar BIG-IP versions, you can resolve this issue by disabling the hardware DoS protection on a vCMP guest using the TMSH modify /sys db dos.forceswdos value true command.
Fix:
Added support for setting the DoS version in the hardware register based on the guest software version, thereby addressing the DoS vectors incompatibility for the vCMP platform when the host version is BIG-IP 17.1.0 or later and the guest version is before BIG-IP 17.1.0.
Fixed Versions:
17.1.2
1613689-1 : Handling multiple requests can cause memory leak when handling Diameter requests
Component: Policy Enforcement Manager
Symptoms:
TMM memory spike up under certain conditions which causes memory leak.
Conditions:
A virtual server is equipped with a PEM profile, Gx Diameter endpoint, Policy configuration via Gx from PCRF.
Impact:
Due to this memory leak, the system can run out of memory.
Workaround:
N/A
Fix:
Memory leaks do not occur when handling large number of requests
Fixed Versions:
17.1.2
1612885-1 : [PORTAL] Handle error in get_frameElement()
Links to More Info: BT1612885
Component: Access Policy Manager
Symptoms:
You may see get_frameElement() related errors in Devtools Console:
cache-fm-Modern.js:1494 Uncaught TypeError: Cannot read properties of undefined (reading 'document')
Conditions:
Portal Access configured on APM
Impact:
Failure in loading application through Portal Access.
Workaround:
None
Fixed Versions:
17.1.2
1605125-1 : TMM might crash when AFM is used on the Virtual Edition of BIG-IP
Links to More Info: BT1605125
Component: Advanced Firewall Manager
Symptoms:
TMM might crash when AFM is used on the Virtual Edition of BIG-IP.
Conditions:
- BIG-IP virtual edition.
- AFM with DoS vectors is enabled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable the "tscookie" feature within the tcp-ack-ts vector.
This can be accomplished with the commands below:
tmsh modify security dos device-config dos-device-config dos-device-vector { tcp-ack-ts { tscookie disabled }}
Fix:
The software change has resolved the crash.
Fixed Versions:
17.1.2
1604377 : When feed list has multiple URLs with multiple subdomains then url cat-query is not working as expected
Links to More Info: BT1604377
Component: Traffic Classification Engine
Symptoms:
When the feed list has multiple URLs with various subdomains, as shown below:
google.com,16569
google.com/subdomain1,24630
google.com/subdomain1/subdomain2,24646
The URL google.com/subdomain1/subdomain2 is not being classified as expected
Conditions:
The feed list has to be created with multiple URLs with various subdomains similar to the below:
google.com,16569
google.com/subdomain1,24630
google.com/subdomain1/subdomain2,24646
Impact:
The URL might not get classified as expected
Workaround:
None
Fix:
With the fix changes the url will get classified as expected.
Fixed Versions:
17.1.2
1602697-1 : Full-proxy HTTP/2 may allow unconstrained buffering
Component: Local Traffic Manager
Symptoms:
tmm crashes and restarts due to memory pressure
Conditions:
When using HTTP2 Full proxy configuration, under certain conditions, tmm restarts.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
NA
Fix:
No unconstrained buffering is seen after the fix
Fixed Versions:
17.1.2
1602449 : Kerberos Auth failed (-1)
Links to More Info: BT1602449
Component: Access Policy Manager
Symptoms:
NTLM authentication starts failing all of a sudden.
Users keep getting an authentication window.
/var/log/apm shows logs such as:
err eca[22803]: 0162000e:3: Kerberos Auth failed (-1)
modules/Authentication/Kerberos/KerberosAuthAgent.cpp func: "KerberosAuthAgentexecuteInstance()" line: 446 Msg: EXCEPTION getObjectConfigData() failed
Running such command on the BIG-IP is showing a lot of results:
netstat -panoW | grep eca | grep CLOSE_WAIT
...
tcp 0 0 127.0.0.1:49096 127.0.0.1:10003 CLOSE_WAIT 14966/eca off (0.00/0/0)
tcp 0 0 127.0.0.1:35004 127.0.0.1:10003 CLOSE_WAIT 14966/eca off (0.00/0/0)
...
Conditions:
-- BIG-IP is running on version 17.1.x
-- NTLM authentication is configured
Impact:
Users cannot access resources protected by NTLM authentication
Workaround:
Run the following command to restart eca:
bigstart restart eca
Fix:
Handled the eca fd by closing them after use, i.e. after required communication with the apmd is done.
Fixed Versions:
17.1.2
1602033-1 : Delays in REST API Calls post upgrade to 17.1.1.x★
Links to More Info: BT1602033
Component: TMOS
Symptoms:
You encounter delays in REST API calls after upgrading to version 17.1.1.x. Async commands may time out and expired operation exceptions may occur.
Symptoms you may see
-- "Error 500 AsyncContext timeout" in restjavad.0.log
-- The system occasionally does not grant a REST API token
-- High CPU utilization by java
-- GUI timeout
-- Spurious 400 / 500 errors from iControl REST
Conditions:
The problem occurs after upgrading to version 17.1.1.x despite configuring timeout values to 300 for icrd and restjavad
Impact:
The delays in REST API calls and recurring timeout exceptions can disrupt normal operations, leading to degraded system performance and potential service disruptions. Users relying on the affected REST API endpoints may experience slower response times, leading to decreased productivity and efficiency.
Workaround:
Restarting restjavad mitigates the issue but the issue may occur again.
Fixed Versions:
17.1.2
1600665-1 : Editing user-defined attack signature with advanced mode rule may be disabled.
Links to More Info: BT1600665
Component: Application Security Manager
Symptoms:
Editing a user-defined signature with a rule defined in advanced mode (and which cannot be converted into simple mode) is not enabled, since the Update button remains disabled even when the rule is changed.
Conditions:
1. Create a user defined attack signature in Security ›› Options : Application Security : Attack Signatures : Attack Signatures List page, with advanced mode rule, which cannot be converted to simple mode: e.g. valuecontent:"%test2dsa%";
2. Save the signature and open it. In the opened window, change the rule. The Update button is still disabled.
Impact:
You are unable to save the edited rule.
Workaround:
Change another field, e.g. Signature type. then save (press Update button).
Open again and change back the other field previously modified, and save again.
Fix:
Advanced rule can be edited.
Fixed Versions:
17.1.2
1599213-7 : Deleting a signature takes more time
Component: Application Security Manager
Symptoms:
Deleting a signature is substantially longer than adding a signature.
Conditions:
Deleting a signature on a device with many policies and multiple user-defined Signature Sets.
Impact:
Deleting a signature takes more time than expected.
Workaround:
None
Fix:
The time for deleting a signature will not be substantially longer than the time for adding a signature.
Fixed Versions:
17.1.2
1598945-1 : Updating the firmware for a FIPS protected internal HSM due to SDK or driver upgrade
Links to More Info: BT1598945
Component: Local Traffic Manager
Symptoms:
This release upgraded the FIPS HSM SDK and Firmware version to 2.09.07.02.
Conditions:
This applies to all BIG-IP FIPS platforms, except for BIG-IP 5250F, 7200F, 10200F, 11000F, and 11050F.
Impact:
Without manual firmware upgrade, FIPS HSM may have a not recommended firmware version, which may lead to unpredictable behavior.
Workaround:
None
Fixed Versions:
17.1.2
1598465-1 : Tmm core while modifying traffic selector
Component: TMOS
Symptoms:
Tmm core
Conditions:
Create the Interface mode configuration.
keep the selector's local/remote address as 0.0.0.0/0
on other side peer. keep Traffic selector's ip specific. */32
Initiate tunnel. It will cause traffic selector narrowing.
Modify the Traffic selector.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
No Workaround
Fix:
Added the checks to avoid crash
Fixed Versions:
17.1.2
1598421 : When uri is added with / at the end and category in a feedlist then the uri is not categorized as expected
Component: Traffic Classification Engine
Symptoms:
When uri is added with / at the end and category in a feedlist then the uri is not categorized as expected.
If a feedlist is created as below
google.com,24626
google.com/subdomain1/,24631
Then when the BIG-IP system queries google.com/subdomain1/ it is being categorized as Internet_Portals(24626)
Conditions:
A feedlist has to be created similar to below case with multiple subdomains and different categories for uri with / at the end and no / at the end
google.com,24626
google.com/subdomain1/,24631
Impact:
When feedlist is defined similar to below case:
google.com,24626
google.com/subdomain1/,24631
then, URL Categorization based operations might get impacted
Workaround:
None
Fix:
With the fix, the URL Categorization in above case with work as expected.
Fixed Versions:
17.1.2
1598345-1 : [APM] Unable to access virtual IP when address-list configured
Links to More Info: BT1598345
Component: Access Policy Manager
Symptoms:
You may observe below error when accessing virtual server
===============
Access was denied by the access policy. This may be due to a failure to meet access policy requirements.
The session reference number: 8df760ba
Access policy configuration has changed on gateway. Please login again to comply with new access policy configuration
Thank you for using BIG-IP.
===============
Conditions:
APM virtual server with address-lists configured
Impact:
Unable to use APM functionality
Fixed Versions:
17.1.2
1596897-3 : BIND9 upgrade from version 9.16 to 9.18
Component: Global Traffic Manager (DNS)
Symptoms:
BIND 9.16 reached its EOL in April 2024 and needs to be updated.
Conditions:
Usage of BIND 9.16 which has reached EoL.
Impact:
BIND 9.16 has reached EoL and does not receive security updates.
Workaround:
None
Fix:
Upgraded the BIND version from 9.16.48 to 9.18.27.
Fixed Versions:
17.1.2
1596637 : TLS1.3 with c3d and ocsp handshake failure
Component: Local Traffic Manager
Symptoms:
SSL handshakes fail, and TLS clients send 'Bad Record MAC' errors.
Conditions:
-- TLS1.3 connection configured with c3d and ocsp.
Impact:
-- A handshake failure occurs.
Workaround:
Disable ocsp or use TLS1.2.
Fix:
Handshake completes if using TLS1.3 with c3d and ocsp.
Fixed Versions:
17.1.2
1596445-4 : TMM crashes when firewall NAT policy uses automap and SIP/RTSP/FTP ALG.
Links to More Info: BT1596445
Component: Advanced Firewall Manager
Symptoms:
TMM crashes when firewall NAT policy uses SNAT automap and SIP/RTSP/FTP ALG.
Conditions:
-- FW NAT translation using source automap.
-- SIP/RTSP/FTP protocol profile applied.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.2
1593681-1 : Monitor validation improvements
Links to More Info: K000140061, BT1593681
1593621-1 : TMM core on IPSEC config load/sync stats★
Component: TMOS
Symptoms:
Crash observed after upgrade
Conditions:
Upgrade to 15.1.10 -> 17.1.1.3
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fix:
Added the null check to avoid crash
Fixed Versions:
17.1.2
1593413-3 : CVE-2023-37369: Qt issue leads to Bufferoverflow
Component: Access Policy Manager
Symptoms:
CVE-2023-37369 is a vulnerability found in the QXmlStreamReader component of Qt. This issue could lead to a buffer overflow when QXmlStreamReader processes specifically crafted XML data, potentially causing the application to crash. The vulnerability affects multiple versions of Qt, including Qt 5.15
Conditions:
It can be exploited remotely with low attack complexity, requiring no privileges or user interaction. The impact mainly affects the availability of the application, as the buffer overflow can lead to a crash
Impact:
Potential application crash
Fix:
To mitigate this vulnerability, we have applied the Qt official patch available here. https://download.qt.io/archive/qt/5.15/CVE-2023-37369-qtbase-5.15.diff
Fixed Versions:
17.1.2
1593125-3 : Qt Component lead to infinite loop
Component: Access Policy Manager
Symptoms:
The CVE-2023-38197 is a vulnerability in the QXmlStreamReader component of Qt, which could lead to infinite loops. This issue affects several versions of Qt, particularly the qtbase module
Conditions:
A recently reported potential buffer overflow issue in QXmlStreamReader has been assigned the CVE id CVE-2023-38197.
QT versions below 5.15.15 are affect because of this
Impact:
QXmlStreamReader can freeze or get out of memory on recursive entity expansion, with DTD tokens in XML body.
Fix:
To mitigate this vulnerability, we have applied the Qt official patch available here https://download.qt.io/official_releases/qt/5.15/CVE-2023-38197-qtbase-5.15.diff, on top of the recent Qt code used by Mac EdgeClient.
Fixed Versions:
17.1.2
1591353-1 : urlcat categorization improvements
Component: Traffic Classification Engine
Symptoms:
Unexpected System Crashes or Restarts
Conditions:
The BIG-IP system has Policy Enforcement Manager (PEM) provisioned.
The URL categorization feature is licensed on the system.
One or more virtual servers use URL categorization through one of the following:
An iRule
A Centralized Policy Matching (CPM) rule.
A BIG-IP PEM policy.
One or more virtual servers process malformed URL categorization input.
Impact:
TMM restart and service disruption
Workaround:
None
Fix:
URL categorization behaves as expected.
Fixed Versions:
17.1.2
1589813-2 : Change in behaviour when setting value HTTP::payload to 0 in irule from v16 onwards★
Links to More Info: BT1589813
Component: Local Traffic Manager
Symptoms:
When HTTP_REQUEST_DATA {
set empty ""
HTTP::payload replace 0 $clen $empty
set request_length [HTTP::header "Content-Length"]
log local0. "request_length $request_length"
HTTP::release
}
$request_lenght throws non zero value since v16.0.0
Conditions:
V16.x/v17.x loaded version can observe $request_length throws non zero/garbage value.
(but observed $request_length as zero value in eg v15.1.10.4)
Impact:
$request_lenght throws non zero/garbage value.
Workaround:
None
Fixed Versions:
17.1.2
1589481 : In IDP-initiated flow, Relay state sent in SAML response is not considered by the SP and SP rather uses Relay state configured in its config
Links to More Info: BT1589481
Component: Access Policy Manager
Symptoms:
SP redirects to incorrect relay state
Conditions:
-- SP service configured with one Relay state value
-- SP connector of IDP config configured with a different Relay state value than that of SP config
Impact:
SAML SSO is not successful
Workaround:
Configure relay state value of both sp service and sp connector to be identical.
Fix:
Fixed an issue preventing SAML SSO from working.
Fixed Versions:
17.1.2
1589293-1 : Mcpd "IP::idle_timeout 0" warning generated in /var/log/ltm
Links to More Info: BT1589293
Component: TMOS
Symptoms:
When creating iRule with command "IP::idle_timeout 0" mcpd reports an error message similar to:
May 17 07:00:53 bigip.local warning mcpd[9215]: 01071859:4: Warning generated : /Common/test.irule:13: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid argument 0; expected syntax spec:"1077 19][IP::idle_timeout 0]
Conditions:
Whenever iRule includes the "IP::idle_timeout 0" statement
Impact:
mcpd displays unnecessary LTM logs with a warning message
Fixed Versions:
17.1.2
1589045-1 : When the ADMD process becomes unresponsive during the attack, TMM continues to mitigate bad traffic after the attack
Links to More Info: BT1589045
Component: Anomaly Detection Services
Symptoms:
TMM continues to mitigate bad traffic after an attack.
Conditions:
ADMD is stuck or overloaded for a long time.
Impact:
Traffic mitigation continues after the attack ends.
Workaround:
To restart ADMD, use the following command:
#bigstart restart admd
Fix:
Traffic mitigation stops after the attack ends.
Fixed Versions:
17.1.2
1588901-3 : Instrumentation for ID 1156149 can cause TMM to crash
Component: Service Provider
Symptoms:
A fix for ID 1156149 causes tmm to crash due to excessive logging.
Conditions:
Any EHF that has CL3665282 (a fix for ID 1156149) integrated.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fix:
Fixed a tmm crash
Fixed Versions:
17.1.2
1588841-1 : SA Delete is not send to other end
Links to More Info: BT1588841
Component: TMOS
Symptoms:
If an IPsec tunnel is deleted, the remote peer will not know about the deletion and invalid Security Associations (SAs) will remain valid.
Conditions:
- Create IPsec interface mode tunnel.
- Establish tunnel.
- Change the configuration so that tunnel will be recreated.
- Check on remote peer. SAs is not deleted immediately.
Impact:
Multiple SAs will be present on remote peer for some time.
Workaround:
The old SAs can be manually deleted on the peer device.
Fix:
The BIG-IP will send a delete message to inform the remote peer about deleted SAs.
Fixed Versions:
17.1.2
1586765 : In r2k/4k platforms vlan tagged to multiple interfaces, packets forwarded to all interfaces irrespective of destination is reachable.
Component: Local Traffic Manager
Symptoms:
In r2k/4k platforms, when the same VLAN is assigned to multiple interfaces, traffic originating from a tenant is being transmitted over all VLAN-tagged interfaces, rather than just the interface where the destination is reachable.
Conditions:
When the same VLAN is assigned to multiple interfaces.
Impact:
Packets may be transmitted over incorrect interfaces to subsequent networking devices. In such a scenario, devices adjacent would need to handle the additional traffic.
Workaround:
None
Fixed Versions:
17.1.2
1584217-3 : Captcha prompt not presented
Links to More Info: BT1584217
Component: Application Security Manager
Symptoms:
The captcha prompt is not presented when the request size (headers and body) is large.
Conditions:
-- Enable brute force feature with captcha mitigation or use irule.
-- Trigger a captcha for a request that originally is more than 10KB.
-- Size of headers and body together is more than 10KB.
Impact:
No new captcha prompt after submitting an empty or incorrect answer.
Workaround:
None
Fix:
1. change parameter request_buffer_size to be more than the actual request size.
example: if request (headers + body) is in total is 11K then increase request_buffer_size to 12K.
(under Security ›› Options : Application Security : Advanced Configuration : System Variables ›› Edit System Variable).
2. increasing internally the buffer.
Fixed Versions:
17.1.2
1583201 : Input validation improvements
Component: TMOS
Symptoms:
A REST API endpoint may incorrectly parse certain parameters.
Conditions:
N/A
Impact:
Incorrect behavior
Workaround:
Restrict access to the management interface to trusted users.
Fix:
The REST API endpoint issue has been resolved.
Fixed Versions:
17.1.2
1582593-2 : F5OS tenant may not pass FastL4 accelerated traffic through VLAN group
Links to More Info: BT1582593
Component: TMOS
Symptoms:
When a connection of a virtual server where either the client- or server-side flow is connected via a VLAN Group is offloaded, the flow-cache entry will contain VLAN ID 0 for the corresponding flow(s). VLAN ID 0 is invalid and packets hitting the flow-cache entry are dropped by the hardware.
Conditions:
-- F5OS platform.
-- FastL4 virtual.
-- Either side of the flow is connected via a VLAN Group.
Impact:
Service degradation of the affected virtual server.
Workaround:
Disable PVA offload in the fastl4 profile.
Fix:
Flows connecting to a VLAN Group are excluded from hardware offload.
Fixed Versions:
17.1.2
1581533-2 : Existing SameSite attribute for cookie is not detected in response in case of no closing semi-colon after attribute's value
Component: Application Security Manager
Symptoms:
The system does not properly recognize the presence of the SameSite=Strict attribute when the attribute value is not followed by a semi-colon, leading to the unintended addition of another SameSite attribute.
Conditions:
Occurs when the SameSite=Strict attribute in the response header does not have a closing semi-colon.
Impact:
This behavior affects the integrity of the SameSite attribute in cookies
Workaround:
None
Fix:
SameSite attribute is correctly identified, regardless of the presence of a trailing semi-colon
Fixed Versions:
17.1.2
1581001-3 : Memory leak in ipsec code
Links to More Info: BT1581001
Component: TMOS
Symptoms:
There is a TMM memory leak in the IPsec code.
Conditions:
IPsec tunnels is configured.
Impact:
A TMM memory leak can eventually cause tmm to crash. Traffic disrupted while tmm restarts.
Workaround:
Restart TMM.
Fix:
Memory does noy leak anymore.
Fixed Versions:
17.1.2
1580313-2 : The server_connected event related logs in policy attached to a FastL4 virtual server is not logged to the LTM log
Links to More Info: BT1580313
Component: Local Traffic Manager
Symptoms:
The server_connected event logs are not seen in LTM logs.
Conditions:
Connect to a backend server through FastL4 Virtual Server with server_connected event log in LTM policy.
Impact:
The server_connected event logs not seen in LTM logs.
Workaround:
None
Fix:
The server_connected event logs are now logged in LTM logs.
Fixed Versions:
17.1.2
1580229-2 : Tmm tunnel failed to respond to ISAKMP
Links to More Info: BT1580229
Component: TMOS
Symptoms:
While trying to negotiate the tunnel, multiple IPSEC SAs are created. This increases the tunnel count, but the tunnels are not in a working state.
Conditions:
-- Use wildcard ips for source/destination address in traffic selector.
-- Change the destination address to a specific address.
Impact:
IPSEC traffic is disrupted.
Workaround:
Keep responder's IKE peer as passive so that it can never be an initiator.
Fix:
The issue occurs because next hops are not refreshed in case of traffic narrowing. (changing of destination address from wildcard to specific)
Make explicit calls to refresh next hops in case of narrowing.
Fixed Versions:
17.1.2
1579553-1 : Signatures triggered for cookies with empty values after upgrade to 17.1.1.1★
Links to More Info: BT1579553
Component: Application Security Manager
Symptoms:
A "cc" execution attempt violation is triggered even though it doesn't have any value.
Conditions:
1. "cc" execution attempt signature enforced.
2. Cookie with some "cc" characters in its value followed by a cookie with empty value.
Impact:
Valid request getting blocked
Workaround:
Rearranging the cookies will not cause violation.
Fixed Versions:
17.1.2
1579213-1 : TMM instability when processing IPS pattern matches under load
Component: Protocol Inspection
Symptoms:
When processing many IPS patterns, the TMM may become unstable.
Conditions:
When an IPS profile is enabled on a virtual server.
Impact:
TMM restart and service disruption
Workaround:
N/A
Fix:
Instability no longer occurs.
Fixed Versions:
17.1.2
1577773-1 : Fix for ID1168157 does not work for some non-basic latin characters.
Links to More Info: BT1577773
Component: Application Security Manager
Symptoms:
Malformed JSON error occurs when few non-basic latin characters are in schema block after the fix for ID1168157.
Conditions:
Non basic Latin characters are found in the schema entry of OpenAPI file.
Fix for ID1168157 is included.
Impact:
The entity "JSON schema validation file" in security policy will not be created for "schema" entry that contain special ASCII characters.
Fixed Versions:
17.1.2
1576113-3 : RFE: Add option to QOS mark egress BGP packets.
Component: TMOS
Symptoms:
This is an enhancement request to add an option to QOS mark egress BGP packets.
Conditions:
Added a new db variable TM.BGPEgressDscp controlling DSCP value of egress BGP packets
Impact:
No
Fix:
Added a new db variable TM.BGPEgressDscp controlling DSCP value of egress BGP packets. Default is 0 (zero). BGP session restart is required.
Following is an example:
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db tm.bgpegressdscp
sys db tm.bgpegressdscp {
value "42"
}
Fixed Versions:
17.1.2
1576109-3 : RFE: Add option to QOS mark egress BFD packets.
Component: TMOS
Symptoms:
Currently existing tm.egressdscp db variable does not provide enough flexibility in configuring Quality of Service (QoS)
Conditions:
Configuring QoS
Impact:
No
Fix:
Added a new db variable TM.BFDEgressDscp controlling DSCP value of egress BFD packets Default is 0(zero)
Following is an example:
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db tm.bfdegressdscp
sys db tm.bfdegressdscp {}
Fixed Versions:
17.1.2
1575325 : SAML SP not sending Authnrequest and throwing an error "Failed to get authentication request from session variable 'session.samlcryptodata.CompressAuthnRQ' for SAML Agent: /Common/SP_access_policy_act_saml_auth_ag."
Component: Access Policy Manager
Symptoms:
-> BIG-IP as SAML SP not sending Authnrequest
Conditions:
- Enable sign Authentication "Sign Authentication Request" in "Local SP Services" config, export it, and import it as SP connector in BIG-IP as IDP.
- Access the BIG-IP virtual server acting as SAML SP
Impact:
- BIG-IP cannot be used as an SP
Fix:
Changed the returning failure, if session.samlcryptodata.CompressAuthnRQ is NULL
Fixed Versions:
17.1.2
1573629-2 : wr_urldbd cloud lookup is not optimal using a connection
Component: Traffic Classification Engine
Symptoms:
The wr_urldbd cloud lookup is currently utilizing only one connection and that connection is not being used efficiently.
Conditions:
wr_urldbd does use the connection not efficiently.
Impact:
wr_urldbd does use the connection not efficiently.
Workaround:
none
Fix:
The fix introduces 2 new parameters in /etc/wr_urldb/bcsdk.cfg
IpcPollMax=250
AsyncBatch=250
IpcPollMax defines the maximum messages retrieved from tmm in one poll.
AsyncBatch defines the maximum outstanding messages in flight. When reached, wr_urldbd will wait to receive the responses thereof.
Fixed Versions:
17.1.2
1572505-4 : BD crash with specific iRule
Links to More Info: BT1572505
Component: Application Security Manager
Symptoms:
BD crashes.
Conditions:
With certain iRule
Impact:
ASM traffic disrupted while bd restarts.
Workaround:
None
Fix:
BD does not crash
Fixed Versions:
17.1.2
1572069-1 : HA connection flaps when vwire config is plugged in into the tenant
Component: Local Traffic Manager
Symptoms:
HA connection flaps when vwire config is plugged in into the tenant causing icmp unreachable between HA ports.
Conditions:
1) Establish HA between two R5K or R10K devices
2) Check continuous ping towards the HA ports, it will be reachable.
3) Now plugin vwire config to the tenants
Impact:
HA gets disconnected and ping between HA ports is unreachable.
Workaround:
None
Fix:
HA connection remains stable after plugging in the Vwire config on the tenants.
Fixed Versions:
17.1.2
1567173-1 : Http2 virtual server removes header with empty value on the server side
Component: Local Traffic Manager
Symptoms:
If the HTTP2 request from a client has a header with an empty value, this header is removed while forwarding the request to the server.
Conditions:
HTTP2 request with HTTP2 profile attached.
Impact:
Empty headers are not forwarded, which could cause traffic disruption if the empty headers are expected or needed.
Workaround:
No workaround.
Fix:
Http2 request with empty header value will be forwarded on the server side.
Fixed Versions:
17.1.2
1566921-1 : Client connection gets reset after upgrade to 17.1.1★
Links to More Info: BT1566921
Component: Anomaly Detection Services
Symptoms:
Client connection gets reset
Conditions:
iRule attached to virtual server with AVR::disbale
Impact:
Connection reset, request does not pass.
Workaround:
Remove AVR::disable iRule
Fix:
Request gets passed without any connection reset.
Fixed Versions:
17.1.2
1566721-1 : The SIP MRF virtual servers with mirroring enabled can lead to a connflow leak on standby
Links to More Info: BT1566721
Component: Service Provider
Symptoms:
There is a connflow memory leak on standby.
Conditions:
SIP MRF virtual servers with mirroring enabled
Impact:
TMM memory use will increase on the standby device.
Workaround:
None
Fix:
No memory leak in connflow observed on standby.
Fixed Versions:
17.1.2
1561713-1 : BD total_max_mem is initialized with a low (default) value resulting in many issues with long request buffers and traffic failing
Component: Application Security Manager
Symptoms:
When BD starts it is assigned a very low value for total_max_mem
Conditions:
ASM provisioned
Impact:
This causes many connections to fail with ASM resetting them.
Workaround:
Monitor "var/log/ts/asm_start.log" for the "F5::ProcessHandler::start_bd,,bd exec line" and see the value for "total_umu_max_size".
If it is "768000" or there are other visible errors - restart asm on that device.
Fixed Versions:
17.1.2
1561697 : Applying mutliple policies causes apmd to use a lot of CPU causes failure in sessiondb related operations
Component: Access Policy Manager
Symptoms:
When you apply multiple access policies, and if there are macros in VPE that expand to lot of Access policy Agents, then creation and initialization of those agents with recursive macro expansion will take more time and also cause 50% to 60% CPU usage by APMD process.
Now in this case if LDAP server, especially with pool members configured may lead to 100% CPU usage for more than 2 to 5 min. This is due to clearing of LDAP cache.
As LDAP servers pool members use loopback interface and also session db operations are done on same interface, this may lead to failure in session db set/get operations which ultimately leads to failures in OAuth Scope validation and other operations.
Conditions:
1. Applying an access policy that is for one or more policies, with more agents (around 3000 for example).
2. LDAP servers are configured and User sends new LDAP auth and query requests to APM at same time.
3. Session db operations should fail to see any unexpected failures like oauth scope validation failure.
Impact:
OAuth scope validation fails due to high CPU usage by APMD and Access policy is evaluated as failure and Basic auth headers are send to backend.
Workaround:
None
Fix:
APMD should not use high CPU usage and Oauth Scope validation should not fail.
Fixed Versions:
17.1.2
1561537-3 : SSL sending duplicate certificates
Component: Local Traffic Manager
Symptoms:
Duplicate certificates sent during the SSL handshake.
Conditions:
The chain contains the public certificate and both are configured in the client-ssl profile.
Impact:
BIG-IP on clientside SSL sends duplicate certificates during handshake to the client
Workaround:
Remove the public server certificate from the chain.
Fixed Versions:
17.1.2
1560001-1 : Bd crash
Links to More Info: BT1560001
Component: Application Security Manager
Symptoms:
Bd crash on a rare scenario.
Conditions:
Issue occurs during particular timings.
Impact:
This issue led to crashes, traffic disruptions, and failover situations.
Workaround:
None.
Fixed Versions:
17.1.2
1559961-3 : PVA FastL4 accelerated flows might not honor configured keep-alive-interval.
Links to More Info: BT1559961
Component: Local Traffic Manager
Symptoms:
PVA FastL4 accelerated flows may not honor configured keep-alive-interval.
Conditions:
The keep-alive-interval option is configured on the FastL4 profile.
Impact:
Some connections may be prematurely terminated.
Fixed Versions:
17.1.2
1558993-1 : Safenet network HSM installation shows unnecessary additional infinite installation options.
Links to More Info: BT1558993
Component: Local Traffic Manager
Symptoms:
Installation of SafeNet is incomplete, as the additional installation options are shown in the prompt. Which affects the Nethsm SafeNet installation completion.
Conditions:
Install Safenet UC Client 10.4. in any BIG-IP version above 15.x
Impact:
Incomplete installation of SafeNet, affecting the ability to create SafeNet keys and certs.
Workaround:
None
Fix:
Removed the code that leads to prompting additional installation options.
Fixed Versions:
17.1.2
1558581-2 : Host authority sub component not parsed properly
Links to More Info: BT1558581
Component: Application Security Manager
Symptoms:
URLs lacking a scheme are incorrectly parsed as paths rather than server addresses.
Conditions:
This occurs when the server URL is configured without the scheme.
Impact:
Misconfiguration of URLs leads to false positive blocks. The host authority is parsed as a path.
Workaround:
This behavior can be corrected by adding scheme
openapi: 3.0.0
info:
title: Sample API
version: 1.0.0
servers:
- url: https://beta.application-management-test.eset.systems/
paths:
/sample_endpoint:
get:
summary: Create a new entry
description: Endpoint to create a new entry with name, age, and date of birth.
responses:
'200':
description: Success response
'400':
description: Invalid request payload
Fixed Versions:
17.1.2
1557205-1 : Alarm and Block flags are enabled for "GraphQL disallowed pattern in response" violation in blank policy template
Links to More Info: BT1557205
Component: Application Security Manager
Symptoms:
A policy created with a Blank Policy template has "GraphQL disallowed pattern in response" violation enabled
Conditions:
- ASM policy created with Blank Policy template
Impact:
- Unexpected violation in Blank Policy
Workaround:
None
Fixed Versions:
17.1.2
1555525-2 : WCCP traffic may have its source port changed
Links to More Info: BT1555525
Component: Local Traffic Manager
Symptoms:
WCCP traffic may have its source port changed as it leaves the Linux host. This could cause WCCP sessions to not be established.
Conditions:
-- WCCP configured
-- BIG-IP Virtual Edition platform or r2000 or r4000 tenants.
Impact:
WCCP messages may not be successfully processed by the peer because the source port is not 2048.
Workaround:
Cat >> /config/tmm_init.tcl << EOF
proxy BIGSELF {
listen 0.0.0.0%\${rtdom_any} 2048 netmask 0.0.0.0 {
proto \$ipproto(udp)
srcport strict
idle_timeout 30
transparent
no_translate
no_arp
l2forward
tap enable all
protect
}
profile _bigself
}
EOF
bigstart restart tmm
Fixed Versions:
17.1.2
1555461-1 : TCP filter is not setting packet priority on keep-alive tx packets
Links to More Info: BT1555461
Component: Local Traffic Manager
Symptoms:
When running traffic with multi-bladed environments, some of the TCP MPI backplane packets are not marked with a packet priority.
Conditions:
Any multi-bladed environment.
Impact:
TCP keepalive packets are not prioritized in the driver
Workaround:
None
Fix:
When running traffic with multi bladed environments it was observed that some of the TCP MPI backplane packets were not being marked with a packet priority. The driver was not prioritizing them accordingly.
Fixed Versions:
17.1.2
1555021-1 : Mysql error after roll forward upgrade when uploading base version's csv over upgraded version.★
Component: Application Security Manager
Symptoms:
Mysql error when loading 16.1.4 ucs over 16.1.5 system can be seen in asm log.
Conditions:
Loading of 16.1.4 ucs on itself - does not cause to any error and loading of 16.1.5 ucs on itself - does not cause to any error. Only loading of 16.1.4 ucs over 16.1.5 system - causes to above mysql error.
Impact:
A Foreign key constraint fails DCC.HSL_DATA_PROFILES.
Workaround:
None.
Fix:
No errors when loading 16.1.4 ucs over 16.1.5 system.
Fixed Versions:
17.1.2
1554029-3 : HTML::disable not taking effect in HTTP_REQUEST event
Links to More Info: BT1554029
Component: Local Traffic Manager
Symptoms:
A HTML::disable inside an HTTP_REQUEST event will not take effect.
It does work for HTTP_RESPONSE.
Conditions:
When an HTML::disable is inside an HTTP_REQUEST.
Impact:
HTML::disable does not take effect
Workaround:
If possible. have the HTML::disable in the HTTP_RESPONSE.
Fixed Versions:
17.1.2
1553989-1 : A BD crash on a specific scenario
Links to More Info: BT1553989
Component: Application Security Manager
Symptoms:
A BD crash, failover.
Conditions:
Specific requests under specific conditions.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.1.2
1553761-3 : Incorrect packet statistics counting upon connection reject/closure.
Links to More Info: BT1553761
Component: Local Traffic Manager
Symptoms:
In rare circumstances, connection statistics might be inaccurate on the BIG-IP system.
Conditions:
Some of these conditions will make the problem more likely to happen:
- Flow abruptly torn down.
- iRule with drop command.
- iRule with reject command.
Impact:
Incorrect packet statistics are reported.
Fixed Versions:
17.1.2
1553533-3 : Negative frame number might result in bd crash.
Links to More Info: BT1553533
Component: Application Security Manager
Symptoms:
Modifying ASM cookies like cookie prefix, suffix base and revision base might cause bd to crash.
Conditions:
See K54501322: Modifying ASM cookie names at https://my.f5.com/manage/s/article/K54501322
Change the ASM Cookie prefix name, revision base and suffix base as per the above article.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fix:
While parsing frame numbers, need to do a check for handling negative frame numbers as well.
Fixed Versions:
17.1.2
1552685-1 : Issues are observed with APM Portal Access on Chrome browser version 122 or later
Links to More Info: K000138771, BT1552685
Component: Access Policy Manager
Symptoms:
Web application using APM Portal Access stops working after upgrading to Chrome browser version 122 or later or a similar MS Edge browser version.
Conditions:
-- Chrome browser version 122 or later or a similar MS Edge browser version
-- APM Portal Access
Impact:
Applications will not work through Portal Access.
Workaround:
An iRule/iFile workaround is available. Refer to K000138771: APM Portal Access stops working after upgrading Chrome to version 122 (https://my.f5.com/manage/s/article/K000138771)
Fix:
APM portal access will work with Chrome browser version 122 or later or a similar MS Edge browser version.
Fixed Versions:
17.1.2, 16.1.5
1552441-1 : Error message for bot-signature update failure.
Component: Application Security Manager
Symptoms:
Currently there is no specific error message when bot-signature installation fail due to TMM memory pressure. In the event of the failure, user needs to plan restarting TMM as it may lead further issues.
Conditions:
Bot-signature update performed under TMM memory pressure.
Impact:
No clear error for the update failure, and subsequent unexpected system state.
Workaround:
Look for a message "notice MCP message handling failed" in the LTM log.
Fix:
A clear and specific error message is introduced.
Fixed Versions:
17.1.2
1550685-1 : Usage of Brainpool curves might lead to instability in the TMM
Component: Local Traffic Manager
Symptoms:
Under certain conditions, SSL Profiles with Brainpool curves enabled may cause instability in the TMM.
Conditions:
-- Brainpool curves are configured in the SSL profile.
-- Traffic is processed using Brainpool curves.
Impact:
Traffic disruption due to TMM instability.
Workaround:
Avoid using Brainpool curves in SSL profile.
Fix:
Usage of Brainpool curves no longer cause instability in the TMM
Fixed Versions:
17.1.2
1538285-1 : BIG-IP splits the PUBLISH message when an MQTT profile is applied
Component: Local Traffic Manager
Symptoms:
When the PUBLISH message is sent from a client, the BIG-IP system splits the message and forwards it in two packets down the chain.
Conditions:
Basic Virtual Server with MQTT profile applied.
Impact:
MQTT messages can be difficult to read due to fragmentation and poor reorganization by some applications.
Workaround:
None
Fix:
Reunite split messages and forward them without fragmentation.
Behavior Change:
A fix for the bug introduced behavior change, resulting in sending out an MQTT message header with payload (when it is expected) on the server side.
1) This fix works for _any_ MQTT message with a payload.
2) It would delay the egress of the message header until the first chunk of a payload is ready to egress (when a payload is expected for the message).
3) When no payload is expected, the message is immediately egressing.
Fixed Versions:
17.1.2
1538241-1 : HTTP may not forward POST with large headers and parking HTTP_REQUEST_RELEASE iRule
Links to More Info: BT1538241
Component: Local Traffic Manager
Symptoms:
The request is not immediately forwarded to the server. It may be forwarded if the server closes the connection.
Conditions:
Under certain scenarios, the HTTP virtual server with the below iRule attached may not forward HTTP POST requests with large headers:
HTTP_REQUEST_RELEASE {
HTTP::header replace Authorization [string repeat x 4096]
after 1
}
Impact:
HTTP POST request is not forwarded to the server side within 60 seconds, resulting in connection issues.
Workaround:
A possible workaround is to move the processing from HTTP_REQUEST_RELEASE to HTTP_REQUEST_SEND.
Note: However, this workaround can be highly dependent on what actions are performed in the iRules involved.
Fixed Versions:
17.1.2
1538185-2 : Broadcast destination MAC may get offloaded
Links to More Info: BT1538185
Component: TMOS
Symptoms:
Even when the server-side nexthop MAC address is a broadcast address, the flow is L4 offloaded.
Conditions:
- rSeries/VELOS.
- This can happen due to ID881041.
- Packet with broadcast destination MAC is received from a directly connected host to a fastL4 virtual, that has L4 offload enabled.
Impact:
Possibly broadcast storm.
Workaround:
- Disable L4 offload.
- iRule trickery.
Fix:
Flows are not offloaded with broadcast destination MAC.
Fixed Versions:
17.1.2
1538173-1 : Bados TLS fingerprints works incorrectly with chrome's new versions
Links to More Info: BT1538173
Component: Anomaly Detection Services
Symptoms:
The requests from the same Chrome browser but from different connections can have different TLS fingerprints
Conditions:
Behavioral L7 DOS is configured, BAD actors behavior detection configured with "Use TLS patterns as part of host identification" option.
Some good clients or attackers use new versions of Chrome
Impact:
The same user will be identified and examined as a different users
Workaround:
Don't use "TLS patterns as part of host identification" option"
Fix:
The requests from the same Chrome browser have different TLS fingerprints
Fixed Versions:
17.1.2, 16.1.5
1526589-1 : Hostname changes to localhost.localdomain on rebooting other slots
Links to More Info: BT1526589
Component: TMOS
Symptoms:
If the hostname of the tenant is modified and a slot is rebooted, the hostname might revert to the default hostname of localhost.localdomain.
Conditions:
1. Multi-slot F5OS BIG-IP tenant
2. The hostname is changed to something other than the default of localhost.localdomain
3. A single tenant slot or f5os blade is restarted before all slots are restarted.
Impact:
The hostname will be changed on all slots to localhost.localdomain if other slots are restarted.
Workaround:
After the hostname is changed to something other than the default, restart all slots with clsh reboot.
Fixed Versions:
17.1.2
1518977 : TMM crashes during startup when there is delay in SEP initialization in main thread
Links to More Info: BT1518977
Component: Local Traffic Manager
Symptoms:
TMM crashes while trying to read DOS stats from local array.
Conditions:
This can occur while tmm is starting up.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
TMM restarts immediately after the crash. Since this is a timing related issue, tmm may start normally.
Fix:
Fixed code avoid accessing DOS internal array if there is delay in initialization.
Fixed Versions:
17.1.2
1517469-1 : Database monitor daemon process memory and CPU consumption increases over time
Links to More Info: BT1517469
Component: Local Traffic Manager
Symptoms:
When monitoring pool members using the LTM or GTM mssql (Microsoft SQL Server) monitor, memory and CPU consumption by the database monitor daemon (DBDaemon) process may increase over time.
The increase in memory consumption by the DBDaemon process may be gradual and relatively steady over a long period of time, until memory consumption nears an RSS size of approximately 150MB. At that point, CPU consumption may start increasing rapidly. These increases may continue until the DBDaemon process restarts, restoring normal memory and CPU consumption until the cycle begins again.
Conditions:
This issue may occur when using the mssql (Microsoft SQL Server) monitor to monitor LTM or GTM pools/members. BIG-IP versions affected by this issue use the MS SQL JDBC (Java DataBase Connectivity) driver v6.4.0 to enable the DBDaemon process to connect to Microsoft SQL Server databases. This issue is not observed with other database types, which use different vendor-specific JDBC drivers, or with more current versions of the MS SQL JDBC driver.
The time required for memory and CPU consumption to reach critical levels depends on the number of pool members being monitored, the probe interval for the configured mssql monitors, and whether the mssql monitors are configured to perform a database query (checking the results against a configured recv string) or to make a simple TCP connection with no query (send & recv strings) configured.
In one example, a configuration with 600 monitored pool members with a mix of monitors with and without queries and an probe interval of 10 seconds was observed to reach critical memory and CPU consumption levels and restart to recover after approximately 24 hours of continuous operation.
To view the memory and CPU usage for the DBDaemon process as recorded over time in tmstats tables, use the following commands.
-- To obtain the Process ID (PID) of the DBDaemon process, observe the numeric first element of the output of the following command:
"ps ax | grep -v grep | grep DB_monitor"
-- To view memory and cpu usage for the DBDaemon process, use the PID obtained from the above command in the following command:
"tmctl -D /shared/tmstat/snapshots/blade0/ -s time,cpu_usage_5mins,rss,vsize,pid proc_pid_stat pid=pid_from_above_command"
The output of the above command will display statistics at one-hour intervals for the preceding 24 hours, then statistics at 24-hour intervals for prior days.
The "cpu_usage_5mins" and "rss" columns display, respectively, the CPU and resident memory usage for the specified DBDaemon process. Gradual increases in "rss" to a critical upper limit near 150MB, and sharp increases in CPU usage as this critical upper memory limit is reached, are indications that this problem is occurring.
Impact:
As more objects remain in memory in the DBDaemon process, database monitor query operations may complete more slowly, which may cause pool members to be marked Down incorrectly.
As memory and CPU consumption reach critical levels, more pool members may be marked Down.
While the DBDaemon process restarts, all pool members monitored by database monitors (mssql, mysql, oracle, postgresql) may be marked Down until the restart is complete and normal operation resumes
Workaround:
To prevent memory and CPU consumption from reaching critical levels, you can manually restart the DBDaemon process at a time of your choosing (e.g., during a scheduled maintenance window).
Fixed Versions:
17.1.2
1514669 : Traffic disruption when mac masquerade is used and tmm on one blade goes offline.
Component: TMOS
Symptoms:
Traffic disruption when mac masquerade is used and tmm on one blade goes offline.
Conditions:
- A clustered platform
- mac masquerade is used
- tmm on one blade is stopped
Impact:
The corresponding mac masquerade fdb entry is deleted and traffic may be disrupted before the tmm comes back online.
Workaround:
None
Fix:
Fixed traffic disruption when mac masquerade is used and tmm on one blade goes offline.
Fixed Versions:
17.1.2
1507913-6 : CVE-2023-50868: Preparing an NSEC3 closest encloser proof can exhaust CPU resources
Links to More Info: K000139084, BT1507913
1507569-4 : KeyTrap: Extreme CPU consumption in DNSSEC validator
Links to More Info: K000139092, BT1507569
1506049-4 : Parsing large DNS messages may cause excessive CPU load
Links to More Info: K000138990, BT1506049
1506009-2 : Oauth core
Links to More Info: BT1506009
Component: Access Policy Manager
Symptoms:
TMM crashes during a configuration sync while passing OAuth traffic.
Conditions:
-- OAuth configured with opaque token generation
-- A configuration sync occurs
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Identified and addressed the db proxy connection pointer validation in case of rollback when db query fails.
Fixed Versions:
17.1.2, 16.1.5
1506005-3 : TMM core occurs due to OAuth invalid number of keys or credential block size
Links to More Info: BT1506005
Component: Access Policy Manager
Symptoms:
TMM crashes during a configuration sync while passing OAuth traffic.
Conditions:
-- OAuth is configured.
-- A configuration sync occurs.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Modified the terminating condition based on the credential block length with the number of keys.
Fixed Versions:
17.1.2, 16.1.5
1505789 : VPN connection fails with Edge client 7.2.4.6 with error "Network is vulnerable"★
Links to More Info: K000138683, BT1505789
Component: Access Policy Manager
Symptoms:
When the user is upgraded to edge client version 7.2.4.6, they may fail to connect to the VPN server.
Conditions:
1. If LTM VS/NATed device is present before APM VPN enabled virtual server or any cases where client receives the VPN server IP different in the IP header and pre/config message.
2. BIG-IP versions v17.1.1.1 or v16.1.4.2 or v15.1.10.3 used along with edge client version 7.2.4.6.
Impact:
The user fails to connect to the VPN.
Workaround:
See the Recommended Actions at K000138683: Users cannot connect to BIG-IP APM virtual servers with BIG-IP Edge Client 7246, available at https://my.f5.com/manage/s/article/K000138683
Fix:
The user should be able to connect to the VPN even after the upgrade.
Fixed Versions:
17.1.2, 16.1.5
1505669 : Excessive broadcast traffic might cause backplane F5CDP packets to to dropped
Links to More Info: BT1505669
Component: Local Traffic Manager
Symptoms:
Excessive broadcast traffic can cause backplane F5CDP packets to be dropped by the FPGA metering. This issue affects the stability of the backplane and the overall health of the clustering system. When CDP packets are dropped, critical network topology and device information may not be communicated effectively, leading to potential disruptions and degraded performance in the cluster.
Conditions:
If Excessive broadcast traffic the backplane might become unstable.
Impact:
Chassis backplane and clustering issues.
Workaround:
None
Fix:
Upgrade BIG-IP with fix that includes F5CDP packet backplane fix.
Fixed Versions:
17.1.1.2
1505649-1 : SSL Handshake fall back to full handshake during session resumption, if SNI string is more than 32 characters in length
Component: Local Traffic Manager
Symptoms:
When the SNI string is longer than 32 characters, the SSL handshake switches to the full handshake when session resumption is attempted.
Conditions:
- SSL resumption should be enabled in the client's SSL profile of their BIG-IP.
- SNI string should be more than 32 characters in length of the SSL client Hello packet received from the user.
Impact:
SSL resumption would fail if the SNI string is more than 32 characters in length.
Workaround:
using strings lesser than 32 characters for SNI
Fixed Versions:
17.1.2
1505413-1 : Error in Wrapper for Array.slice Method When F5_window_link is Undefined
Links to More Info: BT1505413
Component: Access Policy Manager
Symptoms:
When Modern Rewrite Mode is used, an error occurs while processing traffic:
cache-fm-Modern.js:481 Uncaught TypeError: Cannot read properties of undefined (reading 'Array')
Conditions:
Modern Rewrite Mode is used
Impact:
Application does not function properly
Workaround:
Use the below iFile iRule:
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
if {
[HTTP::path] ends_with "cache-fm-Modern.js"
} {
HTTP::respond 200 content [ifile get ModernCachefm]
}
}
iFile - Contact F5 support for iFile
Fix:
Application is working fine now
Fixed Versions:
17.1.2, 16.1.5
1505305-3 : CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack
Component: TMOS
Symptoms:
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default, it is allowed to call any static method of any Java class in the classpath resulting in code execution
Conditions:
NA
Impact:
to process untrusted input may be vulnerable to a remote code execution attack
Workaround:
No work around
Fix:
Patch has been applied by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called.
Fixed Versions:
17.1.2
1498361-1 : Custom HTTP::respond does not fire as part of custom connect-error-message in HTTP explicit proxy profile.
Links to More Info: BT1498361
Component: Local Traffic Manager
Symptoms:
HTTP::respond does not fire when custom error message is configured in http explicit proxy config.
Conditions:
1. In http explicit proxy config, configure custom error message using 'HTTP::respond'.
2. Setup virtual server with backend server which sends a reset when connected. It can also be another BIG-IP with iRule.
3. From a client, try to access the backend server.
4. Server sends a reset.
Impact:
The custom error message configured in the explicit proxy config is not relayed back to client and the actual response from backend server is repeated.
Workaround:
None
Fix:
The custom error message configured in the explicit proxy is repeated.
Fixed Versions:
17.1.2
1497989-3 : Community list might get truncated
Links to More Info: BT1497989
Component: TMOS
Symptoms:
When using route-map to delete communities, the resulting community list might not be correct.
Conditions:
Deleting community statements from the community list using route-map.
Impact:
When using route-map to delete communities the resulting community list might not be correct.
Workaround:
None
Fixed Versions:
17.1.2
1497861-1 : DNS query fails with low EDNS0 buffer size
Links to More Info: BT1497861
Component: Global Traffic Manager (DNS)
Symptoms:
DNS query with EDNS0 buffer size below 30 bytes fails with error message "Failure to query dns-express db (Discarded)".
Conditions:
DNS query sent with EDNS0 buffer size below 30 bytes.
Impact:
No response received for DNS queries with EDNS0 buffer size below 30 bytes.
Workaround:
None
Fix:
UDP payloads with sizes less than 512 bytes will be considered as 512 bytes.
Fixed Versions:
17.1.2
1497369-3 : HTTP::respond will not always be executed when rate limit on all pool members is reached.
Component: Local Traffic Manager
Symptoms:
HTTP::respond will not always be executed when the rate limit on all pool member is reached.
Conditions:
When the rate limit is reached on all pool members, LB_FAILED does not get called. If any HTTP::respond is in that rule to generate a redirect, it will not be invoked.
Impact:
LB_FAILED not executed when all pool member rate limit have been reached.
Workaround:
If only a 302 redirect is what is needed, then configure a fallback-host in the ltm-profile. The iRule event is triggered when a fallback host exists.
If a 301 redirect is needed, then there are no workaround.
Fixed Versions:
17.1.2
1496841-1 : CRLDP Lookup fails for lower update-interval value
Links to More Info: BT1496841
Component: Access Policy Manager
Symptoms:
When BIG-IP is configured with CRLDP authentication and the 'update-interval' is set to as low as '5 seconds' CRLDP lookup fails for few requests.
Conditions:
'update-interval' value is set to as low as '5 seconds'
Impact:
BIG-IP fails to perform CRLDP Lookup for every 'update-interval' seconds.
Workaround:
Setting the 'update-interval' to '0' or days ( in seconds ) could resolve this issue.
Fixed Versions:
17.1.2
1496701-3 : PEM CPPE reporting buffer overflow resulting in core
Links to More Info: BT1496701
Component: Policy Enforcement Manager
Symptoms:
PEM writes into buffer without checking size hence resulting unknown behavior or core.
TMM starts coring and rebooting.
Conditions:
1) PEM policy with action reporting is configured.
2) Reporting ->hsl-> session-reporting-fields has large number of fields.
Impact:
TMM core, hence service disruption.
Fix:
Check the bounds before each write
Fixed Versions:
17.1.2, 16.1.5
1496457-1 : TMM crash under certain traffic patterns when an HTTP/2 profile is applied.
Component: Local Traffic Manager
Symptoms:
A TMM crash.
Conditions:
An LTM virtual server with an HTTP/2 profile attached.
Impact:
A TMM crash.
Workaround:
Set up HA pairs when configuring your BIG-IP device.
Fix:
The issue no longer occurs.
Fixed Versions:
17.1.2, 16.1.5
1496313-3 : Use of XLAT:: iRule command can lead to the TMM crash
Component: Carrier-Grade NAT
Symptoms:
The XLAT:: iRule command family can under certain circumstances lead to the TMM crash
Conditions:
XLAT:: iRule commands at play
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not use XLAT:: iRule commands
Fix:
TMM does not crash anymore
Fixed Versions:
17.1.2
1496205-1 : Static CNAME pool members may get deleted when corresponding WideIPs are deleted
Links to More Info: BT1496205
Component: Global Traffic Manager (DNS)
Symptoms:
A static CNAME pool member is deleted.
Conditions:
A corresponding wideip with the same name is deleted, if that wideip was created after the static cname pool member was created.
Impact:
Static CNAME pool member is incorrectly deleted.
Workaround:
Create the wideip first.
Fixed Versions:
17.1.2
1495217-2 : TMUI hardening
Links to More Info: K000138636, BT1495217
1494833-1 : A single signature does not match when exceeding 65535 states
Links to More Info: K000138898, BT1494833
Component: Application Security Manager
Symptoms:
One of the attack signatures is not matched.
Conditions:
When all signatures are enabled and custom ones are created.
Impact:
The attack signature is passed instead of getting blocked.
Workaround:
NA
Fix:
All the signatures will be detected and respective violations will be raised.
Fixed Versions:
17.1.1.3, 16.1.4.3, 15.1.10.4
1494293-5 : BIG-IP might fail to forward server-side traffic after a routing disruption occurs.
Links to More Info: BT1494293
Component: Local Traffic Manager
Symptoms:
BIG-IP might fail to forward server-side traffic after a routing disruption occurs.
Conditions:
- CMP forwarding occurs (traffic on ingress is handled by a different TMM on egress).
- Routing disruption happens.
- Flow collision with existing connection happens.
- connection.vlankeyed is enabled (default)
Impact:
Server-side traffic is silently dropped.
Workaround:
Clear the existing connection from the connection table according to K53851362
Fixed Versions:
17.1.2, 16.1.5
1494217 : Server response does not pass through after replacing the profile.
Links to More Info: BT1494217
Component: Local Traffic Manager
Symptoms:
When a virtual server with a profile of an idle-timeout set to "immediate" is replaced with another profile with an idle-timeout set to a non-zero value, the server response traffic is not passed to the client.
Conditions:
-- Virtual server with tcp/udp profile.
-- the idle-timeout parameter is set to immediate.
-- The fastL4 profile is replaced with another fastL4 profile
-- the idle-timeout parameter is set to a non-zero value
Impact:
Clients do not receive responses from the server.
Workaround:
None
Fixed Versions:
17.1.2
1493933-1 : DNS lookups should be protected by a specific lock
Links to More Info: BT1493933
Component: Application Security Manager
Symptoms:
The Getaddrinfo function is being used by two files, leading to a bd crash.
Conditions:
Cores where two of the stack traces were doing DNS lookups simultaneously.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fix:
Thread safety achieved.
Fixed Versions:
17.1.2
1492681 : Running tcpdump on a busy system may cause traffic drop.
Links to More Info: BT1492681
Component: TMOS
Symptoms:
Traffic throughput can be degraded.
Conditions:
The tcpdump application is executed on high throughput systems.
Impact:
Moderate to severe throughput drop is observed.
Workaround:
As a general recommendation, use tcpdump filters described in K411 or K2289 while capturing the packets on moderately busy systems.
However, on very busy systems, filters alone may not be enough. In this case, there is No workaround.
Fix:
Added a new db key 'tmm.tcpdump.pkt.ratelimit'. The default value of this db key is '0'. Also, this is the same behavior with the previous fix.
When the value is set to the default value (0), the TMM doesn’t do any rate limiting on the traffic that is sent to the tcpdump application.
When the value is set to any other value x, then the TMM applies rate limit of the value x and sends x packets/sec on an average to tcpdump application during capture cycle.
For example, if the db variable is set to 200, then each TMM sends an average of 200 pkts/sec to tcpdump application during the life cycle of tcpdump application.
Fixed Versions:
17.1.1.2
1492361-1 : TMUI Security Hardening
Links to More Info: K000138894, BT1492361
1491481-1 : Server changes to support QT upgrade of Mac Clients
Links to More Info: BT1491481
Component: Access Policy Manager
Symptoms:
The old client build was failing due to a pending QT upgrade, the client requires server changes to support.
Conditions:
QTv5.5 and MAC OS(11.1)
Impact:
Cannot establish VPN connection with new clients.
Workaround:
None
Fix:
Server changes to support QT upgrade of clients.
Fixed Versions:
17.1.2, 16.1.5
1490833-2 : OAuth agent gets misconfigured when adding a new Scope/Claim in VPE
Links to More Info: BT1490833
Component: Access Policy Manager
Symptoms:
OAuth agents gets misconfigured when adding a new scope/claim in the visual policy editor (VPE)
Conditions:
- There are at least 10 scopes/claims attached to the OAuth agent.
- Adding a new scope/claim to the OAuth agent
Impact:
OAuth agent gets misconfigured
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1490765-3 : Request body can be unordered by bot-defense
Links to More Info: BT1490765
Component: Application Security Manager
Symptoms:
Certain request body, such as request body from a trusted bot, can be unordered after bot-defense applied its enforcement.
Conditions:
- bot-defense profile is in use
- bot-defense performs rDNS lookup for the request
- this manifests once in every five minutes
Impact:
Service or application that receives the unordered request body might not understand the request content and can fail.
Workaround:
Use iRule that disables bot-defense for the specific request, for example
- Check UA, URI, and other
- Disable bot-defense
Fixed Versions:
17.1.2, 16.1.5
1489657-1 : HTTP/2 MRF incorrectly end stream for 100 Continue
Links to More Info: BT1489657
Component: Local Traffic Manager
Symptoms:
HTTP2 client resets the stream by PROTOCOL ERROR on seeing END_STREAM flag set in 100 CONTINUE header frame.
Conditions:
HTTP/2 MRF enabled
HTTP/2 on the server side.
HTTP POST with body length > 0
The HTTP request has the "Expect: 100-continue" header
The server responds 100 Continue
And versions that have BugID-1220629 fixed
Impact:
The request would not be processed due to PROTOCOL_ERROR.
Fix:
Special handling for 1xx headers
Fixed Versions:
17.1.2, 16.1.5
1482769-3 : JSON schema failing after upgrade to 15.1.10.2★
Links to More Info: BT1482769
Component: Application Security Manager
Symptoms:
A violation occurs with "JSON data does not comply with JSON schema"
Issue is caused as a regression of ID 1295009 and 1305157
Conditions:
This occurs when using a JSON profile
Impact:
Requests are getting blocked with violation "JSON data does not comply with JSON schema".
Workaround:
None
Fix:
JSON schema validation does not fail with the specific regex.
Fixed Versions:
17.1.2
1481929 : Possible TMM crash on a race of BADOS and DOSL7 mitigations
Links to More Info: BT1481929
Component: Anomaly Detection Services
Symptoms:
TMM crash
Conditions:
Configured BADOS with DOSL7/Bot protection.
The attack is handled by BADOS and DOSL7 blocks as well.
Impact:
TMM crash
Fix:
No TMM crash
Fixed Versions:
17.1.2
1475041-1 : Token is getting deleted in 10 mins instead of 20 minutes.
Links to More Info: BT1475041
Component: TMOS
Symptoms:
- Tokens in var/run/pamcache are getting deleted before the expected time.
- csync is creating the issue by deleting token from /run/pamcache before the expiry period of token.
- restjavad/mcpd is working fine, as expected.
Conditions:
- VIPRION device must be used.
- token must be created under /var/run/pamcache
- after token creation, check every 10 minutes if the token is available or not.
Impact:
- Token is getting deleted in 10 minutes instead of 20 minutes.
Workaround:
N/A
Fixed Versions:
17.1.2
1474749-3 : ASM policy IP Address Exceptions list entry shows incorrect route_domain
Component: Application Security Manager
Symptoms:
While creating an ASM policy's IP Address Exceptions list entry with a non-default route domain (not "0"), it is unexpectedly stored with the default route domain "0".
Conditions:
- ASM policy created under partition with route domain other than "0".
Impact:
IP Address Exceptions list may not work as expected for partitions with route domain other than "0".
Workaround:
None
Fixed Versions:
17.1.2
1473701-1 : Oauth Discovery task is struck at "SAVE_AND_APPLY" state
Links to More Info: BT1473701
Component: Access Policy Manager
Symptoms:
Initial symptoms could be one of the following:
- Auto JWT discovery task stops or stalls and no reason is provided
- OIDC discovery task stops discovering
- Auto update of JWK fails
- OAuth token does not renew
- Oauth Discovery stuck at "SAVE_AND_APPLY"
- OAuth Provider Discovery Task does not work anymore
Other indications:
-> Stale JWK keys will be present in the config and Authentication fails with the following error in /var/log/apm:"OAuth Scope: failed for jwt-provider-list '/Common/VPN_JWT', error: None of the configured JWK keys match the received JWT token, JWT Header:
"
->restcurl -X GET tm/access/oidc/discover/ outputs the OIDC discovery task status and status will be in "SAVEANDAPPLY"
Conditions:
- jwk keys discovered from the openid well known url should be different from the existing JWK keys in the config
- And mcp should fail while applying the config. We can identify that if the /var/log/restjavad does not show the " Applying access policies" log after the "Updating mcp jwt and jwk objects for provide" log
Impact:
- Config will contain stale JWK keys
Workaround:
- Restart restjavad so that the discovery task starts again
Fix:
- Moved the apply access policy operation into a child thread so that the parent thread does not block itself until it receives a response from the mcp.
- Earlier the OIDC thread would be blocked until it got a successful response from the mcp for "apply access policy" and if it did receive a response, it would be blocked and would stop permanently without rescheduling itself.
- Now, even if the apply access policy fails in the current discovery cycle, the OIDC discovery worker will not be blocked and will be rescheduled for the next interval and the apply access policy will be reattempted as part of the next discovery cycle.
Fixed Versions:
17.1.2, 16.1.5
1473589 : SAML SP fails with error 'Response/assertion is not signed' on receiving the assertion★
Links to More Info: BT1473589
Component: Access Policy Manager
Symptoms:
SP shows access denied page
In SP APM logs you see the error "Response/assertion is not signed"
SAML Agent: /Common/basestar_sp_policy_act_saml_auth_ag failed to parse assertion, error: $fmt
Conditions:
-- Upgrade to 17.1.0
-- Configure BIG-IP as SP with "Want Signed Assertion" and "Want Encrypted Assertion" enabled in the SP service config
-- Response from the IDP is received without a signature element
Impact:
Unable to access SP
Workaround:
-- If using BIG-IP as IdP enable 'Response must be signed' in the spconnector config
-- If using other IdPs ensure to send an assertion Response with a signature XML element.
Fix:
Changed error handling to match older BIG-IP version behavior.
Fixed Versions:
17.1.2
1472817 : Blade disconnects from BIG-IP clusters during high traffic flow.
Links to More Info: BT1472817
Component: Local Traffic Manager
Symptoms:
When the traffic is high, an overloaded blade can disconnect from the BIG-IP cluster due to dropped internal heartbeat packets.
Conditions:
Issue can be triggered when there is high and sustained traffic loads.
Impact:
Blades can disconnect from the BIG-IP cluster.
Workaround:
Decrease the traffic level until the blade rejoins the cluster.
Fix:
Priority of CDP packets are increased, so that they use high priority queues and are protected against being dropped when the front panel traffic load is high. Also optimized the algorithm that determines cross-blade disaggregation state to improve recovery when a blade drops out and rejoins a cluster.
Fixed Versions:
17.1.1.2
1472685-3 : Add support for 4 new Webroot Categories
Links to More Info: BT1472685
Component: Traffic Classification Engine
Symptoms:
URL's getting categorised as Uncategorized.
Conditions:
Query any of the URL that fall under new category
Impact:
URL does not get categorised as expected and gets classified as "Uncategorized"
Fix:
Added support for 4 new categories.
Fixed Versions:
17.1.2, 16.1.5
1472609-1 : [APM]Some user roles unable view Access config GUI, getting 403 error
Links to More Info: BT1472609
Component: Access Policy Manager
Symptoms:
Some user roles (except admin, manager, resource manager, and App Editor users) get 403 forbidden when opening Access config in GUI.
Conditions:
- BIG-IP versions 16.1.4.1 (or later), 15.1.10.2 (or later), and 17.1.0.3 (or later).
- User roles except for admin, manager, resource manager, and App Editor users.
Impact:
Unable to view APM UI.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1470329-1 : PEM: Multiple layers of callback cookies need input validation in order to prevent crashes.
Links to More Info: BT1470329
Component: Policy Enforcement Manager
Symptoms:
TMM core and restart because of PEM.
Conditions:
1)PEM session attribute lookup via spmdb_session_attr_session_lookup_cb
2) The callback function in the cookie is null.
Impact:
TMM restarts. Service disruption.
Fix:
Fix: adding null check for callback function.
Fixed Versions:
17.1.2, 16.1.5
1469897-4 : Memory leak is observed in IMI when it is invoked via icall script
Links to More Info: BT1469897
Component: TMOS
Symptoms:
IMI(part of ZebOS routing) might leak memory when executed via iCall script
Conditions:
iCall script invoking IMI, for example listing dynamic routing configuration.
Impact:
Memory leak leading to a process crash.
Fixed Versions:
17.1.2
1469889-1 : URI should not raise violation when the SSRF violation is turned off
Component: Application Security Manager
Symptoms:
SSRF violation should not be raised when the URI parameter is enabled and SSRF learning and blocking settings are disabled.
Conditions:
Disable SSRF learning and blocking settings
Impact:
URI is raising a violation when the SSRF violation is turned off
Workaround:
NA
Fix:
Should not raise SSRF violation
Fixed Versions:
17.1.2
1469337-2 : iRule cycle count statistics may be incorrect
Links to More Info: BT1469337
Component: Local Traffic Manager
Symptoms:
The iRule CPU cycle information for long-running LTM iRules might be misreported.
Conditions:
An iRule runs for a long time. The length of time depends on the processor, but typically for more than a second.
Impact:
The CPU cycle information reported for an iRule event could be misreported.
Workaround:
None
Fix:
An issue with iRule CPU cycle statistics has been corrected.
Fixed Versions:
17.1.2
1468809-1 : Attack signature "Staged Since" timestamp is not accurate
Links to More Info: BT1468809
Component: Application Security Manager
Symptoms:
Attack signature "Staged Since" timestamp is not accurate
Conditions:
Signature is set to staging
Impact:
The "Staging: Since" timestamp is inaccurate.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1468769-1 : Signature Compile error for bot-signature emitted in asm control plane
Component: Application Security Manager
Symptoms:
After creating an user-defined bot-signature with a certain way, there will be an error emitted in asm control plane.
ASM subsystem error (asm_config_server.pl,F5::NegativeSignatures::Collection::Compiler::get_compiled_collection): Failed to compile rule "__SOME_RULE_HERE__" for signature id 3187068479 -- skipping
Conditions:
Create an user-defined bot-signature with a semi-colon and a space
Impact:
The rule may not be identified as expected.
Workaround:
None
Fixed Versions:
17.1.2
1468589-1 : TypeError: Cannot convert a Symbol value to a string in CSSStyleDeclaration Object Getter and Setter Functions
Links to More Info: BT1468589
Component: Access Policy Manager
Symptoms:
APM is unable to read or modify the CSS properties to dynamically change the style of the element
Conditions:
Modern Rewrite Mode is enabled
Impact:
Unable to read or modify the CSS properties to dynamically change the style of the element
Workaround:
Use the below iRule:
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
if {
[HTTP::path] ends_with "cache-fm-Modern.js"
} {
HTTP::respond 200 content [ifile get ModernCachefm]
}
}
Request the iFile with the fix via an escalation
Fixed Versions:
17.1.2, 16.1.5
1466325-1 : Live Update installation window does not disappear when an installation error occurs
Links to More Info: BT1466325
Component: Application Security Manager
Symptoms:
If a Live Update fails to install, attempting to re-install may result in a loading window that does not disappear.
Conditions:
-- Any type of Live Update (e.g. Bot Signatures) encounters an error
-- Attempt to re-install the file(System ›› Software Management : Live Update page)
Impact:
The live update window does not close and it is not possible to determine if the live update was successful.
Workaround:
Reload the page.
Fix:
GUI is not getting stuck
Fixed Versions:
17.1.2
1466293-1 : SIP MRF over TCP might cause excessive memory buffering
Component: Service Provider
Symptoms:
SIP MRF over TCP might cause excessive memory buffering.
Conditions:
Certain traffic patterns might flood the BIG-IP over TCP from the server side and cause excessive memory buffering.
Impact:
The system can undergo core
Fix:
Excessive memory buffering is eliminated when certain traffic pattern occurs.
Fixed Versions:
17.1.2, 16.1.5
1466289-4 : SIP MRF might leave orphaned connections
Component: Service Provider
Symptoms:
Under certain traffic patterns, SIP MRF may leave orphaned connections.
Conditions:
A system with SIP MRF enabled.
Impact:
It leads to excessive memory buffering.
Fix:
Connections are no longer orphaned.
Fixed Versions:
17.1.2, 16.1.5
1462885-3 : LTM should send ICMP port unreachable upon unsuccessful port selection.
Links to More Info: BT1462885
Component: Local Traffic Manager
Symptoms:
In some cases ICMP port unreachable is not sent back to the client when the BIG-IP system is unable to obtain an available port for a connection.
Conditions:
Flow collision happens, BIG-IP is unable to obtain an available port for connection.
Impact:
LTM drops traffic and does not send an ICMP error to the client.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1462797-4 : TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection when an HTTP/2 request is sent
Links to More Info: BT1462797
Component: Application Security Manager
Symptoms:
TMM crashes, when HTTP/2 and DoSL7 profiles are enabled on virtual server, and DoS protection is disabled using an iRule. This occurs while sending an HTTP/2 request to the virtual server.
Conditions:
- HTTP/2 and DoSL7 profiles are enabled on virtual server
- DoSL7 disabled using iRule
- HTTP/2 request is sent to virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1462409-1 : PVA dedicated mode in F5OS tenants needs eviction disabled
Links to More Info: BT1462409
Component: TMOS
Symptoms:
PVA dedicated mode will not work in F5OS tenants until pva flow eviction is disabled.
Conditions:
Low latency license, dedicated mode enabled in the fastl4 profile.
Impact:
PVA connections may not all be accelerated. They will not be using the neuron engine.
Workaround:
tmsh modify ltm profile fastl4 myfastl4 pva-flow-evict disabled
Fixed Versions:
17.1.2
1462393-2 : Quota is not getting updated from the PEM side
Links to More Info: BT1462393
Component: Policy Enforcement Manager
Symptoms:
The quota is not updated when PEM receives the CCR-U message from the OCS.
Conditions:
Once the quota is exhausted,
1. OCS initiates a Re-Auth Request (RAR) to PEM
2. PEM responds with RAA
3. PEM then sends CCRu to OCS to request more quota
4. OCS responds with a CCA for additional quota for the rating group
5. Subscriber Session record did not change with new Granted Units.
Impact:
The quota is not updating from the PEM side.
Fix:
Quota is updating from the PEM side
Fixed Versions:
17.1.2, 16.1.5
1461597-3 : IPS IM upgrade is taking more time
Links to More Info: BT1461597
Component: Protocol Inspection
Symptoms:
It takes more time than usual for the upgrade of the protocol inspection updates IM Package.
Conditions:
During IM Upgrade:
1) Go to security -> Protocol Inspection -> Inspection Updates -> Download Package -> From file -> choose file -> Download.
2) select the IM and click on install
3) select the IM and click on deploy
Impact:
It takes more time to upgrade to the latest IM package. This is due to a larger than normal number of signature updates.
Workaround:
None
Fix:
Setting the default action to don't inspect for new signatures in the default profiles.
Fixed Versions:
17.1.2, 16.1.5
1455953-3 : The iRule "string first" command might fail to find the search string
Links to More Info: BT1455953
Component: Local Traffic Manager
Symptoms:
String first fails to find the search string or returns an incorrect location.
Conditions:
The "string first" command is being used in an iRule.
The string being searched contains binary or Unicode data.
A non-zero start index is provided.
For example:
set needle "needle"
set haystack "my\u2022data\xc2with needle"
set location [string first $needle $haystack 1]
This will result in the location being set to "-1".
Additionally,
set location [string first $needle $haystack 2]
will set the location to the incorrect location.
Impact:
Unexpected iRule behavior with some inputs.
Workaround:
None
Fix:
An issue with the iRule "string first" command providing incorrect results has been addressed.
Fixed Versions:
17.1.2
1455677-1 : ACCESS Policy hardening
Component: Access Policy Manager
Symptoms:
Under certain traffic patterns, ACCESS policy may crash
Conditions:
ACCESS policy evaluation is enabled
Impact:
A TMM core.
Workaround:
None
Fix:
The core is resolved.
Fixed Versions:
17.1.2, 16.1.5
1449709-1 : Possible TMM core under certain Client-SSL profile configurations
Links to More Info: K000138912, BT1449709
1447389 : Dag context may not match the current cluster state
Links to More Info: BT1447389
Component: TMOS
Symptoms:
When the cluster state changes during synchronization of dag context in a HA pair, dag context may not match the current cluster state.
This is a rare-occurance problem and happens
only during frequent updates of the cluster state.
Conditions:
- HA pair is configured, the system role is the next-active
- The cluster state changes during the synchronization of the dag state.
Impact:
- one blade is not present in the dag context
Workaround:
Restart TMM
Fix:
Fixed an error that leads to a dag context not matching the current cluster state.
Fixed Versions:
17.1.1.2
1441433-1 : BIG-IP may not remove the topmost via header from a SIP response before forwarding to server
Links to More Info: BT1441433
Component: Service Provider
Symptoms:
If extension2 contains % (percent), some clients will convert it and this causes the BIG-IP to forward it as is instead of removing it.
Conditions:
-- Virtual server with a SIP profile
-- A header arrives (extension2) which contains a special character. This can occur if a client converts %2a to *, for example.
Impact:
Extension2 ends up being forwarded by BIG-IP
SIP server getting extra field (extension2) does not recognize it.
Workaround:
None
Fixed Versions:
17.1.2
1436221-3 : Modify b.root-servers.net IPv4 address to 170.247.170.2 and IPv6 address to 2801:1b8:10::b
Component: Global Traffic Manager (DNS)
Symptoms:
USC/ISI, which operates b.root-servers.net, renumbered the IPv4 and IPv6 addresses on November 27, 2023. The current IPv4 address is 170.247.170.2, and the current IPv6 address is 2801:1b8:10::b. USC/ISI continues to support the root service over the current IPv4 and IPv6 addresses until November 27, 2024,(one year). This enables a stable transition while new root hints files are distributed in software and operating system packages.
Conditions:
Several profiles include the b.root-servers.net
Impact:
As USC/ISI supports the current IPv4 and IPv6 addresses for a minimum of one year (November 27, 2024), there is minimal impact. A single timeout for pending TLD queries can occur when accessing an old IP address using round-robin. Normally, the hint's TTL which is more than a month can cause a timeout when the old IP stops responding.
Workaround:
None
Fix:
The IPv4 and IPv6 address for b.root-servers.net has been renumbered to 170.247.170.2 and 2801:1b8:10::b
Fixed Versions:
17.1.2
1429897-2 : NShield netHSM : Creating new nShield key does not commit this key to an external RFS with nShield 12.60
Links to More Info: BT1429897
Component: Local Traffic Manager
Symptoms:
With nShield software v12.60 when creating a new nShield key on BIG-IP which is a client of an external RFS the new key is not automatically uploaded to RFS.
It works fine with nShield software v12.40 and new keys are committed to RFS without 'rfs-sync -c'.
If we generate a new HSM key with fipskey.nethsm (a wrapper for /opt/nfast/bin/generatekey) the key is committed to RFS.
Conditions:
--> Configure BIG-IP with an external HSM. Use nShield software v12.60.x.
--> Create a new nethsm key using TMSH or WebUI.
Impact:
Upgrading to higher versions of BIG-IP software will cause issues due to the usage of nshield v12.60 in them.
Workaround:
Use 'rfs-sync -c' after creating a new key.
Fix:
None
Fixed Versions:
17.1.2, 16.1.5
1429717 : APM as oAuth AS intermittently returning HTTP/1.1 400 Bad Request
Links to More Info: BT1429717
Component: Access Policy Manager
Symptoms:
BIG-IP configured as oAuth AS on a VIPRION environment intermittently, the oAuth token request (POST /f5-oauth2/v1/token) fails with 400 Bad Request.
Following is an example APM logs error:
"Error Code (invalid_request) Error Description (Invalid parameter (auth_code).)"
Conditions:
BIG-IP configured as oAuth AS.
Impact:
Authentication failed, unable to reach back-end resources.
Workaround:
None
Fixed Versions:
17.1.2
1429149-1 : VELOS tenant, TMM remains not ready and fails to fully come-up on secondary slots★
Links to More Info: K000138191, BT1429149
Component: TMOS
Symptoms:
- TMM does not fully come up on secondary slots leaving all but one slot non-operational.
Following is an example:
[root@rd1:/S1-green-P::Active:Standalone] config # tmsh show sys cluster
-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address <IP address/subnet>
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 1
Primary Selection Time 12/08/23 12:16:33
---------------------------------------------------------------------------------------------------------
| Sys::Cluster Members
| ID Address Alt-Address Availability State Licensed HA Clustered Reason
---------------------------------------------------------------------------------------------------------
| 1 :: :: available enabled true active running Run
| 2 :: :: unavailable enabled false active running TMM not ready
2. The following messages will be seen on secondary slots /var/log/tmm logs file:
notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00
notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00
notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00
notice SEP: Can't find SEP mapping for slot:2 port:0mac:02:01:23:45:02:00
3. On tenant run:
guishell -c "select name,module_id,physport from interface"
If physport for 1/0.1 is showing 0, it's another indication of the bug.
Note: This issue can also occur on a single-bladed tenant, but there are no "Can't find SEP mapping" errors in tmm log, and "show sys cluster" does not show any problem on a single-bladed tenants. The guishell command is the only clear symptom that can be observed.
Other symptoms of this issue include:
- /var/log/ltm contains 'inet port exhaustion' logs for non-floating SelfIP addresses.
- The HA channel is disconnected.
- The failover channel over the HA VLAN does not work.
- Health checks are down or flapping.
- A BIG-IP tenant was working fine, but after a reboot, it stopped working.
- A BIG-IP tenant was broken, so you restart it, and now the tenant works, but a different tenant is now broken.
- You can ping some things but not other things.
This issue may not be triggered immediately after the upgrade.
Although it is encountered more rarely, this issue could also be triggered on rSeries devices.
Conditions:
BIG-IP tenant running v17.1.1 running on VELOS.
Impact:
TMM does not fully start on secondary slots, leaving those slots as part of the cluster and unable to process traffic.
Workaround:
None
Fixed Versions:
17.1.1.2
1410989-1 : DNSX returns a malformed UDP DNS response when the answer count is nonzero but there is no answer section.
Links to More Info: BT1410989
Component: Global Traffic Manager (DNS)
Symptoms:
The BIG-IP system returns a malformed UDP DNS response.
Conditions:
When provided buf_size is able to fit the answer section but not able to fit authority and additional sections.
Impact:
Malformed UDP DNS response.
Workaround:
Use TCP DNS query.
Fix:
None
Fixed Versions:
17.1.2, 16.1.5
1410953-1 : Keymgmtd coring or restarting in loop when we have an empty crl file inside crl_file_cache_d path.
Links to More Info: BT1410953
Component: TMOS
Symptoms:
Keymgmtd is coring and restarting in a loop.
Conditions:
Create an empty file in the crl_file_cache_d path and try restarting the keymgmtd.
Impact:
Key management-related operations will fail.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.2, 16.1.5
1410509 : A F5 CDP timeout for a single blade may override the DAG context for the whole system
Links to More Info: BT1410509
Component: TMOS
Symptoms:
A timeout in the F5 Cluster Discovery Protocol for a single blade may override the DAG context for the entire system.
Conditions:
A timeout in the F5 Cluster Discovery Protocol for a single blade.
Impact:
Traffic is routed to a single blade, as seen in `tmctl -d blade tmm/sdaglib_hash_table`.
Workaround:
Restart any TMM.
Fix:
Fixed a possibility for a single blade timeout to override the DAG context for the whole system.
Fixed Versions:
17.1.1.2
1410457-5 : OpenSSL vulnerability CVE-2023-5678
Links to More Info: K000138242
1409537-1 : The chmand fails to fully start on multi-slot F5OS tenants when the cluster members have addresses or alternate addresses
Links to More Info: BT1409537
Component: TMOS
Symptoms:
The chassis manager daemon (chmand) is wedged and does not fully start causing MCPD and cluster to never start.
Conditions:
This issue is seen when IPv6 alternate addresses to the cluster members are added and rebooted to a slot.
Impact:
The slot does not come online and stays inoperative.
Workaround:
None
Fix:
Using the copy of a variable for a bad iterator has fixed the issue.
Fixed Versions:
17.1.1.2
1409453-1 : [APM][NA]Read Access Denied for 'Manger role' when accessing Network Settings in Network Access config
Links to More Info: BT1409453
Component: Access Policy Manager
Symptoms:
On GUI: 'General database error retrieving information.'
In /var/log/ltm: Read Access Denied: user (es-manager) type (network acces address space include)
Conditions:
-- Non-admin user
-- Network Access configured on APM
Impact:
Non-admin users cannot access Network Access settings.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1408381-2 : BADOS signals might no sync on HA setups
Links to More Info: BT1408381
Component: Anomaly Detection Services
Symptoms:
BADOS signals might no sync on HA setups.
Conditions:
When using High Availability setups with BADOS enabled.
Impact:
Standby machine is not synched in some scenarios.
Workaround:
Manual sync with the script that calls rsync.
Fix:
The state file always stays in sync.
Fixed Versions:
17.1.2, 16.1.5
1408269-2 : Add action and status to monitor_instance table
Component: Local Traffic Manager
Symptoms:
In a few instances, the status of LTM nodes and/or pool members monitored by the bigd daemon may not be correctly or completely communicated to the mcpd daemon. The mcpd daemon then tells the rest of the BIG-IP about the status of monitored objects.
Currently, there is no clear mechanism for detecting when bigd and mcpd are out of sync for the observed status of LTM nodes and/or pool members monitored by LTM health monitors.
Conditions:
This issue may occur when LTM nodes and/or pool members are monitored by LTM health monitors.
Impact:
Without a clear indication that bigd and mcpd are out of sync for the observed status of monitored LTM nodes and/or pool members, it is not known when corrective action needs to be taken to re-synchronize the LTM node and/or pool member status between bigd and mcpd.
Workaround:
When it is thought that bigd and mcpd are not in sync with the status of monitored LTM nodes and/or pool members, the following actions can be taken to force a re-synchronization of the monitored object status. This causes mcpd to monitor the state of the monitored objects correctly.
-- Restart the bigd using the command:
"bigstart restart bigd"
-- Remove the health monitor from the affected pool, pool member or node, then re-add the health monitor to the affected pool, pool member or node.
Fix:
The tmstat table for bigd, monitor_instance, now includes action and status which reflects the last action taken on the node and the status.
Fixed Versions:
17.1.2
1407997-1 : Enforcer crash due to the ASM parameter configuration
Links to More Info: BT1407997
Component: Application Security Manager
Symptoms:
An ASM policy that is configured with a parameter that has a "Parameter Value Type" value set to "Ignore value" may cause BD CPU cores to reach 90-100% of their capacity, resulting in a bd core.
Conditions:
The "Parameter Value Type" value is set to "Ignore value" in the ASM policy. The same parameter has to be included in the incoming request.
Impact:
Long request processing time that may cause the enforcer to crash. Traffic disrupted while bd restarts.
Workaround:
Set the "Parameter Value Type" value to "Auto detect" or any other value.
Fix:
The enforcement time is similar to other "Parameter Value Type" options.
Fixed Versions:
17.1.2
1407973-1 : [APM][SAML] Assertion is not occurring when the Binding is set to POST in clientless mode
Links to More Info: BT1407973
Component: Access Policy Manager
Symptoms:
Identified during internal testing, the assertion does not occur in any use case when BIG-IP is configured as a SAML SP with POST binding. Refer to the bug ID 1318397.
debug tmm5[12791]: 014d0501:7: ::6ac890bf:[saml_sp_crypto_get_header:1269] Error: ERR_FAIL
err tmm5[12791]: 014d0002:3: Failed to read header 'APD_SamlCryptoAction' err 12
err tmm5[12791]: 014d0002:3: SSOv2 plugin error(-1) in sso/saml_sp.h:632
Conditions:
This issue occurs under the following conditions:
1. Have a BIG-IP with a basic SAML POST BINDING Setup.
2. "Sign Authentication Request" is enabled.
3. Add the iRule to act as "clientless mode".
iRule :
when HTTP_REQUEST {
# Add the "clientless mode" header to the incoming request
HTTP::header insert "clientless-mode" "3"
}
4. Access the SAML SP virtual server to see the error in the SAML IDP BIG-IP.
Impact:
The SP did not receive the assertion from the IDP, which affects the SAML authentication flow and prevents access to the resources.
Workaround:
None
Fix:
Proper validation has been added for SAML requests as POST in clientless mode during xbuf validation, after the earlier changes made in bug ID 1318397.
Fixed Versions:
17.1.2
1402421-2 : Virtual Servers haviing adfs proxy configuration might have all traffic blocked
Links to More Info: BT1402421
Component: Access Policy Manager
Symptoms:
All requests for ADFS proxy will be blocked and will not be allowed.
Conditions:
/var/log/apm should show a line similar to below in a normal scenario
Nov 30 09:10:38 guest1.pslab.local debug adfs_proxy[9282]: 01aeffff:7: (null)::00000000: C: TMEVT_TIMER
TMEVT_TIMER should occur once every minute
These lines will be missing in the non-working case.
Impact:
Traffic to virtual servers having ADFS Proxy configuration will be disrupted.
Workaround:
- Restart adfs_proxy
- bigstart restart adfs_proxy
Fix:
None
Fixed Versions:
17.1.2, 16.1.5
1400497 : Nlad unstable after upgrade★
Component: Access Policy Manager
Symptoms:
End users are unable to use Outlook when they are not inside the corporate network.
If tmm debug logging is enabled, you might see the following in /var/log/tmm
debug eca[13346]: 01620012:7: Retrieved 0 bytes of random number from tmm 0
debug eca[13346]: 01620012:7: Retrieved 0 bytes of random number from tmm 0
debug eca[13346]: 01620012:7: Retrieved 0 bytes of random number from tmm 1
debug eca[13346]: 01620012:7: Retrieved 0 bytes of random number from tmm 3
Conditions:
APM access profile with NTLM authentication enabled.
Impact:
Nlad unstable due to ECA random number fetch causing NTLM authentication failures.
Workaround:
None
Fixed Versions:
17.1.2
1400317-1 : TMM crash when using internal datagroup
Links to More Info: BT1400317
Component: Local Traffic Manager
Symptoms:
When an internal data group matches a local traffic policy, tmm crashes.
Conditions:
Local data group involved. External data groups are fine.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Use an external data group if possible
Fix:
Both internal and external data group works
Fixed Versions:
17.1.2, 16.1.5
1400257 : Citrix Autodetect fails when STA is configured in Storefront
Component: Access Policy Manager
Symptoms:
When the user configures Citrix integration mode and configures STA servers configured on both Storefront and APM access policy, Auto-discovery of the Citrix Workspace app will fail. Users can still continue with the already installed option.
Conditions:
The issue is seen when Citrix Integration mode is configured and STA resolution enabled. Also, users access APM using a Browser client.
Impact:
The user needs to click multiple times to download the ica file and load the desktop.
Workaround:
None
Fix:
Citrix workspace auto discovery should work.
Fixed Versions:
17.1.2
1400161-1 : Enhance HTTP2 receive-window to maximum
Links to More Info: BT1400161
Component: Local Traffic Manager
Symptoms:
While uploading a 100 MB file, the client repeatedly runs out of the window and the processing of a window update is relatively slow and builds up to quite an overhead.
Conditions:
Virtual server with HTTP2 profile.
Impact:
The transfer time of HTTP2 is increased as compared to HTTP/1.1.
Workaround:
None
Fix:
Increased HTTP2 receive-window maximum value to 1024.
Fixed Versions:
17.1.2
1399861-2 : SIP message parser should have warning logs for drops
Component: Service Provider
Symptoms:
The BIG-IP SIP parser logs all messages at the notice log level.
Conditions:
SIP message parser logging
Impact:
Admin cannot easily be notified of incompatibility issues unless log messages are set to notice which can get very noisy.
Workaround:
None
Fix:
SIP message parser now logs messages at warning level to /var/log/ltm.
Fixed Versions:
17.1.2
1399741-2 : [REST][APM]command 'restcurl /tm/access/session/kill-sessions' output on APM is empty
Links to More Info: BT1399741
Component: TMOS
Symptoms:
Active APM Sessions are not returned when running the kill-sessions command.
Conditions:
'restcurl /tm/access/session/kill-sessions' is run.
Impact:
Active access sessions are not the same on BIG-IP and BIG-IQ since BIG-IQ uses this API (/tm/access/session/kill-sessions).
Workaround:
None
Fixed Versions:
17.1.2
1399645-1 : iRule event BOTDEFENSE_ACTION validation failing a subroutine call
Links to More Info: BT1399645
Component: Local Traffic Manager
Symptoms:
When the BIG-IP system tries to save an iRule that calls a procedure from the BOTDEFENSE_ACTION event, an error occurs.
Conditions:
-- Configure an iRule with event BOTDEFENSE_ACTION.
-- The event calls a procedure.
Impact:
A TCL error is thrown: Rule checker ::tclCheck::checkScript did not complete: can't read "BIGIP::ltmEventCategoryHierarchy(BOTDEFENSE)": no such element in array.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.2, 16.1.5
1399289-2 : "XML data does not comply with schema or WSDL document" violations after upgrade to 16.1.4.1
Links to More Info: BT1399289
Component: Application Security Manager
Symptoms:
If the "Attribute" in a schema file has an upper case letter, then schema validation fails.
This does not apply to "Element", which tries to match exact case.
Conditions:
Create a Case insensitive ASM policy. Create an XML Schema profile which has an "Attribute" Tag with at least one upper-case letter in the Attribute name.
Impact:
Requests fail with Violation, even though the Schema file has a specific attribute.
Workaround:
Have the "Attribute" tag name with all lower case letters, then the request does not gets blocked.
Fixed Versions:
17.1.2, 16.1.5
1399241 : QUIC occasionally erroneously sends connection close with QPACK decoder stream error
Links to More Info: BT1399241
Component: Local Traffic Manager
Symptoms:
QUIC connections are occasionally closed with "QPACK decoder stream error" (error code 514).
Conditions:
The QPACK decoder stream of a QUIC connection receives part of a request in a packet or receives an ack or cancel for a stream that has already been closed.
Impact:
A connection close with "QPACK decoder stream error" is sent and the QUIC connection is closed. Web browsers might also conclude that the BIG-IP's QUIC implementation is not interoperable and stop initiating HTTP/3 connections.
Fix:
Fixed QPACK handling when receiving part of a request in a packet or receiving an ack or cancel for a stream that has already been closed.
Fixed Versions:
17.1.2, 16.1.5
1399193-3 : SIP parser not parsing response when ;; in the to: or from:
Links to More Info: BT1399193
Component: Service Provider
Symptoms:
Messages are not forwarded
Conditions:
When a sip message contains ;; in the to or from, for example:
t: <sip:+18005551212@10.10.24.2;user=phone>;;tag=70c1a1e1
Impact:
Message is not forwarded
Workaround:
None
Fixed Versions:
17.1.2
1398925-1 : Virtual Server status change log message fails to report actual status
Links to More Info: BT1398925
Component: Local Traffic Manager
Symptoms:
-- SNMP_TRAP log message reports the virtual server status as available but does not report that it has been disabled by parent due to its default pool.
-- Then, when a pool member is enabled, the virtual server status will be available again, but there is no log message indicating this change.
Conditions:
-- Disable all pool members in a pool and watch the virtual server status log messages
Impact:
Virtual server status cannot be identified and tracked via log messages.
Workaround:
None
Fixed Versions:
17.1.2
1398809-3 : TMM can not process traffic on Cisco ENIC
Links to More Info: BT1398809
Component: TMOS
Symptoms:
- TMM cannot process traffic
- Within '/var/log/tmm', there is the following log line
rte_enic_pmd: Rq 0 Scatter rx mode not being used
- 'tmctl -d blade tmm/xnet/dpdk/stats' stat table shows a large (several 10000) for 'mbuf_inuse' and 'frag_inuse', and 'mbuf_alloc_fail' is an extremely large count (in the scale of millions) and continuously increasing
Conditions:
- TMM is using Xnet-DPDK drivers
- BIG-IP is connected to a Cisco ENIC card
In addition to the above, one or both of the following
a) Only 1 RX queue available
b) MTU <= 1920
By default, TMM will set MTU to 1500 for ENIC.
Impact:
Traffic disrupted as TMM is not able to receive nor send packets.
Workaround:
Both of following must be done:
1) Configure ENIC to have 2 or more RX queues available
2) Create a file '/config/tmm_init.tcl' containing the following line:
ndal mtu 9000 1137:0043
Fix:
Set TMM to default to MTU 9000 for ENIC
Fixed Versions:
17.1.2
1398229-2 : Enabling support for SSH-RSA in Non FIPS mode
Links to More Info: BT1398229
Component: TMOS
Symptoms:
Ssh-rsa is disabled in FIPS and non-FIPS mode, as SSH-RSA is a less secure algorithm.
Conditions:
Attempt to use SSH-RSA algorithm
Impact:
Unable to use SSH-RSA algorithm
Fix:
Added support for SSH-RSA in Non-FIPS mode.
It is still disabled in FIPS mode.
Fixed Versions:
17.1.2, 16.1.5
1395281-1 : UDP payloads not ending with CRLF are being treated as BAD messages.
Links to More Info: BT1395281
Component: Service Provider
Symptoms:
The UDP SIP payloads that did not end with CRLF are being treated as BAD messages.
Conditions:
The UDP SIP payload did not end with CRLF.
Impact:
The UDP SIP message will be treated as a BAD message if the payload does not end with CRLF.
Workaround:
None
Fix:
Made SIPP parser changes to accept and process UDP SIP messages that do not end with CRLF.
Fixed Versions:
17.1.2, 16.1.5
1395081 : Remote users are unable to generate authentication tokens
Links to More Info: K000137514, BT1395081
Component: TMOS
Symptoms:
On a BIG-IP version with the fix for ID1147633, remote users are unable to generate authentication tokens. This also results in following pages in the GUI being broken for users:
- Device Management >> Overview
- Local Traffic >> Network Map
Conditions:
-- BIG-IP version with the fix for ID1147633
-- Remote user authentication (such as TACACS, RADIUS, Active Directory, and other)
Impact:
Some parts of the GUI may not load for remote users.
Generating an authentication token for a remote user would result in an error message similar to the following:
{
"code": 400,
"message": "token creation failed; target user [<id>] does not exist in the system",
"referer": "https://<IP>/tmui/tmui/devmgmt/overview/app/index.html?ver=0.0.6.17.1.1",
"restOperationId": <ID>,
"kind": ":resterrorresponse"
}
Workaround:
None
Fix:
The GUI pages are loading successfully for remote users.
Fixed Versions:
17.1.1.1, 16.1.5
1394601-3 : PEM AVR onbox reporting stall
Links to More Info: BT1394601
Component: Policy Enforcement Manager
Symptoms:
When using PEM AVR onbox reporting, the per-subscriber reporting will stop working after a set of time.
Conditions:
- PEM AVR reporting.
Impact:
No per-subscriber reporting is available.
Workaround:
Restart tmm to get it working again.
Fix:
PEM AVR reporting continues to function.
Fixed Versions:
17.1.2, 16.1.5
1394049-1 : Login page with URL longer than 128 bytes assigned to brute force causing ASM to restart loop
Component: Application Security Manager
Symptoms:
A login page that is configured with a URL longer than 128 bytes while being assigned to a brute force profile, might cause ASM to be stuck in a restart loop.
Conditions:
Login page URL longer than 128 that is assigned to a brute force profile
Impact:
ASM might be stuck in a restart loop.
Workaround:
Delete the login page and the brute force profile
Fix:
No ASM restart looping
Fixed Versions:
17.1.2
1393761-1 : ArcSight sends a series of '000000000' values in the remote log in case of Attack Signature Detected.
Links to More Info: BT1393761
Component: Application Security Manager
Symptoms:
Series of 0's seen in Arcsight remote logs, in place of the Attack signature ID and Name.
Conditions:
Remote logging profile with ArcSight as logging format.
Impact:
Attack signature ID and Name is not seen in remote logs.
Workaround:
Use Splunk format instead.
Fix:
Padding with 0's will not happen.
Fixed Versions:
17.1.2
1391525-5 : Timestamp Cookies and ePVA acceleration are incompatible on VELOS and rSeries platforms
Links to More Info: BT1391525
Component: Advanced Firewall Manager
Symptoms:
VELOS and rSeries platforms don't support Timestamp Cookies when ePVA acceleration is enabled.
When Timestamps Cookies and ePVA acceleration are enabled, the BIG-IP Tenant sends TCP segments to the clients with the wrong TSecr value (part of the TCP Timestamps option).
Some clients drop these segments because they don't match any of the Timpestamps TSval values of the segments they previously sent to the BIG-IP Tenant.
Conditions:
- VELOS or rSeries platform running a BIG-IP Tenant
- A Virtual Server with a fastl4 profile with PVA acceleration enabled and tcp-timestamp-mode set to 'preserve'
- Timestamp Cookies enabled (this is an AFM feature):
security dos device-config dos-device-config dos-device-vector { tcp-ack-ts { tscookie enabled }}
Impact:
The BIG-IP Tenant sends TCP segments with a wrong TCP TSecr value to the clients when Timestamp Cookies are enabled and ePVA acceleration is used.
Some clients drop these packets and eventually the TCP connection times out.
Some clients may issue a TCP reset.
Workaround:
- Disable TS cookies:
"tmsh modify security dos device-config dos-device-config dos-device-vector { tcp-ack-ts { tscookie disabled }}"
OR
- Disable PVA acceleration in the fastl4 profile:
"tmsh modify ltm profile fastl4 <profile_name> pva-acceleration none"
Fixed Versions:
17.1.2
1391357-4 : Bypassing Tunnels in ServerIP attack: ServerIP attack, combined with DNS spoofing, that can leak traffic to an arbitrary IP address
Links to More Info: K000136909, BT1391357
1391161-1 : sipmsg_parse_sdp crashes when SIP receives certain traffic pattern.
Component: Service Provider
Symptoms:
When the SIP message body has a certain traffic pattern, the sipmsg_parse_sdp crashes.
Conditions:
A pattern that can cause sipmsg_parse_sdp to crash.
Impact:
The system may core.
Fix:
Sipmsg_parse_sdp does not crash when SIP receives the traffic pattern that caused the core previously.
Fixed Versions:
17.1.2, 16.1.5
1389401-1 : Peer unit incorrectly shows the pool status as unknown after merging the configuration
Links to More Info: BT1389401
Component: TMOS
Symptoms:
The peer unit incorrectly shows the state of pool members as "checking" after merging the configuration from the terminal.
Note that these are the same symptoms as ID1095217.
Conditions:
This is encountered on BIG-IP releases or Engineering Hotfixes with the fix for ID1297257, if two or more configurations are specified for an already configured pool on the peer device when using the command "tmsh load sys config merge from-terminal".
Following is an example:
Existing pool:
ltm pool http_pool {
members {
member1:http {
address <IP address>
monitor http
}
}
}
tmsh load sys config merge from-terminal:
ltm pool http_pool {
members none
}
ltm pool http_pool {
members replace-all-with {
member1:http {
address <IP address>
monitor http
}
}
}
This may also occur with a similar configuration using the "merge from-file" operation instead of "merge from-terminal".
These symptoms, matching ID1095217, occur in the presence of the fix for ID1297257, which removes the original, incorrect fix for ID1095217.
Impact:
Pool members are marked with a state of "Checking".
Workaround:
Define all object properties at once (in a single configuration block) instead of multiple times (in multiple configuration blocks) when merging the configuration from the terminal.
Fix:
Specifying the configuration for an LTM pool object multiple times when issuing the "tmsh load sys config merge from-terminal" command no longer causes LTM pool members to remain marked with a state of "Checking", without resulting in the symptoms of ID1297257.
Fixed Versions:
17.1.2
1389225-1 : For certain iRules, TCP::close does not close the TCP connection
Links to More Info: BT1389225
Component: Local Traffic Manager
Symptoms:
When an iRule generates a TCP::close before a server-side connection is established, the BIG-IP system does not close the connection.
Conditions:
Example 1
With this iRule, if there are 2 pipelined http requests, the close will not happen after the first request
Sample iRule:
proc redirect {loc} {
HTTP::redirect $loc
TCP::close
}
when HTTP_REQUEST priority 1 {
call redirect https://[getfield [HTTP::host] ":" 1][HTTP::uri]
}
Example 2:
In this second example of iRule where there are no pools involved (say redirects or error message return 404 not found...) when no servers are connected to. In such case, the close will not happen.
ltm rule tcp_it {
when CLIENT_ACCEPTED {
TCP::collect 1
}
when CLIENT_DATA {
table or other commands for example
TCP::respond "reply" (or 404 not found...)
TCP::release
TCP::close
}
when CLIENT_CLOSED {
log local0. "Client closed"
}
when SERVER_CONNECTED {
log local0. "Server here"
}
}
When such rule involves no servers to be connected - hence "Server here" not displayed - the close will never happen.
Impact:
TCP connection lingers in TMM until expiration.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1389049-3 : Frequent instances of provisioning-pending count spiking on various PEM devices
Links to More Info: BT1389049
Component: Policy Enforcement Manager
Symptoms:
PEM intermittently fails to provision subscribers and a large number of subscriber sessions go into the provisioning-pending state.
Conditions:
-- PEM is enabled
-- BIG-IP is configured to create subscriber dynamically and receive subscriber policy from PCRF
-- BIG-IP receives a large number of subscriber login/logout requests in a short period.
Impact:
New subscribers provisioning fails. Subscribers remain in the provision-pending state.
Workaround:
None
Fix:
With fix, new subscriber provisioning and old subscriber deletion is successful.
Fixed Versions:
17.1.2, 16.1.5
1389033-1 : In an iRule SSL::sessionid returns an empty value★
Links to More Info: K000137430, BT1389033
Component: Local Traffic Manager
Symptoms:
The irule SSL::sessionid command used returns an empty value after an upgrade to v15.1.9.1, when used with a TLS1.3 session.
While SSL::sessionid in v15.1.8.2 returns the value specified in the ClientHello for a TLSv1.3 session, upgrading to v15.1.9.1 results in empty values returned when calling SSL::sessionid.
Conditions:
1. Use SSL::sessionid in an iRule
2. Use an affected BIG-IP version
3. Client establishes a TLS1.3 connection
Impact:
SSL::sessionid returns an empty value, which could result in unintended behavior for applications that use that iRule command.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1388985-1 : The daemon dwbld uses 100% CPU when max port value configured in TMC port list
Links to More Info: BT1388985
Component: Advanced Firewall Manager
Symptoms:
When Traffic Matching Criteria (TMC) port list range is configured that includes maximum port value of 65535, counter is incremented till 65535 and wraps back to 0, as the variable used to store the counter is uint16_t.
Conditions:
- AFM license enabled.
- Daemon dwbld enabled
- Any TMC port list configured with maximum port value of 65535
Impact:
The daemon dwbld consumes 100% CPU impacting system performance.
Workaround:
Avoid configuring maximum port value of 65535 in TMC port list range.
Fix:
The counter is changed to uint32_t to avoid rollover when maximum port value is included in port list range.
Fixed Versions:
17.1.2, 16.1.5
1388621-1 : Database monitor with no password marks pool member down
Links to More Info: BT1388621
Component: Local Traffic Manager
Symptoms:
If an LTM or GTM database monitor is configured with a username to log in to the database, but without a password, pool members monitored by that monitor will be marked Down.
When this issue occurs, an error message similar to the following (for a postgresql monitor in this example) will appear in the DBDaemon log file (/var/log/DBDaemon-*.log):
[MonitorWorker-###] - incomplete parameters: m_connectStr:'jdbc:postgresql://###.###.###.###:##/postgres' m_user:'*********' m_password:'null' max_use:'#' m_inst_id:'******'
The "incomplete parameters" and "m_password:'null'" items are the relevant parts of this error message.
Conditions:
This may occur under the following conditions:
-- LTM or GTM pool members are configured to use a database monitor, such as:
-- mssql
-- mysql
-- oracle
-- postgresql
-- The monitor is configured with a username, but no password
-- And this configuration is otherwise valid: The username is a configured in the target database with no password, and no password is required by the database for authentication of that user.
-- The version of BIG-IP, or BIG-IP Engineering Hotfix,
which includes a fix for Bug ID1025089.
Impact:
Pool members monitored by a database monitor, the configured will be marked Down.
Workaround:
Following is workaround for this issue:
-- Configure the database user with a password, and require password authentication for the user
-- Configure the database monitor with the correct password for the configured username
Fix:
Database monitors with usernames configured without a password (which matches the configuration of that user in the database itself) will report correct health status of monitored pool members.
Fixed Versions:
17.1.2, 16.1.5
1388341-1 : tmm crash upon context reference that was already released (HUDEVT_SHUTDOWN)
Links to More Info: BT1388341
Component: Anomaly Detection Services
Symptoms:
While requests are delayed in TMM due to various reasons, their virtual server and BADOS profile might be deleted.
This may lead to a TMM crash.
Conditions:
-- BIG-IP System, passing traffic.
-- The virtual server has objects attached, such as complex iRules or BADOS, which cause the requests to take more time to get through the tmm.
-- A connection is dropped while the request is still being handled.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
If possible, avoid using objects that cause requests to be delayed, such as iRules and behavioral DoS.
Fix:
TMM does not crash when a connection is dropped while a request is still in the progress.
Fixed Versions:
17.1.2, 16.1.5
1388273-1 : Bd Crash or Performance Degradation in Specific Scenarios
Links to More Info: BT1388273
Component: Application Security Manager
Symptoms:
A potential Bd crash may occur under specific request and policy conditions, accompanied by possible performance degradation.
Conditions:
Specific policy condition and requests.
Impact:
A bd crash, failover or in other cases performance degradation for specific requests.
Workaround:
None
Fix:
A crash issue was fixes.
Fixed Versions:
17.1.2
1384509-4 : The ePVA syncookie protection stays activated in hardware
Links to More Info: BT1384509
Component: Advanced Firewall Manager
Symptoms:
Hardware syncookie protection might be activated without TMM reflecting such state. Only the following log will be shown when this happens (even though hardware protection is activated):
warning tmm5[24301]: 01010038:4: Syncookie counter 53 exceeded vip threshold 52 for virtual = 1.1.1.1:443
Normally two following messages should be visible:
warning tmm5[24301]: 01010038:4: Syncookie counter 53 exceeded vip threshold 52 for virtual = 1.1.1.1:443
notice tmm5[24301]: 01010240:5: Syncookie HW mode activated, server name = /Common/test server IP = 1.1.1.1:443, HSB modId = 5
There exist exceptions to this rule. If unsure, please open a support case.
Conditions:
Hardware syncookie protection activated on a TCP/fastL4 profile.
Undisclosed traffic pattern hits virtual server.
Impact:
Hardware syncookie protection stays activated without TMM reflecting the state.
Hardware syncookie protection stays activated until traffic subsides and hardware deativates protection.
Some connections might not be opened properly.
Workaround:
None
Fixed Versions:
17.1.2
1382365-1 : XML policy import fails due to corrupted user-defined Signature Set definition
Links to More Info: BT1382365
Component: Application Security Manager
Symptoms:
Importing an XML policy exported from 17.1.x fails due to a corrupted user-defined Signature Set definition.
Conditions:
A user-defined Signature Set is created in a version prior to 17.1.0, the configuration is upgraded to 17.1.0 (or later), and the policy is exported as XML.
Impact:
XML policy import fails.
Workaround:
Edit the XML policy file to remove the corrupted user-defined Signature Set definition.
Fix:
XML policy containing user-defined Signature Set can be imported successfully.
Fixed Versions:
17.1.2
1382329-2 : Handling 'active' attribute in introspection response
Links to More Info: BT1382329
Component: Access Policy Manager
Symptoms:
When Google is configured as an authorization server it does not include an 'active' attribute in response to the token validation endpoint. OAuth Scope fails without any error message.
Conditions:
BIG-IP configured as OAuth Client + Resource Server and Google as Authorisation server.
Impact:
BIG-IP Administrator will not be able to figure out why OAuth Scope fails by looking at the debug logs.
Workaround:
None
Fix:
Log an error message describing the absence of an 'active' attribute.
Fixed Versions:
17.1.2, 16.1.5
1382141-5 : Query string gets stripped when bot defense redirects request via Location header, with versions that have the fix for ID890169★
Links to More Info: BT1382141
Component: Application Security Manager
Symptoms:
The query parameter is missing in the Location header, after upgrading to BIG-IP to the versions that have the fix for ID890169, with a redirect challenge.
This can cause 307 redirect requests from the BIG-IP system.
Conditions:
The bot profile is attached to the virtual server.
Impact:
Dropping query string results in an unrecognized resource request to the server.
Workaround:
None
Fixed Versions:
17.1.2
1381689 : SAML SP does not properly sign the SAML Auth Request sent to SAML IdP when http-redirect with detached signature
Links to More Info: BT1381689
Component: Access Policy Manager
Symptoms:
The SAML Auth Request signature is invalid.
Conditions:
-- SAML sp configured with signed authn request
-- SSO binding is set to http-redirect
-- want-detached-signature is set to true
Impact:
SAML Auth req not signed properly which breaks the saml flow and impacts accessing the resources
Workaround:
None
Fix:
Properly fetching the compressed Authn Req along with signature from tmm and sending to apmd and storing in respective session vairiables;
Fixed Versions:
17.1.2
1381565-1 : ADMD stability improvements when configured with TLS signatures
Component: Anomaly Detection Services
Symptoms:
- ADMD restart
- High CPU utilization of ADMD
- TMM restart
Conditions:
BADOS configured with TLS signatures
Impact:
- High CPU utilization
- Traffic loss
Workaround:
None
Fix:
- No ADMD restarts.
- ADMD consumes reasonable CPU resources
- No TMM restarts
Fixed Versions:
17.1.2, 16.1.5
1381357-1 : CVE-2023-46748: Configuration utility authenticated SQL injection vulnerability
Links to More Info: K000137365, BT1381357
1381065-2 : Custom Request implementation modifies the Request object's prototype, resulting in the lack of the 'signal' property.
Links to More Info: BT1381065
Component: Access Policy Manager
Symptoms:
Cache-fm-Modern.js:405 TypeError: Failed to execute 'fetch' on 'Window': Failed to read the 'signal' property from 'RequestInit': Failed to convert value to 'AbortSignal'.
Conditions:
When going through Portal Access Modern Rewrite mode
Impact:
Fetch request fails and throws an error
Workaround:
Mitigate the issue with below iFile iRule:
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
if {
[HTTP::path] ends_with "cache-fm-Modern.js"
} {
HTTP::respond 200 content [ifile get ModernCachefm]
}
}
For iFile - Escalate a case explaining to open an SR requesting for such iFile
Fix:
NA
Fixed Versions:
17.1.2, 16.1.5
1378405-1 : The sub-violation of HTTP compliance "Unescaped space in URL" is wrongly listed in TMUI
Links to More Info: BT1378405
Component: Application Security Manager
Symptoms:
The sub-violation of HTTP compliance "Unescaped space in URL"
is wrongly listed in TMUI. The sub-violation is not supported and not functioning.
Conditions:
- No specific condition, an error with GUI.
Impact:
Non-supported or not-functioning sub-violation is displayed in TMUI.
Workaround:
Ignore the sub-violation listed in TMUI.
Fixed Versions:
17.1.2
1378329-1 : Secure internal communication between Tomcat and Apache
Links to More Info: K000137353
Component: TMOS
Symptoms:
For more details see: https://my.f5.com/manage/s/article/K000137353
Conditions:
For more details see: https://my.f5.com/manage/s/article/K000137353
Impact:
For more details see: https://my.f5.com/manage/s/article/K000137353
Workaround:
Note: This fix is related to CVE-2023-46747. However, systems with only the fix for ID1240121 are also not affected by CVE-2023-46747
For more details see: https://my.f5.com/manage/s/article/K000137353
Fix:
Communication between Tomcat and Apache is secured.
Fixed Versions:
17.1.1.4, 16.1.5, 15.1.10.5
1377421-1 : APMD processing of MCP messages is inefficient
Links to More Info: BT1377421
Component: Access Policy Manager
Symptoms:
When user configures large number of Access Policies and APMD is restarted, it takes extended period of time to complete configuration.
Also, CPU usage is high during this period of time.
Conditions:
- User configures hundreds of Access policies.
- APMD is restarted.
Impact:
APMD and MCPD show high CPU utilization for an extended period of time.
Workaround:
None
Fix:
APMD and MCPD use a reasonable amount of CPU and complete processing in an acceptable amount of time.
Fixed Versions:
17.1.2
1369673-1 : OCSP unable to staple certificate chain
Links to More Info: BT1369673
Component: Local Traffic Manager
Symptoms:
When a server returns a certificate chain that involves an archived Let's Encrypt certificate, the OCSP is unable to staple the full chain.
Conditions:
An OCSP is configured on the serverside profile, and the client tries to connect to a server that returns certificate chain using an archived Let's Encrypt certificate.
Impact:
The OCSP is unable to staple the certificate chain. If the stapling is required by the client, the connection will be broken.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1366593-3 : HTTPS monitors can fail when multiple bigd processes use the same netHSM
Links to More Info: BT1366593
Component: Local Traffic Manager
Symptoms:
Monitors going down accompanied by netHSM FIPS errors in /var/log/ltm.
Following is an example error:
01960005:3: netHSM: Shared memory error [Failed to fetch result].
Conditions:
HTTPS monitors having server_ssl profile that is storing a key in netHSM.
Impact:
Intermittently seeing HTTPS monitors fail for brief periods, causing some pool members to briefly be marked down.
Workaround:
Configure bigd to run in single process mode by running the following commands:
tmsh modify sys db bigd.numprocs value 1
bigstart restart bigd
Fixed Versions:
17.1.2, 16.1.5
1366445-1 : [CORS] "Replace with" and "Remove header" CORS functionalities does not work
Links to More Info: BT1366445
Component: Application Security Manager
Symptoms:
"Replace with" and "Remove header" CORS functionalities do not work
Conditions:
-- Allow CORS Enabled
"Replace headers" Or "Remove headers" enabled with Header 'AAA'
-- Disallowed header 'AAA' in request sent
Impact:
The request is blocked with "VIOL_CROSS_ORIGIN_REQUEST" violation
Workaround:
None
Fix:
The request passes with no violations.
Fixed Versions:
17.1.2, 16.1.5
1366401-2 : [APM]"F5RST: HTTP internal error" occurring after BIG-IP initiated client-ssl renegotiation
Links to More Info: BT1366401
Component: Access Policy Manager
Symptoms:
You may see observe below logs in /var/log/apm
<date> <hostname> err tmm3[29020]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_process_state_server_init, Line: 5382
<date> <hostname> err tmm3[29020]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 4075
Conditions:
ASM is configured along with APM on the same virtual server.
Impact:
Connections failing with [F5RST: HTTP internal error (bad state transition)]
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1366229-1 : Leaked Credentials Action unexpectedly modified after XML-format policy export and re-import
Links to More Info: BT1366229
Component: Application Security Manager
Symptoms:
"Leaked Credentials Detection" action unexpectedly modified after XML-format policy export and re-import.
Conditions:
Create a /login.php and set the Leaked Credentials Action to "Alarm and Leaked Credential Page"/"Alarm and HoneyPot Page". Export and reimport the policy in XML format.
Impact:
"Leaked Credentials Action" is modified to default "Alarm and Blocking Page" after reimporting policy.
Workaround:
Policy can be exported and reimported in Binary format. Issue is not seen with Binary format.
Fix:
Fixed an issue with Leaked Credentials Detection.
Fixed Versions:
17.1.2, 16.1.5
1366217-1 : The TLS 1.3 SSL handshake fails with "Decryption error" when using dynamic CRL validator
Links to More Info: BT1366217
Component: Local Traffic Manager
Symptoms:
The SSL handshakes using TLS 1.3 protocol fails with decryption errors when using dynamic CRL validator in SSL profiles on BIG-IP.
Conditions:
1. Create SSL profile with dynamic CRL validator enabled.
2. Create Virtual server and attach the above SSL profile.
3. Connect to VIP using TLS 1.3 protocol.
Impact:
Unable to use CRLDP to authenticate client certificates when using TLS 1.3 protocol.
Workaround:
Use static CRL or OCSP on SSL profiles to validate client entities.
Fix:
This issue has been fixed by pausing the decryption of the application data until certificate status response is received from CRL validator in the case of TLS 1.3 handshakes.
Fixed Versions:
17.1.2, 16.1.5
1366153-1 : "Illegal repeated header violation" is added with blocking enabled, after upgrading to v16+ from earlier versions★
Links to More Info: BT1366153
Component: Application Security Manager
Symptoms:
"Illegal repeated header violation" is added with blocking enabled, after upgrading to v16+ from earlier versions.
Conditions:
Upgrading from pre-v16 to post-v16.
Impact:
False positives after upgrading.
Workaround:
After upgrading, review violation reports and disable "Illegal repeated header violation" as needed.
Fix:
Learn/Alarm/Blocking of "Illegal repeated header violation" are set all disabled after upgrading from versions where the violation did not exist.
Fixed Versions:
17.1.2
1366025-1 : A particular HTTP/2 sequence may cause high CPU utilization.
Links to More Info: K000137106, BT1366025
1365701-4 : Core when flow with looped nexthop is torn down
Links to More Info: BT1365701
Component: Local Traffic Manager
Symptoms:
TMM crashes with "no trailing data (looped flow)" OOPS.
Conditions:
Have to tear down the connflow without tearing down the stream while a connection is pending.
Impact:
Abnormal TMM behavior.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.2
1365629-3 : FPS signature and engine update fail to access sys db key proxy.password
Component: Application Security Manager
Symptoms:
FPS signature and engine update via proxy with password authentication fails
Conditions:
FPS signature and engine update via proxy that requires password authentication
Impact:
Automatic updates of FPS signatures and engine do not work when an HTTP proxy is configured.
Workaround:
Manually upload the file
Fixed Versions:
17.1.2
1361169-1 : Connections may persist after processing HTTP/2 requests
Links to More Info: K000133467, BT1361169
1360965-1 : Bd memory leak
Links to More Info: BT1360965
Component: Application Security Manager
Symptoms:
The bd memory increases.
Conditions:
-- ASM enabled
-- A feature that requires DNS lookup, such as SSRF, is turned on.
Impact:
Memory increases, performance impact.
Workaround:
Remove the auto-detect from the wildcard parameter.
Fixed Versions:
17.1.2
1360917-5 : TMUI hardening
Links to More Info: K000138520, BT1360917
1360757-3 : The OWASP compliance score generation failing with error 501 "Invalid Path"
Links to More Info: BT1360757
Component: TMOS
Symptoms:
The Compliance Rate is stuck at "Calculating policy score" and the network analyzer displays, the response code for the "/mgmt/tm/asm/owasp/generate-score" request receives an error 501 response code "Invalid Path".
Conditions:
Following are the conditions where the issue is observed:
- 24 CPU cores
- Use an Eval license "F5-BIG-LTM-VE-24-V18-LIC" with "WF, High Performance VE, 4 vCPUs"
- Provisioned with ASM and FPS only, without LTM
Impact:
Unable to get the OWASP score calculated (for policies) for Security >> Compliance >> OWASP Compliance view
Workaround:
None
Fix:
Delayed the designated worker by sometime to ensure the essential configuration is loaded into the iControlREST application. That will avoid early initialisation prior to the respective configuration to complete its loading activity.
Fixed Versions:
17.1.2, 16.1.5
1360129-3 : Tcpdump filter by dosl7d_attack_monitor has no netmask
Links to More Info: BT1360129
Component: Application Security Manager
Symptoms:
Tcpdump filter by dosl7d_attack_monitor has no netmask that can result no packet captured during an attack, if the virtual server destination is a network address instead of a /32 host address.
Conditions:
Virtual server destination is a network address
e.g : x.x.x.0/24
Impact:
Dosl7d_attack_monitor fails to capture packets of attack that causes users not being able to analyze capture data of the observed attack later.
Workaround:
None
Fixed Versions:
17.1.2
1359281-1 : Attack signature is not detected when the value does not have '='
Links to More Info: BT1359281
Component: Application Security Manager
Symptoms:
Attack signature is not detected by BIG-IP for non RFC-compliant Cookie.
Conditions:
Cookie is not RFC compliant
Impact:
Attack signature is not detected by BIG-IP.
Workaround:
None
Fix:
Attack signature is detected.
Fixed Versions:
17.1.2, 16.1.5
1359245-2 : Apmd cored when processing oauth token response when response code is not "200" and "ContentType" header "text/html
Links to More Info: BT1359245
Component: Access Policy Manager
Symptoms:
Apmd cores when processing non 200 http response for a get oauth token request when the response contains "ContentType" header as "text/html" and HTTP data as HTML
Conditions:
-- OAuth client is configured on BIG-IP and it requests a token
-- HTTP response is received with a response code other than 200 OK and "Content-type" header text/html with HTML content
Impact:
Apmd crashes. Access traffic disrupted while apmd restarts.
Workaround:
None
Fix:
Fixed an apmd core related to processing HTTP response during an OAuth session.
Fixed Versions:
17.1.2, 16.1.5
1355377 : Subroutine gating criteria utilizing TCL may cause TMM to restart
Links to More Info: BT1355377
Component: Access Policy Manager
Symptoms:
APM per-request policies with subroutines using gating criteria which executes TCL script may cause TMM to restart on multi-TMM instances.
Conditions:
- More than one TMM.
- APM pre-request policy.
- Subroutine gating criteria containing TCL script.
Impact:
TMM may restart, resulting in a traffic outage.
Workaround:
None
Fix:
APM per-request policies with subroutines using gating criteria executing TCL script now executes correctly.
Fixed Versions:
17.1.2, 16.1.5
1355149-4 : The icrd_child might block signals to child processes
Links to More Info: BT1355149
Component: TMOS
Symptoms:
When icrd_child is abruptly killed with SIGKILL signal, the underlying tmsh call is not killed respectively which is leaving the traces of the file descriptors to /var/system/tmp directory files. Thus causing /var partition disk out of use.
Conditions:
When the transitive call to tmsh command through icrd_child is invoked by restjavad module, and it ended as a fatal error or took more than the configured timeout value, restjavad issues SIGKILL command to icrd_child to force-kill the process. But, it is not killing the child processes (tmsh) initiated from icrd_child process.
Impact:
The /var partition disk is out of use.
Workaround:
Use the following command:
[killall -9 tmsh] to kill all the stale tmsh processes and clean up the files in [/var/system/tmp] directory
Fixed Versions:
17.1.2, 16.1.5
1355117 : TMM core due to extensive memory usage★
Links to More Info: K000137374, BT1355117
Component: Access Policy Manager
Symptoms:
User observes TMM core due to extensive memory usage.
Conditions:
- Using BIG-IP 15.1.10
- When APM is used and users login and logoff multiple times.
- Each logoff may lead to some memory leak.
Impact:
User observes TMM core and fail over will occur.
Workaround:
None
Fix:
TMM does not core due to successive logoffs.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10.3
1354977-1 : TMM validating resolver performance dramatically decreases
Links to More Info: BT1354977
Component: Global Traffic Manager (DNS)
Symptoms:
The following are observed:
- High TMM CPU usage
- Performance degraded
- The following TMSH command gets unresponsive
# tmsh show ltm dns cache records rrset cache [DNS validating cache profile name] count-only
Conditions:
- Using Validating cache resolver
- NSEC signing enabled
Impact:
Performance is degraded.
Workaround:
None
Fixed Versions:
17.1.2
1354673 : Failure to read assertion after upgrade★
Links to More Info: BT1354673
Component: Access Policy Manager
Symptoms:
After upgrading to 17.1.x, BIG-IP APMD fails to read the crypto data set by the TMM after receiving a SAML assertion.
Conditions:
BIG-IP system with SAML authentication configured
Impact:
APMD fails to reads into local cache for a crypto variable and finds the variable to be 'empty'. The BIG-IP administrator will fail to achieve a successful SAML authentication.
Related IDs:
ID1282105 at https://cdn.f5.com/product/bugtracker/ID1282105.html
ID1353021 at https://cdn.f5.com/product/bugtracker/ID1353021.html
ID1354673 at https://cdn.f5.com/product/bugtracker/ID1354673.html
Workaround:
None
Fixed Versions:
17.1.2
1354345-2 : Including RelayState while validating SLO Response Signature
Links to More Info: BT1354345
Component: Access Policy Manager
Symptoms:
The parameter 'RelayState' parameter received in SLO Response from IDP is not included in the signature validation when BIG-IP is used as SP.
Conditions:
BIG-IP as SP does not include 'RelayState' while validating the signature of SLO Response.
Impact:
BIG-IP fails in validating the Signature of SLO Response.
Workaround:
None
Fixed Versions:
17.1.2
1354309-4 : IKEv1 over IPv6 does not work on VE
Links to More Info: BT1354309
Component: TMOS
Symptoms:
IKEv1 tunnels over IPv6 does not work on Virtual Edition. BIG-IP responds with UDP port unreachable for incoming Phase 1 packets.
Conditions:
Following conditions must be met:
- IKEv1
- IPv6 peer addresses
- Virtual Edition
Impact:
Unable to establish IPsec tunnel.
Workaround:
None
Fixed Versions:
17.1.2
1354253-1 : HTTP Request smuggling with redirect iRule
Links to More Info: K000137322, BT1354253
Component: Local Traffic Manager
Symptoms:
See: https://my.f5.com/manage/s/article/K000137322
Conditions:
See: https://my.f5.com/manage/s/article/K000137322
Impact:
See: https://my.f5.com/manage/s/article/K000137322
Workaround:
See: https://my.f5.com/manage/s/article/K000137322
Fix:
See: https://my.f5.com/manage/s/article/K000137322
Behavior Change:
HTTP Parser of HTTP message header (for requests and responses) performs additional checks on value for Content-Length header, allowing values, matching BNF definition in RFC2616 (only digits), not causing integer overflow, allowed in multiple instances both in comma-separated lists and multiple Content-Length headers. An additional check introduced for Transfer-Encoding header to allow only RFC-compliant combinations for this header.
Fixed Versions:
17.1.1.1, 16.1.4.2, 15.1.10.3
1354145-3 : Max session timeout countdown timer on webtop is reset when refreshing the Modern Webtop
Links to More Info: BT1354145
Component: Access Policy Manager
Symptoms:
Maximum session timeout countdown timer on webtop is reset when refreshing the Modern Webtop
Conditions:
Using Modern Webtop
Impact:
Not displaying the correct timeout value left on refreshing
Workaround:
None
Fix:
Max session timeout countdown timer reflects correct value when APM Modern webtop is refreshed.
Fixed Versions:
17.1.2
1354009 : Secure erase of BIG-IP tenant
Component: TMOS
Symptoms:
FIPS requires that a capability exist for secure erase of sensitive security parameters from within the FIPS module.
Conditions:
FIPS mode and the need for secure erase.
Impact:
N/A
Workaround:
None
Fix:
A method for secure erase is provided per FIPS requirements.
Fixed Versions:
17.1.2
1353957-1 : The message "Error getting auth token from login provider" is displayed in the GUI★
Links to More Info: K000137505, BT1353957
Component: TMOS
Symptoms:
When you access GUI pages that use REST API token-based authentication, the pages fail to load with the message "Error getting auth token from login provider".
You may also observe a red banner with the message: "The iApp LX sub-system is currently unresponsive."
For example, accessing the policies list from the following location:
iApps ›› Application Services : Applications LX Security ›› Application Security : Security Policies : Policies List
Conditions:
If the auth-pam-idle-timeout is other than 1200
list sys httpd auth-pam-idle-timeout
sys httpd {
auth-pam-idle-timeout 1200
}
Impact:
GUI pages that use REST API token-based authentication will not load.
Workaround:
Use the following tmsh commands:
tmsh modify sys httpd auth-pam-idle-timeout 1200
tmsh save sys config
tmsh restart sys service httpd
wait for 2 minutes
Delete cookies from /var/run/pamcache
rm -f /var/run/pamcache/*
Users authenticated in the TMUI will log out automatically. After logging back in, TMUI pages should load properly.
for VIPRION
tmsh modify sys httpd auth-pam-idle-timeout 1200
tmsh save sys config
clsh tmsh restart sys service httpd
wait for 2 minutes
Edit csyncd settigs prevent old cookies sync from other blade.
clsh "cp /etc/csyncd.conf /etc/csyncd.conf.$(date +%Y%m%d_%H%M%S)"
clsh "sed -i '/run\/pamcache/,+2s/^/#/' /etc/csyncd.conf"
clsh "bigstart restart csyncd"
Delete cookies from /var/run/pamcache
clsh rm -f /var/run/pamcache/*
Revert csyncd settigs.
clsh "sed -i '/run\/pamcache/,+2s/^#//' /etc/csyncd.conf"
clsh "bigstart restart csyncd"
Note: Modifying the auth-pam-idle-timeout value will sync between devices in a sync-failover device group, but the workaround steps above must be performed on each device individually.
Fix:
Restjavad layer modified to accommodate idle timeout values other than 1200
Fixed Versions:
17.1.1.2, 16.1.5
1353565-3 : Certain extreme SSL traffic patterns may impact throughput
Component: Local Traffic Manager
Symptoms:
When high concurrent SSL traffic is sent to BIGIP, it causes peak high CPU usage. When CPU is busy, cryptographic functions are queued and deferred in a large amount which causes the system to unable to process traffic.
Conditions:
BIGIP system is under high CPU load due to a large number of concurrent SSL connections.
Impact:
SSL traffic performance may be impacted negatively.
Workaround:
The issue can be mitigated by putting an upper limit on the number of active SSL handshakes to a virtual server and/or entire BIGIP system. More information is available here - https://my.f5.com/manage/s/article/K83167850
Fix:
The TMM has better stability under extreme loads.
Fixed Versions:
17.1.2
1353021 : Memory Leak in TMM due to SAML SSO after upgrading★
Links to More Info: BT1353021
Component: Access Policy Manager
Symptoms:
When BIG-IP Administrator configures the BIG-IP as SP and enables "Sign Authentication Request", a potential increase in TMM memory is observed compared to memory consumption prior to the upgrade.
Conditions:
- Configuring the BIG-IP as SP and enabling "Sign Authentication Request"
Impact:
Memory leaks in SAML SSO code while signing authentication request. Over a period, TMM core will be triggered. Traffic disrupted while tmm restarts.
Related IDs:
ID1282105 at https://cdn.f5.com/product/bugtracker/ID1282105.html
ID1353021 at https://cdn.f5.com/product/bugtracker/ID1353021.html
ID1354673 at https://cdn.f5.com/product/bugtracker/ID1354673.html
Workaround:
None
Fixed Versions:
17.1.2
1352945-2 : Rewrite plugin memory leak
Links to More Info: BT1352945
Component: Access Policy Manager
Symptoms:
Rewrite plugin memory usage is significantly higher.
Conditions:
Using the rewrite plugin
Impact:
Out-of-memory crashes on systems with low amounts of memory.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1352801-1 : Unnessecary DNS lookups invoked by the bot defense process
Links to More Info: BT1352801
Component: Application Security Manager
Symptoms:
DNS lookups happen by advanced WAF without any relevant feature turned on.
Conditions:
- Parameter data type is set to auto-detect (auto-detect will detect URI automatically)
- A request contains a URI
Impact:
Performance impact, unnecessary DNS lookups.
Workaround:
Change the default wildcard parameter (or other relevant parameters) from auto-detect to other options (usually alpha-numeric).
Fixed Versions:
17.1.2
1351493-2 : Invalid JSON node type while support-introspection enabled
Links to More Info: BT1351493
Component: Access Policy Manager
Symptoms:
As per RFC 7519, the expected value “exp” in the JWT token is a numerical value. JSON itself does not have a native type for integers, so all numerical values are represented as either numbers (without quotes) or strings (with quotes). In our case, we throw an exception if it is not a number to consider the string value. We also have an additional check to ensure it is a valid type.
Conditions:
The issue occurs only when support-introspection is enabled.
Impact:
Support-introspection cannot be enabled.
Workaround:
Disable support-introspection.
Fix:
None
Fixed Versions:
17.1.2, 16.1.5
1351049-2 : Platform recv queue is getting filled with requests from TMM.
Links to More Info: BT1351049
Component: TMOS
Symptoms:
Receive queue counters are unusually high:
# netstat -nalp | egrep -w "Proto|5678"
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5678 0.0.0.0:* LISTEN 13828/platform_agen
tcp 1866270 0 127.0.0.1:5678 127.1.1.44:43695 ESTABLISHED 13828/platform_agen
tcp 1972914 0 127.0.0.1:5678 127.1.1.27:13478 ESTABLISHED 13828/platform_agen
tcp 1866830 0 127.0.0.1:5678 127.1.1.38:33709 ESTABLISHED 13828/platform_agen
...
Conditions:
-- AFM license is enabled
-- Device DOS vector is configured to mitigate DDOS traffic.
Impact:
There can be two impact of this issue :
1. Actual configuration of device dos vectors in FPGA might take longer.
2. DOS stats data might not be correct.
Workaround:
Issue is intermittent but restarting platform_agent may solve this issue.
Fix:
Fixed an issue related to platform agent fetching stats data from the api gateway.
Fixed Versions:
17.1.1.2
1350997-2 : Changes to support pre-logon when secondary logon service is disabled on windows edge client
Links to More Info: BT1350997
Component: Access Policy Manager
Symptoms:
Pre-logon used to fail when the secondary logon service was disabled in the Windows Edge Client.
Conditions:
1. Have secondary logon disabled in the Edge Client.
2. Use Edge Client on Windows.
Impact:
Cannot support pre-logon when secondary logon service is disabled in the Windows Edge Client.
Workaround:
None
Fix:
Changes to support pre-logon when secondary logon service is disabled in the Windows Edge Client.
Fixed Versions:
17.1.2, 16.1.5
1350921-1 : SOCKS profile may not immediately expire connections
Links to More Info: BT1350921
Component: Local Traffic Manager
Symptoms:
SOCKS profile does not immediately expire connections if client sends a TCP reset before server connected.
Conditions:
In some specific conditions where for example the client sends a TCP RST, the connection will stay on the client until the idle timeout expires.
Impact:
Lingering connections until idle timeout expire.
Fixed Versions:
17.1.2
1350717-2 : When the client IP address changes immediately after the authentication to the Configuration Utility, HTTPD could enforce the source IP check even if 'auth-pam-validate-ip' is set to 'off'
Links to More Info: BT1350717
Component: TMOS
Symptoms:
The sys httpd auth-pam-validate-ip setting is 'on' by default. This setting restricts each client session to a single source IP address: the session is terminated if the source IP of the client changes during the session.
If browsers connect to the Configuration Utility through a proxy, their source IP addresses might change during a session: in this case you might want to set auth-pam-validate-ip to 'off' to avoid session termination when mod_auth_pam detects a client IP change for one of the existing sessions tokens (see https://my.f5.com/manage/s/article/K13048).
When auth-pam-validate-ip is set to 'off', the setting does not work as expected if the client IP address of the browser changes immediately after the HTTP POST that authenticates the user into the Configuration utility.
If the client IP address changes after a few HTTP requests and responses, instead of changing immediately after the user authentication, then the user is correctly allowed to continue their Configuration utility session.
Conditions:
- The "tmsh /sys httpd auth-pam-validate-ip" configuration setting is set to 'off'.
OR
- The same setting in the Configuration utility, the check box under "System > Preferences > Require A Consistent Inbound IP For the Entire Web Session", is cleared.
- The client IP address of the browser changes immediately after the HTTP POST that authenticates the user into the Configuration utility.
Impact:
A user trying to authenticate into the Configuration utility is redirected to the authentication page immediately after inserting their username and password, even if the username and password are accepted by the system.
Workaround:
If the users of the Configuration utility are behind a proxy that might change their IP address, use the same IP address for as long as possible (configure source address persistence on the proxy).
Fixed Versions:
17.1.2, 16.1.5
1350693-1 : Log publisher using replicated destination with unreliable destination servers may leak xfrags
Links to More Info: BT1350693
Component: TMOS
Symptoms:
Over time, xfrag usage increases and does not return to the previous level when traffic is stopped.
Conditions:
The issue occurs under the following conditions:
-- Log publisher with replicated destination.
-- Replicated destination with a pool of more than 1 member.
-- Pool members go up and down over time.
Impact:
F5 box encountered aggressive sweeper mode leading to loss of traffic.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.2, 16.1.5
1350273-1 : Kerberos SSO Failing for Cross Domain After Upgrade from 15.1.8.2 to 15.1.9.1★
Links to More Info: BT1350273
Component: Access Policy Manager
Symptoms:
401 Unauthorised received from backend server even if SSO succeeds.
Conditions:
-- Kerberos SSO configured on 15.1.9
Impact:
Users unable to do SSO or basic auth using credentials.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1350141-2 : Duplicate user-defined Signature Set based on Attack Type is created upon policy import during upgrade★
Links to More Info: BT1350141
Component: Application Security Manager
Symptoms:
After an upgrade, the user-defined sets attached to a policy are upgraded with the wrong empty value, instead of a NULL value, for sig_tag_val field.
Conditions:
Before upgrade, there is a policy which is using a user defined set based on a filter which is not sig_tag_op (so the sig_tag_val has a NULL value in the database)
Impact:
Importing the same policy into the upgraded system will create a duplicate set and the upgraded set will not be used.
Workaround:
You can repair the policy by navigating to “Security ›› Application Security : Policy Building : Learning and Blocking Settings”, clicking on “change”, and choosing the original created sets instead of the duplicated sets. Save, and then apply the policy. The duplicated sets can be deleted after that.
Fix:
After upgrade, the value for sig_tag_val is the correct NULL value.
Fixed Versions:
17.1.2, 16.1.5
1349797 : Websense database download fails
Links to More Info: BT1349797
Component: Access Policy Manager
Symptoms:
URLDB download fails and the following logs are found in /var/log/apm
err urldbmgrd[18211]: 01770072:3: 00000000: Download failed with return code -1 (other)
err urldbmgrd[18211]: 01770026:3: 00000000: Master db download failed with return code -1 (other)
err urldbmgrd[18211]: 01770002:3: 00000000: Download of Master DB failed, will retry.
Conditions:
Occurs whenever the SWG or URLDB license is present.
Impact:
URL database download fails, and categorization will fail eventually.
Workaround:
None
Fix:
Websense URL database download and categorization no longer fail when SWG or URLDB license is provided.
Fixed Versions:
17.1.1
1348841-2 : TMM cored with SIGSEGV when using dtls by disabling the unclean shutdown flag.
Links to More Info: BT1348841
Component: Local Traffic Manager
Symptoms:
TMM cores
Conditions:
- DTLS traffic through a Virtual Server with an ssl profile.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fix:
BIG-IP now properly closes and frees memory for DTLS connections. This prevents the crash and further restarting of TMM.
Fixed Versions:
17.1.2, 16.1.5
1348425-1 : Header name or parameter name is configured with space.
Links to More Info: BT1348425
Component: Application Security Manager
Symptoms:
ASM may crash due to header/parameter configuration with space.
Conditions:
-- A header name or parameter name is configured with a space.
-- More than 37 custom headers and/or parameter header name (location header) is configured. One of the headers or parameter names has space.
Impact:
Traffic disrupted while bd restarts.
Workaround:
Do not configure header names or parameter names with a space.
Fix:
No crash after configuring header or parameter with space.
Fixed Versions:
17.1.2, 16.1.5
1348153-1 : Assigned IP Address session variable always as IPv6 Address
Links to More Info: BT1348153
Component: Access Policy Manager
Symptoms:
When a BIG-IP Administrator configures a Network Access resource with IPv4 and IPv6 support. In a RADIUS Authentication, we find the assigned address always to be an IPv6 address.
Conditions:
The session.assigned.clientip session variable is populated multiple times in the source code last being the IPv6 address.
Impact:
The BIG-IP Administrator will not be able to get an IPv4 session.assigned.clientip after the VPN connection.
Workaround:
Configure the Network Access resource with only IPv4.
Fix:
None
Fixed Versions:
17.1.2, 16.1.5
1347949-1 : High CPU for bd process under specific conditions★
Links to More Info: BT1347949
Component: Application Security Manager
Symptoms:
The bd process shows high CPU load. If you are upgrading, CPU utilization of bd is noticeably higher than it was in the previous version.
Conditions:
A policy has signature overrides for a specific header.
Impact:
High CPU utilization by bd.
Workaround:
Remove the header signature override. Consider disabling the header on the URL level or the policy level (instead of a specific header)
Fix:
The internal parameter enable_header_fastlru_cache controls the cache. It has to be set to 0 to disable the cache in case it reduces the performance.
Fixed Versions:
17.1.2
1347825-1 : Traffic group becomes active on more than one BIG-IP after a long uptime and long HA disconnection time
Links to More Info: BT1347825
Component: TMOS
Symptoms:
Traffic-groups become active/active after a long uptime interval and the HA connection is disconnected for longer than 30 seconds.
Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime.
For example:
-- For 4 traffic groups, the interval is ~621 days.
-- For 7 traffic groups, the interval is ~355 days.
-- For 15 traffic groups, the interval is ~165 days.
Conditions:
-- Two or more BIG-IP systems defined in a device group for sync/failover.
-- There is one or more traffic groups configured.
-- The BIG-IP systems have a long uptime.
-- The BIG-IP systems lose their HA connection for more than 30 seconds.
-- The issue is more likely to occur when the watchdog daemon sod uptime, normally the same as system uptime, is above (6.8 years / number of traffic groups ).
Impact:
Outage due to traffic-group members being active on both systems at the same time.
Workaround:
There is no workaround.
Either all the BIG-IP units need to be rebooted on a regular interval, or the BIG-IP units need to be rebooted before they are disconnected from each other for a long time.
Fixed Versions:
17.1.2
1347569-2 : TCL iRule not triggered due to handshake state exceeding trigger point
Links to More Info: BT1347569
Component: Local Traffic Manager
Symptoms:
- Inbound TLS traffic's SNI isn't proxied from client-side to server-side
- TLS handshakes might fail
Conditions:
Create an inbound SSL Orchestrator setup and attach the iRules.
Impact:
TLS handshakes might fail.
Workaround:
Add the iRule LB::detach before enabling the server-side SSL using iRule SSL::enable at CLIENTSSL_HANDSHAKE in iRule-gw_in_t.tcl iRule that is attached to the virtual server when the sslo-inbound is created.
Fix:
BIG-IP now performs handshakes properly and can anticipate the desired outcomes.
Fixed Versions:
17.1.2, 16.1.5
1346461-1 : Bd crash at some cases
Links to More Info: BT1346461
Component: Application Security Manager
Symptoms:
When bd uses an Openapi policy to handle a request, it may crash.
Conditions:
-- Openapi security policy;
-- Release contains fix of ID1190365.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fix:
Crash fixed.
Fixed Versions:
17.1.2, 16.1.5
1345989-3 : "Rest framework is not available" being displayed when navigating to the "Device Management >> Overview" page
Links to More Info: BT1345989
Component: TMOS
Symptoms:
Com.f5.rest.workers.storage.ThreadPoolStorageRequestProcessorjava.lang.OutOfMemoryError: Java heap space
Conditions:
Under HA pair setup, over the period of 6 months or more, the device-discovery-tasks accumulate, causing restjavad to fail repeatedly, once every 20 seconds, logging the message: "com.f5.rest.workers.storage.ThreadPoolStorageRequestProcessorjava.lang.OutOfMemoryError: Java heap space".
Impact:
REST Framework not being available, causing the "Device Management >> View" screen to show failure.
Workaround:
Run clear-rest-storage once a week and try increasing the restjavad.extramb BIGdb variable from 192 to 768.
Fix:
The REST Framework no longer becomes unavailable.
Fixed Versions:
17.1.2, 16.1.5
1342013-1 : [APM][SSO]TMM core in SAML use case.
Links to More Info: BT1342013
Component: Access Policy Manager
Symptoms:
TMM cores
Conditions:
SAML SSO configured in APM
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.2
1341849-2 : APM- tmm core SIGSEGV in saml artifact usage
Links to More Info: BT1341849
Component: Access Policy Manager
Symptoms:
This can occur while processing SAML traffic.
Conditions:
SAML configured with artifact usage in idp.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Fixed a tmm core related to SAML artifact usage.
Fixed Versions:
17.1.2, 16.1.5
1339201 : ICMP traffic fails to reach tenant after a couple of continuous reboots
Links to More Info: BT1339201
Component: Local Traffic Manager
Symptoms:
ICMP traffic or any other traffic fails to reach the deployed tenant; the dataplane is down.
The problem is a race condition between multiple tenants being deployed at the same time. All of these tenants use the same socket to send enable/disable messages. When all of the tenants are deployed at the same time and send their enable/disable messages, it causes a slowdown, which then causes a timeout and failure to attach TMM.
Conditions:
This issue occurs when a tenant is continuously rebooted.
Impact:
The deployed tenant fails to receive traffic; dataplane is inoperable.
Workaround:
Redeploy the tenant by going into ConfD CLI and entering provisioned/deployed commands.
Fix:
Redeploy the tenant by using ConfD CLI.
Fixed Versions:
17.1.1
1338993 : Failing to fetch the installed RPM, throwing an error Object contains no token child value
Links to More Info: BT1338993
Component: TMOS
Symptoms:
This issue is caused as generation of tokens for root user is restricted because root user is an internal user.
An error is displayed when trying to fetch the list of global installed RPM packages using below tmsh command which makes a REST call to fetch the list by passing an authenticated token to get the authorization:
tmsh list mgmt shared iapp global-installed-packages
Conditions:
This issue occurs when a few iApps are installed and used by customer from BIG-IP and while trying to read the information of the installed packages on BIG-IP using a tmsh command.
Impact:
Limits the generation of token for root user, which subsequently impacts fetching list of global installed RPMs on BIG-IP and also cannot validate whether installation of package is successful or not from tmsh end.
Workaround:
After the package is installed, to get the list of packages installed use the following REST call instead of the tmsh command:
restcurl /shared/iapp/package-management-tasks/12a8b01c-acba-45cb-a03e-644f15fbe8f7
{
Fix:
Unrestricted the token generation for a root user which will enable fetching the list of installed packages.
Fixed Versions:
17.1.1, 16.1.5
1338929-1 : Slow DNS response when the 'server-side access to disallowed host' violation is enabled
Component: Application Security Manager
Symptoms:
In some instances, DNS responses take longer than expected.
Conditions:
- A parameter of type URI is added
- 'Server-side access to disallowed host' violation is enabled
Impact:
Request processing may take longer than expected.
Workaround:
N/A
Fix:
Request processing is done as expected.
Fixed Versions:
17.1.2
1338837-1 : [APM][RADIUS] Support Framed-IPv6-Address in RADIUS Accounting STOP message
Links to More Info: BT1338837
Component: Access Policy Manager
Symptoms:
When the VPN tunnel is terminated, 'Radius Accounting-Request (STOP)' does not include AVP Framed-IP-Address when the Network Access resource is configured with IPv4 & IPv6.
Conditions:
This issue occurs under the following conditions:
-- Network Access resource is configured with both IPv4 and IPv6.
-- PPP IP address can be either static (obtained from RADIUS) or dynamic (obtained from the lease pool).
-- Using an Edge client or a browser.
-- VPN tunnel is terminated.
Impact:
APM sends a 'Radius Accounting-Request (STOP)' that does not include the AVP Framed-IP-Address.
Workaround:
Configure only IPv4 IP addresses for the Network Access resource.
Fix:
Include Framed IPv6 Address in RADIUS Acct STOP message when assigned clientip is IPv6.
Fixed Versions:
17.1.2, 16.1.5
1332769-1 : Wildcard order incorrect for JSON Policy Import
Links to More Info: BT1332769
Component: Application Security Manager
Symptoms:
When importing a JSON policy, the wildcard order is set incorrectly (in reverse).
Conditions:
Import JSON policy and inspect the wildcard order of the file types in the policy.
Impact:
The Wildcard order is incorrect.
Workaround:
None
Fix:
The order of the wildcard is correctly set in the policy. (excepting the pure wildcard "*" remains last).
Fixed Versions:
17.1.2, 16.1.5
1332401-1 : Errors after config sync with FIPS keys
Links to More Info: BT1332401
Component: TMOS
Symptoms:
Sync failing with unable to config sync FIPS key. An error similar to the following is displayed:
Sync error on bigip1.test.xyz: Load failed from /Common/bigip2.test.xyz 01070712:3: Caught configuration exception (0), unable to synchronize FIPS key (/Common/my_fips_private_key).
Conditions:
Config sync failed after replacing FIPS key (create / import / replace).
Impact:
Unable to configsync between units in an high availability (HA) group.
Workaround:
Please contact technical support.
Fixed Versions:
17.1.1
1330473-3 : Response_log_rate_limit is not applied
Links to More Info: BT1330473
Component: Application Security Manager
Symptoms:
Response_log_rate_limit is not applied in a certain scenario
Conditions:
Response logging is enabled
Impact:
Response_log_rate_limit is not applied to response logging in the certain scenario.
Workaround:
Disable response logging
Fixed Versions:
17.1.2, 16.1.5
1329893-2 : TMM cores with HTTP/2 and DoSL7 profiles enabled when iRule applied to disable DoS protection based on IP, when an HTTP/2 request is sent
Links to More Info: BT1329893
Component: Application Security Manager
Symptoms:
TMM crashes, when HTTP/2 and DoSL7 profiles are enabled on virtual server, and DoS protection is disabled based on IP using an iRule. This occurs while sending an HTTP/2 request to the above configured virtual server.
Conditions:
- HTTP/2 and DoSL7 profiles are enabled on virtual server
- DoSL7 disabled using iRule based on IP
- HTTP/2 request is sent to virtual server.
Impact:
TMM crashes, traffic disruption can occur.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1329477-1 : Auto-initialization does not work with certain MRF connection-mode
Links to More Info: BT1329477
Component: Service Provider
Symptoms:
When using certain connection-mode, no connections are initiated automatically to the peer server.
Conditions:
The following connection mode will not take auto-initialization into account: per-peer-alternate-tmm
Only these will:
per-peer
per-blade
per-tmm
Impact:
Auto-init not working
Workaround:
If possible, use other connection-mode for which auto-initialization is working.
Fixed Versions:
17.1.1, 16.1.5
1328433-1 : TMM cores while using VPN with ipv6 configured
Links to More Info: BT1328433
Component: Access Policy Manager
Symptoms:
TMM cores.
Conditions:
VPN configured for both ipv4 and ipv6.
Impact:
Traffic disrupts when TMM cores.
Fixed Versions:
17.1.2, 16.1.5
1326721-2 : Tmm crash in Google Cloud during a live migration
Links to More Info: BT1326721
Component: Local Traffic Manager
Symptoms:
When running in Google Cloud and a live migration occurs tmm may crash.
Conditions:
-- Google Cloud
-- ndal virtio driver
-- live migration
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Disable live migration in GCP.
Use the sock driver.
Related Bug IDs: 1319265, 1322937, 1326721
Fix:
Tmm no longer crashes
Fixed Versions:
17.1.2
1326501-1 : Configure DAG fold_bits to improve connection distribution
Links to More Info: BT1326501
Component: TMOS
Symptoms:
Some traffic patterns can cause traffic to be pinned to one CPU.
Conditions:
When there are very limited number of client and server IP addresses.
Impact:
Traffic is not loaded equally to all tmm's which causes tmm pinning. Frequent warning messages of connection limit reached observed though the Current Connections showed lesser value than the connection-limit configured for the virtual server.
Workaround:
None
Fix:
Configure DAG fold_bits to improve connection distribution
using sys db dag.hash.fold.bits.
Restart the services after modifying the sys db value.
Fixed Versions:
17.1.2, 16.1.5
1325981-1 : DNS outbound-msg-retry causes TMM crash or core, and changes to outbound-msg-retry do not take effect immediately
Links to More Info: BT1325981
Component: Global Traffic Manager (DNS)
Symptoms:
TMM crashes when attempting to perform DNS resolution with a DNS resolver or DNS cache, if the outbound-msg-retry configuration value is set to 0.
Additionally, modifications to the outbound-msg-retry value do not immediately take effect, and the DNS cache or resolver may continue to function with the previously-configured value.
Conditions:
A DNS cache or DNS net resolver with outbound-msg-retry set to 0.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Do not set the 'outbound-msg-retry' value for DNS caches and DNS resolvers to a value of 0.
If making configuration changes to the 'outbound-msg-retry' value, also change the "use-ipv4" or "use-ipv6" setting (i.e. toggle from "yes" to "no", and then back to "yes").
Fix:
The DNS cache and DNS resolver outbound-msg-retry setting is now restricted to being a positive integer (i.e. a value greater than 0).
Changes to the outbound-msg-retry setting now take effect immediately.
Fixed Versions:
17.1.1
1325681-3 : VLAN tscookies with fastl4 timestamp preserve and PVA acceleration cause connection problems.★
Links to More Info: K000136894, BT1325681
Component: Advanced Firewall Manager
Symptoms:
Some connections might be reset by the client or server when VLAN timestamp cookies are configured.
One symptom commonly reported is that the virtual server for the email service suddenly stops working after upgrading.
Conditions:
-- Flow accelerated in PVA.
-- VLAN timestamp cookies configured for one side of the connection.
-- Bigproto timestamp preserve option (default).
-- Client and server sending timestamps.
Impact:
Unexpected flow RSTs from client/server due to incorrect timestamp echo received from BIG-IP.
Workaround:
Either:
- Set fastL4 profile option 'tcp-pva-whento-offload' to 'establish'
OR
- Disable VLAN timestamp cookies.
OR:
- Disable tscookie inside tcp-ack-ts DoS vector.
OR
- Change fastL4 timestamp option to rewrite (this disables PVA acceleration).
Fixed Versions:
17.1.2
1325145-1 : SSRF DNS Lookup can cause memory leak
Links to More Info: BT1325145
Component: Application Security Manager
Symptoms:
Memory leak can occur when using SSRF DNS lookup.
Conditions:
1) SSRF violation is enabled
2) SSRF configuration is present for domain names with action Resolve
Impact:
Memory leak can occur leading to less memory available for handling traffic. Bd may crash or be oomkilled. Traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.1.2
1324745-1 : An undisclosed TMUI endpoint may allow unexpected behavior
Links to More Info: K000135689, BT1324745
1324681-4 : Virtual-server might stop responding when traffic-matching-criteria is removed.
Links to More Info: BT1324681
Component: TMOS
Symptoms:
Due to a known issue virtual-server might stop responding to traffic when traffic-matching-criteria (TMC) is removed and ordinary address/port gets defined.
Conditions:
- Disabling traffic-matching-criteria on a virtual-server.
Impact:
Virtual-server stops responding to traffic.
Workaround:
TMM restart will fix this problem.
Fixed Versions:
17.1.1
1324197-1 : The action value in a profile which is in different partition cannot be changed from accept/reject/drop to Don't Inspect in UI
Links to More Info: BT1324197
Component: Protocol Inspection
Symptoms:
When trying to change the action value of signature/compliance in an IPS Profile from accept/reject/drop to Don't Inspect in UI, it is not changing. This happens when the IPS Profile is in different partition
Conditions:
1) Create a partition
System > Users > Partitions List > Create > give profile_name > update
2) Move to the new partition created at the top right corner of UI
3) Create IPS Profile
Security > Protocol Security > Inspection Profiles > Add > New > give Profile name > select the services > update action values of signatures and compliances to accept/reject/drop
4) Change the value from action accept/reject/drop to 'Don't Inspect' and commit the changes.
Impact:
Will not be able to change the action value from accept/reject/drop to Don't Inspect in UI when the IPS Profile is in different partition
Workaround:
For signature below command can be used in CLI
modify security protocol-inspection profile /<partition-name>/<profile-name> { services modify { /Common/<service-name> { signature delete { /Common/<signature-name> }}}}
To update the action value of all signatures in a service to Don't Inspect
modify security protocol-inspection profile /<partition-name>/<profile-name> { services modify { /Common/<service-name> { signature delete { all }}}}
For compliance below command can be used in CLI
modify security protocol-inspection profile /<partition-name>/<profile-name> { services modify { /Common/<service-name> { compliance delete { /Common/<complance-name> }}}}
To update the action value of all compliances in a service to Don't Inspect
modify security protocol-inspection profile /<partition-name>/<profile-name> { services modify { /Common/<service-name> { compliance delete { all }}}}
Fixed Versions:
17.1.2
1322973-1 : A particular sequence of HTTP packets may cause TMM to crash
Component: Local Traffic Manager
Symptoms:
Tmm crashes and restarts
Conditions:
A basic HTTP virtual server with RFC compliance enabled in the HTTP profile may crash the TMM process under rare conditions when handling certain client requests.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
N/A
Fix:
Tmm does not crash anymore.
Fixed Versions:
17.1.2, 16.1.5
1322937-3 : Tmm crash in Google Cloud during a live migration: Assertion `empty xfrag' failed.
Links to More Info: BT1322937
Component: Local Traffic Manager
Symptoms:
When the BIG-IP is involved in a live migration on Google Cloud, it may crash. There may be a log message in /var/log/tmm similar to the following
<13> Jul 19 05:45:53 bigip1 notice lib/c/xbuf.c:1431: xbuf_insert: Assertion `empty xfrag' failed.
Conditions:
Google Cloud VE
Live migration
The Virtio network driver
Impact:
Unexpected traffic disruption
Workaround:
Disable live migration
Related Bug IDs: 1319265, 1322937, 1326721
Fixed Versions:
17.1.2
1322701-4 : Vulnerability scanner reports BIG-IP is disclosing sensitive information
Component: TMOS
Symptoms:
Log in to BIG-IP GUI as an administrator role user, then log in to client2. There is no need to log in or access the login.jsp page, observe that the "previousUsername" variable is still populated with the administrator role user's name.
Conditions:
When the first user logged in as admin and logged off without closing the browser or tab.
Impact:
A malicious attacker may be able to enumerate the administrator role users in the BIG-IP and try logging in with known passwords, potentially taking over the BIG-IP.
Workaround:
None
Fix:
Encoded enter username by creating a Base64-encoded ASCII string from a binary string and made the attribute "prevun" hidden in tmui/login/index.jsp.
Fixed Versions:
17.1.2, 16.1.5
1322497-1 : GTM monitor recv string with special characters causes frequent iquery reconnects
Links to More Info: BT1322497
Component: Global Traffic Manager (DNS)
Symptoms:
Resources flap, frequent iquery reconnects occur.
Logs similar to this:
err gtmd[12952]: 011ae0fa:3: iqmgmt_receive: SSL error: SSL read (6)
err gtmd[12952]: 011ae0fa:3: During SSL shutdown: SSL error: SSL_ERROR_SYSCALL (5)
err gtmd[12952]: 011ae0fa:3: iqmgmt_receive: SSL error: SSL read (6)
err gtmd[12952]: 011ae0fa:3: During SSL shutdown: SSL error: SSL_ERROR_SYSCALL (5)
012b2004:4: XML parsing error not well-formed (invalid token) at line 3810
012b2004:4: XML parsing error not well-formed (invalid token) at line 7719
012b2004:4: XML parsing error not well-formed (invalid token) at line 16837
012b2004:4: XML parsing error not well-formed (invalid token) at line 298
Conditions:
GTM monitor recv string containing special characters like below:
recv "\{\x94status\x94:\x94UP\x94"
Impact:
--Monitor flaps.
--Frequent iquery reconnects.
Workaround:
No special characters in GTM recv string.
Fixed Versions:
17.1.2, 16.1.5
1322077 : BIG-IP can now support handshakes with 4 additional cipher suites: ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8
Links to More Info: BT1322077
Component: Local Traffic Manager
Symptoms:
Handshakes fail if a client/server tries to negotiate a handshake with the following cipher suites:
ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8
Conditions:
A handshake with the following cipher suites is attempted:
ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8
Impact:
Handshakes fail if a client/server tries to negotiate a handshake with the following cipher suites:
ECDHE-ECDSA-AES128-CCM, ECDHE-ECDSA-AES128-CCM8, ECDHE-ECDSA-AES256-CCM, ECDHE-ECDSA-AES256-CCM8
Workaround:
None
Fixed Versions:
17.1.1
1322009 : UCS restore fails with ifile not found error
Links to More Info: BT1322009
Component: TMOS
Symptoms:
The loading configuration process failed.
Conditions:
This issue occurs when installing UCS without ifiles.
Impact:
The loading configuration process failed. UCS restore fails with ifile not found error.
Workaround:
Commenting the line `/bin/rm -rf /config/filestore/files_d/Common_d/ifile_d/*` in /usr/local/bin/install_ucs.pm resolves the issue.
Fix:
None
Fixed Versions:
17.1.1
1321713-1 : BIG-IP Rewrite Profile GUI and URI Validation is inconsistent
Links to More Info: K000135858, BT1321713
Component: Access Policy Manager
Symptoms:
The rewrite profile GUI and Validation is inconsistent.
New rewrite UI displays in the following navigation:
Rewrite Profile (Local Traffic --> Profiles --> Services --> Rewrite), and click on Create button.
Old rewrite UI displays in the following navigation:
Virtual Server (Local Traffic --> Virtual Servers --> Virtual Server List), and click on the Create button.
Conditions:
Create rewrite profile
Impact:
Creating Virtual servers will show old rewrite UI and URI Validations.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1321585 : Support AFM DOS TCP vectors behavior
Links to More Info: BT1321585
Component: Advanced Firewall Manager
Symptoms:
Certain AFM DOS TCP vectors are not supported.
Conditions:
-- AFM enabled
-- New TCP vectors are configured.
Impact:
AFM DOS TCP vectors cannot be configured and applied.
Workaround:
None.
Fix:
New TCP vectors supported.
Fixed Versions:
17.1.1
1321221 : Error when trying to make changes in IPS Profile 01070734:3: Configuration error: Invalid Devicegroup Reference.
Links to More Info: BT1321221
Component: Protocol Inspection
Symptoms:
You are unable to make changes in the IPS Profile when it is on a different partition and the device is in a sync-only device group.
Conditions:
1) Create a device group with two devices. (https://my.f5.com/manage/s/article/K63243467)
2) Create a new partition
System > Users > Partition List > Create > Add device group created in step 1 here in the partition
3) On the right corner in BIG-IP UI you can select the partition. Select the new partition created
3) Create a virtual server
Local Traffic > Virtual Servers > Virtual server List > create
4) Create a IPS Profile
Security > Protocol Inspection > Inspection Profiles > new > select the services you want to add to profile.
5) Add the profile to virtual server.
Local Traffic > Virtual Servers > Virtual server List > click on visual server you created > Security > Policies > Protocol Inspection Profile > enabled > select profile name
6) Now go to the profile and try to make changes to action value of any of the signatures or compliances which require IPS subscription.
Impact:
The changes related to action value cannot be made in the IPS Profile which is in a different partition on a device which is in sync-only device group.
Workaround:
None
Fix:
After fixing the issue, able to make changes in the IPS Profile and also sync the config between the sync-only device group.
Fixed Versions:
17.1.1
1321029-1 : BIG-IP tenant or VE fails to load the config files because the hypervisor supplied hostname is not a FQDN
Component: TMOS
Symptoms:
If a BIG-IP tenant (F5OS) or VE is shut down or rebooted during its initial start, it is possible the system will not become operational when it is started again.
Conditions:
VE or F5OS tenant. The mcpd is forced to load the config from the config files, as opposed to the binary database. The config files are missing.
Impact:
The tenant or VE will not become operational.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.2
1320889-4 : Sock interface driver might fail to forward some packets.
Links to More Info: BT1320889
Component: TMOS
Symptoms:
Sock interface driver might drop packets that require reassembly/re-segmentation on one side of the connection. For example, when client-side is configured with tcp-nagle and the server-side sends a stream of multiple small packets.
This can increase latency on BIG-IP Virtual Edition on Azure when TSO/LRO is enabled.
Drops can be monitored by running the following command:
'tmctl -d blade tmm/ndal_tx_stats -w 300' column 'drop_rej_dd'.
Conditions:
-- sock driver. (See K10142141)
-- BIG-IP performing reassembly/re-segmentation on one side of the connection
Impact:
Some packets might never be forwarded by the BIG-IP system.
Workaround:
In some cases disabling Nagle Algorithm in TCP profile to avoid reassembly/re-segmentation might improve the performance.
Fixed Versions:
17.1.1, 16.1.5
1320773-1 : Virtual server name caused buffer overflow
Links to More Info: BT1320773
Component: Local Traffic Manager
Symptoms:
Virtual server name caused buffer overflow and TMM core occurs.
Conditions:
- Virtual server is renamed
Impact:
TMM cores, traffic disruption can occur.
Workaround:
None
Fixed Versions:
17.1.2
1320513 : Device DOS drop rate limits are not configured correctly on the FPGA.
Links to More Info: BT1320513
Component: Advanced Firewall Manager
Symptoms:
Drop limit in dos_stats tmstat table does not match with configured mitigation in device DoS.
Conditions:
-- VELOS or rSeries platform
-- AFM is enabled
-- Configuring device-level DoS mitigation.
Impact:
Stats might not be correct if mitigation value is high.
Workaround:
None
Fixed Versions:
17.1.1
1320389-3 : vCMP guest loses connectivity because of bad interface mapping
Links to More Info: BT1320389
Component: TMOS
Symptoms:
A vCMP guest is no longer able to receive traffic when packets arrive on a trunk interface from other slots.
Conditions:
-- A vCMP guest has a trunk interface with one interface on the same slot as the guest and another interface on another slot.
-- Another Guest on the same slot is provisioned with more cores, triggering a reboot of that slot
Impact:
Traffic disrupted to the vCMP guest
Workaround:
A reboot will resolve the issue.
Fixed Versions:
17.1.2, 16.1.5
1319365-1 : Policy with external data group may crash TMM or return nothing with search contains
Links to More Info: BT1319365
Component: Local Traffic Manager
Symptoms:
TMM may crash or return no result found when there is one when using contains external data group.
Conditions:
External data group sets first to "starts-with" and then switch to "contains" may crash the TMM. If on the other hand, TMM is started with search "contains" from the start, no results may be found by policy even though there might be a result.
The is because, the external policy is not populated at all or entirely before the search happens. The starts-with works as it is populating on demand and is the reason and will partially populate it as needed, but when a switch to
"contains" happens, it expects it to be entirely populated.
Impact:
TMM crashes or result not found when there should be a result.
Workaround:
A workaround is possible if starts-with could be used instead of "contains".
Fix:
Search with "contains" will make sure the policy with external data group is entirely populated, avoiding the crash and making a search result successful if there is a match.
Fixed Versions:
17.1.1, 16.1.5
1319265-5 : Tmm crash observed in GCP after a migration
Links to More Info: BT1319265
Component: Local Traffic Manager
Symptoms:
Tmm may crash in Google Cloud Platform (GCP) after a migration.
The following logs were observed in kern.log
emerg kernel: NMI watchdog: BUG: soft lockup - CPU#3 stuck for 22s! [finish:5055]
warning kernel: [<ffffffffa01a21ff>] virtnet_send_command.constprop.34+0x10f/0x160 [virtio_net]
warning kernel: [<ffffffffa01a274f>] virtnet_set_queues+0x9f/0x100 [virtio_net]
warning kernel: [<ffffffffa01a38bd>] virtnet_probe+0x77d/0x858 [virtio_net]
warning kernel: [<ffffffffa002792f>] virtio_dev_probe+0x1cf/0x2d0 [virtio]
warning kernel: [<ffffffff81456165>] driver_probe_device+0xc5/0x460
warning kernel: [<ffffffff81456500>] ? driver_probe_device+0x460/0x460
warning kernel: [<ffffffff81456543>] __device_attach+0x43/0x50
warning kernel: [<ffffffff81453de5>] bus_for_each_drv+0x75/0xc0
warning kernel: [<ffffffff81455fa0>] device_attach+0x90/0xb0
warning kernel: [<ffffffff814551c8>] bus_probe_device+0x98/0xd0
warning kernel: [<ffffffff81452a6f>] device_add+0x4ff/0x7c0
warning kernel: [<ffffffffa0070370>] ? vp_finalize_features+0x40/0x40 [virtio_pci]
warning kernel: [<ffffffffa0070370>] ? vp_finalize_features+0x40/0x40 [virtio_pci]
warning kernel: [<ffffffff81452d4a>] device_register+0x1a/0x20
warning kernel: [<ffffffffa00273c9>] register_virtio_device+0xb9/0x100 [virtio]
warning kernel: [<ffffffffa006f8b7>] virtio_pci_probe+0xb7/0x140 [virtio_pci]
warning kernel: [<ffffffff8137856a>] local_pci_probe+0x4a/0xb0
warning kernel: [<ffffffff81379ca9>] pci_device_probe+0x109/0x160
warning kernel: [<ffffffff81456165>] driver_probe_device+0xc5/0x460
warning kernel: [<ffffffff81456500>] ? driver_probe_device+0x460/0x460
warning kernel: [<ffffffff81456543>] __device_attach+0x43/0x50
warning kernel: [<ffffffff81453de5>] bus_for_each_drv+0x75/0xc0
warning kernel: [<ffffffff81455fa0>] device_attach+0x90/0xb0
warning kernel: [<ffffffff81454139>] bus_rescan_devices_helper+0x39/0x60
warning kernel: [<ffffffff81454542>] store_drivers_probe+0x32/0x70
warning kernel: [<ffffffff81453a69>] bus_attr_store+0x29/0x30
warning kernel: [<ffffffff81290d22>] sysfs_kf_write+0x42/0x50
warning kernel: [<ffffffff812902f3>] kernfs_fop_write+0xe3/0x160
warning kernel: [<ffffffff81207bf0>] vfs_write+0xc0/0x1f0
warning kernel: [<ffffffff81208a1f>] SyS_write+0x7f/0xf0
warning kernel: [<ffffffff816cf741>] system_call_fastpath+0x48/0x4d
Conditions:
-- Google Cloud Platform
-- Virtio driver
-- A GCP migration is performed
Impact:
Traffic disrupted while tmm restarts.
Workaround:
-- Use the sock driver. For more information see K10142141: Configuring the BIG-IP VE system to use the SOCK network driver :: https://support.f5.com/csp/article/K10142141
Related Bug IDs: 1319265, 1322937, 1326721
Fix:
Tmm no longer crashes
Fixed Versions:
17.1.2
1318749 : Memory Leakage while decoding Assertion Attributes
Links to More Info: BT1318749
Component: Access Policy Manager
Symptoms:
Memory leakage in a SAML SP Agent.
Conditions:
Dynamically created memory for variables, while decoding assertion attributes, are not freed.
Impact:
Apmd has high memory usage due to the memory leak.
Workaround:
None
Fix:
Free the dynamically created memory.
Fixed Versions:
17.1.1
1318397 : SAML Auth error "Failed to get authentication request from session variable 'session.samlcryptodata.Result'"★
Links to More Info: BT1318397
Component: Access Policy Manager
Symptoms:
The BIG-IP administrator fails to run a correctly configured SAML SP setup as TMM fails to sign the Authentication Request.
This can be triggered on an upgrade from versions earlier than 17.0 to version 17.0 or 17.1.
Conditions:
-- APM is configured for clientless mode
-- The SAML profile has Redirect Binding enabled
-- "Sign Authentication Request" is enabled
Impact:
SAML SP authentication fails while signing the Authentication Request.
Workaround:
None
Fixed Versions:
17.1.2
1318297-1 : Failure configuring GraphQL Schema File with Query type
Component: Application Security Manager
Symptoms:
Upload GraphQL Schema File with Query type fails with the following error: "Idl failed. GraphQL schema parsing failed, 'name' "
Conditions:
GraphQL schema files are configured and contain a query type in the schema.
Impact:
Unable to configure a GraphQL profile with Query type.
Workaround:
None.
Fix:
GraphQL schema files with Query types are now successfully processed.
Fixed Versions:
17.1.2
1318285 : Leakage point in storing assertion attributes-string in tmm
Links to More Info: BT1318285
Component: Access Policy Manager
Symptoms:
Apmd crashes.
Conditions:
This can occur while passing SAML traffic.
Impact:
Apmd cores. Access traffic disrupted while apmd restarts.
Workaround:
None
Fix:
Fixed a crash in apmd.
Fixed Versions:
17.1.1
1317873-1 : illegal parameter data type' is detected on 'auto detect
Links to More Info: BT1317873
Component: Application Security Manager
Symptoms:
Misinterpreting Other parameter data types as URI type
Conditions:
-- Configure a policy that contains a parameter with Parameter Value Type = Auto detect and disable the staging.
-- Set Illegal parameter data type in Learning and Blocking Settings to block
Impact:
The request is blocked along with other parameter data types
Workaround:
Modify the DEFAULT_ecard_regexp_uri through asm internal variables /usr/share/ts/bin/add_del_internal, execute the following command
/usr/share/ts/bin/add_del_internal add DEFAULT_ecard_regexp_uri '^\\w+:\\/\\/([^\\s@]+@)?([^\\s^\\/]+)(:\\d+)?(\\/[^\\s]*)?'
Don't forget to restart ASM to apply changes:
bigstart restart asm
Fixed Versions:
17.1.2
1317773-4 : CGNAT / AFM NAT: "Clients Using Max Port Blocks" counter might be inaccurate
Links to More Info: BT1317773
Component: Carrier-Grade NAT
Symptoms:
When using CGNAT or AFM NAT in PBA mode (Port Block Allocation) the value of "Clients Using Max Port Blocks" might be wrong, not reflecting the actual number of total clients who have reached the max port blocks allocated to them.
The value of "Clients Using Max Port Blocks" can be seen in the output of the command "tmsh show ltm lsn" along with other statistics.
Conditions:
- BIG-IP running two or more TMM threads
- BIG-IP provisioned with CGNAT or AFM NAT
- LSN pool using PBA (Port Block Allocation) configured
Impact:
The value of "Clients Using Max Port Blocks" is increased when clients reach the max port blocks allocated to them but is not decreased when the clients don't have any more port blocks allocated.
As such, it keeps increasing over time.
Workaround:
None
Fixed Versions:
17.1.2
1317705-1 : TMM may restart on certain DNS traffic
Links to More Info: K000139037, BT1317705
1316529-4 : Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails with hidden DOS
Links to More Info: BT1316529
Component: Application Security Manager
Symptoms:
Upgrade from BIG-IP version 14.0.0 to 17.1.0 fails. The machine stays offline.
Conditions:
This issue occurs when the hidden DOS profile exists.
Impact:
The machine stays offline and the update fails.
Workaround:
Change the error response page body from default to custom.
Fix:
Allow DOS hidden profile captcha default to be updated.
Fixed Versions:
17.1.1, 16.1.5
1316277-3 : Large CRL files may only be partially uploaded
Links to More Info: K000137796, BT1316277
Component: TMOS
Symptoms:
When updating a large CRL file in BIG-IP using tmsh, the file may only be partially read due to internal memory allocation failure.
Please note that the size of the CRL file causing this issue varies across hardware types, network bandwidth and usage, and system resources.
Conditions:
1. Using tmsh, a large CRL file is updated to an existing CRL.
2. This large CRL file is attached to multiple profiles.
3. The system is under heavy load
Impact:
When a large CRL file is attached to a profile, an update may indicate success when only a partial upload has occurred. Connections to VIP with this profile may have unexpected results, such as a certificate not being blocked as expected.
Workaround:
A large CRL file can be divided into smaller chunks and loaded into multiple profiles.
Fix:
If an error occurs during CRL upload or update, the profiles containing this partial CRL file will be invalidated and further connections to the VIP will be terminated. An error will be logged to /var/log/ltm whenever a CRL file read operation fails due to memory allocation.
The log received will look like:
01260028:2: Profile <profile name> - cannot load <CRL file location> CRL file error: unable to load large CRL file - try chunking it to multiple files.
Fixed Versions:
17.1.1, 16.1.4.2, 15.1.10.3
1315193-3 : TMM Crash in certain condition when processing IPSec traffic
Links to More Info: K000138728, BT1315193
1314545-1 : Restricting VwireObject and VwireNtiObject SHM and it's poll for non required platforms
Links to More Info: BT1314545
Component: TMOS
Symptoms:
Unwanted entries are logged on VE vCMP platforms.
Conditions:
VE vCMP Platfoms.
Impact:
Too many entries are logged with unwanted SHM.
Workaround:
None
Fix:
Restricted VwireObject and VwireNtiObject SHM poll for non required platforms.
Fixed Versions:
17.1.1
1314301-1 : TMM instability when DB variables avr.IncludeServerInURI or avr.CollectOnlyHostnameFromURI are enabled
Links to More Info: K000137334, BT1314301
1313369-5 : Significant performance drop observed for DNS cache validating resolver for responses with indeterminate and insecure validation status
Links to More Info: BT1313369
Component: Global Traffic Manager (DNS)
Symptoms:
Performance drop observed when changing DNS cache resolver to validating resolver for responses with indeterminate and insecure validation status.
To know more about the validation status, check RFC 4035 (section 4.3).
Conditions:
- Create a DNS cache validating resolver.
- Ensure the responses are with Indeterminate and Insecure validation status.
- Observe the performance as compared to responses with secured validation status.
Impact:
Performance of validating resolver will be less than expected.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1312105-3 : The tmm/ehash_stat inuse field for listener name hash is incremented but not decremented
Links to More Info: BT1312105
Component: Local Traffic Manager
Symptoms:
The tmm/ehash_stat inuse field for listener name hash is incremented but not decremented.
Conditions:
When a virtual server is added or removed or changed.
Impact:
Cosmetic issue
Workaround:
None
Fix:
The stat is now decremented properly
Fixed Versions:
17.1.2, 16.1.5
1312057-3 : bd instability when using many remote loggers with Arcsight format
Component: Application Security Manager
Symptoms:
When using multiple arcsight remote loggers for an ASM policy, certain requests may cause bd to restart and leave a core file.
Conditions:
ASM policy is attached to VS.
Multiple remote storage loggers, using arcsight format are attached to vs.
Certain traffic patterns.
Impact:
bd will restart and leave a core file.
Workaround:
None.
Fix:
bd processes traffic as expected.
Fixed Versions:
17.1.1, 16.1.4
1311561-2 : Unable to add Geo regions with spaces into blacklist, Error: invalid on shun entry adding
Links to More Info: BT1311561
Component: Advanced Firewall Manager
Symptoms:
Unable to add Geo regions with spaces into blacklist categories.
Ex: New South Wales, West Bengal.
However, we are able to add regions without spaces
Ex:Delhi.
Conditions:
Provision AFM license and try to add any geo regions having spaces into blacklist category.
Impact:
Cannot mitigate traffic from the above particular Geo regions.
Workaround:
No Workaround
Fix:
After the code fix, we are able to add the above regions and mitigate traffic.
Fixed Versions:
17.1.1, 16.1.5
1311253-1 : Set-Cookie header has no value (cookie-string) in server-side, due to asm.strip_asm_cookies
Links to More Info: BT1311253
Component: Application Security Manager
Symptoms:
Set-Cookie header has no value (cookie-string) in server-side.
Conditions:
- asm.strip_asm_cookies is enabled.
- Cookie header from client has TS cookie(s) that are the only cookie.
Impact:
Cookie header without value (cookie-string) is sent to server-side
Workaround:
Use an iRule to delete Cookie header in the server-side.
Fixed Versions:
17.1.2, 16.1.5
1311169-1 : DNSSEC response is not signed when failure-rcode-response is enabled and no record is returned
Links to More Info: BT1311169
Component: Global Traffic Manager (DNS)
Symptoms:
DNS response is not signed for DNSSEC zone for DNSSEC request.
Conditions:
1. A DNSSEC zone exists.
2. Return Code on Failure is enabled and SOA Negative Caching TTL is set to 0.
3. A query hits that wideIP and does not get a pool member selected.
Impact:
DNS response is not signed.
Workaround:
SOA Negative Caching TTL set to a number larger than 0.
Fixed Versions:
17.1.1, 16.1.5
1311125-1 : DDM Receive Power value reported in ltm log is ten times too high
Links to More Info: BT1311125
Component: TMOS
Symptoms:
The BCM56xxd process reports erroneous Receive Power value for an interface when Digital Diagnostics Monitoring (DDM) is enabled. The reporting within /var/log/ltm is erroneous by shifting a decimal point and is off by a factor of 10:
2023-06-14T17:10:35.282+00:00 bigip1 err bcm56xxd[11534]: 012c0017:3: DDM interface:2.2 receive power too high warning. Receive power:7.7933 mWatts
The "show /net interface-ddm" output for this interface displays a different value:
Digital Diagnostic Monitoring Interface:2.2
Laser Transmit and Receive Power Value
Receive Power1 0.7904mW -1.02dBm
Conditions:
DDM is enabled with the "ddm.bcm56xxd.enable" db variable:
sys db ddm.bcm56xxd.enable {
value "enable"
}
Impact:
Incorrect Receive Power value is recorded in warning logs.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1308673-1 : ASM::unblock iRule is ignored for violation rating block reason
Links to More Info: BT1308673
Component: Application Security Manager
Symptoms:
Violation Rating is checked again on the response, where ASM::unblock irule has no effect, causing the request to be blocked (at response side).
Conditions:
-- WAF Policy is attached to the virtual server.
-- ASM::unblock iRule is attached to the virtual server.
-- Violation Rating violation is set to "block".
-- A request reaches high violation rating threshold.
Impact:
Request is blocked (on the response side), even though ASM::unblock took place.
Workaround:
None.
Fix:
Ignore violation rating in response if all scores were given from request.
Fixed Versions:
17.1.2
1308269-2 : OpenSSL vulnerability CVE-2022-4304
Links to More Info: K000132943, BT1308269
1308113-2 : Dot at the end of an URL is ignored
Links to More Info: BT1308113
Component: Application Security Manager
Symptoms:
Request with a signature ending with a dot (.) character does not raise a violation.
Conditions:
- Enable all signatures
- A request occurs that contains a signature and ends with a dot.
Impact:
No signature is detected
Workaround:
None
Fix:
All signatures ending with a dot are raised when its signature is On.
Fixed Versions:
17.1.2
1307697-2 : IPI not working on a new device - 401 invalid device error from BrightCloud
Links to More Info: BT1307697
Component: Advanced Firewall Manager
Symptoms:
IPI update is failing with below error:
iprepd|ERR|Jun 09 15:52:59.261|9847|getipfile failed with status code: 401: Unauthorized: Invalid or missing credentials OEM, Device, or UID
iprepd|ERR|Jun 09 15:52:59.261|9847|Error code 1029: InvalidUserCredentials
iprepd|ERR|Jun 09 15:52:59.261|9847|Server message: Invalid Device (f5#ipintelligence-c130 from 202.187.110.1)
Conditions:
Only IPI update will stop working.
Impact:
IPI stop working.
Workaround:
No workaround
Fix:
IPI license will work for all platforms.
Fixed Versions:
17.1.1, 15.1.10
1307605-3 : AFM does not detect NXdomain attack (for DNS express)
Component: Advanced Firewall Manager
Symptoms:
AFM does not account for NXDOMAIN query when DNS express is in use.
At the device level, NXDOMAIN stats are incorrect.
Conditions:
-- DNS express is enabled
-- NXDOMAIN DoS vector detection is enabled
Impact:
NXDOMAIN attack is not detected.
Workaround:
None
Fix:
Supported NXDOMAIN DOS Vector with DNSX (DNS Express)
Fixed Versions:
17.1.2
1307517-3 : Allow SIP reply with missing FROM
Links to More Info: BT1307517
Component: Service Provider
Symptoms:
SIP Reply with a missing FROM in the header is dropped.
Conditions:
- SIP header not compliant with RFC requirement that a FROM must be present.
Impact:
SIP reply drop impacts the client not getting a response.
Workaround:
None
Fix:
Set allow-unknown-methods to be enabled in the SIP session profile, which relaxes the SIP parser to allow unknown SIP messages to be used.
Fixed Versions:
17.1.1, 16.1.5
1307453-1 : BD daemon may consume excessive resource and crash
Links to More Info: K000137270, BT1307453
1307449-1 : ASM remote logging with non-default route domain is broken
Component: Application Security Manager
Symptoms:
Starting v17.1 ASM remote logging with non-default route domain does not work anymore.
The bd.log reports errors like this one:
---
BD_MISC|ERR |Jun 06 08:39:35.615|21037|LoggingAccount.cpp:4323|getaddrinfo error: unknown name or service
---
Conditions:
-- ASM provisioned
-- ASM remote logging with non-default route domain configured
Impact:
Remote logging with non-default route domain does not work anymore.
Workaround:
Use ASM remote logging with default route domain
Fixed Versions:
17.1.2
1306249-2 : Hourly spike in the CPU usage causing delay in TLS connections★
Links to More Info: BT1306249
Component: Local Traffic Manager
Symptoms:
1. An hourly spike in CPU usage occurs.
2. TMM Idle enforcer gets activated.
3. Users may complain of slow connections once per hour, or timeouts may occur briefly once per hour.
Conditions:
This issue occurs when the Clientssl profile is assigned to a virtual server and passing traffic. This happens during the normal operation while running an affected software version.
Impact:
TMM CPU Usage goes high for about one second, which may cause a delay in traffic handling, and the Idle Enforcer gets activated briefly.
Workaround:
When a workaround fix is applied via an EHF, a DB key is needed to be disabled for the fix to take effect.
tmm.ssl.useffdhe
It enables or disables the timely generation of FFDHE key pairs and the default value is set to true.
When the db variable is true (enabled), BIG-IP will generate FFDHE key pairs periodically as usual.
When the db variable is false (disabled), BIG-IP will disable the periodic generation of FFDHE key pairs of size >= 2048 bits. If ClientHello sends only DH groups during handshake to a virtual server, and BIG-IP is configured with tmm.ssl.useffdhe = false, then BIG-IP can still provide the FFDHE key pair for the handshake through the DH key pair available in the cache if any, or offload the request to software crypto.
To enable the fix post-EHF installation, you should run
$ tmsh modify sys db tmm.ssl.useffdhe value false
Fix:
A new db variable is introduced in the fix - tmm.ssl.useffdhe
It enables or disables the timely generation of FFDHE key pairs and the default value is set to true.
When the db variable is true (enabled), BIG-IP will generate FFDHE key pairs periodically as usual.
When the db variable is false (disabled), BIG-IP will disable the periodic generation of FFDHE key pairs of size >= 2048 bits. If ClientHello sends only DH groups during handshake to a virtual server, and BIG-IP is configured with tmm.ssl.useffdhe = false, then BIG-IP can still provide the FFDHE key pair for the handshake through the DH key pair available in the cache if any, or offload the request to software crypto.
Fixed Versions:
17.1.2, 16.1.5
1305929 : Tmm crash with QUIC connections
Links to More Info: BT1305929
Component: Local Traffic Manager
Symptoms:
Tmm crashes while processing QUIC connections.
Conditions:
Abnormal disconnect of QUIC connection.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1
1305897 : A platform error can cause DAG context to be out of sync with the tenant
Links to More Info: BT1305897
Component: TMOS
Symptoms:
A platform error can cause the DAG context to be out of sync with the tenant.
Conditions:
- Writing DAG state
Impact:
Performance and connectivity are limited.
Workaround:
Restart the tenant.
Fix:
A platform error can no longer cause dag context to be out of sync with the tenant
Fixed Versions:
17.1.1
1305697-4 : TMM may crash after performing a full sync, when in-tmm monitors are configured and ssl-profile is changed
Links to More Info: BT1305697
Component: Local Traffic Manager
Symptoms:
TMM may crash after performing a full sync
Conditions:
- In-tmm monitors are configured (bigd.tmm = enable)
- Full sync is performed
- Monitors are using a custom ssl profile
- The ssl profile was changed as part of the full sync.
Impact:
Traffic disrupted on the BIG-IP that recieved the config sync while tmm restarts.
Workaround:
Disable in-tmm monitors, and avoid performing a full sync after modifying in-tmm ssl monitors.
Fixed Versions:
17.1.1, 16.1.5
1305361-1 : Flows that are terminated by an ILX streaming plugin may not expire immediately
Links to More Info: BT1305361
Component: Local Traffic Manager
Symptoms:
Flows that are terminated from a plugin may not shutdown/expire properly until expiry timeout which leads to bloating of the flow table
Conditions:
-- ILX streaming plugin configured
-- Connection close initiated from the plugin (flow.client.end)
Impact:
Flows will stay in the table till expiry and may bloat up the flow table
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1305125 : Ssh to localhost not working with ssh-rsa
Links to More Info: BT1305125
Component: TMOS
Symptoms:
The password prompt is not displayed when trying ssh to localhost.
Conditions:
1. Create test_user,
# tmsh create auth user test_user password abcde shell bash session-limit -1 partition-access replace-all-with { all-partitions { role admin } }
# tmsh save sys config
2. Try login localhost using test_user,
config # ssh test_user@localhost
config # --->!!!!! no password prompt shown up
Impact:
SSH to localhost will not work.
Workaround:
Ssh-rsa key was deprecated on 17.1.0,1 and need to replace/copy ECDSA key to ssh_known_hosts.
Replacing the RSA key in ssh_known_hosts with the ECDSA key.
sed -ie '/^localhost/s//#&/' /config/ssh/ssh_known_hosts; echo "locahost,localhost.localdomain $(cat /config/ssh/ssh_host_ecdsa_key.pub)" >> /config/ssh/ssh_known_hosts
Fixed Versions:
17.1.1, 16.1.5
1304957-8 : BIG-IP Edge Client for macOS vulnerability CVE-2023-5450
Links to More Info: K000135040, BT1304957
1304297-1 : A certain client sequence via MRF passthrough may cause TMM to core
Component: Service Provider
Symptoms:
If the client sends certain traffic through a SIP ALG VIP with passthrough enabled, MRF cores the TMM.
Conditions:
Client needs to send certain traffic pattern.
Impact:
TMM core
Fix:
MRF doesn't core TMM when certain traffic is played through a SIP ALG VIP with passthrough enabled
Fixed Versions:
17.1.2, 16.1.5
1304289-1 : Pool member monitored by both GTM and LTM monitors may be erroneously marked Down
Links to More Info: BT1304289
Component: Local Traffic Manager
Symptoms:
A GTM or LTM pool member may occasionally be marked Down in error if it is being monitored by the same type of monitor with the same name as another LTM or GTM pool member with the same address and port.
Conditions:
This may occur if all of the following conditions are true:
-- A pool member for one module (GTM or LTM) has the same address and port as a pool member for a different module (LTM or GTM).
-- Both pool members are monitored by a monitor of one of the following types:
-- Microsoft SQL
-- MySQL
-- Oracle
-- PostgreSQL
-- lDAP
-- Radius
-- Radius-Accounting
-- Scripted
-- SIP
-- WAP
-- Both pool members are monitored by monitors of the same type (from the list above).
-- Both monitors have the same name (exact match).
Impact:
A GTM or LTM pool member may occasionally be marked Down in error.
Workaround:
To work around this issue, assign different names to GTM versus LTM health monitors of the same time (from the list of types above) that are used to monitor pool members for different modules with the same address and port values.
Fixed Versions:
17.1.1, 16.1.5
1304189-4 : Duplicate SYNs to a mirrored FastL4 virtual may result in connection failures
Links to More Info: BT1304189
Component: Local Traffic Manager
Symptoms:
If a duplicate SYN arrives on a connection before the SYN/ACK is processed and the connection is pushed into PVA, then when it is later evicted from PVA it may stop passing traffic and be reset with the RST cause "Handshake Timeout".
Conditions:
- PVA enabled
- Mirroring enabled
- Duplicate SYNs on the network
Impact:
Connection will stop passing traffic and resets when they are evicted from PVA.
Workaround:
Perform one of the following as a workaround:
- Disable PVA
- Disable mirroring
- Modify sys db tm.fastl4_ack_mirror value to Disable
- Modify sys db tm.fastl4_mirroring_taciturn value to Enable.
Fixed Versions:
17.1.1, 16.1.5
1303185-6 : Large numbers of URLs in url-db can cause TMM to restart
Links to More Info: BT1303185
Component: SSL Orchestrator
Symptoms:
TMM continuously restarts during startup.
Conditions:
This was seen when the url-db had about 64K glob URLs. Most of the globs were of the form "*foo*".
Impact:
TMM is unusable.
Workaround:
Large numbers of globs that start with the below should be OK:
".*://"
".*://.*\\."
Note that there should be no other special glob characters, so ".*://www.example.com" would be OK but ".*://www.example.com*" might not be.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1302869-1 : AFM is not accounting Nxdomain attack for TCP query
Links to More Info: BT1302869
Component: Advanced Firewall Manager
Symptoms:
AFM is not accounting NXDOMAIN query with tcp.
At the device level, NXDOMAIN stats are incorrect.
Conditions:
-- DNS cache is activated
-- An NXDOMAIN DoS vector occurs
Impact:
NXDOMAIN flood attack is not detected.
Workaround:
None
Fix:
AFM is now accounting Nxdomain attack for TCP query
Fixed Versions:
17.1.2, 16.1.5
1302825-2 : Allow configuration of the number of times the CNAME chase is performed
Links to More Info: BT1302825
Component: Global Traffic Manager (DNS)
Symptoms:
The client receives a SERVFAIL when the CNAME queried to the BIG-IP DNS resolver takes more than the limit configured in the DNS Cache. The limit is set as 11 for BIG-IP v17.1.0 and later. It is fixed as 8 for earlier releases.
Conditions:
A BIG-IP DNS is configured as a resolver (as a cache or a net resolver). The domain of which CNAME resolution is asked requires chasing more times than what is pre-configured in the DNS Cache.
Impact:
The clients cannot resolve DNS names if the count of the CNAME chases goes beyond the limit configured in the DNS cache.
Workaround:
The providers whose CNAME is queried can be asked to keep chains shorter than the pre-configured limits (the limits vary between different versions of BIG-IP).
Fixed Versions:
17.1.1, 16.1.5
1302689-2 : ASM requests to rechunk payload
Links to More Info: BT1302689
Component: Application Security Manager
Symptoms:
ASM requests TMM to rechunk payload in following scenarios:
- Content-Length header was not found on response headers.
- Response with headers only.
Conditions:
Content-Length header is missing from the HTTP response.
Impact:
Transfer-Encoding: chunked header is added to the response.
Workaround:
None
Fix:
On "Fixed" versions, create an internal ASM parameter as "is_disable_rechunk" below and restart ASM service, which would then stop tagging "Transfer Encoding: Chunked" in the Response header.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1302677-2 : Memory leak in PEM when Policy is queried via TCL
Links to More Info: BT1302677
Component: Policy Enforcement Manager
Symptoms:
Memory leak of struct size ummem_alloc_112.
Conditions:
[PEM::session config policy get [IP::client_addr]]
If above configuration is present in irule/format script
and subscriber has ipv6 address.
Impact:
Memory leak of struct size ummem_alloc_112.
TMM may go out of memory, may restart and cause service disruption.
Workaround:
Avoid getting policy via tcl command for IPv6 subscriber.
Remove below configuration:
[PEM::session config policy get [IP::client_addr]]
Fix:
Code fixed to avoid memory leak.
cb_cookie object was not getting freed sometimes. Made sure its freed in all the required cases.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1302077-1 : Virtual address statistics being counted for different virtual address after changing the destination address of a virtual server
Links to More Info: BT1302077
Component: Local Traffic Manager
Symptoms:
After modifying the destination address of a virtual server to a new address, the virtual address statistics for subsequent traffic are still being tracked in the original virtual address.
Conditions:
-- Create the virtual server with a destination address
-- Change the destination address of a virtual server to new address
Impact:
Incorrect statistics will fail to reflect actual virtual address load.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1301853 : Misleading error logs in SAML flow
Links to More Info: BT1301853
Component: Access Policy Manager
Symptoms:
In a successful SAML Authentication, some unrelated and misleading errors are logged. For example, although there is no Artifact involved, you may see the below message:
Failed to retrieve SAMLArtifact_b64 for SAML Agent:
Conditions:
Universal conditional statements written to handle different use cases of SAML authentication such as POST or ARTIFACT bindings unintentionally prints few error logs.
Impact:
Errors logs are misleading.
Workaround:
None
Fix:
All the errors logs can be converted to debug logs.
Fixed Versions:
17.1.2
1301529 : Update FIPS-required Service Indicators
Links to More Info: BT1301529
Component: TMOS
Symptoms:
FIPS requires that service indicators be displayed for approved services. SHA-512 is not supported as approved and thus must not show a service indicator.
Conditions:
FIPS mode and use of SHA-512.
Impact:
Incorrect display of service indicator.
Fix:
Removed service indicator for SHA-512.
Fixed Versions:
17.1.1
1301197-1 : Bot Profile screen does not load and display large number of pools/members
Links to More Info: BT1301197
Component: Application Security Manager
Symptoms:
Bot Defense profile menu fails to display (it appears trying to load but it does not load).
Conditions:
Large number of pools, for example 2500 pools, and members configured on the box.
Impact:
Bot Profile screen cannot be loaded.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1300925-4 : Shared memory race may cause TMM to core
Links to More Info: BT1300925
Component: Local Traffic Manager
Symptoms:
TMM may core while managing shared memory segments.
Conditions:
Issue is observed during TMM startup.
Impact:
Rare shared memory related TMM cores.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1300909-1 : Violation details for "HTTP protocol compliance failed" violation are not available if the Block flag is only enabled
Component: Application Security Manager
Symptoms:
Violation details are missing in the event log under the "HTTP protocol compliance failed" violation.
Conditions:
When the "HTTP protocol compliance failed" violation is triggered.
Impact:
Incomplete information is displayed for the violation "HTTP protocol compliance failed".
Workaround:
None
Fix:
Violation details are now available under "HTTP protocol compliance failed" violation in the event log.
Fixed Versions:
17.1.2
1300645-1 : Wrong violation attribute is reported on a request.
Component: Application Security Manager
Symptoms:
The request violation is reported as learn/alarm/blocked while the system is configured to learn.
Conditions:
Specific request and violation
Impact:
User confusion
Workaround:
None
Fixed Versions:
17.1.2
1298545 : TMM crashes during SAML negotiations with APM configured as SAML SP.
Links to More Info: BT1298545
Component: Access Policy Manager
Symptoms:
TMM crashes while passing SAML traffic.
Conditions:
SAML is configured as a SP and performing negotiations.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fix:
Fixed an issue with proper checks and increased robustness in SAML SP key decryption.
Fixed Versions:
17.1.1
1298161-1 : Ts_cookie_add_attrs is not effective with cookies that have non-root path or domain attribute
Links to More Info: BT1298161
Component: Application Security Manager
Symptoms:
Add_cookie_attributes bd internal is not effective with TS cookie if the server cookie has non-root path attribute or domain attribute.
Conditions:
The server cookie has non-root path or domain attribute.
Impact:
An internal parameter configuration is not working in a specific condition which can create some issues.
Workaround:
Https://community.f5.com/t5/technical-articles/irule-to-set-samesite-for-compatible-clients-and-remove-it-for/ta-p/278650
Fixed Versions:
17.1.2, 16.1.5
1298029-4 : DB_monitor may end the wrong processes
Links to More Info: BT1298029
Component: Local Traffic Manager
Symptoms:
If there are a lot of LTM or GTM database monitors in use, then the DB_monitor process may, in extremely rare circumstances, inadvertently end the processes that are not intended to be stopped.
Conditions:
Many database monitors, frequent PID reuse. This should be extremely rare.
Impact:
Some linux processes may unexpectedly end.
Workaround:
Preiodically clean up with PID files:
find /var/run/ -iname \*SQL__* -mtime +1 -exec rm -vf '{}' ';'
and/or increase the number of available Linux PIDs:
echo 4194304 > /proc/sys/kernel/pid_max
Fixed Versions:
17.1.1, 16.1.5
1297257-1 : Pool member Forced Offline then Enabled is marked down on peer after Incremental sync
Links to More Info: BT1297257
Component: TMOS
Symptoms:
When a Pool Member has been marked Forced Offline then later marked Enabled on one member of the Device Group, the Pool Member may be marked Down on Device Group members other than the member where the Pool Member was marked Enabled.
On the BIG-IP system (Device Group member) where the Pool Member was marked Enabled, the Pool Member's status will be marked correctly according to its actual state, as determined by the Health Monitor configured for the affected Pool or Pool Member.
Conditions:
This issue occurs on BIG-IP versions where ID1095217 is fixed for the following conditions:
-- Multiple BIG-IP systems are configured in a Sync-Failover Device Group
-- The Device Group is configured for Incremental sync
-- A pool member or the parent Node has been marked Forced Offline
-- A Health Monitor is configured for the pool or pool member
-- The same monitor assigned to the pool member is not set to the rule for LTM default-node-monitor
-- The pool member or its parent Node is later marked as Enabled on one member of the Device Group
-- This change is synced to the Device Group (either manually or automatically, through Incremental sync, not Full sync)
Impact:
The affected pool member that may be markded Down does not receive traffic as expected as the other Device Group members.
-- If the pool member is re-enabled on the Standby member, traffic on the Active member will not be sent to the pool member.
-- If the pool member is re-enabled on the Active member, traffic on the Standby member will not be sent to the pool member if the Active member fails over to the Standby member.
Workaround:
Perform one of the following actions as a workaround:
Option 1:
-- Perform a Full sync to the Device Group from the Device Group member with the correct pool member status.
Option 2:
-- Set the pool member as Disabled
-- Sync the change with the Device Group
-- Set the pool member Enabled
-- Sync the change with the Device Group
Option 3:
-- Remove the configured Health Monitor from the affected pool or pool member.
Note: If the Health Monitor is removed from the pool, all pool members may become unavailable, halting new connections to pool members.
-- Sync this change to the Device Group.
-- Add the previously configured Health Monitor back to the pool or pool member.
-- Sync the change to the Device Group.
Option 4:
Do not use WebUI for Force Offline or Enable. But, use the following TMSH command with the ‘replace-all-with’ option to set Force Offline/Enable.
For example:
tmsh modify ltm pool http_pool { members replace-all-with { 10.xx.xx.xx:yy { session user-disabled state user-down } } }
tmsh modify ltm pool http_pool { members replace-all-with { 10.xx.xx.xx:yy { session user-disabled state user-up } } }
Note: If the health monitor status remain Black circle after Option 2), perform Option 1)
Note: Option 4 does not resolve the issue; it prevents the issue from occurring.
Fix:
The pool member status is now correctly synced to other Device Group members after being Forced Offline and then Enabled on one Device Group member.
This fix causes a return of ID1095217 on versions where ID1095217 had previously been Fixed.
Fixed Versions:
17.1.2, 16.1.5
1297089-1 : Support Dynamic Parameter Extractions in declarative policy
Links to More Info: BT1297089
Component: Application Security Manager
Symptoms:
When a policy is exported in JSON format, the dynamic parameter extractions configuration is not exported to the policy file and when it is imported back into the policy, the dynamic extraction configuration is lost.
Conditions:
Policy contains Dynamic parameter extraction and it is exported in JSON format.
Impact:
Dynamic extraction configuration is lost.
Workaround:
Export the policy in xml or binary format.
Fix:
Added support in JSON policy also to dynamic parameter extractions.
Fixed Versions:
17.1.1, 16.1.4
1296489-1 : ASM UI hardening
Links to More Info: K000138047, BT1296489
1296469-1 : ASM UI hardening
Component: Application Security Manager
Symptoms:
The ASM UI does not follow best security practices.
Conditions:
N/A
Impact:
N/A
Workaround:
NA
Fix:
The ASM UI now follows best security practices.
Fixed Versions:
17.1.1, 16.1.4
1295661-1 : BIG-IP Edge Client for macOS vulnerability CVE-2023-38418
Links to More Info: K000134746, BT1295661
1295565-1 : BIG-IP DNS not identified in show gtm iquery for local IP
Links to More Info: BT1295565
Component: Global Traffic Manager (DNS)
Symptoms:
BIG-IP DNS is not identified in show gtm iquery for local IP.
Conditions:
The connection between local big3d and gtmd gets backlogged;
or
The connection between local big3d and gtmd gets reset.
Impact:
TMSH show gtm iquery does not show correct server type.
Workaround:
Restart big3d.
Fixed Versions:
17.1.1, 16.1.5
1295481-3 : FIPS keys are not restored when BIG-IP license is renewed after it expires
Links to More Info: BT1295481
Component: TMOS
Symptoms:
FIPS key are deleted
Conditions:
An expired license is renewed on the BIG-IP system.
Impact:
FIPS keys are deleted and cannot be used
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1295057-2 : Installation of Attack Signatures file reported as fail after 1 hour
Links to More Info: BT1295057
Component: Application Security Manager
Symptoms:
Installation of Attack Signatures file reported as fail after 1 hour. Installation process finished successfully including apply new signatures to all active policies after more than 1 hour, but reported as fail because of 1 hour of timeout.
Conditions:
Installing attack signatures with high number of active policies or high number of user defined signature sets.
Impact:
ASU file installation failed while installation successfully finished.
Workaround:
None
Fix:
Attack signature update will be done asynchronously now. The timeout is increased to 120 minutes.
Fixed Versions:
17.1.2, 16.1.5
1295017 : TMM crash when using MPTCP
Links to More Info: K000138477, BT1295017
1295009-2 : "JSON data does not comply with JSON schema" violation is raised when concurrent requests occur with same JSON data
Links to More Info: BT1295009
Component: Application Security Manager
Symptoms:
JSON schema validation fails when concurrent requests occur with the same JSON data.
Conditions:
Concurrent HTTP requests contain the same JSON data.
Impact:
JSON schema validation fails.
Workaround:
None
Fix:
JSON schema validation does not fail in case of concurrent requests with same JSON data.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1294993-1 : URL Database download logs are not visible
Links to More Info: BT1294993
Component: Access Policy Manager
Symptoms:
DB download happens either at regular intervals or when explicitly requested by the user. Download status should be visible as part of apm logs and currently, those are missing.
Conditions:
Urldb configured
Impact:
Database download status information will be unknown.
Fix:
- Removing the obsolete DB variables that were used for apm logging, also led to the removal of the log configuration for swg that is being used by urldb and urldbmgrd for logging.
- Updated swg member in the apm log configuration structure during initialization and run-time execution.
Fixed Versions:
17.1.1, 16.1.5
1294289-1 : SSL Persist leaks memory on when client and server hello exceeds MSS
Links to More Info: BT1294289
Component: Local Traffic Manager
Symptoms:
TMM memory leak growing linearly with Aggressive Reaper activated.
Conditions:
This issue occurs under the following conditions:
- SSL persistence should be configured in the virtual server.
- Small client-side MSS.
Impact:
TMM cores are observed during memory leaks. Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.2, 16.1.5
1294109-4 : MCP does not properly read certificates with empty subject name
Links to More Info: BT1294109
Component: TMOS
Symptoms:
A certificate that is not a CA certificate that does not have subject populated is valid if it contains subject alternative name, but missing subject is treated as invalid.
Conditions:
- Create a certificate with an empty subject by setting the
subject alternative name.
Impact:
MCP does not show certificate details and GUI details suggest that the certificate is self-signed.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1294089-1 : BIG-IP Advanced WAF and BIG-IP ASM vulnerability CVE-2024-23308
Links to More Info: K000137416, BT1294089
1293829-1 : The violation "Illegal cross-origin request" is raised when it is not enabled under learning-blocking settings
Links to More Info: BT1293829
Component: Application Security Manager
Symptoms:
Request with a cross-origin violation, raises a violation when the violation is not enabled.
Conditions:
- URL configured with enable staging and "CORS Enforcement"
- Violation "Illegal cross-origin request" is disabled
- Send a request with an illegal cross-origin header to that URL
Impact:
Although the violation "Illegal cross-origin request" is disabled, still the violation is raised.
Workaround:
None
Fix:
The violation "Illegal cross-origin request" is now raised only when it is enabled.
Fixed Versions:
17.1.2
1293289-1 : Credentials can be submitted to /my.policy as GET instead of POST
Component: Access Policy Manager
Symptoms:
A user can submit credentials in a GET request to /my.policy instead of POST. This may expose user credentials inappropriately under some circumstances.
Conditions:
1. A basic logon page is configured
2. The user sends a login request to /my.policy using a GET request instead of a POST request.
Impact:
User credentials may be exposed.
Workaround:
An iRule may be used to reject such requests. A sample iRule is given below:
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
# match /my.policy with query beginning character ?
if { [HTTP::uri] starts_with "/my.policy?" } {
if { [HTTP::method] equals "GET" } {
log local0. "HTTP method GET is not allowed for /my.policy?"
reject
}
}
}
Fix:
APM will no longer accept GET requests to /my.policy requests with credentials.
Fixed Versions:
17.1.1
1293261-1 : Subviolations (e.g., IP in host header violation) are not reported to the policy builder
Component: Application Security Manager
Symptoms:
Evasion Technique and HTTP Protocol Compliance subviolations (e.g., IP in host header violation) are not reported to the policy builder.
Conditions:
When the policy is set to only learn (alarm and block are turned off).
Impact:
Learning suggestions to permanently disable the subviolation is not received.
Workaround:
A user should also enable the alarm to receive learning and suggestions for this subviolation.
Fix:
None
Fixed Versions:
17.1.2
1293193-3 : Missing MAC filters for IPv6 multicast
Links to More Info: BT1293193
Component: TMOS
Symptoms:
Certain drivers are missing MAC filters for multicast. This prevents TMM from receiving messages sent to All Nodes and All Routers addresses.
Conditions:
- BIG-IP VE
- Using TMM's IAVF driver
Impact:
TMM does not receive multicast messages and traffic sent to All Nodes and All Routers, dropping potentially vital packets.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1292793-4 : FIX protocol late binding flows that are not PVA accelerated may fail
Links to More Info: BT1292793
Component: Local Traffic Manager
Symptoms:
FastL4 connections with late binding enabled typically used for FIX protocol can stall or hang if they are evicted from PVA and not re-offloaded.
Conditions:
- Late binding enabled on a FastL4 flow. The flow is not accelerated, and if the flow recieves approximately 50 packets, then it will hang. Captures would show packets ingressing to the BIG-IP and not being forwarded to the peer.
Impact:
Connection may stall.
Workaround:
Disable late binding. If late binding cannot be disabled, then
disable pva-flow-aging and pva-flow-evict to avoid the issue.
Fix:
FIX protocol flow works as expected.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1292685-4 : The date-time RegExp pattern through swagger would not cover all valid options
Links to More Info: BT1292685
Component: Application Security Manager
Symptoms:
Some valid hours option would not match the Regular Expression (RegExp).
Conditions:
Creating a policy using swagger file and uploading a swagger file which contains parameter in date time format.
Impact:
Valid hours options 10 and 19 would not match the RegExp.
Workaround:
Manually fix the regular expression in the parameter
from:
'^([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))T(0\d|2[0-3]):([0-5]\d):([0-5]\d)(\.\d+)?(Z|((\+|-)(0\d|2[0-3]):([0-5]\d)))$'
to:
'^([12]\d{3}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01]))T(0\d|1\d|2[0-3]):([0-5]\d):([0-5]\d)(\.\d+)?(Z|((\+|-)(0\d|1\d|2[0-3]):([0-5]\d)))$'
Fix:
The date-time regular expression for swagger is fixed and now suppose to cover all valid options.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1292645-1 : False positive CORS violation can occur after upgrading to 17.1.x under certain conditions★
Links to More Info: BT1292645
Component: Application Security Manager
Symptoms:
CORS violation can start appearing after upgrading to 17.1.x.
Conditions:
1) CORS violation is enabled.
2) CORS configuration is done with port 80 on a particular URL.
3) Request with URL from step 2 which BIG-IP receives, is of HTTPS type.
Impact:
Requests with HTTPS protocol can get blocked with CORS violation.
Workaround:
Change configured CORS port to 443 for URLs that receive HTTPS traffic.
Fix:
Added a new bd internal variable "cors_default_port_80" which can be used to allow HTTPS traffic with CORS port configured as 80.
Fixed Versions:
17.1.1, 16.1.5
1292493-1 : Enforcement of non-approved algorithms in FIPS or Common Criteria mode.
Links to More Info: BT1292493
Component: TMOS
Symptoms:
FIPS and Common Criteria require that only FIPS-approved algorithms be used for keys.
Conditions:
OpenSSH used in FIPS or Common Criteria mode.
Impact:
OpenSSH accepts non-approved algorithms in FIPS or Common Criteria mode.
Workaround:
None
Fix:
The allowed cipher list is changed to allow only FIPS-Approved algorithms.
Fixed Versions:
17.1.2, 16.1.5
1292141-2 : TMM crash while processing myvpn request
Links to More Info: BT1292141
Component: Access Policy Manager
Symptoms:
TMM crashes while processing traffic on the virtual server.
Conditions:
Network Access resource is configured.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1291565-3 : BIG-IP generates more multicast packets in multicast failover high availability (HA) setup
Links to More Info: BT1291565
Component: Local Traffic Manager
Symptoms:
BIG-IP generates additional high availability (HA) multicast packets when the device name is changed.
Running the following commands shows the duplicate multicast entries on mgmt:mgmt interface on /var/log/sodlog file
# /usr/bin/cmd_sod get info
Conditions:
-- BIG-IPs configured with Multicast failover .
-- The self-device name is changed.
Impact:
BIG-IP multiplies the number of multicast packets when the device name is changed.
Workaround:
Restarting the sod would remove the duplicate multicast entries.
#bigstart restart sod
Fix:
Cleanup the multicast entries populated on old device name when the name is updated.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1291217-2 : EasySoap++-0.6.2 is not coded to add an SNI
Links to More Info: BT1291217
Component: TMOS
Symptoms:
Microsoft Azure has a firewall that blocks any outgoing TLS ClientHello without the SNI extension.
This causes our clients to be unable to orchestrate F5 VMs as they cannot successfully license the device automatically.
Conditions:
Clients using our devices on Azure cannot automatically license the device via f5-bigip-runtime-init using the command: /usr/bin/tmsh install /sys license registration-key ${LICENSE_KEY}
Impact:
Cannot successfully license the device automatically.
Workaround:
None
Fix:
Updated EasySoap++-0.6.2 with SNI fix
Fixed Versions:
17.1.2, 16.1.5
1291149-5 : Cores with fail over and message routing
Links to More Info: BT1291149
Component: Service Provider
Symptoms:
Seg faults for an active unit in an high availability (HA) pair when it goes to standby.
Conditions:
- Generic message routing is in use.
- high availability (HA) pairs
- This issue is observed when generic messages are in flight when fail over happens but there is some evidence that it can happen without fail over.
Impact:
This is a memory corruption issue, the effects are unpredictable and may not become visible for some time, but in testing seg faults leading to a core were observed in the device going to standby within 10-25s of the device failing over. This happened roughly for about 50% of the time but the effect will be sensitive to memory layout and other environmental perturbations.
Workaround:
None
Fix:
The MR message store iteration is fixed, no corruption or cores observed.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1290889-1 : TMM disconnects from processes such as mcpd causing TMM to restart
Links to More Info: K000134792, BT1290889
Component: TMOS
Symptoms:
When tunnels are in use on the BIG-IP, TMM may lose its connection to MCPD and exit and restart. At the time of the restart, a log message similar to the following will be seen in /var/log/ltm:
crit tmm6[19243]: 01010020:2: MCP Connection expired, exiting
When this occurs, in a default configuration, no core file is generated.
TMM may also disconnect unexpectedly from other services (i.e. tmrouted).
TMM may also suddenly fail to match traffic for existing virtual server connections against a connection flow. This could result in traffic stalling and timing out.
Conditions:
-- An IPsec, GRE or IPIP tunnel is in use.
Impact:
-- Traffic disrupted while tmm restarts.
-- Sudden poor performance
Workaround:
Do not use tunnels.
Fix:
TMM will not unexpectedly reset connections when tunnels are in use.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1289997-2 : Tenant clustering fails when adding a lower number slot to Tenant
Links to More Info: BT1289997
Component: F5OS Messaging Agent
Symptoms:
If an existing Tenant is expanded to a new blade with a blade slot lower than any blade slot the Tenant is already running on, the Tenant can fail to cluster after a tenant reboot.
Conditions:
An existing Tenant is expanded to a new blade with a blade slot lower than any blade slot the Tenant is already running on.
Impact:
The Tenant can intermittently fail to cluster after a Tenant reboot.
Workaround:
In the partition CLI, set the tenant to provisioned, then back to deployed.
Fixed Versions:
17.1.1, 15.1.10
1289981 : Tenants on r2000 and r4000 systems will not pass traffic through VLAN groups, or if ltm global-settings general share-single-mac changed from "vmw-compat"
Links to More Info: BT1289981
Component: Local Traffic Manager
Symptoms:
A tenant running on an r2000 or r4000-series appliance is not able to pass traffic through a VLAN group, regardless of the VLAN group mode.
Traffic to/from the tenant does not work properly if the "ltm global-settings general share-single-mac" / "VLAN.MacAssignment" DB key is changed to "unique".
Conditions:
- r2000 and r4000-series appliances
- tenant using VLAN groups, or with the share-single-mac setting changed from the default ("vmw-compat") to "unique".
Impact:
Traffic to tenant stops working and all the traffic to tenant is dropped.
Workaround:
None
Fix:
Unicast promiscuous mode is set in the guest OS iavf driver during the initialization.
Fixed Versions:
17.1.1
1289845-4 : Pool member marked as offline while matching both receive string and receive disable strings
Links to More Info: BT1289845
Component: In-tmm monitors
Symptoms:
The monitor is marked offline when the expected state is up/available.
Conditions:
- Monitor configured to monitor in TMM.
- Monitor configured with receive string and receive disable string.
- Monitor associated with a member where the response to the health monitor matches the receive string and receive disable string and the member is marked as offline.
Impact:
The monitor is marked offline potentially impacting traffic to the pool when the health monitor is matching both receive and receive disable strings.
Workaround:
Configure the monitor such that the response does not match both the receive and receive disable strings at the same time. Alternatively, adjust the receive and receive disable strings such that they will not match at the same time.
Fix:
None
Fixed Versions:
17.1.2, 16.1.5
1289705-2 : MCPD always logs "01071323:4: Vlan (/<partition_name>/<vlan_name>:<ID>) is configured, but NOT on hypervisor allowed list" on F5OS tenant
Links to More Info: BT1289705
Component: TMOS
Symptoms:
An F5OS Tenant at startup may print a log to indicate that a VLAN configured on the Tenant has not been assigned by the hypervisor.
For example:
warning mcpd[7929]: 01071323:4: Vlan (/Common/vlan-999:999) is configured, but NOT on hypervisor allowed list.
This alerts the administrator to a possible problem in the hypervisor or tenant configuration. The log can appear at startup, complicating troubleshooting and leading the administrator to believe a problem exists when it does not.
Conditions:
This is often noticed at startup, but may also be observed when:
-- Adding vlans
-- Restarting chmand (bigstart restart chmand)
-- Other configuration changes on the F5OS hypervisor that may affect the tenant (e.g. disabling/enabling interfaces or changing trunk configurations)
Impact:
This is benign but misleading.
Workaround:
The administrator can verify the log is false by checking the Tenant configuration (show tenants) on the F5OS hypervisor.
Fix:
None
Fixed Versions:
17.1.1
1289417-2 : SSL Orchestrator SEGV TMM core
Links to More Info: BT1289417
Component: SSL Orchestrator
Symptoms:
TMM crashes while passing SSL Orchestrator traffic.
Conditions:
This can occur when a service is added or when an existing connector node configuration is freed.
Impact:
TMM crash occurs. Traffic disrupted while TMM restarts. This issue occurs intermittently.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1289365 : The Proxy Select agent fails to select the pool or upstream proxy in explicit proxy mode★
Links to More Info: BT1289365
Component: SSL Orchestrator
Symptoms:
The Proxy Select agent in the per-request policy does not select the pool or upstream proxy in explicit proxy mode. This prevents SSL Orchestrator or BIG-IP from forwarding the egress data to the upstream proxy.
Conditions:
- Proxy Select agent is used in the per-request policy.
- Proxy Select agent is set to explicit proxy mode.
- Flow is set to be bypassed using per-req policy agents such as IP Based SSL Bypass Set or dynamic bypass based on SSL profiles.
Impact:
SSL Orchestrator or BIG-IP does not forward any egress data to the upstream proxy.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1289313-1 : Creation of wideip with alias would cause inconsistent zone data across GTM sync group
Links to More Info: BT1289313
Component: Global Traffic Manager (DNS)
Symptoms:
Loss of resource record.
Conditions:
-- Creation of a wideip with alias
and
-- synchronize-zone-files is set to yes
Impact:
Loss of resource record.
Workaround:
Set synchronize-zone-files to no.
Fixed Versions:
17.1.2
1289189-4 : In certain traffic patterns, TMM crash
Links to More Info: K000137333, BT1289189
1288729-2 : Memory corruption due to use-after-free in the TCAM rule management module
Links to More Info: BT1288729
Component: TMOS
Symptoms:
- TMM crashes.
- Neuron client errors may be found in /var/log/ltm.
Conditions:
Platform with Neuron/TCAM support (BIG-IP iSeries).
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Released variable is cleared to avoid use-after-free.
Fixed Versions:
17.1.1, 15.1.10
1288517-1 : Item filter does not work on /mgmt/tm/asm/tasks/export-suggestions/
Links to More Info: BT1288517
Component: Application Security Manager
Symptoms:
Filter is not applied for export suggestions task.
Conditions:
Having a policy with suggestions. try to export in declarative format:
restcurl -u admin:admin /mgmt/tm/asm/tasks/export-suggestions/ -d '{"policyReference":{"link":"https://localhost/mgmt/tm/asm/policies/uaDQEF3ndTdKkawROqwQow"},"filter":"status eq 'accept'","inline":true}'
Impact:
You are unable to get filtered suggestions in a declarative format.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1287981-2 : Hardware SYN cookie mode may not exit
Links to More Info: BT1287981
Component: TMOS
Symptoms:
-- Virtual server reports SYN cookie mode is "full hardware" even after a SYN flood has stopped.
-- The virtual_server_stat tmstat table columns sc_mode0,sc_mode1 show "FRS" and the syncookies.hwsyncookie_inst column is greater than zero, even after a SYN flood has stopped.
Conditions:
-- Platform with Neuron/TCAM support.
-- AFM is not provisioned.
Impact:
-- SYN/ACK responses that include a SYN cookie are generated by HW even after a SYN flood attacked has stopped.
-- SYN pkts are not seen by the virtual server.
Workaround:
Set the pvasyncookies.preferhwlmode BigDB variable to "true".
Fix:
Virtual servers properly exit HW SYN cookie mode.
Fixed Versions:
17.1.1, 15.1.10
1287821-2 : Missing Neuron/TCAM rules
Links to More Info: BT1287821
Component: TMOS
Symptoms:
- Neuron/TCAM rules are missing for a virtual server that has a rule based feature activated.
- /var/log/ltm has the following error :
Apr 12 02:31:14 bigip1 err tmm5[23326]: 01010331:3: Neuron client neuron_app_dyn_tcam failed with rule add(request full)
Conditions:
- On platforms with Neuron/TCAM support.
- A single virtual server requires more than 16 rules.
Impact:
Features that rely on the Neuron/TCAM rules are not fully offloaded to hardware and thus fall back to software.
Workaround:
None
Fix:
Rules are created correctly for all virtual servers.
Fixed Versions:
17.1.1, 15.1.10
1287313-3 : SIP response message with missing Reason-Phrase or with spaces are not accepted
Links to More Info: BT1287313
Component: Service Provider
Symptoms:
BIG-IP drops SIP response messages that are missing the Reason-Phrase.
Conditions:
A SIP response message in this format
SIP/2.0 424 \r\n
are dropped
If the message has a reason text
Status-Line = SIP-Version SP Status-Code SP Reason-Phrase CRLF
Like this
SIP/2.0 404 Not Found\r\n
then it would not be dropped
Impact:
Connectivity issue.
Workaround:
None
Fix:
BIG-IP now accepts SIP response with Status-line missing a reason text.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1287045-4 : In-TMM monitor may mark pool member offline despite its response matches Receive Disable String
Links to More Info: BT1287045
Component: In-tmm monitors
Symptoms:
Despite response matching monitor's Receive Disable String, pool member may by marked offline by the in-TMM monitor while the BIGD monitor would mark it as available/disabled. It is particularly likely if the matched pattern is located in the front of the pool member's response data.
Conditions:
-- HTTP, HTTP2, or TCP monitor is used.
-- In-TMM monitor is enabled.
-- Both Receive String and Receive Disable String are provided.
Impact:
Pool member is marked offline while it should be marked available/disabled by the in-TMM monitor.
Workaround:
Use BIGD instead of in-TMM monitor.
Fix:
When pool member's response matches Receive Disable String it is correctly marked as Availabe/Disabled by in-TMM monitor. The same as BIGD monitor.
Fixed Versions:
17.1.2, 16.1.5
1286621-1 : BD crashes when the UMU OOM limit is reached and the request has an authorization bearer header
Links to More Info: BT1286621
Component: Application Security Manager
Symptoms:
BD crashes when the UMU OOM limit is reached and the request includes an authorization bearer header.
Conditions:
- UMU OOM limit is reached
- The request has authorization bearer header
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.1.1
1286433-2 : Improve ASM performance for BIG-IP instances running on r2k / r4k appliances
Links to More Info: BT1286433
Component: TMOS
Symptoms:
ASM performance has regressed on BIG-IP instances running on r2k / r4k appliances (since F5OS release 1.3.0)
Conditions:
BIG-IP instance running on r2k / r4k
ASM traffic flowing through BIG-IP
Impact:
Improvement in ASM performance.
Workaround:
None (because this change is an improvement that alleviates performance regression)
Fix:
The kernel scheduling parameters are modified to enable better sharing of CPU resources between TMM and ASM daemons.
Fixed Versions:
17.1.1, 15.1.9
1286357-2 : Reducing packet loss for BIG-IP instance running on r2k / r4k appliances
Links to More Info: BT1286357
Component: Local Traffic Manager
Symptoms:
Packet loss occurs when DNS traffic flows through BIG-IP tenant on r2k / 4k appliances. This causes DNS performance to regress.
Conditions:
BIG-IP vCMP instance running on r2k / r4k appliances
DNS traffic (or other UDP traffic as well) flowing through BIG-IP
Impact:
Reduction in packet loss.
Workaround:
None (This change is an improvement that alleviates performance regression)
Fix:
The rx/tx ring buffer sizes of iavf driver have been increased.
Fixed Versions:
17.1.1, 15.1.9
1286101-2 : JSON Schema validation failure with E notation number
Links to More Info: BT1286101
Component: Application Security Manager
Symptoms:
An unexpected JSON Schema validation failure is seen with E notation number.
Conditions:
The E notation is without a dot.
For example, the following trigger this issue:
- 0E-8
- 0e-8
But, the following do not trigger this issue:
- 0.0E-8
- 0.0e-8
The problematic E notation number is used in object value, and the object is under an array, and the object is not the last member of the array.
Impact:
False positive.
Workaround:
Use E notation with a dot or disable schema validation violation.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1285173-1 : Improper query string handling on undisclosed pages
Links to More Info: K000133474, BT1285173
1284993-2 : TLS extensions which are configured after session_ticket are not parsed from Client Hello messages
Links to More Info: BT1284993
Component: Local Traffic Manager
Symptoms:
When the client Hello message contains session_ticket extension, it was observed that the extensions which are configured after the session ticket extension were not processed and all the extensions are being ignored.
Conditions:
Configure SSL extensions along with session_ticket extension.
Impact:
A few requests are not forwarded correctly, for example, in scenario where server_name extension is configured after session_ticket but due to the current issue, [SSL::extensions exists -type 0] is returning 0 even though the server_name extension is present in Client Hello.
Workaround:
Configure all the required extensions before the session_ticket extension.
Fix:
TLS extensions which are configured after session_ticket are not parsed from Client Hello messages. Changes have been made in such a way that ext_sz variable which holds the size of all the extns configured in client Hello message is not limited to SSL_SZ_SESSIONID which is 32 bytes.
Fixed Versions:
17.1.1, 16.1.4
1284969 : Adding ssh-rsa key for passwordless authentication
Links to More Info: BT1284969
Component: TMOS
Symptoms:
In FIPS 140-3, SSHD does not support the ssh-rsa key for passwordless authentication.
Conditions:
The system must be in FIPS 140-3 mode.
Impact:
SSHD does not support the ssh-rsa key for passwordless authentication.
Workaround:
None
Fix:
SSHD should support the ssh-rsa key for passwordless authentication.
Fixed Versions:
17.1.0.1, 16.1.4
1284897-3 : TMM can crash when it exits while still processing traffic
Links to More Info: BT1284897
Component: Local Traffic Manager
Symptoms:
Unexpected TMM crash during shutdown.
Conditions:
This is a randomly occurring, potentially timing-related issue that might be related to other operations also occurring during shutdown.
Impact:
An unclean tmm exit occurs.
Workaround:
None
Fixed Versions:
17.1.2
1284261-4 : Constant traffic on DHCPv6 virtual servers may cause a TMM crash.
Links to More Info: BT1284261
Component: Local Traffic Manager
Symptoms:
TMM may crash/core if there is a constant stream of DHCP traffic from the server towards the clients, not allowing a connection timeout.
Conditions:
Constant stream of traffic coming from DHCP server not allowing a connection timeout.
Very aggressive lease settings causing constant lease refresh may be a configuration example leading to the problem.
Impact:
Failover/crash.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1284097-1 : False positive 'Illegal cross-origin request' violation
Links to More Info: BT1284097
Component: Application Security Manager
Symptoms:
In certain configurations, an HTTP request containing an HTTPS origin header may be blocked due to an 'Illegal cross-origin request' violation.
Conditions:
A request sent to a virtual server on an HTTP port (or any port other than 443) with an origin header set to HTTPS will trigger a violation under the following conditions:
1. The 'Illegal cross-origin request' violation is enabled.
2. In Security > Application Security > Security Policies > Policies List, click Create. Add a policy name (for example, Auto_Security_Policy_Services) and click Save. Then, on the Policies List page, click the created policy name and go to HTTP Message Protection > Headers > Host Names. This issue occurs when the host name is configured with the origin header value specified in this path.
3. The URL where the request is sent has 'Enforce on ASM' enabled in the 'HTML5 Cross-Domain Request' configuration area.
Impact:
An 'Illegal cross-origin request' violation is reported in version 17.1.x, unlike in version 16.1.x, with the same configurations and traffic.
Workaround:
Add the HTTPS protocol and origin name to the required URL in the 'Allowed Origins' setting, located under 'HTML5 Cross-Domain Request'.
Fix:
With the internal parameter enabled, an 'Illegal cross-origin request' violation will not be reported.
By default, the internal parameter is disabled. However, it can be enabled using the following commands:
/usr/share/ts/bin/add_del_internal add cors_match_protocol_port 1
/usr/share/ts/bin/add_del_internal add cors_default_port_80 1
tmsh restart sys service asm
This enables the parameter and restarts the ASM service to apply the changes.
Fixed Versions:
17.1.1, 16.1.5
1284081-1 : Incorrect Enforcement After Sync
Links to More Info: BT1284081
Component: Application Security Manager
Symptoms:
In some scenarios, configuration updates are not sent to the enforcer which can cause unexpected enforcement.
In bd and asm_config_server logs you may see the following logged repeatedly:
ECARD_POLICY|NOTICE|Mar 28 12:53:26.872|18357|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_INTERNAL_PARAMETERS res:[0]
BD_FLUSH_TBLS|ERR |Mar 28 12:53:26.872|18357|AccountDomainsTbl.cpp:0049|attempting to add policy name crc while it already exists crc:[10127277905900865307]
Conditions:
A large configuration is synchronized to a device.
Impact:
Incorrect policy enforcement.
Workaround:
1) Apply each policy individually on the affected devices/blades
or
2) Restart ASM on the affected devices and blades
Fix:
Configuration updates are handled correctly.
Fixed Versions:
17.1.1
1284073-1 : Cookies are truncated when number of cookies exceed the value configured in "max_enforced_cookies"
Links to More Info: BT1284073
Component: Application Security Manager
Symptoms:
When a request contains more cookies than configured in “max_enforced_cookies” and the “strip_asm_cookies” parameter is enabled, the cookie header is truncated and not all the cookies reach the server.
Conditions:
Occurs when
- ASM is provisioned.
- Request contains more cookies than configured in “max_enforced_cookies”.
- Parameter “strip_asm_cookies” is enabled.
Impact:
All the cookies do not reach the server.
Workaround:
-- Disable the internal parameter “strip_asm_cookies”.
-- Disabling the database key makes the behavior similar to the behavior in BIG-IP version 14. For more information, see K30023210.
-- If you don’t want the old behavior before BIG-IP version 14, you can use the same solution as for versions before BIG-IP version 14: disable the sys db key. You can also use an iRule to remove the TS cookie from the server side. For more information, see K66438993.
Fix:
Skipping the removal of ASM cookies when the cookies are more than max_enforced_cookies.
Fixed Versions:
17.1.1, 16.1.5
1283645-4 : Mac Edge Client Compatibility Issues with MacOS 13.3 as the support for WebView plugin is discontinued
Links to More Info: BT1283645
Component: Access Policy Manager
Symptoms:
The WebView based End Point Inspection does not work in Mac Edge Client.
Conditions:
When using Edge Client on MacOS "Ventura" 13.3 Beta2 and later.
Impact:
Affected MacOS Edge client is unable to proceed with establishing the VPN connection.
Workaround:
Use the browser-based VPN. Note that there are some limitations if you are using your VPN in the AutoConnect mode and in the Blocked mode; it means the system cannot access the external network until you are disconnected.
The issue is not fixed in the BIG-IP versions 14.1.5.5, 16.1.3.5, and 17.1.0.2 releases. Refer to the KB article K000134990 for recommended actions.
Fix:
The issue is fixed by invoking the EPI helper application instead of the inspection host plugin in Mac Edge Client running on 13.3 and newer.
For more details on the deployment of the fix, refer to the K000133476 article.
For more details regarding the issue, refer to the K000132932 article.
Fixed Versions:
17.1.0.3, 16.1.4, 15.1.9, 14.1.5.6
1282513-1 : Redirections on the lowest numbered blade in mirroring configuration.
Links to More Info: BT1282513
Component: TMOS
Symptoms:
Incorrect DAG context mirroring causes redirections on the lowest numbered blade.
Conditions:
- B4460 platform.
- Mirroring is enabled.
- Failover is performed.
Impact:
The lowest numbered blade is redirecting packets, which can be checked by executing `tmctl -d blade tmm/flow_redir_stats`.
It can cause traffic disruption/performance loss.
Workaround:
N/A
Fix:
Fixed incorrect DAG context mirroring causing redirections on the lowest numbered blade.
Fixed Versions:
17.1.1, 15.1.9
1282357-3 : Double HTTP::disable can lead to tmm core
Links to More Info: BT1282357
Component: Local Traffic Manager
Symptoms:
Calling the HTTP::disable command more than once in an irule can result in the tmm process crashing.
Conditions:
->Basic http configuration
-> iRule
when CLIENT_ACCEPTED {
set collects 0
TCP::collect
}
when CLIENT_DATA {
if { $collects eq 1 } {
HTTP::disable
HTTP::disable
}
TCP::release
TCP::collect
incr collects
}
when HTTP_REQUEST {
log local0. "Request"
}
when HTTP_DISABLED {
log local0. "Disabled"
}
Impact:
BIG-IP may crash during an HTTP CONNECT request from a client.
Workaround:
Avoid calling HTTP::disable more than once per connflow
Fix:
Treat disable via iRule as a NOP when a disable is in progress
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1282281-5 : Roll forward upgrade fails with policy that has unapplied changes and Threat Campaigns
Links to More Info: BT1282281
Component: Application Security Manager
Symptoms:
Roll forward upgrade fails.
The following error message in /ts/log/ts_debug.log and WAF enforcement is not complete:
----------------------------------------------------------------------
Can't locate object method "id_field" via package "F5::ASMConfig::Entity::ThreatCampaign" (perhaps you forgot to load "F5::ASMConfig::Entity::ThreatCampaign"?) at /usr/local/share/perl5/F5/ImportExportPolicy/Binary.pm line 2171.
----------------------------------------------------------------------
Conditions:
- Roll forward upgrade when there is a policy that has unapplied changes and Threat Campaigns.
Impact:
Incorrect enforcement until workaround is applied.
Workaround:
Perform an apply policy operation on all policies.
Fix:
Roll forward upgrade is successful.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1282193-1 : Missing NAT46/64 offload support on F5OS platforms
Links to More Info: BT1282193
Component: TMOS
Symptoms:
Hardware offload of NAT46/64 flows are not supported on F5OS platforms.
Conditions:
- F5OS platform.
- Mixed IP version on client- and server-side.
Impact:
No hardware acceleration.
Workaround:
None
Fix:
NAT46/64 flows are now offloaded.
Fixed Versions:
17.1.2
1282105 : Assertion response attributes parsing issue after upgrade to BIG-IP 17.1.0★
Links to More Info: K000134865, BT1282105
Component: Access Policy Manager
Symptoms:
During SAML Authentication while TMM parses the assertion to extract the attributes and its respective values, all the attributes values are combined into a single string with '|' as separator and are assigned to a single variable leaving remaining ones empty.
Conditions:
When the incoming attributes, in the assertion, are considered as multi-valued attributes, all the values of attributes are combined to form a single valued attribute in order to store in the SessionDB.
Impact:
All the session variables related to assertion attributes are assigned and stored incorrectly.
Related IDs:
ID1282105 at https://cdn.f5.com/product/bugtracker/ID1282105.html
ID1353021 at https://cdn.f5.com/product/bugtracker/ID1353021.html
ID1354673 at https://cdn.f5.com/product/bugtracker/ID1354673.html
Workaround:
None
Fixed Versions:
17.1.1
1281709-4 : Traffic-group ID may not be updated properly on a TMM listener
Links to More Info: BT1281709
Component: Local Traffic Manager
Symptoms:
A few virtual servers may belong to incorrect traffic-group after a full sync or when mcp transaction is performed.
Conditions:
- The BIG-IP High Availability (HA) is configured with full load on sync.
- Traffic-group is changed on a virtual-address belonging to multiple virtuals.
- Sync happens, leaving the device receiving a sync in an incorrect state.
OR
An MCP transaction that is updating a virtual-address along with a profile change on a virtual-server is executed.
Impact:
Listeners may not belong to a correct traffic group and the the traffic is not forwarded.
Workaround:
Use an incremental sync. Do not use MCP transactions.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1281637-2 : When END_STREAM is delayed, HTTP detects a Content-Length header and raises HUDEVT_RESPONSE_DONE before HTTP/2 raises HUDEVT_RESPONSE_DONE
Links to More Info: BT1281637
Component: Local Traffic Manager
Symptoms:
A RST_STREAM is observed from BIG-IP to server after receiving response from server.
Conditions:
- HTTP/2 full proxy configuration.
- Server to send a DATA_FRAME with END_STREAM flag with a delay.
Impact:
Once the server gets around to process the RST_STREAM, it stops accepting new requests on that connection.
Workaround:
None
Fix:
The message HUDEVT_RESPONSE_DONE is delayed until the HTTP completes EV_BODY_COMPLETE action.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1281397-3 : SMTP requests are dropped by ASM under certain conditions
Links to More Info: BT1281397
Component: Application Security Manager
Symptoms:
When virus check is enabled on SMTP security profile, sometimes ASM drops the request even though no violation is reported.
Conditions:
- SMTP security profile is configured and applied with virus check on.
- ICAP server is configured
Impact:
ASM sometimes drops valid SMTP requests even when no violation is reported.
Workaround:
None
Fix:
SMTP requests are now processed.
Fixed Versions:
17.1.1, 16.1.5
1281381-1 : BD continuously restarting after upgrade to 17.1.0.1★
Links to More Info: BT1281381
Component: Application Security Manager
Symptoms:
After upgrading a previously working BIG-IP system, ASM restarts repeatedly and the system will not process ASM traffic.
Conditions:
-- An upgrade was performed
-- One or more virtual server names is longer than 64 characters.
Impact:
Repeated ASM restarts (ASM restarts in loop).
Workaround:
Change the virtual server name to be shorter than 64 characters.
Fix:
No ASM restart loop for virtual server with a name longer than 64 characters.
Fixed Versions:
17.1.1
1280857-3 : Illegal file type is enabled in Rapid Deployment Template.
Component: Application Security Manager
Symptoms:
The Rapid Deployment Template has a list of illegal filetypes and did not have the Illegal File Type violation enabled, by default.
Conditions:
A new policy is created based on the Rapid Deployment Template.
Impact:
Protection against Illegal File Type browsing is missing, by default.
Workaround:
The violation can be enabled, if required, on any existing policies.
Fix:
The new policies created based on the Rapid Deployment Template will have the Illegal File Type violation enabled, by default.
Fixed Versions:
17.1.2
1280769 : Fipsutil's fwcheck and fwupdate sub-commands show errors when run on R10920 and R5920 tenant.
Links to More Info: BT1280769
Component: Local Traffic Manager
Symptoms:
When the two commands fwcheck and fwupdate are run, they will not be successful and throw error messages.
bigip#fipsutil fwcheck
ERROR: Failed to parse firmware version: CNN35XX-NFBE-FW-2.08-12
ERROR: Firmare version check failed.
bigip#
Conditions:
When the commands fwcheck and fwupdate are run on R10920 and R5920 fips tenant.
Impact:
No functional impact. Only ignorable error messages displayed.
Workaround:
Do not run these two commands on R10920 and R5920 fips tenant.
To know the present firmware from tenant use "fipsutil info".
To update the firmware on HSM card, do it from host system.
Fix:
NA
Fixed Versions:
17.1.1
1280281-4 : SCP allow list may have issues with file paths that have spaces in them
Links to More Info: BT1280281
Component: TMOS
Symptoms:
SCP may error out.
Conditions:
A file path with a space that is allowlisted in /config/ssh/scp.whitelist.
This affects BIG-IP 14.x.x and BIG-IP 15.x.x only if running an EHF with BugID 819429 is included.
Impact:
May not copy files to a path present under allow list.
Workaround:
Remove spaces from any allowlisted file paths.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1277381-2 : PEM resource leak in MW layer leads to crash of Diameter interface
Component: Policy Enforcement Manager
Symptoms:
The BIG-IP PEM connects to the PCRF through a TCP DIAMETER connection. Under certain situations, CCR or AVP messages may remain queued indefinitely. If message queues build up, middleware enforces flow control, halting further CCR messages to the PCRF.
Conditions:
The response from the PCRF is being dropped at the DIAMETER level when in response to certain AVPs or CCR messages.
Impact:
No further transactions with PCRF once the MW bus is exhausted with resources.
Workaround:
Only a restart of TMM will restore regular operation.
Note: Devices configured with BIG-IP LTM should not reproduce this issue.
Fix:
Incorporated the sweeper feature to remove outdated entries from the MW bus upon reaching a 20-second timeout. This 20-second duration represents the maximum time that users can set for retrying DIAMETER messages. Once this timeout elapses, the MW bus will systematically clear all entries and transmit a notification to the PEM.
Fixed Versions:
17.1.2, 16.1.5
1273997-1 : BD crashes when the ACCOUNT_ENFORCER_SETTINGS table is empty
Links to More Info: BT1273997
Component: Application Security Manager
Symptoms:
BD crashes when the ACCOUNT_ENFORCER_SETTINGS table is empty
Conditions:
ACCOUNT_ENFORCER_SETTINGS table is empty
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fix:
BD does not crash when ACCOUNT_ENFORCER_SETTINGS table is empty
Fixed Versions:
17.1.1
1273881-3 : TMM crashes while processing traffic on the virtual server
Links to More Info: BT1273881
Component: Access Policy Manager
Symptoms:
TMM crashes while processing traffic on the virtual server.
Conditions:
Network Access resource is configured.
Impact:
TMM crashes leading to disruption in traffic flow.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.2, 16.1.5
1273041-3 : Observing config error on R2x00/R4x00 low/high devices while doing tmsh load sys config via performance scripts
Links to More Info: BT1273041
Component: TMOS
Symptoms:
The following error occurs which is not expected while doing tmsh load sys config default:
"Invalid attempt to register an n-stage validator, the stage must be greater than the current stage, and within the range 1 to 101 inclusive, current stage: 7 registered: 5 Unexpected Error: Loading configuration process failed. , retrying 5 more times"
Conditions:
In the Performance test environment, executing a script to load configs fails.
Impact:
Getting Config error and unable to proceed with ptt tests.
Workaround:
Reboot the device.
Fix:
Executing tmsh load sys config fails as vlan tags are not ready by the time in R2x00/R4x00 as tenant restart solves the same.
Fixed Versions:
17.1.0.1
1272501-1 : Connections are reset with the cause "F5RST:HTTP redirect rewrite failure"★
Links to More Info: BT1272501
Component: Local Traffic Manager
Symptoms:
Application failures with reset-cause: "F5RST: HTTP redirect rewrite failure".
Conditions:
-- HTTPS virtual server
-- HTTP profile attached
-- Redirect-rewrite of the HTTP profile is set to 'matching' or 'all'.
Impact:
Connections are being reset with the cause "F5RST:HTTP redirect rewrite failure".
Workaround:
Disable the Redirect Rewrite Option.
Fixed Versions:
17.1.1, 16.1.5
1271349-5 : CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy
Links to More Info: K000133098, BT1271349
1270501 : Before upgrade, if log level is configured as debug, then APMD will continuously restarts with coredump
Links to More Info: BT1270501
Component: Access Policy Manager
Symptoms:
If access policy log level is configured to debug and proceeds with upgrading the software, rebooting the BIG-IP, or restarting the APM, then coredump is observed from APMD process while starting.
Conditions:
1. Configure the HTTP connection and request timeouts in HTTP authentication using TMSH.
2. Access policy log level is configured to debug.
3. Upgrading the software, rebooting the BIG-IP, or restarting the APMD.
Impact:
APMD will reboot continuously with coredump.
Workaround:
Configure the access policy log level to other than debug.
Fix:
The coredump is not observed from APMD process while starting.
Fixed Versions:
17.1.1
1270497-3 : MRF SIP/ALG Core dump observed while accessing trans_data in sipmsg_register_ingress_register_request_session_reply_common method
Links to More Info: BT1270497
Component: Service Provider
Symptoms:
TMM generates core file while MRF SIP handles register request.
Conditions:
- SIP ALG configuration with SNAT.
Impact:
TMM generates core file while running SIP traffic with ALG configuration. Traffic is disrupted.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1270133-1 : bd crash during configuration update
Links to More Info: BT1270133
Component: Application Security Manager
Symptoms:
bd crash occurred during the configuration update.
Conditions:
This issue occurs during configuration update.
Impact:
bd crash that causes failover in High Availability (HA) pair. Intermittent offline with standalone system.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.5
1269889-1 : LTM crashes are observed while running SIP traffic and pool members are offline
Links to More Info: BT1269889
Component: Service Provider
Symptoms:
Crash may occur while processing HTTP traffic that involves persist record and the use of pick_host, following is an example:
set dest_host [MR::message pick_host peer
Conditions:
- When all pool members are offline or there are no pool members in the pool.
Impact:
TMM is inoperative while reloading after crash.
Workaround:
Avoid use of the following pick_host, particularly the use of carp:
MR::message pick_host peer <peer-object-name> [carp <carp-key>]
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1269845-4 : When upgrading IM, seeing errors like MCPD timed out and Error: 'insp_id'
Links to More Info: BT1269845
Component: Protocol Inspection
Symptoms:
During the hitless upgrade, MCPD will be timed out and the IM upgrade will fail.
Conditions:
IM Package upgrade to the latest IM.
Impact:
New signatures will not be part of the IPS IM library.
Workaround:
Need to reinitiate the hitless upgrade.
Fix:
The hitless upgrade will be successful without any issues.
Fixed Versions:
17.1.2, 16.1.5
1269773-1 : Convert network-order to host-order for extensions in TLS1.3 certificate request
Links to More Info: BT1269773
Component: Local Traffic Manager
Symptoms:
The network-order length is sent as argument instead of host-order length.
Conditions:
- A signature algorithms extension is present in the certificate request message from the server.
Impact:
Handshake fails with illegal parameter alert.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1269733-1 : HTTP GET request with headers has incorrect flags causing timeout
Links to More Info: BT1269733
Component: Local Traffic Manager
Symptoms:
The 504 Gateway Timeout pool member responses are generated from a Microsoft webserver handling HTTP/2 requests.
The tcpdump shows that the HTTP/2 stream sends the request without an appropriate End Stream flag on the Headers packet.
Conditions:
The server has to provide settings with max-frame-size small enough to force BIG-IP to split the headers across multiple HTTP/2 frames, otherwise this issue does not occur.
Impact:
The HTTP GET request causing timeout.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1269709-4 : GUI should throw the error when the VS is configured with both vdi and HTTP/2 profiles
Links to More Info: BT1269709
Component: Access Policy Manager
Symptoms:
As the VDI profile is currently not supported in the HTTP/2 environment for which there is no warning message on the BIG-IP GUI about this limitation.
Conditions:
When both VDI Profile and HTTP/2 Profile is attached to the VS.
Impact:
The customer wants this error to be displayed on the BIGIP GUI if vdi and http/2 profiles both are attached to the VS together.
Workaround:
None
Fix:
Display the warning message on the BIG-IP GUI for the Configuration error: "Virtual server cannot have vdi and http/2 profiles at the same time" when both vdi and http/2 profiles are attached on the VS.
Fixed Versions:
17.1.2, 16.1.5
1269593-1 : SSH client fails to connect using host key type ssh-rsa
Links to More Info: K000137127, BT1269593
Component: TMOS
Symptoms:
When trying to connect to BIG-IP via SSH, the connection fails with an error:
Unable to negotiate with <IP> port 22: no matching host key type found. Their offer: rsa-sha2-512,rsa-sha2-256,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
This issue is observed only in non FIPS mode.
Conditions:
-- SSH connection
-- The algorithm is set to ssh-rsa
-- The BIG-IP system is not operating in FIPS mode
Impact:
The ssh-rsa as a host key algorithm fails to connect to BIG-IP in non FIPS mode.
Workaround:
None
Fix:
Enabling ssh-rsa as host-key algorithm, in Non-FIPS mode for ssh connections.
Fixed Versions:
17.1.2, 16.1.5
1268521-1 : SAML authentication with the VCS fails when launching applications or remote desktops from the APM Webtop if multiple RD resources are assigned.
Links to More Info: BT1268521
Component: Access Policy Manager
Symptoms:
The client is unable to authenticate with VMware VDI using SAML when multiple remote desktop (i.e. Windows App) resources are assigned to Webtop.
Conditions:
1. Webtop with VMware View Client access or HTML5 is used to connect to a remote desktop.
2. Multiple VCS servers are used.
3. SAML authentication is configured in remote desktop SSO configuration or
4. Password based SSO with different username and password on each remote desktop resource is used.
Impact:
The remote desktop does not open.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1267317-6 : Disabling Access and/or WebSSO for flows causes memory leak
Links to More Info: BT1267317
Component: Local Traffic Manager
Symptoms:
Disabling Access and/or WebSSO via iRules causes TMM to leak memory.
Conditions:
-- Virtual server with SSO Access profile attached.
-- Virtual server with iRule having WEBSSO::disable
and/or ACCESS::disable for HTTP_REQUEST event.
Impact:
Continuous memory leak causes system to go out of memory and reboot.
Workaround:
None
Fixed Versions:
17.1.0.1
1265425-1 : Improper query string handling on undisclosed pages
Links to More Info: K000134535, BT1265425
1259489-2 : PEM subsystem memory leak is observed when using PEM::subscriber information
Links to More Info: BT1259489
Component: Policy Enforcement Manager
Symptoms:
TMM may show a higher memory allocation in the PEM category observed in the memory_usage_stat table.
Conditions:
- PEM is provisioned.
- PEM iRules are used that access PEM::session or PEM::subscriber information.
Impact:
TMM can have excessive memory consumption.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1256841-3 : AWS Metadata crawling fails due to incorrect cloud provider name set by cloud-init script
Links to More Info: BT1256841
Component: TMOS
Symptoms:
On the customer’s BIG-IP instances, the cloud-init script fails to render the cloud provider’s name correctly. And so, cloud_name=unknown is set.
Conditions:
Deploy BIG-IP VE on AWS in autoscaling group (1-NIC deployments) using Terraform.
Impact:
Whenever the cloud provider is not set to AWS, the DataSourceEc2.py cloud-init script, which is supposed to set up minimal network config with an ephemeral interface including fetching DHCP lease info, fails to do what it is supposed to and as a result metadata service is unreachable
Workaround:
The Identify_aws function is responsible to set the cloud name as AWS. The existing function fails when the network is not up. The customer had faced a similar issue. I have modified the function to check for UUID and serial. As these are available during boot-up itself, we are not dependent on network status.
Fix:
Cloud-init now renders the cloud provider name (AWS) successfully. It does not depend on the network status anymore. Thus, AWS metadata crawling goes through smoothly.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1256777-5 : In BGP, as-origination interval not persisting after restart when configured on a peer-group.
Links to More Info: BT1256777
Component: TMOS
Symptoms:
When as-origination interval is configured on a peer-group the setting might not survive a process restart or configuration reload.
Conditions:
- When as-origination interval is configured on a peer-group.
Impact:
The as-origination interval resets to default (15s) after a process restart or configuration reload.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4
1253481 : Traffic loss observed after reconfiguring Virtual Networks
Links to More Info: BT1253481
Component: Local Traffic Manager
Symptoms:
The traffic exiting from the tenant is being forwarded to an incorrect virtual network.
Conditions:
Reconfigure Virtual-wire by removing the current configured Virtual networks and adding another pair of virtual networks in one step and commit it.
Impact:
NTI Identifier is populated incorrectly causing traffic loss.
Workaround:
Remove the existing Virtual Networks. Commit the changes. Now reconfigure the Virtual networks and commit again.
Fix:
Modify Virtual Networks has been handled to resolve the issue. Add/Remove were handled already.
Fixed Versions:
17.1.1, 15.1.10
1252537-4 : Reboot and shutdown options are available in GUI but unavailable in TMSH when using Resource Administrator Role
Links to More Info: BT1252537
Component: TMOS
Symptoms:
The Resource Admin role has reboot and shutdown options are available in GUI but unavailable in TMSH.
Conditions:
- Resource Admin accessing reboot and shutdown options in TMSH.
Impact:
Limited availability, forces Resource Admin to use GUI.
Workaround:
Resource admin can still use GUI to initiate a reboot or shutdown.
Fix:
Resource Administrator can now initiate a reboot and shutdown using both the GUI or TMSH.
Fixed Versions:
17.1.1, 16.1.4
1252093 : BIG-IP OpenSSL now supports Extended Master Secret
Links to More Info: BT1252093
Component: TMOS
Symptoms:
FIPS 140-3 certification now requires OpenSSL to use the algorithm that computes the Extended Master Secret instead of the current algorithm computing the (legacy) Master Secret.
If FIPS 140-3 license were not installed and an external OpenSSL client did not support Extended Master secret, the handshake will downgrade to legacy Master Secret and continue without errors.
If FIPS 140-3 license is enabled and any external OpenSSL client did not support Extended Master Secret, OpenSSL will no longer downgrade to legacy master secret and will instead, abort the handshake and report failure.
Conditions:
[1] No conditions if FIPS 140-3 license is not installed.
[2] If FIPS 140-3 license is installed and an external OpenSSL client did not have extended master secret supported.
Impact:
There is no impact to BIG-IP production traffic.
Fixed Versions:
17.1.0.1
1252005-1 : VMware USB redirection does not work with DaaS
Links to More Info: BT1252005
Component: Access Policy Manager
Symptoms:
User is unable to access a USB device connected to the client machine in remote desktop using an APM VDI and VMware DaaS setup.
Note: This works as expected if a VCS server is used.
Conditions:
1. VMware DaaS setup is used
2. APM VDI desktop resource is accessed from native client or desktop
Impact:
USB device is not available.
Workaround:
None.
Fix:
USB device should be available
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1251157-1 : Ping Access filter can accumulate connections increasing the memory use
Links to More Info: BT1251157
Component: Access Policy Manager
Symptoms:
The maximum HTTP header count value for ping access is 128. The connection to the backend is aborted if there are more than 128 headers.
Conditions:
- Ping access is configured.
- The HTTP header count is more than 128.
Impact:
Connection is aborted by the BIG-IP, users are unable to access the backend.
Workaround:
None
Fix:
Fixed the issue with the ping access filter.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1251033-1 : HA is not established between Active and Standby devices when the vwire configuration is added
Links to More Info: BT1251033
Component: Local Traffic Manager
Symptoms:
Active and Standby shows disconnected since the HA packets are not exchanged resulting in failure to establish HA.
Conditions:
Condition occurs only when the vwire configs are added to the tenant.
Impact:
-- HA fails to establish, Active and Standby shows disconnected.
-- Config sync between the Active and Standby is not established.
Workaround:
HA exchange packets or failover packets mode should be set to default mode.
Fix:
HA fix Optimized
Fixed Versions:
17.1.1, 15.1.10
1251013-1 : Allow non-RFC compliant URI characters
Links to More Info: BT1251013
Component: Service Provider
Symptoms:
The MRF Parser fails if the URIs are not as per RFC.
It is required to not validate against the RFC for proper URI formatting, required message headers, and usage of defined method names.
Conditions:
- SIP URIs are not formatted as per RFC.
Impact:
MRF parser allows URI formats which are not comply with RFC.
Workaround:
None
Fix:
Set allow-unknown-methods to enabled in SIP session profile, which relaxes the SIP parser to allow unknown SIP messages to be used.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1250209-1 : The message "ERR: in Graphql disallowed response, pcre is null" appears in BD logs
Links to More Info: BT1250209
Component: Application Security Manager
Symptoms:
The following message can appear in BD logs during response enforcement:
"ERR: in Graphql disallowed response, pcre is null"
Conditions:
Two different GraphQL profiles assigned to two different URLs, one of the profiles has "Block Error Responses" enabled, the other does not.
Impact:
Error message in BD logs.
Workaround:
None
Fix:
The The message "ERR: in Graphql disallowed response, pcre is null" is not logged.
Fixed Versions:
17.1.1
1250085-4 : BPDU is not processed with STP passthough mode enabled in BIG-IP
Links to More Info: BT1250085
Component: Local Traffic Manager
Symptoms:
- Connected interfaces under a VLAN.
- Bridge Protocol Data Unit (BPDU) is not transmitted through BIG-IP which is in passthrough mode.
- Can see DST MAC STP (Mac: 01:80:c2:00:00:00) IN packets and missing OUT packets in TCP dump.
- No packet drop for DST MAC PVST (MAC:01:00:0C:CC:CC:CD) and VTP (MAC:01:00:0C:CC:CC:CC).
tshark -nnr < .pcap >
Conditions:
- Platforms C117, C115, C112, and C113
Impact:
BPDU packets will not pass through other devices if BIG-IP is in the middle of the topology with passthrough mode enabled.
Workaround:
None
Fix:
STP passthrough mode now works as expected on C117, C115, C112, and C113 platforms
Fixed Versions:
17.1.1, 16.1.4
1250077-6 : TMM memory leak
Links to More Info: BT1250077
Component: Global Traffic Manager (DNS)
Symptoms:
TMM leaks memory for Domain Name System Security Extensions (DNSSEC) requests.
Conditions:
DNSSEC signing process is unable keep pace with the incoming DNSSEC requests.
Impact:
TMM memory utilization increases over time and could crash due to Out of Memory (OOM) issue.
Workaround:
None
Fix:
A new DB variable dnssec.signwaitqueuecap is introduced to configure the limit for the software based crypto operations for DNSSEC.
You can throttle the incoming DNSSEC requests based on the count of outstanding DNSSEC requests on crypto software queue.
tmsh modify sys db dnssec.signwaitqueuecap value <value>
this value sets the capacity per TMM process.
Fixed Versions:
17.1.1, 15.1.10
1245221-2 : ASM Policy IP Intelligence configuration does not seem to synchronize when the device group is set to automatic sync
Links to More Info: BT1245221
Component: Application Security Manager
Symptoms:
Navigate to the Security > Application Security : Security Policies : Policies List > POLICY_NAME path.
In the IP Intelligence tab, click the ON/OFF switch to enable IPI. Therefore, any changes to the Alarm or Block for any category are not synced to the peer device.
Conditions:
Having High Availability (HA) pair in Sync-Failover DG w/ Autosync enabled and ASM sync enabled. Devices licensed with ASM and IPI.
Impact:
changes to the "Alarm" or "Block" for any category - are not synced to the peer device.
Workaround:
Use Manual (not Auto) sync on the DG and push the configuration.
Fix:
None
Fixed Versions:
17.1.2
1245209-1 : Introspection query violation is reported regardless the flag status
Links to More Info: BT1245209
Component: Application Security Manager
Symptoms:
The "GraphQL Introspection Query" violation is reported even though introspection queries are allowed.
Conditions:
In the GraphQL profile "Allow Introspection Queries" and "Maximum Query Cost" should be enabled.
Impact:
The "GraphQL Introspection Query" violation is reported while the "Allow Introspection Queries" flag is enabled.
Workaround:
None
Fix:
The "GraphQL Introspection Query" is not reported if the "Allow Introspection Queries" flag is enabled.
Fixed Versions:
17.1.1
1240937-4 : The FastL4 TOS specify setting towards server may not function for IPv6 traffic
Links to More Info: BT1240937
Component: Local Traffic Manager
Symptoms:
The ip-tos-to-server setting in a FastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a serverside flow. There are three special values mimic, pass-through, and specify.
The "specify" setting causes the TMM to set the egress TOS to the specific value configured from GUI for that connflow.
The IPv6 serverside egress TOS is not set to the expected "specify" value. No issue is observed with IPv4 connflow.
Conditions:
- FastL4 profile with ip-tos-to-client set to "specify" with value.
-Connflow is IPv6.
Impact:
The IPv6 serverside egress TOS is not set to the expected value.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1240121-5 : CVE-2023-46747 and CVE-2022-36760: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp
Links to More Info: K000132643, BT1240121
1239905-3 : FCS errors between the switch and HSB on iSeries platforms
Component: TMOS
Symptoms:
There are cases where FCS errors occur between the switch and HSB. This can be observed in the snmp_dot3_stat stats table, following is an example:
name fcs_errors
---- ----------
10.1 19729052
Conditions:
This requires a BIG-IP iSeries platform that has a switch and HSB.
Impact:
Networking traffic can be impacted when this condition occurs.
Workaround:
The device needs to be rebooted in order to clear the FCS errors.
Fix:
The improvement adds the ability to trigger an High Availability (HA) action when FCS errors are detected on the switch <-> HSB interfaces on iSeries platforms. This is disabled by default but can be enabled with DB variables.
There are three DB variables that control this feature:
sys db bcm56xxd.hgmfcsthreshold {
value "0"
}
bcm56xxd.hgmfcsthreshold = 0 indicates the feature is disabled. Otherwise it is the number of FCS errors per second that need to occur before the nic_failsafe HA event is triggered.
sys db bcm56xxd.hgmfcsrebootaction {
value "enable"
}
bcm56xxd.hgmfcsrebootaction = enable triggers a nic_failsafe reboot. If this variable is set to disable, then go-offline-downlinks is triggered if the FCS threshold is exceeded.
sys db bcm56xxd.hgmfcsnumpolls {
value "5"
}
This controls the number of consecutive poll loops FCS errors have to occur before triggering the HA event. Each poll loop is one second, so the default is 5s.
Fixed Versions:
17.1.2
1239901-3 : LTM crashes while running SIP traffic
Links to More Info: BT1239901
Component: Service Provider
Symptoms:
LTM crashes are observed while running SIP traffic.
Conditions:
Crash may occur while processing HTTP traffic that involves persist record and the use of pick_host, following is an example:
set dest_host [MR::message pick_host peer
Impact:
TMM is inoperative while reloading after crash.
Workaround:
Avoid use of the following pick_host, particularly the use of carp:
MR::message pick_host peer <peer-object-name> [carp <carp-key>]
Fix:
TMM does not crash while running SIP traffic.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1238693-1 : Adding SSHD support for rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and removing support for ed25519
Links to More Info: BT1238693
Component: TMOS
Symptoms:
In FIPS 140-3 mode, SSHD does not support rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms, it supports ed25519 which is not FIPS approved.
Conditions:
System must be in FIPS 140-3 mode.
Impact:
SSHD does not support rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms, it supports ed25519 which is not FIPS approved.
Workaround:
None
Fix:
SSHD should support rsa-sha2-256 and rsa-sha2-512 HostKeyAlgorithms and must reject ED25519.
Fixed Versions:
17.1.0.1, 16.1.4
1238629-2 : TMM core when processing certain DNS traffic with bad actor (BA) enabled
Links to More Info: K000137521, BT1238629
1238529-3 : TMM might crash when modifying a virtual server in low memory conditions
Links to More Info: BT1238529
Component: Local Traffic Manager
Symptoms:
Messages similar to the following are seen in the LTM log:
Feb 1 14:17:09 BIG-IP err tmm[1139]: 01010008:3: Listener config update failed for /Common/virtual: ERR:ERR_MEM
TMM restarts and writes a core file.
Conditions:
- Low memory available in TMM.
- A virtual server modification is made.
Impact:
Traffic is interrupted while TMM writes a core file and restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1238449-1 : Replacement of the same policy from a full JSON file with a non UTF-8 character fails
Links to More Info: BT1238449
Component: Application Security Manager
Symptoms:
When a non UTF-8 policy is exported in full JSON format and then replaced with the original policy, the following error occurs:
"InternalError - import_policy failed: fatal: Failed action: Imported and replaced policies have different encodings."
Conditions:
The policy is encoded with non UTF-8 characters. The exported policy is in full JSON format, and you are trying to replace the original policy.
Impact:
Unable to replace policy.
Workaround:
None
Fix:
Allowed to change the default encoding of the base policy.
Fixed Versions:
17.1.2
1238413-4 : The BIG-IP might fail to update ARL entry for a host in a VLAN-group
Links to More Info: BT1238413
Component: Local Traffic Manager
Symptoms:
ARP requests through a transparent or translucent VLAN-group might fail.
The command "tmsh show net arp" displays the VLAN as the VLAN-group rather than a child VLAN. This symptom might be intermittent.
Conditions:
- A transparent or translucent VLAN-group is configured.
- ARP requests passing through the VLAN-group.
- Higher gaps (approximately 9 hours) in layer 2 traffic seen by the BIG-IP from the target of the ARP request.
Impact:
ARP resolution failure.
Workaround:
Create a monitor on the BIG-IP to monitor the target of the ARP resolution. This will ensure that layer 2 traffic is seen by the BIG-IP from that host, keeping the ARL entries current.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1238329-1 : Intermittent request for /vdesk/c_ses.php3?orig_uri is reset with cause Access encountered error: ERR_NOT_FOUND
Links to More Info: BT1238329
Component: Access Policy Manager
Symptoms:
->RST is sent by the BIG-IP and the following logs are seen in /var/log/apm:
Dec 19 10:39:19 LBENDMZQ01.fibe.fortis warning tmm2[13658]: 01490573:4: /Common/NPEUSECUQ_OAuth:Common:eb204975: Decryption failed for ORIG_URI with error: ERR_NOT_FOUND
Dec 19 10:39:19 LBENDMZQ01.fibe.fortis warning tmm2[13658]: 01490573:4: /Common/NPEUSECUQ_OAuth:Common:eb204975: Decryption failed for ORIG_URI with error: ERR_NOT_FOUND
Dec 19 10:39:19 LBENDMZQ01.fibe.fortis err tmm2[13658]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_redirect_client_to_original_uri, Line: 9404
Dec 19 10:39:19 LBENDMZQ01.fibe.fortis err tmm2[13658]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: access_process_state_client_enforce_policy, Line: 9653
Dec 19 10:39:19 LBENDMZQ01.fibe.fortis err tmm2[13658]: 01490514:3: (null):Common:00000000: Access encountered error: ERR_NOT_FOUND. File: ../modules/hudfilter/access/access.c, Function: hud_access_handler, Line: 3481
Dec 19 10:39:19 LBENDMZQ01.fibe.fortis notice tmm[13658]: 01490567:5:
Conditions:
->packetcapture to BIG-IP virtual server should have request /vdesk/c_ses.php3?orig_uri=...
Impact:
The end user is trying to re-authenticate and just receives a blank page.
Fix:
Access will create a new sessionkey if the existing key is not found
Fixed Versions:
17.1.2, 16.1.5
1238321-6 : OpenSSL Vulnerability CVE-2022-4304
Links to More Info: K000132943
1238249-5 : PEM Report Usage Flow log is inaccurate
Links to More Info: BT1238249
Component: Policy Enforcement Manager
Symptoms:
PEM Report Usage Flow log for Flow-duration-seconds and Flow-duration-milli-seconds sometimes report incorrectly.
Conditions:
- HSL logging is configured.
Impact:
The statistics for flow duration report longer than the actual, this can result in showing incorrect data and can impact the policy behaviour.
Workaround:
None
Fix:
Updated the flow duration calculation for Flow-duration-seconds and Flow-duration-milli-seconds.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1235813 : OpenSSL vulnerability CVE-2023-0215
Links to More Info: K000132946, BT1235813
1235801 : OpenSSL vulnerability CVE-2023-0286
Links to More Info: K000132941, BT1235801
1235337-2 : The 'JSON profile' with 'JSON schema validation' was not created for the body parameter in the OpenAPI URL
Links to More Info: BT1235337
Component: Application Security Manager
Symptoms:
The 'JSON profile' with 'JSON schema validation' was not created for the OpenAPI parameters with 'body' location and has 'schema' definitions in case the 'schema' type is 'array' (if the type is 'object' and the 'JSON profile' is created properly).
Conditions:
OpenAPI parameter with 'body' location having schema type 'array'.
Impact:
Some OpenAPI parameters will not include JSON content profile validation.
Workaround:
JSON content profile with JSON schema validation can be created manually after creating a security policy from the OpenAPI file.
Fixed Versions:
17.1.2
1235085-1 : Reinitialization of FIPS HSM in BIG-IP tenant.
Links to More Info: BT1235085
Component: Local Traffic Manager
Symptoms:
During reinitialization of FIPS HSM in BIG-IP tenant, the presence of existing keys is not validated.
Conditions:
When FIPS HSM in BIG-IP tenant is already initialized and keys are created. Then the reinitialization is triggered.
Impact:
When reinitialization triggered, the existing keys are erased without a warning to the user.
Workaround:
Before reinitialization of FIPS HSM in BIG-IP tenant, make sure the existing keys are deleted.
Use following TMSH command to view the current keys:
"show sys crypto fips keys"
Fix:
When the FIPS HSM in BIG-IP tenant reinitialization is triggered, the existing keys are validated and a message is displayed that the keys are available. Delete all the existing keys before reinitialization.
Fixed Versions:
17.1.0.1
1232977-4 : TMM leaking memory in OAuth scope identifiers when parsing scope lists
Links to More Info: BT1232977
Component: Access Policy Manager
Symptoms:
It is observed that oauth_parse_scope fails to increment the index then storing discrete scope identifiers into the output array. Thus all scope identifiers are stored in element 0 and all but the last element parsed are leaked.
Conditions:
OAuth functionality, scope comparisons happen if a scope is provided in request.
Impact:
Failure of High Availability (HA) due to memory issues in TMM over time.
Workaround:
None
Fix:
Increment the index so that all scope identifiers are stored and parsed without any leaks.
Fixed Versions:
17.1.1, 16.1.4
1232629-1 : Support to download Linux ARM64 VPN Client in BIG-IP
Links to More Info: BT1232629
Component: Access Policy Manager
Symptoms:
Unable to download the Linux ARM64 VPN Client from a BIG-IP system.
Conditions:
Downloading and installing the Linux RM64 VPN client.
Impact:
No support to download Linux ARM64 VPN Client in BIG-IP.
Workaround:
None
Fix:
Added support to download Linux ARM64 VPN Client in BIG-IP.
Fixed Versions:
17.1.1
1232521-4 : SCTP connection sticking on BIG-IP even after connection terminated
Component: TMOS
Symptoms:
After an SCTP client has terminated, the BIG-IP still shows the connection when issuing "show sys conn protocol sctp"
Conditions:
Under certain conditions, an SCTP client connection may still exist even if the client has sent a SHUTDOWN request.
Impact:
Memory resources will be consumed as these type of lingering connections accumulate
Fix:
SCTP connections are properly internally closed when required.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1231137-1 : During signature update, Bot signature from one user partition affecting the Bot profile created in another Partition
Links to More Info: BT1231137
Component: Application Security Manager
Symptoms:
Signature update is not allowed.
Conditions:
- In Security > Bot Defense > Bot Defense Profiles, when the field Signature Staging upon Update is set to Enabled.
Impact:
None
Workaround:
Set the field Signature Staging upon Update to Disabled.
Fix:
None
Fixed Versions:
17.1.2, 16.1.5
1231001-3 : PEM flow-term-on-sess-delete can cause cores
Links to More Info: BT1231001
Component: Policy Enforcement Manager
Symptoms:
SOD sends a SIGABRT to TMM which then cores.
Conditions:
* PEM is provisioned.
* `pem global-settings session-mgmt-attributes flow-term-on-sess-delete` is enabled.
Impact:
TMM is restarted causing traffic interruption.
Workaround:
Disable `pem global-settings session-mgmt-attributes flow-term-on-sess-delete`.
Fixed Versions:
17.1.2, 16.1.5
1230757-5 : Handling concurrent lookups can cause memory leak in MRF
Component: Service Provider
Symptoms:
Message Router cache spike up under certain conditions which causes memory leak.
Conditions:
Multiple pool members configured with the same IP address but different ports.
Impact:
Due to this memory leak, the system can run out of memory.
Workaround:
Configure multiple routers or assign different IP addresses to the pool members
Fix:
Memory leaks no longer occur.
Fixed Versions:
17.1.2
1229813-4 : The ref schema handling fails with oneOf/anyOf
Links to More Info: BT1229813
Component: Application Security Manager
Symptoms:
In JSON schema validation, it fails in handling of a ref schema that is referenced from multiple places under oneOf/anyOf.
Conditions:
Using oneOf or anyOf, a ref schema is referenced multiple times from oneOf/anyOf section.
Impact:
JSON schema validation fails and request gets blocked.
Workaround:
Change schema structure so that the single ref schema is not referenced from multiple places under oneOf/anyOf.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1229417-1 : BIG-IP iRulesLX: CVE-2020-7774 nodejs-y18n prototype pollution vulnerability
Component: Local Traffic Manager
Symptoms:
A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality.
It may cause denial of service and data integrity when untrusted input via locale.
Conditions:
Denial of service or in rare circumstances, impact to data integrity or confidentiality
Impact:
When node inspector gets untrusted input passed to y18n, it may affect data confidentiality and system availability.
Workaround:
NA
Fix:
The library has been patched to address the issue.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1229401-2 : TMM on an F5OS BIG-IP tenant crashes while fetching DDoS stats
Links to More Info: BT1229401
Component: Advanced Firewall Manager
Symptoms:
TMM on an F5OS BIG-IP tenant crashes while fetching DDoS stats from the host.
Conditions:
Undetermined circumstances on a BIG-IP tenant with AFM provisioning.
Impact:
TMM crashes on the tenant which effects the application traffic failure.
Workaround:
None
Fixed Versions:
17.1.1
1229369-4 : The fastl4 TOS mimic setting towards client may not function
Links to More Info: BT1229369
Component: Local Traffic Manager
Symptoms:
The ip-tos-to-client setting in a fastL4 profile is used to control the Type Of Service (TOS) field in the IP header for egress frames on a clientside flow. There are two special values - 'mimic' and 'pass-through'.
The mimic setting causes tmm to set the egress TOS to the value seen on the last ingress packet for that connflow.
In affected versions of BIG-IP, this is not set correctly, and behaves like pass-through (uses the TOS value seen arriving on the serverside flow)
Conditions:
FastL4 profile with ip-tos-to-client set to "mimic" (shown as the value 65534 in tmsh)
Impact:
The clientside egress TOS is not set to the expected value
Workaround:
Use an irule to set IP::tos to the desired value. Note that processing every packet with an irule will incur a performance penalty.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1226585-1 : Some SSL Orchestrator rest endpoints not loading on startup after BIG-IP is rebooted when it is set to CC/STIP mode
Links to More Info: BT1226585
Component: TMOS
Symptoms:
Restnoded framework availability monitor times out while waiting for the dependencies(/mgmt/tm/*/** APIs/endpoints registration w.r.t all the provisioned modules) that are initialized during the restjavad startup.
Conditions:
STIP Mode is enabled, hence the below DB variables values are set to true,
tmsh list sys db security.commoncriteria
tmsh list sys db security.commoncriteria.stip
Impact:
Certain functionalities in SSL Orchestrator config GUI are not operational or operational in a limited manner.
Fix:
Now, you can configure a timeout that controls the time period for which restjavad must wait for the initialization to complete before restarting restnoded programmatically; so that, the SSL Orchestrator app finds the dependent rest endpoints that are already registered.
The DB variable Restjavad.Startup.RestnodedRestart.AwaitTimeout was added with the default value set to 1200 seconds.
Fixed Versions:
17.1.0.1
1226537-1 : Duplicated details are shown in files preview.
Component: Application Security Manager
Symptoms:
Duplicated details are shown in the preview for threat campaigns.
Conditions:
Upload the attached file, or install the latest file after checking for updates.
Impact:
Duplicated details are shown in the preview.
Workaround:
None
Fix:
No duplicate records.
Fixed Versions:
17.1.2
1226121-5 : TMM crashes when using PEM logging enabled on session
Links to More Info: BT1226121
Component: Policy Enforcement Manager
Symptoms:
TMM may crash when using PEM logging.
Conditions:
When a sessions has PEM logging enabled on it:
pem global-settings subscriber-activity-log
Impact:
TMM crashes and restarts, losing all prior connection.
Workaround:
Disabling PEM logging on sessions will avoid the issue.
Fix:
PEM session logging can be used as expected.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1225797 : SIP alg inbound_media_reinvite test fails
Links to More Info: BT1225797
Component: Service Provider
Symptoms:
On BIG-IP versions that fixed ID 1167941, certain SIP ALG inbound media re-invite test cases fail.
Conditions:
This occurs for re-invites on inbound calls.
Impact:
The re-invite will be dropped.
Workaround:
None
Fix:
BIG-IP will drop the messages only when the header is not registered and if it’s a request on the client side of an ephemeral listener.
Fixed Versions:
17.1.1, 16.1.5
1225789-1 : The iHealth API is transitioning from SSODB to OKTA
Links to More Info: BT1225789
Component: TMOS
Symptoms:
The iHealth is switching to OKTA from using SSODB for authentication. The ihealth-api.f5.com and api.f5.com are replaced by ihealth2-api.f5.com and identity.account.f5.com.
Conditions:
- Authentication
Impact:
Qkview file will not be uploaded to iHealth automatically.
Workaround:
Qkview file must be uploaded manually to iHealth.
Fix:
Qkview file will be uploaded to iHealth automatically once Client ID and Client Secret are configured.
TMSH interface will still display ihealth user/password rather than client ID/ Client Secret. For more details, see article K000130498.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1225061-1 : The zxfrd segfault with numerous zone transfers
Links to More Info: BT1225061
Component: Global Traffic Manager (DNS)
Symptoms:
The zxfrd restart loop with cores occasionally.
Conditions:
Numerous dns express zones are doing zone transfers at the same time.
Impact:
The zxfrd restart loops or cores.
Workaround:
Do not add large number of DNS express zones at the same time and also reduce the total number of DNS express zones.
Fixed Versions:
17.1.2, 16.1.5
1224409-1 : Unable to set session variables of length >4080 using the -secure flag
Links to More Info: BT1224409
Component: Access Policy Manager
Symptoms:
Secure Session Variables are limited to 4k length in the access filter, unable to set variables of length >4080 using the "ACCESS::session data set -secure". On trial an error "Operation not supported" gets raised in LTM.
Conditions:
The limit imposed on the maximum URI in CL1416175 in 2015 restricts setting secure session variables greater than 4K in size.
Impact:
Customers have the requirement of setting variables more than 6K in length, but due to internal limits imposed on the session variables they are unable to capture them in the session.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1224329-2 : No learning suggestion for URL "Override policy allowed methods" attribute
Component: Application Security Manager
Symptoms:
The suggestion to allow a method on a specific URL is not generated as expected on URLs with "Override policy allowed methods" enabled.
Conditions:
Learn Allowed Methods on HTTP URLs" option is enabled in the policy and the specific URL is "Override policy allowed methods
Impact:
No learning suggestion to allow violating the method of the specific URL
Workaround:
None
Fix:
With the fix the suggestion is generated as expected.
Fixed Versions:
17.1.2
1223369-1 : Classification of certain UDP traffic may cause crash
Links to More Info: K000135946, BT1223369
1220629-1 : TMM may crash on response from certain backend traffic
Links to More Info: K000137675, BT1220629
1218813-6 : "Timeout waiting for TMM to release running semaphore" after running platform_diag
Links to More Info: BT1218813
Component: Access Policy Manager
Symptoms:
The platform_diag might not complete properly leaving TMM in an inoperational state. The 'bigstart restart' is required to recover.
Conditions:
Running platform_diag tool on a platform licensed with URL filtering.
Impact:
Unable to run platform_diag tool. TMM remains inoperative.
Workaround:
Open /etc/bigstart/scripts/urldb and modify the dependency list to be:
# wait for processes
depend ${service} mcpd running 1 ${start_cnt}
require ${service} urldbmgrd running 1 ${start_cnt}
require ${service} tmm running 1 ${start_cnt}
Then restart urldb:
> bigstart restart urldb
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1217549-4 : Missed ASM Sync on startup
Links to More Info: BT1217549
Component: Application Security Manager
Symptoms:
In few deployment environments, if a device is configured to be part of a device-group before the ASM startup has finished initializing, then it may miss the initial sync from its peer, and not re-request it until another event happens in the system.
Conditions:
Devices are in an auto-sync ASM enabled device-group and a new device is brought into the device-group while initializing the device settings.
Impact:
The devices are out of sync until another action occurs and the sync is requested again.
Workaround:
Restarting ASM on the affected device or causing another sync event will resolve the issue.
Fixed Versions:
17.1.2
1217365-2 : OIDC: larger id_token encoded incorrectly by APM
Links to More Info: BT1217365
Component: Access Policy Manager
Symptoms:
APM Websso decrypts id_token incorrectly when OIDC id_token is larger than ~5mb. The generated token size can be larger when the user belongs to many groups.
Conditions:
1) configure BIG-IP as oauth client and Resource server and Authorization server as Azure AD
2) configure Azure AD such that it sends a large token.
)access policy start -> oauth client ->scope ->allow
3)create a oauth bearer sso in "passthrough" mode and send token on 4xx response
4)attach sso to access policy
5)attach the access policy to the virtual server
Impact:
Access to applications will fail due to incorrect processing of the access token.
Workaround:
None
Fix:
Handling of decryption to support large data than usual limit which makes users to able to access applications.
Fixed Versions:
17.1.2
1216297-3 : TMM core occurs when using disabling ASM of request_send event
Links to More Info: BT1216297
Component: Application Security Manager
Symptoms:
When adding an iRule to disable ASM on request_send event, the TMM core occurs.
Conditions:
ASM is provisioned and attached to policy.
Add iRule that disables ASM and HTTP on HTTP_REQUEST_SEND event.
Impact:
TMM cores, system is down.
Workaround:
Remove the iRule, or disable ASM for all events of the URL.
Fixed Versions:
17.1.1, 16.1.4
1215613-3 : ConfigSync-IP changed to IPv6 address and it cannot be changed back to IPv4 address
Links to More Info: BT1215613
Component: TMOS
Symptoms:
In var/log/ltm following error log is available:
0107146f:3: Self-device config sync address cannot reference the non-existent Self IP (10.155.119.13); Create it in the /Common folder first.
Conditions:
- In High Availability (HA) system ConfigSync-IP is set to IPv6 management address.
[root@00327474-bigip1:Standby:Disconnected] config # tmsh list cm device | grep -iE 'cm device|configsync-ip'
cm device 00327474-bigip1.lucas {
configsync-ip 10.155.119.12
cm device 00327474-bigip2.lucas {
configsync-ip 2001:dead:beef::13 <<-------
- Modifying the ConfigSync-IP to IPv4.
tmsh modify cm device 00327474-bigip2.lucas configsync-ip 10.155.119.13
Impact:
Device is not able to configure the ConfigSync-IP for IPv4 once IPv6 is configured.
Workaround:
None
Fixed Versions:
17.1.1, 15.1.10
1215161-4 : A new CLI option introduced to display rule-number for policy, rules and rule-lists
Links to More Info: BT1215161
Component: Advanced Firewall Manager
Symptoms:
If a large number of rules and rule-lists are configured, it takes more than 10 minutes to display the output with rule-numbers.
Ex:
tmsh - "list security firewall rule-list"
icrd - "restcurl -u admin /tm/security/firewall/rule-list"
AFM service discovery of BIG-IP fails in BIG-IQ when upgraded to a newer version.
Conditions:
- AFM license is enabled
- Large number of rules and rule-lists are configured
Impact:
AFM service discovery from BIG-IQ fails on upgrade.
Workaround:
-
Fix:
The rule-number feature is used in TMSH or icrd.
The default CLI command and REST query are modified to not generate rule-number straight away. This considerably improves the performance when BIG-IQ discovers AFM service from BIG-IP and when a large number of rules and rule-lists are configured.
TMSH users can list the rules, rule-list, and policy with rule-number by adding the 'with-rule-number' CLI option.
BIG-IQ and TMUI are not affected due to this change.
Fixed Versions:
17.1.1
1213469-5 : MRF SIP ALG: INVITE request with FQDN Route header will not translate SDP and 200 OK SDP is dropped
Links to More Info: BT1213469
Component: Service Provider
Symptoms:
BIG-IP does not translate the SDP or via headers IP with listener IP for an outbound call which causes it to drop the 200 OK response.
Conditions:
In SIP ALG, the INVITE request contains an FQDN Route header.
Impact:
Media pinholes are not created for INVITE.
Workaround:
In the SIP_REQUEST event, a specific Route header could be removed and Insert it again in the SIP_REQUEST_SEND event before sending the request out. For example,
when SIP_REQUEST {
set pd_route_hdr_count [SIP::header count Route]
set pd_route_unset 0
set pd_route [SIP::header Route]
if {[SIP::method] == "INVITE" && ($pd_route_hdr_count equals 1) && $pd_route contains "sip:someclient.site.net;lr" } then {
SIP::header remove "Route"
set pd_route_unset 1
}
}
when SIP_REQUEST_SEND {
if {[SIP::method] == "INVITE" && ($pd_route_unset == 1)} {
SIP::header insert "Route" $pd_route
}
}
Fix:
In SIP ALG, if the Route header is FQDN in INVITE, then it should allow it to pass without any modification.
Fixed Versions:
17.1.1, 16.1.4
1213305-6 : Improper query string handling on undisclosed pages
Links to More Info: K000132726, BT1213305
1211985-6 : BIG-IP delays marking Nodes or Pool Members down that use In-TMM monitoring
Links to More Info: BT1211985
Component: In-tmm monitors
Symptoms:
When configured with a high number of In-TMM monitors and a high portion are configured as either Reverse monitors or as monitors using the Receive Disable field, the BIG-IP may not mark Nodes and Pool Members DOWN immediately once the configured timeout lapses for non-responsive targets.
Conditions:
This may occur when both:
- In-TMM monitoring is enabled through sys db bigd.tmm.
- A portion of the monitors are configured as Reverse monitors or use the Receive Disable field.
Impact:
Non-Responsive Nodes or Pool Members may not be marked DOWN.
Workaround:
You can work around this issue by disabling In-TMM monitoring, at the expense of decreased monitoring performance (higher CPU usage by the bigd daemon).
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1211905-3 : Error occurs when importing ASM Policy in XML format with element "violation_ratings_counts"
Links to More Info: BT1211905
Component: Application Security Manager
Symptoms:
Unable to import the XML format policy.
Conditions:
Having an XML policy with violation_rating_counts elements.
Impact:
Unable to import XML policy.
Workaround:
1) Remove the elements from an exported policy file.
sed -i '/<violation_rating_counts\/>/d' *xml
2) Import the policy again.
Fix:
None
Fixed Versions:
17.1.2, 16.1.5
1211513-3 : Data payload validation is added to HSB validation loopback packets
Links to More Info: BT1211513
Component: TMOS
Symptoms:
Send validation loopback packets to the HSB on the BIG-IP platforms.
Conditions:
This issue occurs while running a BIG-IP hardware platform with HSB.
Impact:
No impact, this is a new diagnostic feature.
Workaround:
None
Fix:
Loopback validation now occurs on hardware platforms equipped with HSB, except on iSeries platforms i4600, i4800, i2600, i2800, and i850 as wd_rx_timer is disabled by default.
Behavior Change:
A new diagnostic feature with failsafe periodically sends validation loopback packets to the HSB on BIG-IP platforms with the hardware component.
The feature adds following two new db variables that can be altered with TMSH modify sys db:
- The variable tmm.hsb.loopbackValidation is enabled by default, change it to disabled to stop the loopback validation packets sent to HSB.
- The variable tmm.hsb.loopbackvalidationErrthreshold is set to 0 by default. If this value is set to 0, the BIG-IP will only log corruption detection without taking any action. If the value is set to greater than 0, then an HSB nic_failsafe will be triggered when the number of detected corrupt loopback packets reaches the value.
An HSB reset typically dumps some diagnostic information in /var/log/tmm and reboots the system.
If a validation loopback packet is found to be corrupt, one or more messages like the following will appear in /var/log/tmm:
notice HSB loopback corruption at offset 46. tx: 0x4f, rx: 0x50, len: 2043
These logs are rate-limited to 129 logs per 24-hour period. If the variable tmm.hsb.loopbackvalidationErrthreshold is set to a value greater than 0 and the number of corrupt packets reaches this value, the following log message will also appear:
notice Reached threshold count for corrupted HSB loopback packets
Typically, the log message will then be followed by a reboot.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1211297-1 : Handling DoS profiles created dynamically using iRule and L7Policy
Links to More Info: BT1211297
Component: Anomaly Detection Services
Symptoms:
Persistent connections with HTTP requests that may switch according to dynamic change of DoS policy (using iRule or L7Policy) can cause a TMM crash.
Conditions:
A request arrives to BIG-IP and is waiting to be served (it is delayed using iRule), however, if the DoS profile is unbound during that time from the virtual server and a dynamic DoS profile change decision is made, it could potentially cause the request to be incorrectly associated with a context that has already been freed.
Impact:
In few scenarios, when DoS policy is changed during connection lifetime, TMM might crash.
Workaround:
None
Fix:
No TMM crash due to persistent connections.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1211189-4 : Stale connections observed and handshake failures observed with errors
Links to More Info: BT1211189
Component: Local Traffic Manager
Symptoms:
SSL handshake fails.
Invalid or expired certificates are being used in the handshake.
Conditions:
- When the certificates in BIG-IP are expired and being renewed remotely.
- When the clientssl or serverssl profiles are dynamically being attached to a virtual server through iRule.
Impact:
SSL handshake fails.
Vitual server (SSL Profiles) use old or expired certificates.
Workaround:
Restart the TMM or BIG-IP to resolve the issue temporarily (until next expiry time of the certificates).
Fix:
None
Fixed Versions:
17.1.1, 16.1.4
1211009-4 : Policy Builder core dump occurs while modifying or accessing the policies, concurrently
Component: Application Security Manager
Symptoms:
Policy Builder core dump.
Conditions:
Occurs while modifying or accessing policies concurrently from Policy Builder flows that run parallelly.
Impact:
Policy Builder core dump and a restart. Policy Builder learning progress is lost to the configurable persistence periodic saving interval.
Workaround:
None
Fix:
Fixed a Policy Builder crash flow
Fixed Versions:
17.1.2
1210469-1 : TMM can crash when processing AXFR query for DNSX zone
Links to More Info: BT1210469
Component: Local Traffic Manager
Symptoms:
TMM crash with SIGABRT and multiple log messages with "Clock advanced by" messages.
Conditions:
Client querying AXFR to a virtual server or wideip listener that has DNSX enabled in the DNS profile and has a large amount of DNSX zones with a large amount of resource records.
Impact:
TMM cores and runs slow with "Clock advanced by" messages.
Workaround:
Disable zone transfer for the DNS profile associated with the virtual server.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1210321-2 : Parameters are not created for properties defined in multipart request body when URL include path parameter
Links to More Info: BT1210321
Component: Application Security Manager
Symptoms:
Security policy parameters are not created for OpenAPI schema properties in multipart request body section.
Conditions:
Request body defined for URL that include path parameter.
Impact:
Some parameters defined by OpenAPI file will not be created in security policy.
Workaround:
Missed parameters should be created manually through GUI, REST, or TMSH.
Fixed Versions:
17.1.2, 16.1.5
1209945-2 : Egress traffic degraded after "notice SEP: Tx completion failed" in TMM logs
Links to More Info: BT1209945
Component: Local Traffic Manager
Symptoms:
In a case where traffic is not properly egressing a BIG-IP tenant running on rSeries or VELOS platforms, if any TMM log file contains any line with the text "notice SEP: Tx completion failed", that tenant VM may need to be manually restarted. The BIG-IP is unable to detect the traffic degradation automatically and recover or fail-over; the user must manually intervene to restart the tenant.
Conditions:
This is specific to rSeries and VELOS platforms, and does not affect other BIG-IP platforms or virtual editions.
Egress traffic from the affected tenant may appear to be degraded or non-functional. There may be a high number of transmit packet drops.
Check the tenant TMM log files for any line containing the text "notice SEP: Tx completion failed" (which may include additional trailing text). The log files of concern reside in the tenant at paths:
/var/log/tmm*
Impact:
Egress traffic may be severely degraded until the tenant with the offending log messages is manually restarted.
Workaround:
Restart the tenant VM by moving the tenant from deployed -> provisioned -> deployed in the partition or system ConfD command line interface.
Alternatively, issue the "reboot" command from the tenant bash shell.
Fix:
None
Fixed Versions:
17.1.1, 15.1.9
1209709-5 : Memory leak in icrd_child when license is applied through BIG-IQ
Links to More Info: BT1209709
Component: TMOS
Symptoms:
The memory use for icrd_child may slowly increase, eventually leading to an OOM condition.
Conditions:
License applied through BIG-IQ.
Impact:
Higher than normal control-plane memory usage, possible OOM related crash.
Workaround:
Periodically kill the icrd_child processes. The restjavad will restart them automatically.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1209589-5 : BFD multihop does not work with ECMP routes
Links to More Info: BT1209589
Component: TMOS
Symptoms:
BFD multihop does not work with ECMP routes. TMMs are unable to agree on session ownership and dropping the session after 30 seconds.
Conditions:
On a multi-TMM box, configure BFD multihop peer reachable over ECMP route.
Impact:
BFD multihop does not work with ECMP routes and BFD session is getting dropped every 30 seconds.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.2
1209409-5 : Address lists with thousands of addresses can cause MCPD to become unresponsive and use 100% CPU
Links to More Info: BT1209409
Component: Advanced Firewall Manager
Symptoms:
If there are thousands of addresses in an address list, validation of the addresses can take extended time. While MCPD is validating the addresses it will use nearly 100% of the CPU. Also, during this time, other daemon might timeout their connection with MCPD and/or restart.
Conditions:
- Thousands of addresses in an address list.
Impact:
- Longer load /sys configuration time including on upgrade.
- Longer configuration sync time, where full configuration sync is more prone to cause this issue.
- Modifications using the webUI consume longer time and might timeout.
Depending on how long MCPD spends validating the addresses, other daemons, including TMM, might timeout their connection to MCPD and/or restart.
Workaround:
None
Fix:
The time it takes mcpd to validate an addresses list that contains nested address lists is greatly reduced.
Fixed Versions:
17.1.2, 16.1.4
1208949-4 : TMM cored with SIGSEGV at 'vpn_idle_timer_callback'
Links to More Info: BT1208949
Component: Access Policy Manager
Symptoms:
TMM cores.
Conditions:
Network Access is in use.
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1208001-3 : iControl SOAP vulnerability CVE-2023-22374
Links to More Info: K000130415, BT1208001
1207821-1 : APM internal virtual server leaks memory under certain conditions
Links to More Info: BT1207821
Component: Access Policy Manager
Symptoms:
Memory leaks are observed while passing traffic in the internal virtual server used for APM.
Client/Backend is slow in responding to packets from the BIG-IP. Congestion is observed on the network which prompts BIG-IP to throttle egress.
Conditions:
- Traffic processing in the internal virtual server used for APM.
Impact:
TMM memory grows over time, this will lead to out of memory for TMM and eventual restart. Traffic is disrupted when TMM restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1207793-2 : Bracket expression in JSON schema pattern does not work with non basic latin characters
Links to More Info: BT1207793
Component: Application Security Manager
Symptoms:
Pattern matching in JSON schema has an issue of unable to match string in a specific pattern expression.
Conditions:
When all the following conditions are satisfied:
- a non-basic latin character is in bracket expression []
- the bracket expression is led by ^ or followed by $
- there is at least one character just before or after bracket expression
Following are examples for pattern that has issue:
- /^[€]1/
- /1[€]$/
The bracket would have multiple characters in real scenario.
Following are examples for patterns that do not have the issue:
- /^[€]/
- /[€]1/
- /^€1/
Impact:
The JSON content profile fails matching legitimate JSON token with JSON schema, resulting a false positive.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1207381 : PEM policy: configuration update of a rule flow filter with 'source port' or 'destination port' of '0' (ANY) is ignored
Links to More Info: BT1207381
Component: Policy Enforcement Manager
Symptoms:
From the following example, a PEM policy rule flow filter
matches the traffic from any source address and any port, to any destination address and port 81 (the port number is an example):
Source Address Source Port VLAN Destination Address Destination Port
0.0.0.0/0 0 ANY 0.0.0.0/0 81
When the rule is updated through the GUI or CLI to match traffic from any source address and any port, to any destination address and any port:
Source Address Source Port VLAN Destination Address Destination Port
0.0.0.0/0 0 ANY 0.0.0.0/0 0
The updated rule is correctly saved into the configuration as shown by the GUI and the CLI, but the new flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule (destination port 81 in the example).
Conditions:
An existing PEM policy rule flow filter that is updated through GUI or CLI selecting Source Port '0' ('any') and/or destination port '0' ('any').
Impact:
The updated flow filter does not filter the traffic as expected.
The actual flow filter being applied is still the one from the previous version of the policy rule.
Workaround:
- Restart TMM to make the updated flow filter effective.
or
- Remove the flow filter altogether instead of replacing it with a filter like '0.0.0.0/0:0 --> 0.0.0.0/0:0' .
The intended result is the same: the rule will catch all traffic.
or
- Create a new additional rule with port number 0 and place in higher precedence (under the same policy).
- For example, rule with precedence 10 allow flow for port 80 (instead of modifying this rule) and
- Create a new rule with precedence 9 to allow flow for port "0" and delete the old rule.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1205501-4 : The iRule command SSL::profile can select server SSL profile with outdated configuration
Links to More Info: BT1205501
Component: Local Traffic Manager
Symptoms:
Under few circumstances, an iRule selected server SSL profile can send previously configured certificate to the peer.
Conditions:
The iRule command SSL::profile is used to select a profile that is not attached to the virtual server, and changes have been made to the profile.
Impact:
The TLS handshake may use an outdated certificate that does not match the current configuration, potentially leading to handshake failures.
Workaround:
Terminate all traffic running on the virtual servers that are using the iRule command for the update to take effect.
or
Do not make changes to a profile that is actively being used by the iRule command.
Fix:
The server SSL profiles will now reloaded successfully after changes are made.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1205061-5 : DNSSEC keys removed from the configuration before expiration date when iQuery connection goes down
Links to More Info: BT1205061
Component: Global Traffic Manager (DNS)
Symptoms:
DNSSEC keys removed from the configuration before expiration date.
Conditions:
On a GTM sync group, if the iQuery connection goes down, the DNSSEC keys may be removed from the BIG-IP DNS configuration before expiration date on any BIG-IP DNS device with a gtm.peerinfolocalid value greater than zero.
Impact:
Removing KSK from the configuration before the expiration date can cause an outage if the BIG-IP administrator has not updated the DS record.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.2
1205029-1 : WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application
Links to More Info: BT1205029
Component: Access Policy Manager
Symptoms:
In some cases of WEBSSO same token is sent to different sessions in the backend.
Conditions:
WEBSSO with an OAuth Bearer token and the Cache option enabled cached tokens from a diff per-session context are flowed to the backend application
Impact:
Situations where JWTs (via WEBSSO / OAuth Bearer profile) are being sent downstream for requests which belong to a different user. The problem seems to be related to when these requests share the same client IP address. This is a big problem when clients are using NAT themselves to mask different users/sessions behind the same IP address.
Workaround:
None
Fix:
BIG-IP now clears the cache tokens when sessions are different so that new tokens are generated for different sessions.
Fixed Versions:
17.1.1, 16.1.4
1204961-1 : Improper query string handling on undisclosed pages
Links to More Info: K000132726, BT1204961
1204793-6 : Improper query string handling on undisclosed pages
Links to More Info: K000132726, BT1204793
1199025-3 : DNS vectors auto-threshold events are not seen in webUI
Links to More Info: BT1199025
Component: Advanced Firewall Manager
Symptoms:
No option to see DNS auto-threshold event logs from webUI.
Conditions:
- DNS profile configured with fully automatic mode.
Impact:
DNS auto-threshold event logs are not visible from webUI.
Workaround:
None
Fix:
Option to see the DNS auto-threshold logs is available in webUI.
Fixed Versions:
17.1.1, 15.1.10
1196537-5 : BD process crashes when you use SMTP security profile
Links to More Info: BT1196537
Component: Application Security Manager
Symptoms:
The BD process may crash when an SMTP security profile is attached to a virtual server, and the SMTP request is sent to the same virtual server.
Conditions:
- SMTP security profile is attached to VS
- SMTP request is sent to VS
Impact:
Intermittent BD crash
Workaround:
N/A
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1196477-8 : Request timeout in restnoded
Links to More Info: BT1196477
Component: Device Management
Symptoms:
The below exception can be observed in restnoded log
Request timeout., stack=Error: [RestOperationNetworkHandler] request timeout.
At ClientRequest. <anonymous> (/usr/share/rest/node/src/infrastructure/restOperationNetworkHandler.js:195:19)
Conditions:
When BIG-IP is loaded with a heavy configuration.
Impact:
SSL Orchestrator deployment will not be successful.
Workaround:
1. mount -o remount,rw /usr
2. In getDefaultTimeout : function() at /usr/share/rest/node/src/infrastructure/restHelper.js
replace 60000 with required required timeout.
3. bigstart restart restnoded
4. mount -o remount /usr
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1196185-1 : Policy Version History is not presented correctly with scrolling
Links to More Info: BT1196185
Component: Application Security Manager
Symptoms:
When higher version history is available, then modal window becomes scrollable, and gets distorted.
Conditions:
- Apply Policy multiple times.
- Open Policy Version History in General Settings ->
Version -> Date Link.
Impact:
Policy history modal window gets distorted.
Workaround:
None
Fix:
Policy version history modal window scroll displays without an issue.
Fixed Versions:
17.1.1
1196053-4 : The autodosd log file is not truncating when it rotates
Links to More Info: BT1196053
Component: Advanced Firewall Manager
Symptoms:
The autodosd file size increasing continuously irrespective of log rotation occurring every hour.
Conditions:
- DOS profiles (at Device/VS) configured with fully automatic, autodosd daemon will calculate the thresholds periodically and updates the log file with relevant logs.
Impact:
Logs are not truncated as expected. The autodosd log file size continue to increase even though it is rotated every hour.
Workaround:
Restarting autodosd daemon will truncate the log file content to zero.
Fix:
The bigstart script of autodosd deamon is updated to open the file in correct mode.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1195489-6 : iControl REST input sanitization
Links to More Info: K000137522, BT1195489
1195385-1 : OAuth Scope Internal Validation fails upon multiple providers with same type
Links to More Info: BT1195385
Component: Access Policy Manager
Symptoms:
The Claim Validation in OAuth Scope Fails when two Azure providers with different tenant ID are provided in the JWT provider list such that, the non-expected provider comes first and expected one comes later. Once failure is logged OAuth flow is redirected to Deny Page.
Conditions:
When the list of providers are sent to TMM for Signature Validation the invalid provider is sent back as response indicating that it has passed the signature validation for the access_token that has been acquired in previous steps.
There are chances where Azure as AS might be using same key ID (kid) for different tenants, so in such cases even the invalid provider passes the signature validation.
In general practice, Claim Validation Comes after Signature Validation, when the invalid provider is sent back from TMM it fails Claim Validation in APMD.
Impact:
The policy rule displays the deny page.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4
1194173-5 : BIG-IP does not block the request when a parameter as a cookie has URL encoded base64 padding value
Links to More Info: BT1194173
Component: Application Security Manager
Symptoms:
Attack signature check is not run on normalised parameter value.
Conditions:
- A parameter with location configured as a cookie is present
in the parameters list.
- Request contains the explicit parameter with URL encoded
base64 padding value.
Impact:
- Attack signature not detected.
Workaround:
None
Fix:
The attack signature check runs on normalised parameter value.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1194077 : The iRule execution FastHTTP performance degradation on r-series R10000 and higher platforms upto R12000
Links to More Info: BT1194077
Component: Performance
Symptoms:
With BIG-IP vCMP tenants running on r-series R10000 (and higher viz R12000), performance degrades when executing iRules on a virtual server configured with FastHTTP profile.
Conditions:
- Executing iRule
- FastHTTP profile is selected for virtual server
- BIP-IP vCMP tenant running on R10000 or R12000 platforms
Impact:
Performance degradation is observed.
Workaround:
None
Fix:
Performance is improved.
Fixed Versions:
17.1.1
1191137-5 : WebUI crashes when the localized form data fails to match the expectations
Links to More Info: BT1191137
Component: TMOS
Symptoms:
In the Chinese BIG-IP, when multicast rate limit field is checked (enabled) and updated, the webUI is crashing.
Conditions:
On the Chinese BIG-IP:
- Navigate to the System Tab > Configuration.
- In Configuration, select Local Traffic > General.
- In Multicast Section, enable Maximum Multicast Rate Checkbox and click on Update.
Impact:
Chinese BIG-IP webUI is crashing.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1190765-1 : VelOS | Zone Base DDOS | Aggregation, BD | Seeing Entries in sPVA Registers are not getting reset once the attack is completed
Links to More Info: BT1190765
Component: Advanced Firewall Manager
Symptoms:
In VELOS platform, the ideal timeout for HW entries is 5 mins(Hw eviction timeout). However, when you delete the VS/Zone configuration it will initiate the eviction immediately(Software eviction). In this case, the eviction does not happen as expected and causes the entry to continue to stay at sPVA for some time.
Conditions:
This issue happens when we configure Zone based DDOS with Aggregation or BD in VELOS platform.
Impact:
This issue causes the sPVA entries to stay for 5 minutes(Ideal eviction timeout) even after the Corresponding Zone configuration is deleted.
Workaround:
Not available
Fix:
The issue is with handling software eviction cases in the Zone scenario. The code is updated to handle the software eviction in a similar way as the virtual server scenario.
Fixed Versions:
17.1.1
1190365-1 : OpenAPI parameters with type:object/explode:true/style:form serialized incorrectly
Links to More Info: BT1190365
Component: Application Security Manager
Symptoms:
The method used by ASM enforcer to serialize an OpenAPI object configured with "style:form", "explode:true", and "type:object" is not functioning as expected.
Conditions:
Repeated occurrences of parameter names in the query string with "type:object/explode:true/style:form" configured OpenAPI file.
Impact:
The violation "JSON data does not comply with JSON schema" is raised due to the repeated parameters from the query string with "array" configuration.
Workaround:
None
Fix:
The enforcer serializes the OpenAPI object correctly, no violation reported.
Note: In case of single occurrence of a parameter name in query string, it will be handled as a primitive (non-array) type.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1190353-4 : The wr_urldbd BrightCloud database downloading from a proxy server is not working
Links to More Info: BT1190353
Component: Policy Enforcement Manager
Symptoms:
Downloading BrightCloud database is not working with the proxy.
Conditions:
BrightCloud database download through Proxy management.
Impact:
URL categorization disruption as database not getting downloaded.
Workaround:
None
Fix:
Added the proxy settings in wr_urldbd BrightCloud database.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1190025-3 : The OAuth process crash
Links to More Info: BT1190025
Component: Access Policy Manager
Symptoms:
The Oauth process crashes and you may observe the following log in /var/log/messages
Nov 4 06:24:56 <hostname> notice logger[16306]: Started writing core file: /var/core/oauth.bld0.175.14.core.gz for PID 20854
Conditions:
Unknown
Impact:
OAuth stopped working.
Fixed Versions:
17.1.2, 16.1.5
1189865-5 : "Cookie not RFC-compliant" violation missing the "Description" in the event logs
Links to More Info: BT1189865
Component: Application Security Manager
Symptoms:
When a request is blocked due to "Cookie not RFC-compliant' violation, the description field in the request log details is shown as "N/A" instead of having the description (for example "Invalid equal sign preceding cookie name" or "Invalid space in cookie name").
Conditions:
-- The violation is blocked due to "Cookie not RFC-compliant" violation
-- Looking at the request log details.
Impact:
The description is empty it is not possible to determine what is the problem with the request.
Workaround:
None
Fix:
After the fix, the description is shown in the request log details in the description field
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1189513-6 : SIP media flow pinholes are not created if SDP MIME multipart body part miss the content-length header
Links to More Info: BT1189513
Component: Service Provider
Symptoms:
The SIP MRF failed to extract the SDP data and not created media flow pinholes, if SDP Multipurpose Internet Mail Extensions (MIME) multipart body is not generated with content-length header.
Conditions:
An INVITE message contained a MIME multipart payload and body parts miss content-length header.
Impact:
Media flow pinholes are not created.
Workaround:
None
Fix:
The SIP MRF extracts the SDP information and media flow pinholes are created on the BIG-IP even when the SDP MIME body part does not have a content-length header.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1189465-1 : Edge Client allows connections to untrusted APM Virtual Servers
Links to More Info: K000132539, BT1189465
1189461-1 : BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-36858
Links to More Info: K000132563, BT1189461
1188417-4 : OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
Links to More Info: BT1188417
Component: Access Policy Manager
Symptoms:
Kerberos SSO fails, and BIG-IP may reboot or become unresponsive with the following error log in /var/log/apm.
err websso.7[8608]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
Conditions:
-- WebSSO is configured
Impact:
Traffic is disrupted while the system reboots or becomes unresponsive.
Workaround:
None
Fix:
Proper locking mechanisms have been introduced to prevent race conditions in multi-threaded WebSSO environments for the RAND_bytes API used in the OpenSSL crypto library.
Fixed Versions:
17.1.2, 16.1.5
1186925-6 : When FUA in CCA-i, PEM does not send CCR-u for other rating-groups
Links to More Info: BT1186925
Component: Policy Enforcement Manager
Symptoms:
When Final Unit Action (FUA) in CCA-i, the traffic is immediately blocked for that rating-group.
But, PEM does not send CCR-u for other rating-groups any more, which causes all other rating-groups traffic to pass through.
If FUA in CCA-u, everything works as expected.
Conditions:
When FUA received in in CCA-i.
Impact:
PEM receives FUA redirect first and ignores further requests.
Workaround:
Use iRule to remove FUA in CCA-i.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1186789-4 : DNSSEC keys stored on an internal FIPS card do not work after upgrading to versions >= 16.x
Links to More Info: BT1186789
Component: Global Traffic Manager (DNS)
Symptoms:
DNSSEC signatures are not generated after the upgrade.
Conditions:
DNSSEC key stored on FIPS card;
and
Upgrade to versions >= 16.x.
Impact:
DNSSEC signing will not work.
Workaround:
Edit bigip_gtm.conf and update the key generation handles to match the first 32-hex characters of the key modulus and then run these commands:
# tmsh load sys config gtm-only
# bigstart restart gtmd
(OR)
Before the upgrade, modify the key handle as mentioned above and then reload the config with 'tmsh load sys config gtm-only'
Fixed Versions:
17.1.1, 16.1.5
1186661-1 : The security policy JSON profile created from OpenAPI file should have value "any" for it's defense attributes
Links to More Info: BT1186661
Component: Application Security Manager
Symptoms:
The JSON profile of security policy created from OpenAPI file has defense attributes required for JSON content validation. Defense attributes created with default values specific to each defense attribute. The default values can be incorrect, thus by default JSON defense attributes should not be enforced and they should have value "any".
Conditions:
- Creating JSON profile from OpenAPI file.
Impact:
Security policy created from OpenAPI file may enforce some requests with JSON content while it was not required by OpenAPI file.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1186401-4 : Using REST API to change policy signature settings changes all the signatures.
Links to More Info: BT1186401
Component: Application Security Manager
Symptoms:
When you use iControl REST to modify the signatures associated with a policy, the modifications are applied to all the signatures.
Conditions:
-- Create a policy named 'test'
-- Associate a signature set like "SQL Injection Signatures" to the policy
For example, remove the "Generic Detection Signatures (High/Medium Accuracy)" set
-- Look at the low-risk signatures associated with the policy
Commmand:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' | jq . | head
-- Turn off staging for these signatures:
Commands:
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": false }' -X PATCH | jq . | head
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low' -d '{ "performStaging": true }' -X PATCH | jq . | head
-- The "totalItems" shows that 187 signatures were changed
Impact:
The user was unable to leverage the REST API to make the desired changes to the ASM signature policy.
Workaround:
Add 'inPolicy eq true' to the filter
Command :
curl -sku admin:admin 'https://localhost/mgmt/tm/asm/policies/MrLpFzRHNarvj_zuAOD0fw/signatures?$expand=signatureReference&$filter=signature/risk+eq+low+and+inPolicy+eq+true' -d '{ "performStaging": false }' -X PATCH | jq . | head
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1185421-8 : iControl SOAP uncaught exception when handling certain payloads
Links to More Info: K000133472, BT1185421
1185257-6 : BGP confederations do not support 4-byte ASNs
Links to More Info: BT1185257
Component: TMOS
Symptoms:
The BGP confederations do not support 4-byte AS numbers. Only 2-byte ASNs are supported.
Conditions:
Using BGP confederations.
Impact:
Unable to configure 4-byte AS number under BGP confederation.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1184841-6 : Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API
Links to More Info: BT1184841
Component: Application Security Manager
Symptoms:
Header Based Content Profile is synced differently to peer unit in auto-sync mode, when updating URL through REST API.
Conditions:
- ASM-Sync enabled
- Auto-Sync enabled
- Updating URL through REST API
Impact:
Configuration will be de-synced.
Workaround:
Use TMUI to update configuration.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1183901 : VLAN name greater than 31 characters results in invalid F5OS tenant configuration
Links to More Info: BT1183901
Component: TMOS
Symptoms:
VLAN names 32 characters or longer results in invalid BIG-IP tenant configuration, and mcpd errors.
01070712:3: Internal error, object is not in a folder: type: vlan id: /Common/this_is_a_very_long_vlan_name_32
On F5OS tenants, mcpd, devmgmtd and lind restart in a loop.
Conditions:
VLAN with a name that is 32 characters or longer is assigned to a BIG-IP tenant.
Impact:
-- Invalid configuration
-- mcpd errors
-- Blank VLAN name in webUI of tenant
Workaround:
Use shorter VLAN names, with a maximum of 31 characters.
Fixed Versions:
17.1.1, 15.1.10
1182353-6 : DNS cache consumes more memory because of the accumulated mesh_states
Links to More Info: BT1182353
Component: Global Traffic Manager (DNS)
Symptoms:
DNS cache consumes more memory and the mesh_states are accumulated quickly.
Conditions:
Mixed queries with rd flag set and cd flag set/unset.
Impact:
TMM runs out of memory.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1181757-7 : BGPD assert when sending an update
Links to More Info: BT1181757
Component: TMOS
Symptoms:
BGPD might trip an assert when sending an update to a peer.
Conditions:
Large number of prefixes advertised to a peer (~800). This happens rarely, as it requires a specific update layout.
Impact:
BGPD may crash or core.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.2, 16.1.5
1180365-3 : APM Integration with Citrix Cloud Connector
Links to More Info: BT1180365
Component: Access Policy Manager
Symptoms:
-- Configure Citrix cloud connector instead of Citrix Delivery controller to publish apps and desktops from the cloud configured using DaaS.
-- Apps/Desktop will not be published.
Conditions:
-- Citrix cloud connector is used to publish apps instead of Citrix Delivery controller
-- The user clicks on the App/Desktop
Impact:
The cloud connector sends an empty response, and users will not be able to publish any Apps/Desktops in webtop which are published through Citrix Cloud Connector.
Workaround:
None
Fix:
After integration of APM with Citrix Cloud Connector, the user is able to publish Apps/Desktops which are published through Citrix Cloud Connector.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1174085-7 : Spmdb_session_hash_entry_delete releases the hash's reference
Links to More Info: BT1174085
Component: Policy Enforcement Manager
Symptoms:
Tmm crashes while passing traffic. Multiple references accessing and trying to modify the same entry
Conditions:
BIG-IP passing certain network traffic.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Delete the entry for every reference
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1173493-2 : Bot signature staging timestamp corrupted after modifying the profile
Links to More Info: BT1173493
Component: Application Security Manager
Symptoms:
Bot signature timestamp is not accurate.
Conditions:
Have a bot signature "A" in staging, record the timestamp.
Using webUI, set another bot signature "B" to be in staging and click Save.
The time stamp on "A" is updated and shows the year 1970 in webUI.
Impact:
Can not verify from when the signature was in staging.
Workaround:
Use TMSH, instead of webUI, to update the profile.
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1168157-1 : OpenAPI: Special ASCII characters in "schema" block should not be converted to UTF8
Links to More Info: BT1168157
Component: Application Security Manager
Symptoms:
Content of "schema" entry in OpenAPI file is source of new "JSON schema validation file" created in security policy based on OpenAPI file. This content of "schema" entry is converted to UTF8 encoding to fulfil requirements of "JSON schema" requirements. In case "schema" entry contain ASCII special characters those characters should not be converted to UTF8.
Conditions:
ASCII special characters found under schema entry in OpenAPI file
Impact:
The entity "JSON schema validation file" in security policy will not be created for "schema" entry that contain special ASCII characters.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1167985-3 : Network Access resource settings validation errors
Links to More Info: BT1167985
Component: Access Policy Manager
Symptoms:
When trying to add "0.0.0.0/1" under the IPV4 LAN Address Space and in a Network Access resource, the UI would throw such error:
"Invalid IP or Hostname"
When trying to add DNS Exclude Address Space starting with an underscore (such as "_ldap._tcp.dc._msdcs.test.lan"), the UI would throw such error:
01b7005b:3: APM Network Access (/Common/test) DNS name (_ldap._tcp.dc._msdcs.test.lan) is not a valid domain name
Conditions:
Use a Network Access resource in split tunneling mode.
Add "0.0.0.0/1" under the IPV4 LAN Address Space
Add DNS Exclude Address Space starting with an underscore
Impact:
Administrators could not correctly configure some network access resource settings.
Fixed Versions:
17.1.1, 16.1.4
1167949-2 : Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading is not working on hardware
Links to More Info: BT1167949
Component: Advanced Firewall Manager
Symptoms:
Vectors "IPv6 fragmented" and "IPv6 atomic fragment" offloading is not working on hardware. It is working as expected on software.
Conditions:
Offloading vectors.
Impact:
Hardware offload is not successful for "IPv6 fragmented" and "IPv6 atomic fragment" vectors.
Workaround:
None
Fix:
Hardware offload is performed correctly for "IPv6 fragmented" and "IPv6 atomic fragment" vectors.
Fixed Versions:
17.1.1, 15.1.9
1167929-6 : CVE-2022-40674 - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c
1167897-9 : [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c
1166261-1 : HTTP/2 should not translate "Host" header to ":authority" pseudo-header in response
Links to More Info: BT1166261
Component: Local Traffic Manager
Symptoms:
BIG-IP inserts ":authority" pseudo-header within client-side response when receiving a server response containing a Host header in the response.
Host header in a HTTP/1.1 response is not in violation of RFC; however, a HTTP/2 response with an ":authority" pseudo-header is in violation of RFC7540.
Conditions:
Virtual server with a HTTP/2 profile applied with client-side context.
This configuration would translate HTTP/2 requests from client-side to HTTP/1.1 on server-side.
Impact:
HTTP/2 response must only have the ":status" pseudo-header in the response.
HTTP/2 responses containing any other pseudo-headers, such as ":authority", is considered malformed and those connections will be rejected.
Workaround:
Consider using an iRule to remove the Host header when it arrives from the server. The following iRule can be created and applied to the virtual server:
when HTTP_RESPONSE {
HTTP::header remove Host
}
Fixed Versions:
17.1.2
1160805-4 : The scp-checkfp fail to cat scp.whitelist for remote admin
Links to More Info: BT1160805
Component: TMOS
Symptoms:
Attempt SCP file to BIG-IP:
/shared/images
root user success
remote admin user fails, following is an example:
$ scp test.iso apiuser@10.201.69.106:/shared/images
Password:
cat: /co: No such file or directory
cat: fig/ssh/scp.whitelist: No such file or directory
"/shared/images/test.iso": path not allowed
Conditions:
-- Running BIG-IP version with fix for ID 1097193.
-- Create remote admin user.
-- Use SCP command to transfer a file to remote admin user path.
Impact:
SCP command is not working for the remote admin users.
Workaround:
None
Fix:
Issue is with the Internal Field Separation (IFS) environment variable from /bin/scp-checkfp file. Following is an example for IFS:
IFS=$"\n" -->
This means, it expects a string character.
It should expect a character value to read the paths from the SCP files.
IFS=$'\n' -->
This means, it expects a character.
Fixed Versions:
17.1.2, 16.1.4, 15.1.9
1156889-5 : TMM 'DoS Layer 7' memory leak during Bot Defense redirect actions
Links to More Info: BT1156889
Component: Application Security Manager
Symptoms:
When using bot-defense profile with a browser verification and performing redirect actions, there is a memory leak in TMM.
Conditions:
- The bot-defense profile with "Verify After Access" or "Verify Before Access" browser verification is configured.
- Surfing using a browser, during grace period (5 Minutes after config change) to a non-qualified URL, or configuring "Validate Upon Request" in "Cross Domain Requests" configuration, and configuring A and B as "Related Site Domains".
- Surfing using a browser from Domain A to Domain B.
Impact:
Degraded performance, potential eventual out-of-memory.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1156753 : Valid qname DNS query handled as malformed packets in hardware (qnames starting with underscore )
Links to More Info: BT1156753
Component: Advanced Firewall Manager
Symptoms:
'DNS malformed' DoS vector drops valid DNS queries for qnames that begin with an underscore character.
Conditions:
DoS is being offloaded in hardware.
Impact:
Legitimate DNS queries are dropped by the DoS engine.
Workaround:
-- Disable hardware DoS acceleration for all vectors (dos.forceswdos).
or:
-- Disable this specific DoS vector.
-- In some cases, if the request is sent from a known valid IP, you can also add this IP address to an allow list; however, this will bypass all DoS vectors for this IP address.
Fix:
'DNS malformed' DoS vector correctly handles valid DNS queries for qnames that begin with an underscore character.
Fixed Versions:
17.1.1
1155861-3 : 'Unlicensed objects' error message appears despite there being no unlicensed configuration
Links to More Info: BT1155861
Component: TMOS
Symptoms:
Following error message appears in the GUI:
This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.
Conditions:
- The primary blade disabled manually using the following TMSH command:
modify sys cluster default members { 1 { disabled } }
Impact:
Failed to load the license on disabled slot from primary slot.
Workaround:
Execute the following command on disabled slot:
rm /var/db/mcpdb.*
bigstart restart mcpd
Note: This causes a system to go offline while services restart. Traffic disrupted while services restart.
or
Execute command "reloadlic" which reloads the license into the current MCPD object.
Fix:
None
Fixed Versions:
17.1.1, 15.1.9
1154381-6 : The tmrouted might crash when management route subnet is received over a dynamic routing protocol
Links to More Info: BT1154381
Component: TMOS
Symptoms:
The tmrouted might crash when management route subnet is received over a dynamic routing protocol.
Conditions:
- Management route subnet is received over a dynamic routing protocol.
- Multi-bladed VIPRION.
- Blade failover or IP address change occurs.
Impact:
Dynamic routes are lost during tmrouted restart.
Workaround:
Do not advertise a management subnet over a dynamic routing protocol towards BIG-IP. Use route-map to suppress incoming update.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1154313-3 : TMM crash due to rrsets structure corruption
Links to More Info: BT1154313
Component: Global Traffic Manager (DNS)
Symptoms:
Tmm crashes.
Conditions:
- DNS module is provisioned
- The DNS-Express (DNSX) feature is configured with at least one DNS zone
- DNSX is used to try to resolve a DNS query received via a DNS listener
- DNSX is enabled as a resolver method in the DNS profile associated with the DNS listener.
- The DNS query is received on one tmm thread while another tmm thread is updating the DNSX database files
The DNSX database files are updated whenever DNSX performs a zone transfer, or when a new zone is added or one removed from the DNSX configuration.
TMM handling dns request while another tmm thread is reloading dns db files (for example, after performing a zone transfer, or when adding/removing a zone from the configuration) This issue primarily affects the DNS module, but it also affects LTM when DNS caching is enabled, such as when using a DNS resolver.(see K12140128)
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.2
1153969-6 : Excessive resource consumption when processing LDAP and CRLDP auth traffic
Links to More Info: K000134516, BT1153969
1148113-1 : The websocket_ep_send_down_ws_message does an extra websockets_frame release
Links to More Info: BT1148113
Component: Local Traffic Manager
Symptoms:
TMM crashes due to memory corruption.
Conditions:
- MQTT Over Websockets configuration in End-to-End mode
- Server should send sufficient traffic to cause congestion on the client-side
Impact:
Traffic disrupted while TMM restarts.
Workaround:
None
Fixed Versions:
17.1.2
1148009-8 : Cannot sync an ASM logging profile on a local-only VIP
Links to More Info: BT1148009
Component: Application Security Manager
Symptoms:
If an ASM profile, such as a logging profile is applied to a virtual that is local-only, then the state changes to "Changes Pending" but configuration sync breaks.
Conditions:
- ASM provisioned
- high availability (HA) pair
- ASM profile, such as a logging profile is applied to a virtual that is local-only.
Impact:
The state changes to "Changes Pending" but configuration sync breaks.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1147849-6 : Rest token creation does not follow all best practices
Component: TMOS
Symptoms:
No input sanitization for X-Forwarded-For header.
Conditions:
X-Forwarded-For accepts any input values in /mgmt/shared/authn/login endpoint and the same was stored in auth token.
Impact:
Any malicious texts can be stored as part of the token.
Workaround:
Pass only valid addresses in X-forwarded-for
Fix:
Only valid X-Forwarded-For data (IPV4 and IPv6 address) are allowed to persist in the auth token. All other contents are filtered out.
Fixed Versions:
17.1.2, 16.1.5
1147633-3 : Hardening of token creation by users with an administrative role
Component: TMOS
Symptoms:
Using certain endpoints, a user with an administrative role can generate tokens for noneligible users.
Conditions:
A user with an administrative role and access to certain iControl REST endpoints.
Impact:
Undisclosed
Workaround:
Ensure that only trusted users are given administrative roles.
Fix:
Token creation for non-eligible users is now disallowed.
Fixed Versions:
17.1.1, 16.1.5
1147621-3 : AD query do not change password does not come into effect when RSA Auth agent used
Links to More Info: BT1147621
Component: Access Policy Manager
Symptoms:
When RSA auth along with AD query is used the Negotiate login page checkbox "Do not change password" is not working as expected.
Even though "Do not change password" is checked the AD query is receiving F5_challenge post parameter with earlier RSA auth agent OTP content, And PSO criteria would not meet.
So when they click on "logon", it states 'The domain password change operation failed. Your new password must be more complex to meet domain password complexity requirements' and prompts for the fields "New password" and "verify password" again.
Conditions:
RSA Auth with OTP along with AD query agent with the negotiate logon page.
Impact:
User readability/experience even though "Do not change password" is checked it prompts as if user entered the logon credentials.
Workaround:
If you click on "logon" again in the Negotiate page, it goes to the webtop (next agent) with the previous logon or last logon credentials.
Fix:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1146377-6 : FastHTTP profiles do not insert HTTP headers triggered by iRules
Links to More Info: BT1146377
Component: Local Traffic Manager
Symptoms:
Virtual servers configured with the FastHTTP profile will not insert HTTP headers even when triggered by iRules.
Conditions:
A virtual server configured with FastHTTP, and an iRule that would insert an HTTP header.
Impact:
The expected headers will not be inserted on packets sent to servers.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1145989-3 : ID token sub-session variables are not populated
Links to More Info: BT1145989
Component: Access Policy Manager
Symptoms:
When refresh token is used, ID token sub-session variables are not populated.
Conditions:
- Configured APM as OAuth Client in per-request policy.
- OIDC is enabled.
- After token expires and refresh token is used to fetch new token (grant_type=refresh_token).
Impact:
The sub-session variables related to the ID token are not populated when APM per-request policy uses a refresh token to request a new access token and ID token.
Workaround:
None
Fix:
The sub-sessions of ID token populated in refresh token use-case.
Fixed Versions:
17.1.2, 16.1.5
1145729-2 : Partition description between GUI and REST API/TMSH does not match
Links to More Info: BT1145729
Component: TMOS
Symptoms:
When creating a partition with a description via the REST API, the description is not shown in the GUI.
For example:
[root@ltm1:Active:Standalone] config # curl -sku admin:<pass> -X POST https://localhost/mgmt/tm/auth/partition/ -H 'Content-Type: application/json' --data '{"name": "partition1", "description": "this is partition 1"}'
{
"kind": "tm:auth:partition:partitionstate",
"name": "partition1",
"fullPath": "partition1",
"generation": 154,
"selfLink": "https://localhost/mgmt/tm/auth/partition/partition1?ver=14.1.5.2",
"defaultRouteDomain": 0,
"description": "this is partition 1"
}
The description "this is partition 1" is not visible when viewing the partition1 object in the GUI at System >> Users >> Partition List.
Similarly, a partition description entered via the GUI is not retrieved with a REST API call to /mgmt/tm/auth/partition.
A partition description updated via the GUI is not retrieved with TMSH.
Conditions:
-- Partition description
-- GUI
-- REST API
-- TMSH
Impact:
GUI and REST API partition descriptions are inconsistent.
GUI and TMSH partition descriptions are inconsistent.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1145361-1 : When JWT is cached the error "JWT Expired and cannot be used" is observed
Links to More Info: BT1145361
Component: Access Policy Manager
Symptoms:
When JWT is cached, then the error "JWT Expired and cannot be used" is observed.
Conditions:
WebSSO is used with bearer option to generate JWT tokens.
Impact:
No impact.
Workaround:
None
Fix:
Removed the lee way default configured static value internally.
Proper fix would be to provide a leeway configuration option.
Fixed Versions:
17.1.1, 16.1.4
1144497-5 : Base64 encoded metachars are not detected on HTTP headers
Links to More Info: BT1144497
Component: Application Security Manager
Symptoms:
Base64 encoded illegal metachars are not detected.
Conditions:
No specific condition.
Impact:
False negative, illegal characters are not detected and request not blocked.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1144117-5 : "More data required" error when using the 'HTTP::payload' and 'HTTP::payload length' commands
Links to More Info: BT1144117
Component: Local Traffic Manager
Symptoms:
The "More data required" TCL error may occur and the connection may be terminated prematurely when using the 'HTTP::payload' or 'HTTP::payload length' commands.
Conditions:
Using the 'HTTP::payload' or 'HTTP::payload length' TCL commands.
Impact:
Some HTTP transactions might fail.
Workaround:
Do not use the 'HTTP::payload' or 'HTTP::payload length' TCL commands.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1144013-1 : Policy import fails with Lock wait timeout exceeded ASM subsystem error
Links to More Info: BT1144013
Component: Application Security Manager
Symptoms:
On an intermittent basis,Users are encountering the following ASM subsystem error when trying to import their security policy:
/var/log/asm:Jul 28 08:40:18 waf-editor01 crit g_server_rpc_handler.pl[25893]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): DBD::mysql::db do failed: Lock wait timeout exceeded; try restarting transaction at /usr/local/share/perl5/F5/CommonUpgrade/ForeignKeyMismatch.pm line 45.
Conditions:
-- ASM provisioned
-- Import a policy
Impact:
Policy import fails and requires a re-try
Workaround:
Re-try the import, possibly several times
Fixed Versions:
17.1.2
1142389-2 : APM UI report displays error "Error Processing log message ..." when the log contains some special character received in client request
Links to More Info: BT1142389
Component: Access Policy Manager
Symptoms:
Following message is displayed in APM Access Report:
"Error Processing log message. Original log_msg in database"
Conditions:
Checking APM Access Report while accessing VPN.
Impact:
Unable to see correct log messages in APM Access Report.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1137993-6 : Violation is not triggered on specific configuration
Links to More Info: BT1137993
Component: Application Security Manager
Symptoms:
The HTTP compliance violation is not triggered for the unparsable requests due to a specific scenario.
Conditions:
A microservice is configured in the security policy.
Impact:
Specific violation is not triggered. A possible false negative.
Workaround:
It is possible to do an irule workaround that checks the length of the URL and issues a custom violation.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1137717-6 : There are no dynconfd logs during early initialization
Links to More Info: BT1137717
Component: Local Traffic Manager
Symptoms:
Regardless of the log level set, the initial dynconfd log entries are not displayed.
Setting the dynconfd log level (through DB variable or /service/dynconfd/debug touch file) will not catch the early logging during startup.
Conditions:
This occurs when using FQDN nodes or pool members on affected BIG-IP versions.
Impact:
Missing some informational logging from dynconfd during startup.
Workaround:
None
Fix:
The dynconfd logs are now logged at default (info) level during initial startup of the dynconfd process.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1137677-3 : GTMs in a GTM sync group have inconsistent status for 'require M from N' monitored resources
Links to More Info: BT1137677
Component: Global Traffic Manager (DNS)
Symptoms:
Inconsistent status for resources on multiple GTMs in the same GTM sync group.
Conditions:
The 'require M from N' rule is configured for the monitored resources.
Impact:
Inconsistent resource status.
Workaround:
None
Fixed Versions:
17.1.1, 15.1.9
1137569-5 : Set nShield HSM environment variable.
Links to More Info: BT1137569
Component: Global Traffic Manager (DNS)
Symptoms:
The HSM Management fail to set a makepath.
Conditions:
When nShield HSM is configured .
Impact:
GTM rfs-sync fail.
Workaround:
N/A.
Fix:
Sync issue is fix.
Fixed Versions:
17.1.2, 16.1.5, 15.1.10
1137245-2 : Issue with injected javascript can cause an error in the browser.
Links to More Info: BT1137245
Component: Application Security Manager
Symptoms:
DosL7 module injected javascript causes an error on the browser when some conditions apply.
Conditions:
Specific response-side conditions can cause this error to appear in the browser console.
Impact:
Website malfunction with errors.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1137217-4 : DNS profile fails to set TC flag for the responses containing RRSIG algorithm 13
Links to More Info: BT1137217
Component: Global Traffic Manager (DNS)
Symptoms:
DNS express sends a malformed response when the UDP size limit is set to 512.
Conditions:
- The UDP size limit is set to 512 and a zone signed with algorithm 13 (ECDSA Curve P-256 with SHA-256), the DNS express responds with a malformed packet.
- Malformed responses were also seen without DNSSec; when the message size was equal to the EDNS buffer size advertised by the client.
--Malformed response for nslookup without DNSSec.
Impact:
Malformed DNS express responses are received when the UDP size limit is set to exactly 512 and a zone is signed with algorithm 13.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1136921-6 : BGP might delay route updates after failover
Links to More Info: BT1136921
Component: TMOS
Symptoms:
The BGP might delay route updates after failover.
Conditions:
- The BGP configured on an High Availability (HA) pair of BIG-IP devices.
- The BGP redistributing kernel routes.
- Failover occurs.
Impact:
New active unit might delay route advertisement up to 15 sec.
New standby unit might delay route withdrawal up to 15 sec.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1136837-5 : TMM crash in BFD code due to incorrect timer initialization
Links to More Info: BT1136837
Component: TMOS
Symptoms:
TMM crashes in BFD code due to incorrect timer initialization.
Conditions:
- BFD configured
- Multi-bladed system
- One of blades experiences failure.
Impact:
Crash or core.
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1135961-6 : The tmrouted generates core with double free or corruption
Links to More Info: BT1135961
Component: TMOS
Symptoms:
A tmrouted core is generated.
Conditions:
The system is a multi-blade system.
Impact:
A tmrouted core is generated. There are no other known impacts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1134509-5 : TMM crash in BFD code when peers from ipv4 and ipv6 families are in use.
Links to More Info: BT1134509
Component: TMOS
Symptoms:
TMM crashes in BFD code when peers from ipv4 and ipv6 families are in use.
Conditions:
- BFD configured
- Mixed IPv4 and IPv6 peers.
Impact:
Crash or core
Workaround:
None.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1134057-6 : BGP routes not advertised after graceful restart
Links to More Info: BT1134057
Component: TMOS
Symptoms:
The BGP routes not advertised after a graceful restart.
Conditions:
The BGP with graceful restart configured.
Impact:
The BGP routes not advertised after graceful restart.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1133997-4 : Duplicate user-defined Signature Set based on untagged signatures is created upon policy clone or import
Links to More Info: BT1133997
Component: Application Security Manager
Symptoms:
A duplicate user-defined Signature Set is created upon policy import or cloning when the Set has a filter using untagged signatures.
Conditions:
A policy using a user-defined Signature Set with a filter using untagged signatures is exported.
Impact:
A duplicate user-defined Signature Set is created upon policy import or cloning.
Workaround:
Modify the policy to use the original Signature Set, and then delete the duplicated Signature Set.
Fixed Versions:
17.1.1, 16.1.4
1133557-7 : Identifying DNS server BIG-IP is querying to resolve LTM node FQDN name
Links to More Info: BT1133557
Component: Local Traffic Manager
Symptoms:
When the BIG-IP (dynconfd process) is querying a DNS server, dynconfd log messages do not identify which server it is sending the request to. When more than one DNS server is used and there is a problem communicating with one of them, it might be difficult for system admin to identify the problematic DNS server.
Conditions:
This occurs when using FQDN nodes or pool members on affected BIG-IP versions.
Impact:
There are no show commands or log displaying which DNS is currently being used to resolve LTM node using FQDN. Problems with communications between the BIG-IP and DNS server(s) may be more difficult to diagnose without this information.
Workaround:
You can confirm which DNS server is being queried by monitoring DNS query traffic between the BIG-IP and DNS server(s).
Fix:
The DNS server being queried to resolve LTM node FQDN names is now logged by default in the /var/log/dynconfd.log file.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1133201-2 : Disabling a GTM pool member results in the same virtual server no longer being monitored in other pools
Links to More Info: BT1133201
Component: Global Traffic Manager (DNS)
Symptoms:
If you disable a GTM pool member in one of the pools, monitoring appears to be disabled for the members in the other pools.
Incorrect probe behavior when toggling or untoggling the monitor-disabled-objects GTM global setting.
Conditions:
- Same virtual server or monitor combination is used in multiple GTM pools.
- Disable the GTM pool member in one of the pool.
Impact:
Incorrect pool monitoring..
Workaround:
Enable the 'Monitor Disabled Objects' or, assign a different monitor to pools.
Fixed Versions:
17.1.1, 16.1.5
1132981-5 : Standby not persisting manually added session tracking records
Links to More Info: BT1132981
Component: Application Security Manager
Symptoms:
The Session tracking records, with Infinite Block-All period, have an expiration time on the Standby unit after sync.
Conditions:
ASM provisioned
Session Tracking enabled
session tracking records, with Infinite Block-All period, are added
Impact:
Infinite Session Tracking records being removed from standby ASMs.
Workaround:
Use auto-sync DG (instead of manual sync).
After changing the configuration on UI at Security->Application Security: Sessions and Logins: Session Tracking.
You must "Apply Policy" and wait for the DG status to become In-Sync before adding new data-points on UI at Security->Reporting: Application: Session Tracking Status.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1132801-2 : Database monitor marks pool member down if 'send' is configured but no 'receive' strings are configured
Links to More Info: BT1132801
Component: Local Traffic Manager
Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.
Conditions:
-- An LTM pool or pool members is configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.
For BIG-IP versions earlier than v17.0.0, this issue has been addressed under ID912517.
Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.
Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).
Fix:
Database monitor no longer marks pool member down if 'send' is configured but no 'receive' strings are configured.
Fixed Versions:
17.1.1
1132741-7 : Tmm core when html parser scans endless html tag of size more then 50MB
Links to More Info: BT1132741
Component: Application Security Manager
Symptoms:
Tmm core, clock advanced by X ticks printed
Conditions:
- Dos Application or Bot defense profile assigned to a virtual server
- Single Page Application or Validate After access.
- 50MB response with huge html tag length.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
Exclude html parser for url in question.
tmsh modify sys db dosl7.parse_html_excluded_urls value <url>
Fix:
Break from html parser early stage for long html tags
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1132697-5 : Use of proactive bot defense profile can trigger TMM crash
Links to More Info: BT1132697
Component: Application Security Manager
Symptoms:
TMM crash is triggered.
Conditions:
This causes under a rare traffic environment, and while using a proactive bot defense profile.
Impact:
The TMM goes offline temporarily or failover. Traffic disruption can occur.
Workaround:
Remove all proactive bot defense profiles from virtuals.
Fix:
TMM no longer crashes in the scenario.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1132105-6 : Database monitor daemon (DBDaemon) uses unsupported Java version
Component: Local Traffic Manager
Symptoms:
The BIG-IP database monitor daemon DBDaemon depends on Java 7, and is built using OpenJDK 1.7.0.
Security Support for Java 7 / OpenJDK 1.7.0 ended Ended 01 Jul 2019.
Current versions of components which operate within the Java runtime environment are not supported by Java 7.
Such components include JDBC (Java DataBase Connectivity) drivers which implement vendor-specific functionality to support multiple database implementations within a common Java-base programming environment.
Conditions:
This component provide core functionality for the following BIG-IP LTM and GTM monitor types:
-- mssql
-- mysql
-- oracle
-- postgresql
Impact:
The BIG-IP database monitor daemon DBDaemon does not benefit from updates to the Java runtime environment or other Java components (such as vendor-specific JDBC drivers).
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1128505-3 : HTTP::disable/enable sequence before first request may result in premature HUDEVT_ACCEPTED to proxy
Links to More Info: BT1128505
Component: Local Traffic Manager
Symptoms:
The ORBIT framework added HUDEVT_ACCEPTED handling through hud_orbit_accepted_handling. This allows ORBIT to move releasing HUDEVT_ACCEPTED from the filter to ORBIT, HTTP adopted this new feature.
When HTTP is disabled, HUDEVT_ACCEPTED handling is explicitly disabled by HTTP when going into passthru, subsequent enabling of HTTP does not restore this handling. If this sequence happens prior to the first HTTP request, then HUDEVT_ACCEPTED is released prematurely up the chain, thus the server-side connection may be established before the first request is processed. Attempts to manipulate the LB criteria at that point may fail due to the criteria being locked, this may result in the connection being RST with an "Address in use" reset cause.
Conditions:
-- HTTP Virtual server
-- HTTP::disable is called from CLIENT_ACCEPTED and the subsequently re-enabled before the first request arrives at HTTP in CLIENTSSL_HANDSHAKE
Impact:
Connection is reset with "Address in use" reset cause.
Workaround:
None
Fix:
N/A
Fixed Versions:
17.1.1, 16.1.4
1128369-2 : GTM (DNS) /Common/bigip monitor instances may show 'big3d: timed out' state
Links to More Info: BT1128369
Component: Global Traffic Manager (DNS)
Symptoms:
On affected versions of BIG-IP DNS, targets monitored with a "bigip" type monitor may show as 'big3d: timed out', or flap between that state and green.
While there can be many causes of the 'big3d: timed out' state (which indicates that a GTM monitor probe reply was expected, but not received within the timeout period), this particular cause is due to the order that the probes are sent, resulting in a bunching effect, where all the probes related to the same big3d (LTM) device are sent in rapid succession, leading to the message buffer between big3d and mcpd on the LTM becoming congested.
When gtmd schedules monitor probes, all the probes with the same interval are grouped together and spread out across the interval period. The issue is that within that list, monitors for the same gtm server can be grouped together, causing them to be sent to big3d in rapid succession.
When this happens, some of the messages relating to BIG-IP monitor probes may be dropped, and no response is sent back to the members of the GTM sync group.
Conditions:
- Running an affected version of BIG-IP DNS (versions that include the changes from ID863917)
- Use of a /Common/bigip monitor probe type
- Monitoring of sufficient targets per LTM to cause the message buffer between big3d and mcpd to fill (there is no indication or log message when this has happened)
Impact:
DNS (GTM) monitored targets that use a /Common/bigip probe type may be incorrectly marked down with a state of 'big3d: timed out'.
Note that this is not the only cause of this down state.
Workaround:
It is possible to work around this issue by creating separate monitor lists for each gtm server, so that all the probes related to the same big3d are spread out in time across the monitoring interval.
To do this:
- Create a separate BIG-IP monitor for each gtm server object with monitored virtual servers.
- Set the interval value for each of those BIG-IP monitors to a different value. For example, instead of the default 30-second BIG-IP probe interval, create monitors of 30,31,32,33,34,35,... seconds. Values of less than 30 seconds are not recommended, as these will increase the monitoring load further.
- Apply the new monitors to each gtm server so that each one has a different monitoring interval.
Fix:
gtmd monitor probes with the same interval are scrambled in oder so that the probes related to a target big3d (LTM) will be spread evenly across the entire interval time.
This results in avoiding the bunching of probes to a given target LTM, thereby preventing congestion at the target LTM.
Fixed Versions:
17.1.2, 16.1.5
1127241-6 : AS3 tenants don't sync reliably in GTM sync groups.
Links to More Info: BT1127241
Component: Global Traffic Manager (DNS)
Symptoms:
GTM AS3 tenants do not sync across GTM sync groups when using AS3 declarations.
Conditions:
-- GTM sync group.
-- Remove tenant in GTM1.
-- Sync does not happen and the tenant remains in GTM2.
Impact:
GTM sync fails to sync the AS3 tenants.
Workaround:
None
Fixed Versions:
17.1.2
1126841-5 : HTTP::enable can rarely cause cores
Links to More Info: BT1126841
Component: Local Traffic Manager
Symptoms:
The TMM crashes with seg fault.
Conditions:
- SSL profile used.
- The iRule that uses HTTP::enable.
Impact:
The TMM restarts causing traffic interruption.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1126401-1 : Variables are not displayed in Debug log messages for MGMT network firewall rules
Links to More Info: BT1126401
Component: Advanced Firewall Manager
Symptoms:
Setting the log level to Debug allows some logging to be displayed, but the log messages are not fully implemented as the variables are not displayed. See an example logging message below:
Jun 23 08:11:07 metallurgist-1-bigip debug mgmt_acld[13359]: 01610008:7: rule %s (act %s) sip %s dip %s sport %d dport %d protocol %d
Jun 23 08:11:07 metallurgist-1-bigip debug mgmt_acld[13359]: 01610008:7: processed %u packets in current iteration. total pkts processed %u
Conditions:
Enable the log level to Debug.
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db log.mgmt_acld.level value Debug
Impact:
Unable to see the debug logs for MGMT network firewall rules.
Workaround:
None
Fix:
Variables are displayed.
Fixed Versions:
17.1.1, 15.1.9
1126093-1 : DNSSEC Key creation failure with internal FIPS card.
Links to More Info: BT1126093
Component: Local Traffic Manager
Symptoms:
You are unable to create dnssec keys that use the internal FIPS HSM.
When this issue happens the following error messages appear in /var/log/gtm
Jul 20 04:37:47 localhost failed to read password encryption key from the file /shared/fips/nfbe0/pek.key_1, error 40000229
Jul 20 04:37:47 localhost.localdomain err gtmd[28729]: 011a0312:3: Failed to initiate session with FIPS card.
Jul 20 04:37:47 localhost.localdomain err gtmd[28729]: 011a0309:3: Failed to create new DNSSEC Key Generation /Common/abcd:1 due to HSM error.
Conditions:
-- Internal FIPS card present.
-- Clean installation from an installation ISO file.
-- DNSSKEY creation using internal FIPS card.
Impact:
DNSSEC deployments with internal FIPS HSMs are impacted.
Workaround:
Change the /shared/fips directory permissions.
Ex: chmod 700 /shared/fips
Fixed Versions:
17.1.1, 16.1.4
1124209-5 : Duplicate key objects when renewing certificate using pkcs12 bundle
Links to More Info: BT1124209
Component: TMOS
Symptoms:
Duplicate key objects are getting created while renewing the certificate using the pkcs12 bundle command.
Conditions:
When the certificate and key pair is present at the device and the pkcs12 command is executed to renew it.
Impact:
1) If the certificate and key pair is attached to the profile then certificate renewal is failing.
2) Duplicate key objects are getting created.
Workaround:
Delete the existing cert and key pair, and then execute the pkcs12 bundle command.
Fix:
Added the fix which has the capability to pass cert-name and key-name with the PKCS12 bundle command.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1123153-5 : "Such URL does not exist in policy" error in the GUI
Links to More Info: BT1123153
Component: Application Security Manager
Symptoms:
Unable to create a parameter under Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs ›› URL Parameters
Conditions:
When the policy setting "Differentiate between HTTP/WS and HTTPS/WSS URLs" is set to "Disabled".
Impact:
User is unable to create a Parameter with a URL.
Workaround:
N/A
Fix:
Resolved non-existent URL error during Parameter creation.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1122205-2 : The 'action' value changes when loading protocol-inspection profile config
Links to More Info: BT1122205
Component: Protocol Inspection
Symptoms:
The "action" values for signatures and compliances in Protocol Inspection profiles change when a new config or UCS file is loaded.
Conditions:
Use case 1:
a) Create a protocol-inspection profile.
GUI: Security ›› Protocol Security : Inspection Profiles
-> Click "Add" >> "New"
1. Fill in the Profile Name field (pi_diameter in my example).
2. Services: pick "DIAMETER".
3. In the table for SYSTEM CHECKS, tick the checkboxes of all the items.
4. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".
5. In the table of signatures and compliances for DIAMETER, tick the checkboxes of all the items.
6. In the right pane that opens up, make sure "Action: Accept" is selected and click "Apply".
7. Click "Commit Changes to System".
b) Check the current config via tmsh. Confirm there is no line with "action".
# tmsh list security protocol-inspection profile pi_diameter
c) Copy the result of the command in step b.
d). Delete the profile.
# tmsh delete security protocol-inspection profile pi_diameter
e). Load the config.
# tmsh
(tmos) # load sys config from-terminal merge
(tmos) # save sys config
Paste the pi_diameter profile config copied in step c. CTRL-D (maybe twice) to submit the change.
f) Check the config via tmsh. The action value has changed.
(tmos) # list security protocol-inspection profile pi_diameter
Use case 2:
a) Configure protocol-inspection profiles for http, diameter, and gtp. Set all "accept" including signatures and compliances.
b) tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase.
c) tmsh load sys config default.
d) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf.
Use case 3: Restore configuration by loading UCS/SCF after RMA.
Use case 4: Perform mcpd forceload for some purpose.
Use case 5: Change VM memory size or number of core on hypervisor.
Use case 6: System upgrade
Impact:
Some of the signatures and compliance action values are changed
Following commands output lists affected signatures and compliances.
## Signatures ##
tmsh list sec protocol-inspection signature all-properties | egrep "protocol-inspection|^\s*action" | awk '{ if($2 == "drop" || $2 == "reject") { print prev"\n"$0 } } { prev = $0 }'
## Compliances ##
tmsh list sec protocol-inspection compliance all-properties | egrep "protocol-inspection|^\s*action" | awk '{ if($2 == "drop" || $2 == "reject") { print prev"\n"$0 } } { prev = $0 }'
Workaround:
Workaround for use case 1:
Follow the work-around mention below when you want to load the ips profile configuration from the terminal.
a) Create a protocol-inspection profile.
GUI: Security ›› Protocol Security: Inspection Profiles
-> Click "Add" >> "New" >> ips_testing
b) Check the current config via tmsh.
# tmsh list security protocol-inspection profile ips_testing all-properties
c) Copy the result of the command in step b.
d) Delete the profile.
# tmsh delete security protocol-inspection profile ips_testing
e) Load the config.
# tmsh
(tmos) # load sys config from-terminal merge
(tmos) # save sys config
Paste the pi_diameter profile config copied in step c. CTRL-D (maybe twice) to submit the change.
f) Check the config via tmsh using all-properties
(tmos) # list security protocol-inspection profile ips_testing all-properties
Workaround for use case 2:
a) Configure protocol-inspection profiles for http, diameter, and gtp. Set all "accept" including signatures and compliances.
b) tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase
c) tmsh load sys config default
d) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
e) tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
Workaround for use case 3:
a) Load the ucs/scf config file twice.
tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
Workaround for use case 4, 5, 6:
a) Before performing any of the operations of Use case 4, 5, 6, save the config.
tmsh save sys ucs ips_test.ucs or tmsh save sys config file ips_test.scf no-passphrase
b) Once the operation in use cases are done then perform the load operation.
tmsh load sys ucs ips_test.ucs or tmsh load sys config file ips_test.scf
Fix:
After fixing the issue, the action value will not be changed for signatures and compliances.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1121349-6 : CPM NFA may stall due to lack of other state transition
Links to More Info: BT1121349
Component: Local Traffic Manager
Symptoms:
When processing LTM policy rules as they apply to the incoming data, the CPM (Centralized Policy Matching) the state machine may incorrectly process the pattern, resulting in some of the policy rules not being applied
Conditions:
-- HTTP virtual server with LTM policy and iRule that triggers on "HTTP URI path contains" some value
Impact:
LTM policy rule does not trigger when it would be expected to
Workaround:
Change rule from "HTTP URI path contains" to "HTTP URI full string contains"
Fixed Versions:
17.1.1, 16.1.5
1117609-5 : VLAN guest tagging is not implemented for CX4 and CX5 on ESXi
Links to More Info: BT1117609
Component: Local Traffic Manager
Symptoms:
Tagged VLAN traffic is not received by the BIG-IP Virtual Edition (VE).
Conditions:
Mellanox CX4 or CX5 with SR-IOV on VMware ESXi.
Impact:
Host-side tagging is required.
Workaround:
If only one VLAN is required, use host-side tagging and set the VLAN to "untagged" in the BIG-IP guest.
If multiple VLANs are required, use the "sock" driver instead. Edit the /config/tmm_init.tcl file and restart the Virtual Edition (VE) instance. Network traffic is disrupted while the system restarts.
echo "device driver vendor_dev 15b3:1016 sock" >> /config/tmm_init.tcl
CPU utilization may increase as a result of switching to the sock driver.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1117305-8 : The /api, a non-existent URI returns different error response with or without correct Basic Authorization credentials
Links to More Info: BT1117305
Component: TMOS
Symptoms:
The /api returns 401 when incorrect Basic Authorization credentials are supplied.
The /api returns 404 when correct Basic Authorization credentials are supplied.
Conditions:
Irrespective of the DB variable "httpd.basic_auth" value set to enable or disable.
Impact:
There is no functional impact, but all other non-existent URIs return a 302 redirect response to the TMUI login page irrespective of correct or incorrect Basic Authorization credentials, /api should also be invariably exhibiting the same behavior.
Workaround:
None
Fix:
The /api like any other non-existent URI now returns a 302 redirect response to the TMUI login page irrespective of correct or incorrect Basic Authorization credentials.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1117245-5 : Tomcat fails to write log messages into /var/log/tomcat/liveupdate.log file
Links to More Info: BT1117245
Component: Application Security Manager
Symptoms:
You only see this message in /var/log/tomcat/liveupdate.log file. No other log messages are written, causing troubleshooting capability with LiveUpdate.
liveupdate.script file is corrupted, live update repository initialized with default schema
This error is emitted during tomcat startup.
/var/log/tomcat/catalina.out
java.io.FileNotFoundException: /usr/share/tomcat/logs/liveupdate.log (Permission denied)
Conditions:
You are running on a version which has a bug fix for ID907025. For more information see https://cdn.f5.com/product/bugtracker/ID907025.html
Impact:
Losing troubleshooting capability with LiveUpdate
Workaround:
chown tomcat:tomcat /var/log/tomcat/liveupdate.log
bigstart restart tomcat
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1117229-5 : CVE-2023-46747 and CVE-2022-26377: Inconsistent Interpretation of HTTP Requests in mod_proxy_ajp
1113753-5 : Signatures might not be detected when using truncated multipart requests
Links to More Info: BT1113753
Component: Application Security Manager
Symptoms:
On special cases when sending long requests that include a multipart section, signatures that should be detected in the multipart body might not be detected.
Conditions:
1. WAF-policy is attached to virtual server.
2. Signatures are enabled in the WAF policy.
3. Signatures contain special characters, i.e. ;"=\n
4. Request is longer than the value in max_raw_request_len.
5. Sending a multipart request.
Impact:
Signature is not detected.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1113693-4 : SSL Certificate List GUI page takes a long time to load
Links to More Info: BT1113693
Component: TMOS
Symptoms:
SSL Certificate List GUI page under System->Certificate Management->Traffic Certificate Management->SSL Certificate List does not load or takes a long time to load (more than 3 minutes).
Conditions:
-- When clicking on SSL Certificates List menu in the GUI.
-- BIG-IP is loaded with heavy configuration and more number of certificates.
-- BIG-IP is vCMP guest.
Impact:
Certificates list is not presented from GUI.
Workaround:
GET the certificate list through TMSH command
tmsh list sys crypto cert
Fix:
SSL Certificate list menu is displayed with out any delay.
Fixed Versions:
17.1.2, 16.1.5
1113609-4 : GUI unable to load Bot Profiles and tmsh is unable to list them as well.
Links to More Info: BT1113609
Component: TMOS
Symptoms:
If there are 10s of bot defense profiles that all have hundreds of staged signatures, neither the GUI nor tmsh will be able to list the Bot Profiles.
Conditions:
Tens of bot defense profiles that have 100s of staged signatures.
Impact:
-- Unable to edit bot profiles in the GUI.
-- Unable to save to config files or UCS
Workaround:
Remove staging for bot-signatures.
Fixed Versions:
17.1.1, 16.1.5
1112781-2 : DNS query drops on Virtual Edition platform if the packet size is above 1500 for NAPTR record.
Links to More Info: BT1112781
Component: Advanced Firewall Manager
Symptoms:
The BIG-IP system drops the packet if the DNS response size is larger than 2048.
Conditions:
When the DNS server sends a response larger than 2048 bytes.
Impact:
The BIG-IP system drops the packet and does not respond to the client.
Workaround:
If possible, switch from UDP to TCP to avoid dropping the packet.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1112537-6 : LTM/GTM config instantiated in a certain way can cause a LTM/GTM monitor to fail to delete.
Links to More Info: BT1112537
Component: TMOS
Symptoms:
Upon attempting to delete a LTM or GTM monitor, the system returns an error similar to the following example, even though the monitor being deleted is no longer in use anywhere:
01070083:3: Monitor /Common/my-tcp is in use.
Conditions:
-- The configuration was loaded from file (for example, as restoring a UCS archive would do).
-- A BIG-IP Administrator deletes all objects using the monitor, and then attempts to delete the monitor itself.
Impact:
LTM or GTM monitor no longer in use anywhere cannot be deleted from the configuration.
Workaround:
Run one of the following sets of commands (depending on the affected module) and then try to delete the monitor again:
tmsh save sys config
tmsh load sys config
tmsh save sys config gtm-only
tmsh load sys config gtm-only
Fix:
Unused monitors can now be deleted correctly.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1112385-6 : Traffic classes match when they shouldn't
Links to More Info: BT1112385
Component: Local Traffic Manager
Symptoms:
Traffic classes may match when they should not.
Conditions:
* Fix for ID1074505 is present (without that fix this bug is hidden).
* Traffic class uses none (or equivalently all 0s) for source-address.
Impact:
Traffic is not categorized properly.
Workaround:
Specify a source address, e.g.
ltm traffic-class /Common/blah {
source-address 1.1.1.1
source-mask none
...
}
Note that because the mask is none this won't have any effect (other than working around this bug).
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1111397-6 : [APM][UI] Wizard should also allow same patterns as the direct GUI
Links to More Info: BT1111397
Component: Access Policy Manager
Symptoms:
Device wizard fails if a certain string is used in the access policy name:
- access policy name that fails: abc_1234_wxyz
- access policy name that works: abc-1234-wxyz
An error can be found in the log:
ERROR SAWizard.SACreateAccessPolicy:error - java.sql.SQLException: General error: 01020036:3: The requested Access Profile /common/abc_1234_wxyz was not found. in statement [DELETE FROM profile_access WHERE name = ?]
Conditions:
Using certain string patterns when creating an access policy via the wizard (specifically the underscore character).
Impact:
The wizard fails and throws errors.
Workaround:
None
Fix:
Fixed the naming mismatch by removing function to concat strings with extra _x.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1111361-5 : Refreshing DNS wide IP pool statistics returns an error
Links to More Info: BT1111361
Component: Global Traffic Manager (DNS)
Symptoms:
Refreshing the wide IP pool statistics results in the error message 'An error has occurred while trying to process your request'.
Conditions:
Go to "Statistics > Module Statistics > DNS > GSLB > Wide IPs > Statistic Pools", and click "Refresh".
Impact:
No results are returned, and the error message 'An error has occurred while trying to process your request' is displayed.
Workaround:
None
Fixed Versions:
17.1.1
1111149-4 : Nlad core observed due to ERR_func_error_string can return NULL
Links to More Info: BT1111149
Component: Access Policy Manager
Symptoms:
The following symptoms are observed
In /var/log/ltm:
err nlad[17535]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
Nlad core is observed
/var/log/kern.log:Apr 7 03:46:53 <vs name > info kernel: nlad[13119]: segfault at 0 ip <> sp <> error 4.
Conditions:
NLAD core is SIGSEGV - crashing while processing a SSL Certificate via a SAML login.
Impact:
Core results in disruption of APM sessions
Workaround:
None
Fix:
NA
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1110489-4 : TMM crash in nexthop_release with ACCESS_ACL_ALLOWED iRule event
Links to More Info: BT1110489
Component: Access Policy Manager
Symptoms:
Tmm crashes.
/var/log/tmm contains
May 24 18:06:24 sslo.test.local notice panic: ../net/nexthop.c:165: Assertion "nexthop ref valid" failed.
Conditions:
An iRule is applied to a virtual Server containing a ACCESS_ACL_ALLOWED iRule event.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1110281-7 : Behavioral DoS does not ignore non-http traffic when disabled via iRule HTTP::disable and DOSL7::disable
Links to More Info: BT1110281
Component: Advanced Firewall Manager
Symptoms:
Non-HTTP traffic is not forwarded to the backend server.
Conditions:
- ASM provisioned
- Behavioral DoS profile assigned to a virtual server
- DOSL7::disable and HTTP::disable applied at when CLIENT_ACCEPTED {}
Impact:
Broken webapps with non-HTTP traffic.
Workaround:
Instead of using DOSL7::disable, redirect non-HTTP traffic to a non-HTTP aware virtual server using the iRule command virtual <virtual_server_name>.
Fix:
Fixed the Behavioral DoS HTTP::disable command handler in the tmm code.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1108237-3 : Incorrect 'No reply from big3d: timed out' result for certain destinations monitored by GTM.
Links to More Info: BT1108237
Component: Global Traffic Manager (DNS)
Symptoms:
It is possible for monitor probes to a certain destination to be owned by no GTM device in the sync-group. As a result, no monitoring of the destination will be performed, and the monitored object will be incorrectly marked down with reason "no reply from big3d: timed out".
Conditions:
-- GTM sync-group with multiple GTM devices (including a sync-group that contains only a single GTM server with more than one GTM device in it).
-- Monitors specifying an explicit destination to connect to (e.g. with the property "destination 192.168.1.1:*").
-- The destination of a monitored object (e.g. the IP address of the gtm server) is different from the destination explicitly defined in a monitor assigned to the object.
-- The two mismatching destination values are assigned to different GTM devices in the sync-group for monitoring.
Impact:
Monitored GTM objects may have an incorrect status.
Workaround:
None
Fix:
All monitor probes are not correctly assigned to a GTM device.
Fixed Versions:
17.1.1, 16.1.4
1107565-3 : SSL Persistence behavior change for TLS1.3 connection between v16.1.0 and v16.1.2.2
Links to More Info: BT1107565
Component: Local Traffic Manager
Symptoms:
The BIG-IP system resets TLS 1.3 connections when the client-hello contains a session-ID.
Conditions:
-- Virtual server has ssl persistence enabled
-- TLS 1.3 is used
-- The client-hello message contains a session-ID.
Impact:
Traffic uses TLS 1.3 and SSL persistence is disrupted.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4
1106341-1 : /var/tmp/pccd.out file size increases rapidly and fills up the /shared partition
Links to More Info: BT1106341
Component: Advanced Firewall Manager
Symptoms:
The /var/tmp/pccd.out file size increases rapidly, filling up the /shared partition.
Conditions:
Create a firewall rule or policy.
Impact:
The /var/tmp/pccd.out file size increases rapidly, filling up the /shared partition.
Workaround:
None
Fix:
Creating a firewall rule or policy no longer causes the /var/tmp/pccd.out file size to increase rapidly.
Fixed Versions:
17.1.1, 15.1.7
1106273-5 : "duplicate priming" assert in IPSECALG
Links to More Info: BT1106273
Component: Advanced Firewall Manager
Symptoms:
This is a specific issue with a complicated firewall/NAT/IPSEC scenario. In this case, when applying changes to a firewall policy in transparent mode, IPSECALG triggers a "duplicate priming" assert
Conditions:
When an IPSec session is established from a device with a source IP which has a firewall policy (transparent mode). As soon as traffic is passed over the new IPSec tunnel, this clash in the rules results in a tmm core.
Impact:
TMM asserts with "duplicate priming" assert.
Traffic disrupted while tmm restarts.
Workaround:
None
Fix:
Data is able to flow through tunnel and no crash
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1105901-6 : Tmm crash while doing high-speed logging
Links to More Info: BT1105901
Component: TMOS
Symptoms:
Tmm crashes
Conditions:
-- High-speed logging is configured
-- Network instability occurs with the logging pool members
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1105021-3 : F5OS BIG-IP tenants perform an MCPD "forceload" operation after a reboot
Links to More Info: BT1105021
Component: TMOS
Symptoms:
BIG-IP tenant software running on an F5OS device performs an MCPD "forceload" operation after a reboot which means the MCPD loads the configuration from the text config file rather than the binary database.
/var/log/ltm contains
chmand Hardware/Chassis change detected. Forcing db load from the file.
Conditions:
The management Mac address transfers from F5OS to BIG-IP tenant are not in sync.
Impact:
-- Devices report "changes pending" after the tenant is rebooted.
-- This may result in configuration loss if auto-sync is configured.
-- This may result in configuration loss as a result of operational foul-ups, regardless of which device had a newer configuration before one was rebooted, the newly-rebooted device will claim to have a newer configuration.
Workaround:
None
Fix:
None
Fixed Versions:
17.1.2
1104773-8 : REST API Access hardening
Component: TMOS
Symptoms:
REST API Access token generation may not follow security best practices.
Conditions:
N/A
Impact:
N/A
Workaround:
Restrict high-privileged access to the BIG-IP filesystem to trusted users.
Fix:
Security best practices are now followed.
Fixed Versions:
17.1.1, 16.1.5
1104553-1 : HTTP_REJECT processing can lead to zombie SPAWN flows piling up
Links to More Info: BT1104553
Component: Local Traffic Manager
Symptoms:
In the execution of a specific sequence of events, when TCL attempts to execute the non-existing event, it follows a path which in turn makes SPAWN flow to become a zombie, which pile up over time showing up on the monitoring system.
Conditions:
-- http2, client-ssl, optimized-caching filters on the virtual server
-- HTTP::respond iRule with LB_FAILED event and set of iRules like HTTP_REQUEST, HTTP_RESPONSE, CLIENTSSL_HANDSHAKE, CACHE_RESPONSE, ASM_REQUEST_BLOCKING
-- send http2 request through the virtual server
Impact:
Clients may not be able to connect to the virtual server after a point in time.
Fix:
This defect has been resolved and stale connections are being cleaned up as expected.
Fixed Versions:
17.1.1, 15.1.7
1104517-3 : In SWG explicit proxy, some TCP connections are reset because of inconsistency between sessionDB and local IP2SessionId map
Links to More Info: BT1104517
Component: Access Policy Manager
Symptoms:
Some clients' TCP connections are reset with an error "cl sm driver error (Illegal value)" when the BIG-IP system is in this error state.
Conditions:
SWG explicit proxy is configured.
Impact:
Some clients are unable to access a service.
Workaround:
Disable sessionDB mirroring on both active and standby
# tmsh modify sys db statemirror.mirrorsessions value disable
# tmsh save sys config
Restart tmm on standby
# bigstart restart tmm
Fix:
Fixed an issue causing a TCP reset with certain clients.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1103477-5 : Refreshing pool member statistics results in error while processing requests
Links to More Info: BT1103477
Component: Global Traffic Manager (DNS)
Symptoms:
Pool member statistics aren't displayed and the page shows an error message 'An error has occurred while trying to process your request'.
Conditions:
-- A GTM pool is configured with one or more pool members.
-- The 'Refresh' button or the timer is used to fetch the pool member statistics again.
Impact:
Refresh does not work as expected.
Workaround:
Although the refresh button or refresh timer is broken, you can refresh the page to see updated statistics.
Fix:
The page refreshes correctly on clicking the button or on setting the timer.
Fixed Versions:
17.1.1, 15.1.10
1103117-1 : iAppLX extension using express with httpserver script leaves lingering client-side flow on HTTP requests.
Links to More Info: BT1103117
Component: Local Traffic Manager
Symptoms:
While using an iAppLX extension using express with simple HTTP server script, tmsh show sys conn shows a lingering client-side flow that is eventually expired by the sweeper.
Conditions:
Virtual server with iAppLX extension using express with a simple httpserver script like below:
app.use(express.static('public'));
var plugin = new f5.ILXPlugin();
plugin.startHttpServer(app);
Impact:
The connection table (tmsh show sys conn) shows a lingering client-side flow that is eventually expired by the sweeper.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1102425-1 : F5OS tenant secondary slots are inoperative after licensing or restart of MCPD on the primary
Links to More Info: BT1102425
Component: TMOS
Symptoms:
The secondary blades are inoperative when MCPD is restarted on the primary slot, or the license is installed on the F5OS chassis.
Following are the symptoms:
- Following log message is logged in /var/log/ltm:
mprov:29790:[29790]: 'FPGA change is taking a long time. Unable to start the daemons.' for the secondary slots.
- The presence of the file /var/run/fpga_mcpd_lockfile on the secondary slots.
Conditions:
- Multi-Slot F5OS tenant.
- Restarting MCPD on the primary blade or installing the license from the F5OS chassis.
Impact:
Secondary blades are inoperative.
Workaround:
Execute the following command on the secondary blades that are inoperative:
bigstart restart mcpd
Fixed Versions:
17.1.1, 15.1.10
1101653-3 : Query Type Filter in DNS Security Profile blocks allowed query types
Links to More Info: BT1101653
Component: Advanced Firewall Manager
Symptoms:
When NXDomain is moved to active/enabled, a query response does not work in the GUI.
Conditions:
NXDomain field is in enable state in filtered-query-type in GUI.
Impact:
The query response fails.
Workaround:
NXDomain field should not be enabled using the GUI.
NXDomain is always response type.
Fixed Versions:
17.1.1, 15.1.10
1100761-4 : TMM crashes when DHCP pool member is not reachable.
Links to More Info: BT1100761
Component: Local Traffic Manager
Symptoms:
TMM might crash when DHCP virtual-server is configured and DHCP pool member is marked down by a monitor.
Conditions:
DHCP virtual server.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.2
1100721-5 : IPv6 link-local floating self-IP breaks IPv6 query to BIND
Links to More Info: BT1100721
Component: Local Traffic Manager
Symptoms:
A IPv6 link-local floating self-IP breaks IPv6 query to BIND.
Conditions:
1. Create a DNS record in BIND.
2. Create an IPv6 floating self-IP (for example, 2002::139) and place it into traffic-group-1.
3. Create an IPv6 DNS listener using the newly created self-IP (2002::139).
So far a DNS query should be answered properly by BIND and TMM.
4. Create a dummy IPv6 floating self-IP using a link-local IP (for example, fe80::4ff:0:0:202) and place it into traffic-group-1.
Now, the DNS query from outside will be timed out.
Impact:
DNS requests will get timed out.
Workaround:
None
Fixed Versions:
17.1.1, 15.1.10
1100561-3 : AAA: a trailing ampersand is added to serverside request when using HTTP forms based auth
Links to More Info: BT1100561
Component: Access Policy Manager
Symptoms:
An extra "&" is added to a request
Conditions:
A query is specified in a Form-Action field
Impact:
The server replies with an error due to the extra trailing & in the request from APM
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5
1100197-6 : Mcpd message: Unable to do incremental sync, reverting to full load for device group /Common/gtm
Links to More Info: BT1100197
Component: Global Traffic Manager (DNS)
Symptoms:
GTM may occasionally send the wrong commit_id_originator to other sync group members, causing a full sync to occur instead of an incremental one.
The following message may be seen in the /var/log/gtm log
"Unable to do incremental sync, reverting to full load for device group /Common/gtm"
Conditions:
Frequent GTM group syncs.
Impact:
Unnecessary GTM full sync when an incremental sync would have been more efficient.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1100169-2 : GTM iQuery connections may be reset after SSL key renegotiation.
Links to More Info: BT1100169
Component: Global Traffic Manager (DNS)
Symptoms:
During routine iQuery SSL renegotiation, the iQuery connection will occasionally be reset.
Conditions:
This occurs occasionally during routine renegotiation. Renegotiation occurs once very 24 hours, per connection, by default (but can be controlled by the db key big3d.renegotiation.interval)
Impact:
It causes a brief disconnection between the GTMs in the sync group.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1099833-3 : Add additional server side support for f5-epi links.
Component: Access Policy Manager
Symptoms:
f5-epi links do not properly validate during machine info check.
Conditions:
- Machine info check is enabled in access policy.
Impact:
Undesirable behavior
Workaround:
-No-
Fix:
Note: 1081133 must be resolved on the server as well
Behavior is as expected.
Fixed Versions:
17.1.2, 16.1.5
1099765-1 : Inconsistent behavior in violation detection with maximum parameter enforcement
Links to More Info: BT1099765
Component: Application Security Manager
Symptoms:
Request with JSON body with more than 600 parameters causes the event log to show incorrect violations.
Conditions:
-- 'Maximum params' configured to 600 in JSON profile
-- 'Maximum array length' configured to 'Any'
-- A request occurs that contains more than 600 parameters in the body in JSON format
Impact:
No violation for passing maximum parameters given in event log, although the maximum number of allowed parameters was exceeded.
Workaround:
None
Fix:
The violations VIOL_HTTP_PROTOCOL and VIOL_JSON_FORMAT are now recorded in the event log.
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1099341-7 : CVE-2018-25032: A flaw found in zlib, when compressing (not decompressing!) certain inputs
1098609-3 : BD crash on specific scenario
Links to More Info: BT1098609
Component: Application Security Manager
Symptoms:
BD crashes while passing traffic.
Conditions:
Specific request criterias that happens while there is a configuration change.
Impact:
Traffic disrupted while bd restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1096893-6 : TCP syncookie-initiated connections may end up unexpectedly IP-fragmenting packets mid-connection
Links to More Info: BT1096893
Component: Local Traffic Manager
Symptoms:
When route metrics are applied by the TCP filter to a connection initiated by a syncookie, TCP sets the effective MSS for packetization, thereafter the egress_mtu will be set as per the route metrics entry, if present. The packets falling between the effective MSS and the lowered egress_mtu end up being unexpectedly IP-fragmented.
Conditions:
SYN cookies enabled and activated. A route metrics PMTU entry for the destination address that is smaller than the VLAN's egress MTU.
Impact:
Application traffic can fail or see disruption due to unexpected IP fragmentation.
Workaround:
Disable syn cookies (Reference: https://support.f5.com/csp/article/K80970950).
Alternatively, you can apply a lower static MTU to the interface.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1096373-8 : Unexpected parameter handling in BIG3d
Links to More Info: K000132972, BT1096373
1096317-6 : SIP msg alg zombie flows
Links to More Info: BT1096317
Component: Carrier-Grade NAT
Symptoms:
The SIP msg alg can disrupt the expiration of a connflow in a way that it stays alive forever.
Conditions:
SIPGmsg alg with suspending iRule commands attached.
Impact:
Zombie flow, which cannot be expired anymore.
Workaround:
Restart TMM.
Fix:
Flows are now properly expired.
Fixed Versions:
17.1.1, 15.1.10
1093973-9 : Tmm may core when BFD peers select a new active device.
Links to More Info: BT1093973
Component: TMOS
Symptoms:
Tmm cores.
Conditions:
-- BFD is in use
-- the active/owner BFD device changes
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.2, 16.1.5
1093933-5 : CVE-2020-7774 nodejs-y18n prototype pollution vulnerability
Component: iApp Technology
Symptoms:
A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality. If an attacker is able to provide untrusted input via locale, they may be able to cause denial of service or in rare circumstances, impact to data integrity or confidentiality.
Conditions:
N/A
Impact:
Denial of service or in rare circumstances, impact to data integrity or confidentiality
Workaround:
N/A
Fix:
The library has been patched to address the vulnerability.
Fixed Versions:
17.1.1, 16.1.4, 15.1.9
1093357-6 : PEM intra-session mirroring can lead to a crash
Links to More Info: BT1093357
Component: Policy Enforcement Manager
Symptoms:
TMM crashes while passing PEM traffic
Conditions:
-- PEM mirroring enabled and passing traffic
Impact:
Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1091969-5 : iRule 'virtual' command does not work for connections over virtual-wire.
Links to More Info: BT1091969
Component: Local Traffic Manager
Symptoms:
iRule 'virtual' command does not work for connections over virtual-wire.
Conditions:
- Connection over a virtual-wire.
- Redirecting traffic to another virtual-server (for example, using an iRule 'virtual' command)
Impact:
Connection stalls on the first virtual-server and never completes.
Fixed Versions:
17.1.2, 16.1.4, 15.1.9
1088597-6 : TCP keepalive timer can be immediately re-scheduled in rare circumstances
Links to More Info: BT1088597
Component: Local Traffic Manager
Symptoms:
In rare circumstances, the TCP timer is rescheduled immediately due to the utilization of the interval encompassing also the idle_timeout.
Conditions:
Virtual Server with:
- TCP Profile
- SSL Profile with alert timeout configured
Another way this can occur is by manually deleting connections, which effectively only sets the idle timeout to 0.
Impact:
High CPU utilization potentially leading to reduced performance.
Workaround:
If the alert timeout is not re-enabled in the SSL Profile that should be sufficient.
Fixed Versions:
17.1.1, 16.1.5, 15.1.10
1088445-11 : CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body
1086865-3 : GTM sync fails when trying to create/sync a previously deleted partition.
Links to More Info: BT1086865
Component: Global Traffic Manager (DNS)
Symptoms:
GTM synchronization fails when creating a GTM object in a previously deleted folder/partition from another BIG-IP.
Conditions:
GTM object created in a previously deleted folder/partition.
Impact:
GTM Sync failure.
Fix:
GTM sync works fine when trying to create a GTM object in the same folder that was previously deleted.
Fixed Versions:
17.1.2
1086393-4 : Sint Maarten and Curacao are missing in the GTM region list
Links to More Info: BT1086393
Component: TMOS
Symptoms:
Sint Maarten and Curacao are missing in the GTM region list.
Conditions:
- Create a GTM region record.
- Create a GTM region of Country Sint Maarten or Curacao.
Impact:
Cannot select Sint Maarten and Curacao from the GTM country list.
Workaround:
None
Fix:
Sint Maarten and Curacao are now present in the Countries List. The support for these countries is only provided for Region, ISP and Org Database.
Fixed Versions:
17.1.1, 16.1.5
1085661-6 : Standby system saves config and changes status after sync from peer
Links to More Info: BT1085661
Component: Application Security Manager
Symptoms:
After running config sync from an Active to a Standby device, the sync status is in SYNC for a short period time.
After a while, it automatically goes to Changes Pending status.
The same symptom was reported via ID698757 and fixed in earlier versions, but the same can happen via different scenario.
Conditions:
Create an ASM policy and let the system determining language encoding from traffic.
Impact:
The high availability (HA) configuration goes out of SYNC.
Workaround:
To prevent the issue from happening, you can manually configure language encoding
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1084965-4 : Low visibility of attack vector
Links to More Info: BT1084965
Component: Local Traffic Manager
Symptoms:
The DoS vector FIN 'Only Set' is not triggered and causes lack of visibility of the attack vector.
Conditions:
-- Using BIG-IP Virtual Edition
Impact:
There is reduced visibility of possible attacks on the BIG-IP.
Workaround:
Check 'drop_inv_pkt' with the tmctl table, "tmm/ndal_rx_stats".
Fixed Versions:
17.1.1, 16.1.5
1084901-3 : Updating the firewall rule list for IPv6 with route domain throws an error in the GUI, works from tmsh
Links to More Info: BT1084901
Component: Advanced Firewall Manager
Symptoms:
You are unable to modify IPV6 + Route domain for Network Firewall Rule Lists using the GUI
Conditions:
-- AFM is provisioned
-- IPv6 with route domain is being used in an address list
Impact:
Unable to create/manage Firewall rule lists for IPv6 with a route domain.
Workaround:
Use tmsh to create/manage firewall rule lists for IPv6 with a route domain.
Fix:
You can now add IPv6 firewall rules with a route domain using the GUI.
Fixed Versions:
17.1.1
1084857-6 : ASM::support_id iRule command does not display the 20th digit
Links to More Info: BT1084857
Component: Application Security Manager
Symptoms:
ASM::support_id iRule command does not display the 20th digit.
A support id seen in REST/TMUI that has 20 digits, e.g 13412620314886537617 is displayed as 1341262031488653761 with the iRule command ( the last digit '7' is stripped ).
Conditions:
ASM::support_id iRule command
Impact:
Inability to trace request events using the support id
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1084157-2 : Possible captcha loop when using Single Page Application
Links to More Info: BT1084157
Component: Application Security Manager
Symptoms:
When using Captcha and a Single Page Application the browser might log Console errors and Captcha cannot be completed.
Conditions:
-- Single Page Application is enabled.
-- Either of these two objects are attached to the virtual server:
-- ASM with Captcha mitigation on brute force
-- Bot Defense profile with Captcha mitigation
-- Special backend server conditions occur
Impact:
Captcha cannot be solved.
Workaround:
None.
Fix:
Fix Captcha handling in single-page applications.
Fixed Versions:
17.1.2, 16.1.5
1083621-6 : The virtio driver uses an incorrect packet length
Links to More Info: BT1083621
Component: Local Traffic Manager
Symptoms:
In some cases, tmm might drop network packets.
In rare circumstances, this might trigger tmm to crash.
Conditions:
BIG-IP Virtual Edition using the virtio driver. You can see this in /var/log/tmm ("indir" is zero):
notice virtio[0:5.0]: cso: 1 tso: 0 lro: 1 mrg: 1 event: 0 indir: 0 mq: 0 s: 1
Impact:
Tmm might drop packets.
In rare circumstances, this might trigger tmm to crash. Traffic disrupted while tmm restarts.
Workaround:
None
Fixed Versions:
17.1.1, 16.1.5, 15.1.9
1083513-4 : BD configuration for botdefense.disable_challenge_failure_reporting gets de-synced with mcpd
Links to More Info: BT1083513
Component: Application Security Manager
Symptoms:
"Challenge Failure Reason" field in a request event log shows N/A.
Conditions:
The db key has not been changed manually on the system.
Impact:
"Challenge Failure Reason" field is disabled.
Workaround:
Disable the key and re-enable, then save.
tmsh modify sys db botdefense.disable_challenge_failure_reporting value disable
tmsh modify sys db botdefense.disable_challenge_failure_reporting value enable
tmsh save sys config
Fix:
BD now initialize the db key internally, not depending on mcpd, that ensures the default db key value is "enable".
Fixed Versions:
17.1.1, 16.1.4, 15.1.10
1082453-1 : Dwbld stops working after adding an IP address to IPI category manually
Links to More Info: BT1082453
Component: Advanced Firewall Manager
Symptoms:
While adding IP addresses to IPI Category, dwbld can hang without giving a warning, and the IP addresses will not be added.
Conditions:
Adding and/or deleting multiple shun entries in parallel
Impact:
Dwbld will go in infinite loop and hang
Workaround:
bigstart restart dwbld
Fix:
Fixed all possible race and expectation condition
Fixed Versions:
17.1.1, 15.1.9
1081473-3 : GTM/DNS installations may observe the mcpd process crashing
Links to More Info: BT1081473
Component: Global Traffic Manager (DNS)
Symptoms:
1) The mcpd process may crash, potentially leading to failover/momentary traffic disruption