BIG-IP 17.5.1.4 Fixes and Known Issues

997169-4 : AFM rule not triggered

Links to More Info: BT997169

Component: Advanced Firewall Manager

Symptoms:
An AFM rule is not triggered when it should be.

Conditions:
-- Source and destination zone configured
-- A gateway pool is used in the route

Impact:
A firewall rule is not triggered and the default deny rule is used.

Workaround:
Alter the route to use an IP address and not a pool.

Fix:
Firewall rules are now triggered when gateway pools are used.

Fixed Versions:
21.0.0, 17.5.1, 17.1.2, 16.1.6, 15.1.4.1

993681-9 : CVE-2019-18282 Kernel: Device Tracking Vulnerability

Links to More Info: K32380005, BT993681

990173-8 : Dynconfd repeatedly sends the same mcp message to mcpd

Links to More Info: BT990173

Component: Local Traffic Manager

Symptoms:
If dynconfd sends a single message to mcpd containing two or more operations, and one of the operations fails mcpd validation, dynconfd repeatedly sends same message to mcpd.

An example of two operations in one mcp message would be an ephemeral node creation and an ephemeral pool member creation in a single mcp message.

Once one such message fails, dynconfd repeatedly attempts to resend the same message. In addition, at the next DNS query interval, dynconfd may create one or more new instances of such messages, which may each be retried if they fail. The result can cause an increasing accumulation of MCP messages sent by dynconfd which must be processed by mcpd.

Conditions:
This can occur when:

-- Using FQDN nodes and FQDN pool members.

-- There is an additional issue where the message from dynconfd fails validation within mcpd (e.g., a misconfiguration in which the monitor assigned to the pool is configured with a wildcard destination and the pool member is added to the pool with a port of '0' or 'any'.

Impact:
MCP messages from dynconfd which fail due to an error might cause the population of ephemeral nodes and pool members to fail and become out of sync with what the DNS server is resolving.

By repeatedly resending the same messages, which fail repeatedly, dynconfd causes increased mcpd CPU utilization.
Eventually, the load caused by processing an increasing accumulation of MCP messages may cause increasing and excessive memory usage by mcpd and a possible mcpd core, or may cause mcpd to become busy and unresponsive and be killed/restarted by SOD.

Workaround:
Examine the LTM logs for mcpd error messages indicating failed attempts to create ephemeral nodes or ephemeral pool members, and resolve the cause of the failed node or pool-member creation.

Fix:
Dynconfd no longer repeatedly resends MCP messages that have failed due to an error.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8

988589-11 : CVE-2019-25013 glibc vulnerability: buffer over-read in iconv

Links to More Info: K68251873, BT988589

987813-14 : CVE-2020-25643 kernel:improper input validation in the ppp_cp_parse_cr function

Links to More Info: K65234135, BT987813

985329-5 : Saving UCS takes longer and leaves temp files when iControl LX extension is installed

Links to More Info: BT985329

Component: Device Management

Symptoms:
The tmsh command 'save sys ucs' takes longer when iControl LX extensions is installed, and it may leave /shared/tmp/rpm-tmp* files.

You may see warnings that /var is full.

You may also see errors logged in /var/log/restjavad.0.log:

[WARNING][211][date and time UTC][8100/shared/iapp/build-package BuildRpmTaskCollectionWorker] Failed to execute the build command 'rpmbuild -bb --define '_tmppath /shared/tmp' --define 'main /var/config/rest/iapps/f5-service-discovery' --define '_topdir /var/config/rest/node/tmp' '/var/config/rest/node/tmp/ac891731-acb1-4832-b9f0-325e73ed1fd1.spec'', Threw:com.f5.rest.common.CommandExecuteException: Command execution process killed
        at com.f5.rest.common.ShellExecutor.finishExecution(ShellExecutor.java:281)
        at com.f5.rest.common.ShellExecutor.access$000(ShellExecutor.java:33)
        at com.f5.rest.common.ShellExecutor$1.onProcessFailed(ShellExecutor.java:320)
        at org.apache.commons.exec.DefaultExecutor$1.run(DefaultExecutor.java:203)
        at java.lang.Thread.run(Thread.java:748)


Errors logged in /var/log/ltm:

err iAppsLX_save_pre: Failed to get task response within timeout for: /shared/iapp/build-package/a1724a94-fb6b-4b3e-af46-bc982567df8f
err iAppsLX_save_pre: Failed to get getRPM build response within timeout for f5-service-discovery

Conditions:
iControl LX extensions (e.g., AS3, Telemetry) are installed on the BIG-IP system.

Impact:
Saving the UCS file takes a longer time (e.g., ~1-to-2 minutes) than it does if iControl LX extensions are not installed (e.g., ~40 seconds).

/shared/tmp directory is filled with rpm-tmp* files.

Workaround:
The fix of another ID 929213 introduced a new database key iapplxrpm.timeout (default 60 seconds), which allows the RPM build timeout value to be increased.

sys db iapplxrpm.timeout {
    default-value "60"
    scf-config "true"
    value "60"
    value-range "integer min:30 max:600"
}

For example:

tmsh modify sys db iapplxrpm.timeout value 300
tmsh restart sys service restjavad

Increasing the db key and restarting restjavad should not be traffic impacting.

Fix:
Temp files under /shared/tmp is now cleaned up correctly.

Fixed Versions:
17.5.1, 17.5.0, 17.1.2, 16.1.5, 15.1.10.8

981885-8 : CVE-2020-8285 curl: malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used

Links to More Info: K61186963

975605-11 : CVE-2018-1122 procps-ng, procps: Local privilege escalation in top

Links to More Info: K00409335, BT975605

966785-7 : Rate Shaping stops TCP retransmission

Links to More Info: BT966785

Component: Local Traffic Manager

Symptoms:
When rate shaping is applied to a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.

Conditions:
This issue occurs when both of the following conditions are met:

-- Virtual server configured with a rate shaping.
-- Standard type of virtual server.

Impact:
The BIG-IP system does not retransmit unacknowledged data segments.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1

965545-10 : CVE-2020-27617 : QEMU Vulnerability

Links to More Info: K41142448, BT965545

949509-11 : Eviction Policy UI Hardening

Links to More Info: K000151308, BT949509

945421-12 : CVE-2020-1968: Raccoon vulnerability

Links to More Info: K92451315, BT945421

944817-10 : Improper IP based access access restrictions via HTTPD

Component: TMOS

Symptoms:
Under certain conditions HTTPD IP based access restriction may work improperly.

Conditions:
When using HTTPD IP based access restriction.

Impact:
Improper restriction based on IP address

Fix:
IP Access restrictions for HTTPD now works properly

Behavior Change:
IP Access restrictions for HTTPD now works properly

Fixed Versions:
21.0.0, 17.5.1.4

937665-3 : Relaystate in SLO request results in two Relaystates in SLO Response

Links to More Info: BT937665

Component: Access Policy Manager

Symptoms:
When BIG-IP APM acts as the SAML IdP and receives a redirect binding single logout (SLO) request that contains a relaystate, the BIG-IP APM generates an SLO response that contains two relaystates.

Conditions:
-- BIG-IP APM configured as IdP
-- Redirect binding SLO request contains a relaystate

Impact:
SLO processing on SP may not work.

Workaround:
None.

Fixed Versions:
17.5.1.4

937433-10 : SCP vulnerability CVE-2020-15778

Links to More Info: K04305530, BT937433

936829-11 : TMUI Dashboard Hardening

Component: TMOS

Symptoms:
In certain scenarios, TMUI does not follow best security practices.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
Best security practices are now applied.

Fixed Versions:
21.0.0, 17.5.1.4

936713-9 : REST UI interface enhancements

Links to More Info: K90301300, BT936713

935769-8 : Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time★

Links to More Info: BT935769

Component: Advanced Firewall Manager

Symptoms:
Version upgrade takes more time than usual when the config contains address-lists with a lot of IP addresses. The same delay will be observed with 'tmsh load sys config' as well.

Conditions:
-- Configure address-list with 10K to 20K IP addresses or address ranges or subnets.
-- Configuration loading (e.g. Post upgrade, running tmsh load sys config, modification of the configuration and subsequent full load as in full config sync)

Impact:
Version upgrade / 'tmsh load sys config' process takes a long time than usual.

Workaround:
1) Convert continuous individual addresses in the address-lists to IP address ranges and subnets if possible.

2) Remove the huge address-lists from config before the upgrade and add back after the upgrade process is finished.

3) Upgrading to a release or EHF that contains the fix for 1209409. 1209409 does not eliminate the issue but it does reduce the time it takes to validate certain address lists.

Fixed Versions:
21.0.0, 17.5.1.2

935633-3 : VCMP guests or F5OS tenants may experience constant clusterd restart after host upgrade★

Links to More Info: BT935633

Component: TMOS

Symptoms:
Sometimes, when vCMP guests or F5OS tenants are started after the host has been upgraded, the guests or tenants may enter an unhealthy state due to clusterd constantly restarting.

Conditions:
-- vCMP guest or F5OS tenant has Mirroring IP configured.
-- vCMP guest or F5OS tenant is powered on after vCMP host upgrade.
-- vCMP guest or F5OS tenant is powered on and receives a new license file from the host during startup.

Impact:
-- This issue might prevent the guest or tenant from servicing traffic if the system fails to load the config and clusterd keeps restarting.
-- During startup of the guest or tenant, the following message is logged to /var/log/ltm:

 err mcpd[6519]: 0107146f:3: Self-device state mirroring address cannot reference the non-existent Self IP ([IP address]); Create it in the /Common folder first.

-- /var/log/ltm shows clusterd constantly restarting.
-- One or more slots are in INOPERATIVE state, while the host shows slots as RUN/Healthy.

Workaround:
-- To avoid the issue before it occurs:
1. Prior to shutting down vCMP guests or F5OS tenants before host upgrade, ensure guests or tenants have free space in the /var partition.
2. Ensure any license updates (e.g., reactivation) are applied before shutting down the vCMP guest or F5OS tenant.
3. Issue 'tmsh save sys config' on the vCMP guest or F5OS tenant.
4. Issue 'ls /var/db/mcp*' and confirm the presence of mcpdb.bin and mcpdb.info in the /var/db directory.
5. Proceed with vCMP guest or F5OS tenant shutdown and host upgrade as per standard F5 recommended process.


-- To mitigate after the issue has been experienced on a vCMP guest or F5OS tenant:
1. Set the vCMP guest or F5OS tenant to the Configured state and wait for it to complete transition to Configured.
2. Set vCMP guest or F5OS tenant to Deployed state.
3. Review startup logs and confirm 'Self-device state mirroring address cannot reference the non-existent Self IP' message is no longer present.
4. Review /var/log/ltm and confirm clusterd is no longer restarting.
5. If issue persists, delete and recreate the vCMP guest or F5OS tenant.

Fixed Versions:
17.5.1.4

932461-9 : Certificate update on the SSL profile server for the HTTPS monitor: BIG-IP does not use the updated certificate.

Links to More Info: BT932461

Component: Local Traffic Manager

Symptoms:
When you overwrite the certificate that is configured on the SSL profile server and is used with the HTTPS monitor, the BIG-IP system neither uses a client certificate nor continues to use the old certificate.

After you update the certificate, the stored certificate is incremented. However, the monitor log indicates that it is using the old certificate.

Conditions:
--Create a pool with an HTTPS pool member.
--Create an HTTPS monitor with a certificate and key.
--Assign the HTTPS monitor to the HTTPS pool.
--Update the certificate through GUI or TMSH.

Impact:
The monitor tries to use the old certificate or does not present a client certificate after the update.

Workaround:
Use one of the following workarounds:

-- Restart bigd:
bigstart restart bigd

-- Modify the server SSL profile certificate key. Set it to ‘none’, and switch back to the original certificate key name.

The bigd utility successfully loads the new certificate file.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3

930625-6 : TMM crash is seen due to double free in SAML flow

Links to More Info: BT930625

Component: Access Policy Manager

Symptoms:
When this issue occurs the TMM will crash

Conditions:
Exact reproduction steps are not known but it occurs during SAML transactions

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
N/A

Fixed Versions:
21.0.0, 17.5.1, 17.1.3

928905-11 : jQuery vulnerability CVE-2020-11022

Links to More Info: K02453220, BT928905

926917-4 : Portal Access: unwanted decoding html entities in attribute values of HTML tags

Links to More Info: BT926917

Component: Access Policy Manager

Symptoms:
HTML Entities in Attribute values in HTML tags are decoded when they shouldn't be.

Conditions:
Portal Access is enabled

Impact:
Unwanted Application errors

Workaround:
None

Fix:
HTML entities in attribute values of HTML tags are no longer decoded by Portal Access

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8

921525-7 : CVE-2020-1752: glibc vulnerability using glob

Links to More Info: K49921213, BT921525

912797-12 : NTP Vulnerability: CVE-2020-11868

Links to More Info: K44305703, BT912797

901989-10 : Corruption detected in /var/log/btmp

Links to More Info: BT901989

Component: TMOS

Symptoms:
The boot_marker is written to /var/log/btmp, but /var/log/btmp is a binary file.

A message similar to:

warning <process>[10901]: pam_lastlog(<process>:session): corruption detected in /var/log/btmp

... may be logged to /var/log/secure.

Conditions:
This issue is triggered following a reboot of the BIG-IP system. Subsequently, you may observe the log message appearing in relation to various administrative activities, such as logging in through the console or restarting the tomcat service.

Impact:
Since this file is unknowingly corrupt after each boot, any potential investigation needing this data may be compromised.

Workaround:
Option 1; After bootup you can truncate the file.
$ truncate --size 0 /var/log/btmp
This will remove any instances of failed logins from the file.

--or--

Option 2; this will stop boot_markers from logging to /var/log/btmp:
CAVEATS:
- If the system has FIPS enabled, do not use this workaround! Modifying this file will cause FIPS validation to fail the next time it runs, and the system will halt on next boot.
- This workaround will not persist on software upgrades.
- Familiarity with vi is required to perform this.

Backup:
cp /etc/sysconfig/sysinit/01bootlogmarker.sysinit /var/tmp/01bootlogmarker.sysinit.bak

Open in vi:
vi /etc/sysconfig/sysinit/01bootlogmarker.sysinit

Change the following line to include "btmp":
old: excludeFiles=( "lastlog" "wtmp" "tmm*tech.out" "*.json" )
new: excludeFiles=( "lastlog" "wtmp" "btmp" "tmm*tech.out" "*.json" )

Force save and quit with (required since file is RO):
:wq!

Truncate the "/var/log/btmp" file:
truncate --size 0 /var/log/btmp

Reboot

Fixed Versions:
17.5.1.4

901569-7 : Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.

Links to More Info: BT901569

Component: Local Traffic Manager

Symptoms:
Loopback traffic (local traffic) destined to a virtual server might get dropped when the incoming packet matches a terminating connection flow.

Conditions:
-- VLAN filter is enabled on the virtual server created for loopback traffic processing.
-- An incoming packet matches a terminating connection flow (i.e., the connection flow terminates because of timeout, being dropped by iRule, etc.).

Impact:
Traffic that is matched against a terminating connection flow of a virtual is not processed by the virtual server.

Workaround:
Because this filter is ignored for loopback traffic, removing the 'Enabled On VLAN' filter at the virtual server mitigates the issue.

Fixed Versions:
17.5.1.4

891333-6 : The HSB on BIG-IP platforms can get into a bad state resulting in packet corruption.

Links to More Info: K32545132, BT891333

Component: TMOS

Symptoms:
Networking connectivity issues, such as ARP resolution issues, high availability (HA) failures, health monitor instability, etc.

Packet captures with Wireshark or tshark can be used to show bit-errors/corruption in the network packet for traffic passing through the HSB. This corruption can occur in various parts of the packet such as the MAC address, EtherType, packet checksums, etc.

Conditions:
This can occur on BIG-IP hardware platforms containing a high-speed bridge (HSB).

Impact:
Network connectivity problems on some traffic passing through the affected HSB. Could be reflected in the status of Config Sync or more health monitors down on one member of HA pair.

Workaround:
Reboot the affected device.

If a reboot does not resolve the issue, then its most likely a hardware issue. Please work with Support on a RMA.

F5 has introduced a detection mechanism in newer versions of code. Please refer to the following document for more details: https://cdn.f5.com/product/bugtracker/ID1211513.html

Fix:
New FPGA firmware images are available for this issue.

Fixed Versions:
17.5.1

884801-12 : TMM may crash while processing ILX::call commands

Links to More Info: K44517780, BT884801

881065-8 : Adding port-list to Virtual Server changes the route domain to 0

Links to More Info: BT881065

Component: Local Traffic Manager

Symptoms:
When attaching the port-list to virtual server dest:port-list, the route domain of the virtual server is changed to the default value of 0, and the port-list is not correctly applied. This is encountered in the GUI but not in the CLI.

Conditions:
Using port-list along with virtual server in non default route domain using the GUI.

Impact:
You are unable to use the GUI to attach a port-list that uses a non-default route domain to a virtual server.

Workaround:
Use tmsh to attach a port-list to a virtual server if the port-list uses a non-default route domain.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8

874521-3 : OpenSSL vulnerability: CVE-2019-1551

Links to More Info: K43798238, BT874521

872109-12 : CVE-2019-17563: Tomcat Vulnerability

Links to More Info: K24551552, BT872109

867253-7 : Systemd not deleting user journals

Links to More Info: BT867253

Component: TMOS

Symptoms:
When setting 'SystemMaxUse' to any value, systemd does not honor this limit, and the specified size is exceeded.

Conditions:
Using a non-TMOS user account with external authentication permission.

Note: Systemd-journald is configured to create a user journal for every remote user that logs into the BIG-IP system.

Impact:
Journald filling up the file system. These journals are allocated with a minimum size of 4MiB and are not removed when the log entries age-out.

Workaround:
Option 1:
To immediately free up space, manually remove per-user journal logs from the following location:
  /var/log/journal/*/user-*

Option 2:
To prevent the system from creating these journal files going forward:

1. Edit /etc/systemd/journald.conf and add the following at the bottom of the file:
  SplitMode=none

2. Restart systemd-journal service
  # systemctl restart systemd-journald

3. Delete the existing user journal files from /var/log
  # rm /var/log/journal/*/user-*

Note:
-- You must apply this workaround separately to each blade of a VIPRION or vCMP guest running on a VIPRION.
-- You must reapply this workaround after performing software installations.

Fixed Versions:
21.0.0, 17.5.1

857973-1 : GUI sets FQDN Pool Member "Auto Populate" value Enabled by default

Links to More Info: BT857973

Component: Local Traffic Manager

Symptoms:
In the GUI, the "autopopulate" value is Enabled by default when creating an FQDN template Pool Member, but Disabled by default when creating an FQDN template Node.

Conditions:
This is observed when using FQDN names to configure Pool Members and/or Nodes in the GUI.

Impact:
Differing default "autopopulate" values displayed in the GUI are confusing.
The "autopopulate" value for an FQDN Pool Member cannot be set to "enabled" if the "autopopulate" value of the corresponding FQDN Node is set to the default value of "disabled".
Attempting to do so via tmsh will generate an error similar to:
01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (<fqdn node name>) has autopopulate set to disabled

Workaround:
Be careful to select the appropriate option for the "Auto Populate" parameter when configuring FQDN Pool Members using the GUI.

Fixed Versions:
17.5.1.4

857045-6 : LDAP system authentication may stop working

Links to More Info: BT857045

Component: TMOS

Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.

In /var/log/daemon.log, you may see the following:

warning systemd[1]: nslcd.service failed

Conditions:
Nslcd daemon crashed, and it fails to restart.

Impact:
System authentication stops working until nslcd is restarted.

Workaround:
Manually restart nslcd daemon:

systemctl start nslcd



nslcd can be reconfigured to restart automatically and create core files when it crashes, though these changes will be lost across software installs (and is not backed up as part of a UCS archive):

1. Run "systemctl edit nslcd", which will open a text editor (by default, nano).

2. In the text editor, add these contents:

[Service]

# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always

3. Exit the text editor and save the file

4. Check the output of "systemctl status nslcd" for any warnings/errors from systemd as a result of editing the file; there should not be any.

5. Restart nslcd:
   systemctl restart nslcd

Fixed Versions:
21.0.0, 17.5.1, 16.1.5

832153 : Crash due to incorrect format specifiers is fixed.

Links to More Info: BT832153

Component: Local Traffic Manager

Symptoms:
TMM crashes

Conditions:
This is handled internally in the code. Currently, the scenario is not possible, and the existing logic ensures that this issue is not triggered.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Corrected the format specifiers in the affected log statement to align with the actual data types being passed. This fix prevents potential TMM crashes.

Fixed Versions:
17.5.1.3

811829-3 : BIG-IP as Authorization server: OAuth Report GUI display expired token as active

Links to More Info: BT811829

Component: Access Policy Manager

Symptoms:
Expired tokens status is shown as ACTIVE in the GUI whereas it is shown AS EXPIRED in the CLI via tmsh list apm oauth token-details

Conditions:
-- Access tokens/Refresh tokens should be expired

Impact:
Misleading information regarding the token status

Workaround:
Uuse 'tmsh list apm oauth token-details' but this shows only the first 100 tokens

Fix:
Made GUI changes to match the tmsh functionality

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8

798889-3 : CVE-2018-20836 kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free

Links to More Info: K11225249, BT798889

795993-13 : vim vulnerability: CVE-2019-12735

Links to More Info: K93144355, BT795993

785209-6 : CVE-2019-9074 binutils: out-of-bound read in function bfd_getl32

Links to More Info: K09092524, BT785209

783077-4 : IPv6 host defined via static route unreachable after BIG-IP reboot

Links to More Info: BT783077

Component: Local Traffic Manager

Symptoms:
Static route unreachable after BIG-IP system reboot.

Conditions:
-- Add a static route.
-- Issue a ping (works fine).
-- Reboot the BIG-IP system.
-- Issue a ping (cannot pint the route).

Impact:
Static route exists in both kernel and LTM routing table but unable to ping the route after rebooting the BIG-IP system.

Workaround:
Workaround-1:
Delete the IPv6 route entry and recreate the route by issuing the following commands in sequence:

tmsh delete net route IPv6
tmsh create net route IPv6 network 2a05:d01c:959:8408::b/128 gw fe80::250:56ff:fe86:2065 interface internal

Workaround-2:

net route /Common/IPv6 {
    gw fe80::456:54ff:fea1:ee02 <-- Change this address to unicast address from 2a05:d01c:959:8409::/64 network
    interface /Common/Internal
    mtu 1500
    network 2a05:d01c:959:8408::b/128
}

Fixed Versions:
17.5.1.4

765053-11 : OpenSSL vulnerability CVE-2019-1559

Links to More Info: K18549143, BT765053

761853-2 : Send HOST header in OCSP responder request

Component: TMOS

Symptoms:
As per the Digicert documentation, the OCSP/CRL connections require either HTTP1.1 or HTTP1.0 with host header. (Digicert).
LTM uses HTTP1.1 without the host header in OCSP responder request

Conditions:
OCSP and CRL Authentication uses HTTP1.0 for OCSP responder requests

Impact:
OCSP in the current BIG-IP relies on OpenSSL for its operations and current version of OpenSSL that is available in BIG-IP is 1.0.2za
OpenSSL 1.0.2 is only capable of generating HTTP/1.0 requests for OCSP and CRL fetches; it does not support HTTP/1.1.
This limitation prevents clients from communicating with OCSP/CRL endpoints that require HTTP/1.1, resulting in failures for revocation checks in environments where modern protocols are mandated.

Workaround:
Add either of these iRules to the Virtual Server

Modify HTTP 1.0 to HTTP1.1

when HTTP_REQUEST {
    HTTP::version "1.1"
}

Add Host header
 
when HTTP_REQUEST {
    HTTP::host "[HTTP::host]”
}

Fix:
Support for HTTP1.1 is added. The OCSP requests for auth should now use HTTP1.1 version

Fixed Versions:
17.5.1.4

760895-13 : CVE-2009-5155 glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result

Links to More Info: K64119434, BT760895

753498-6 : CVE-2018-16869: Nettle vulnerability

Links to More Info: K45616155, BT753498

740258-2 : Support IPv6 connections to TACACS+ remote auth servers

Links to More Info: BT740258

Component: TMOS

Symptoms:
Pam_tacplus package 1.2.9 does not support IPv6 connections to TACACS+ remote auth server

Conditions:
IPv6 connections to TACACS+ remote auth server in system-auth methods

Impact:
On a pure IPv6 network, or a network where their TACACS server is only reachable via IPv6, will not be able to use TACACS for system-auth

Workaround:
None

Fix:
NA

Fixed Versions:
21.0.0, 17.5.1

714238-13 : CVE-2018-1301: Apache Vulnerability

Links to More Info: K78131906

685626-12 : iControl REST improper sanitisation of data

Component: TMOS

Symptoms:
A few values are not properly being sanitised by iControl REST.

Conditions:
When using iControl REST APIs

Impact:
Improper sanitisation of data

Workaround:
Limit access to management and self-ips to trusted networks and users to limit the exposure.

Fix:
iControl REST is now properly sanitising data.

Fixed Versions:
21.0.0, 17.5.1.4

659579-8 : Timestamps in icrd, restjavad, and restnoded logs are not synchronized with the system time

Links to More Info: BT659579

Component: TMOS

Symptoms:
Logs on icrd, restnoded, and restjavad are in the UTC time zone and are not aligned to the system time, which makes it difficult to determine the time during troubleshooting operations.

Conditions:
Checking the icrd, restnoded, and restjavad logs timestamps.

Impact:
Difficult to troubleshoot as the logs are not aligned with system time.

Workaround:
None

Fixed Versions:
17.5.1.4

648946-4 : Oauth server is not registered in the map for HA addresses

Links to More Info: BT648946

Component: Access Policy Manager

Symptoms:
The same loopback address is assigned to two listeners.

Conditions:
-- AAA Servers with pool.
-- OAuth Server.

Impact:
Traffic issues due loopback address that is assigned to OAuth Server, can be assigned to some other AAA Server that also uses pool.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1

641662-1 : Always connected exclusion list does not support more than 10 entries.

Links to More Info: BT641662

Component: Access Policy Manager

Symptoms:
In locked client mode, APM provides a way to configure destinations that can still be reached by client, even in locked client mode. Number of entries is limited to 10.

Conditions:
Locked client mode is enabled

Impact:
More than 10 exclusions cannot be added

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1

634576-6 : TMM core in per-request policy

Links to More Info: K48181045, BT634576

Component: Access Policy Manager

Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.

Conditions:
APM or SWG per-request policy with reject ending.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when per-request policy encounters reject ending.

Fixed Versions:
21.0.0, 17.5.1, 16.1.5, 13.1.0

608745-3 : Send HOST header in OCSP responder request

Links to More Info: BT608745

Component: Access Policy Manager

Symptoms:
HOST header not sent in OCSP responder request. APM OCSP responder object uses HTTP/1.0 to send a request to the OCSP responder and HTTP/1.0 does not have a host header.

Conditions:
OCSP configuration

Impact:
APM receives an invalid response because the OCSP Server didn't know which site to send the request to due to no HOST header.

Workaround:
Create a layer virtual server listening on the IP of the ocsp server and having an irule insert the host header.
ltm rule ocsp_insert_http_host {
    when HTTP_REQUEST {
        HTTP::header insert Host <e.g. IP address>
    }
}

Fix:
HOST header added in OCSP responder request for HTTP/1.1.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1

578989-15 : Maximum request body size is limited to 25 MB

Component: Access Policy Manager

Symptoms:
When a POST request with body size exceeds 25 MB is sent to APM virtual server, the request fails.

Conditions:
POST request body size exceeded 25 MB.

Impact:
The POST request fails. The maximum request body size is limited to 25 MB

Workaround:
There is no workaround at this time.

Behavior Change:
Request body size is increased.

Fixed Versions:
17.5.1.4

566995-6 : bgpd might crash in rare circumstances.

Links to More Info: BT566995

Component: TMOS

Symptoms:
Under unspecified conditions and in rare cases, bgpd might crash. Although bgpd restarts right away, routing table might be impacted.

Conditions:
The conditions under which this occurs are not known.

Impact:
This might impact routing table and reachability.

Workaround:
None known.

Fixed Versions:
17.5.1.4

551462-6 : CVE-2014-9730 - Linux Kernel UDF Filesystem Denial of Service Vulnerability

Links to More Info: K17447

528314-4 : Generating new default certificate and key pairs for BIG-IP ssl profiles via CLI will not be reflected in GUI or in tmsh

Links to More Info: K16816, BT528314

Component: TMOS

Symptoms:
Using the CLI to generate new default certificate and key pairs for BIG-IP ssl profiles are not reflected in the GUI or tmsh.

Conditions:
Using OpenSSL commands to generate a new default certificate and key pair, as described in SOL13579: Generating new default certificate and key pairs for BIG-IP ssl profiles, available here: https://support.f5.com/kb/en-us/solutions/public/13000/500/sol13579.html.

Impact:
After the renewal, tmsh list sys file ssl-cert default.crt command or the general properties in the GUI SSL Cert List shows the old one. This is a cosmetic issue only. The system uses the new default.

Workaround:
Perform a force reload of mcpd by running the following commands: -- touch /service/mcpd/forceload. -- tmsh restart sys service mcpd.

Fix:
After renewing certificates with OpenSSL, you can now use the simpler command "tmsh install sys crypto cert default.crt from-local-file /config/ssl/ssl.crt/default.crt" and the new certificate is immediately reflected in tmsh list and the GUI. Alternatively, "tmsh load sys config" also now properly recognizes the renewed certificate. No manual mcpd restart is required with either method.

Fixed Versions:
17.5.1.4

485387-2 : EncryptedAssertion may not be processed by BIG-IP as SP when EncryptedKey element is specified by RetrievalMethod Element by external IdP.

Links to More Info: BT485387

Component: Access Policy Manager

Symptoms:
An encrypted assertion from an external SAML Identity Provider (IdP) can contain the RetrievalMethod element to specify a link to the EncryptedKey element. The EncryptedKey element contains the key for decrypting the CipherData associated with an EncryptedData element.

BIG-IP configured as a Service Provider (SP) does not support the RetrievalMethod element while processing an encrypted assertion. As a result, the assertion is not processed properly, and error messages are printed to the log files: "Cannot decrypt SAML Assertion" and "failed to process encrypted assertion, error: Cipher value from EncryptedKey element not found".

Conditions:
External IdP uses RetrievalMethod to specify EncryptedKey element.

BIG-IP is configured as SP. BIG-IP requires received assertions to be encrypted.

Impact:
Authentication will fail due to inability to process assertion.

Workaround:
To work around the problem, reconfigure IdP to use embedded EncryptedKey instead of using RetrievalMethod.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3

2198781 : BIG-IP high availability (HA) systems may experience an unexpected active-active state after an upgrade

Component: Local Traffic Manager

Symptoms:
Multiple HA devices become active and attempt to process traffic.

A traffic group may report "Initializing / Not Synced" while the device group reports that it is in sync.

Conditions:
This has been observed after a new installation or an upgrade.

Impact:
Multiple devices in a traffic group become active and attempt to process traffic. Devices remain in active active state.

Workaround:
To work around this issue, you can reboot or restart the sod process on the affected system.

To restart sod, perform the following procedure:

Impact of workaround: Restarting the sod process after an upgrade or reboot clears the condition. The following procedure will disrupt traffic processing and should only be performed during a maintenance window.


Log in to the BIG-IP command line.

From the terminal while logged in as root:
bigstart restart sod

Or from tmsh while logged in as admin:
restart sys service sod

Fixed Versions:
17.5.1.4

2197173-2 : Insufficient sanitization in SNMP configuration

Component: TMOS

Symptoms:
SNMP configuration is not sanitizing input properly.

Conditions:
NA

Impact:
It can lead to unexpected behaviour.

Workaround:
Restrict SNMP access to localhost.

Fix:
SNMP configuration is now properly sanitizing the inputs.

Fixed Versions:
17.5.1.4

2187529-1 : CVE-2025-12818: postgresql: libpq undersizes allocations, via integer wraparound

Component: TMOS

Symptoms:
A vulnerability has been identified in PostgreSQL’s libpq client library, where integer wraparound in several allocation-size calculations allows a peer or input provider to cause an undersized buffer and then write out-of-bounds by hundreds of megabytes. This can lead to a client application segmentation fault or crash when using libpq to connect to a PostgreSQL server.

Conditions:
A client application using a vulnerable libpq version connects to a malicious or compromised PostgreSQL server that sends crafted responses triggering integer wraparound during memory allocation.

Impact:
It can cause out-of-bounds memory writes, leading to a client application crash or segmentation fault (denial of service).

Workaround:
Upgrade to a patched libpq/PostgreSQL client version and avoid connecting to untrusted or compromised PostgreSQL servers.

Fix:
Upgrade to a patched libpq/PostgreSQL client version and avoid connections to untrusted or compromised PostgreSQL servers.

Fixed Versions:
17.5.1.4

2186897-2 : TMM core SIGSEVG upon replacing L7 DOS policy

Links to More Info: BT2186897

Component: Anomaly Detection Services

Symptoms:
On rare cases of expired connection, tmm can crash.

Conditions:
BADOS L7 configured
Replacing DOS policy under traffic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM does not crash upon replacing L7 DOS policy.

Fixed Versions:
17.5.1.4

2186153-4 : CVE-2025-8194 cpython: Cpython infinite loop when parsing a tarfile

Component: TMOS

Symptoms:
A flaw was found in the Python tarfile module. Processing a specially crafted tar archive, specifically an archive with negative offsets, can cause an infinite loop and deadlock. This issue results in a denial of service in the Python application using the tarfile module.

Conditions:
The application uses the Python tarfile module to process an attacker-supplied malicious tar archive containing negative offsets.

Impact:
It can cause an infinite loop leading to application hang or denial of service.

Workaround:
Update to a patched Python version and avoid processing untrusted tar archives, or validate archives before extraction

Fix:
Upgrade to a Python version that includes the tarfile module fix for this issue.

Fixed Versions:
17.5.1.4

2183705-2 : Improper access control on SMTP

Component: Application Visibility and Reporting

Symptoms:
Security best practices are not being followed for SMTP in BIGIP.

Conditions:
NA

Impact:
Unexpected behaviour

Fix:
Security best practices are being followed.

Fixed Versions:
17.5.1.4

2183353-1 : TMM Intel E810 VF driver updates the link state with 1 second delay

Links to More Info: BT2183353

Component: Local Traffic Manager

Symptoms:
TMM gets the old link state from the driver level. It leads to 1 second delay for the link state change.
The problem may also create link flapping messages in /var/log/ltm for the same interface in some conditions:
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.8 is UP
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.2 is UP
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.8 is DOWN
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.2 is DOWN
Sep 17 15:02:22 notice mcpd[7553]: 01b5004a:5: Link: 1.8 is UP

Conditions:
- The interface link state is changed.
- Multiple VFs of the same physical interface are attached to BIG-IP VE.

Impact:
Link state is updated with a delay.

Workaround:
None

Fix:
TMM correctly get the link state from the driver layer.

Fixed Versions:
17.5.1.4

2172069-2 : GTM topology regions updates do not take effect within tmm

Links to More Info: BT2172069

Component: Global Traffic Manager (DNS)

Symptoms:
GTM topology regions updates do not take effect within tmm

Conditions:
Modifications made to gtm topology regions do not take effect when only one client is sending queries. Note that this issue is tmm-thread specific, meaning one or more tmm threads can get into this state, as long as DNS queries keep hitting the same tmm thread(s), coming from the same source IP address(es)

This is a very unlikely scenario in most production environments, and is likely to only be seen during lab testing with client traffic from one or few IP addresses.

Impact:
GTM not answering with latest GTM topology region updates.

Workaround:
Restart tmm, or perform the DNS lookup from a different client IP address (not the same address that the affected tmm thread previously processed a topology-based DNS query from)

Fixed Versions:
17.5.1.4

2163321-1 : Broken Address List hyperlink in the destination field of Virtual Server list

Links to More Info: BT2163321

Component: TMOS

Symptoms:
Clicking on the Address List hyperlink in the destination field of Virtual Server list directs the user to a Create new address list page instead of the expected address list page

Conditions:
1) A Virtual Server is set up with an address list
2) User clicks on the address list hyperlink in the Virtual Server list

Impact:
Hyperlink takes you to the wrong page.

Workaround:
None

Fixed Versions:
17.5.1.4

2162905-1 : AFM GUI does not display Port List members in Properties panel

Links to More Info: BT2162905

Component: Advanced Firewall Manager

Symptoms:
AFM GUI fails to display port-list members in the Properties pane

Conditions:
Occurs when viewing any Port List object in the AFM Policy Editor GUI

Impact:
Administrators cannot visually verify port-list contents in the GUI

Workaround:
Tmsh list security firewall port-list <port_list_name>

Fixed Versions:
17.5.1.4

2162849 : Removing the active controller does not trigger an immediate tenant failover

Links to More Info: BT2162849

Component: TMOS

Symptoms:
On a setup where BIG-IP tenant is active for a traffic group and is running on a VELOS chassis, and HA score configured with a weightage for F5OS_INTERNAL_TRUNK , pullinf out the active controller does not trigger an immediate failover

Conditions:
1)Tenant is active for a traffic group and is running on a controller that is active for the partition on which the tenant is running
2) Active system controller is removed or powered off using AOM

Impact:
Tenant failover is delayed upto 4min when an active controller of the active tenant is pulled out .

Workaround:
None

Fixed Versions:
17.5.1.4

2162705-1 : Tmm restarting on multi-NUMA AWS instances with ENA interfaces★

Links to More Info: BT2162705

Component: Local Traffic Manager

Symptoms:
Tmm is in the restart loop because dpdk driver is failing to attach with the error message in tmm log:

notice dpdk: [0000:00:06.0]: Multiple NUMA nodes usage is unsupported.

Conditions:
- BIG-IP VE large instance deployed on AWS cloud.
- NUMA node count more than 1 (check "lscpu | grep NUMA").

Impact:
Unable to use dpdk driver on some large AWS instances.

Workaround:
Switch to sock driver: https://my.f5.com/manage/s/article/K10142141

Fix:
DPDK correctly initializes the memory on multi-NUMA AWS instances.

Fixed Versions:
17.5.1.4

2162589-2 : BD crash with a specific configuration

Component: Application Security Manager

Symptoms:
BD daemon crash and restart

Conditions:
Navigation parameter is configured

Impact:
traffic disturbance, failover.

Workaround:
Remove navigation parameter from the configuration.

Fix:
BD working properly.

Fixed Versions:
17.5.1.4

2162189-2 : "Live Update" reinstalls the genesis ASU file, while the latest ASU file is installed manually★

Links to More Info: BT2162189

Component: Application Security Manager

Symptoms:
When operating in automatic mode, Live Update installs the genesis Automatic Signature Update (ASU) file instead of the manually installed latest ASU file.

Conditions:
Live Update is operating in automatic mode, there are only 2 installations in ASU files installations list, one is genesis file and another is latest ASU file that was published on ESDM.

Impact:
BIG-IP will not install the latest signatures.

Workaround:
Live Update should be switched to manual mode. The latest ASU file should be installed manually again instead of the genesis ASU file. When the newer ASU file is available on ESDM, do not install it manually, but switch Live Update to automatic mode again.

Fixed Versions:
17.5.1.4

2161077 : Bot profile properties page does not load when there are large number of SSL certs (> 1000)

Links to More Info: BT2161077

Component: TMOS

Symptoms:
When a large number of SSL certs are present, the Bot Defense profile properties page (Security > Bot Defense > Bot Profile Properties) does not load correctly

Conditions:
- ASM is provisioned
- SSL cert count > 1000

Impact:
Bot Defense profile properties page does not load

Workaround:
Use tmsh to manage the Bot profiles.

Fix:
Increase restjavad memory to 1.3GB after applying the fix and restart restjavad

> tmsh modify sys db provision.restjavad.extramb value 1280
> bigstart restart restjavad

Fixed Versions:
17.5.1.4

2153893-2 : With DNS64 configured, resolution aborts early on the first error response without trying other name servers.

Links to More Info: BT2153893

Component: Global Traffic Manager (DNS)

Symptoms:
When multiple name servers for a zone are known, as soon as one name server responds with an error rcode, resolution is aborted and other name server are not tried.

Conditions:
-- DNS64 is configured.
-- More than one name server is configured for a zone.
-- One name server responds with an error rcode.

Impact:
DNS resolution will intermittently fail. DNS resolution will succeed only if the cache randomly selects a working name server to contact first.

Workaround:
Disable DNS64.

Fixed Versions:
17.5.1.4

2152877-2 : Exclude /opt/CrowdStrike directory from Integrity Test

Component: TMOS

Symptoms:
CrowdStrike directory needs to be excluded from Integrity Test

Conditions:
CrowdStrike directory not present in Integrity Test exception list

Impact:
System integrity fails after Crowdstrike installation via falcon sensor

Workaround:
None

Fix:
CrowdStrike directory added Integrity Test exclusion

Fixed Versions:
17.5.1.4

2152785-2 : TMM may crash under certain conditions.

Component: Local Traffic Manager

Symptoms:
TMM crashes when HTTP/2 traffic

Conditions:
When HTTP/2 profile is configured on TMM.

Impact:
Traffic is disrupted

Workaround:
Add http router to the virtual, converting to HTTP/2 Full Proxy mode from HTTP/2 Gateway mode.

Fix:
TMM handling HTTP/2 traffic properly

Fixed Versions:
17.5.1.4

2152689-1 : ASM GUI "Failed to load requests" pop-up

Links to More Info: BT2152689

Component: Application Security Manager

Symptoms:
A "Failed to load requests" pop-up appears on the page.

REST framework responds with:
{"code":400,"message":"A valid filename must be supplied"}
This is visible in the log of the web browser's interaction with the BIG-IP UI (.har file).

Conditions:
A user with username that contains a slash i.e. "my＼name"
clicking
on Security -> Event Logs -> Application -> Requests
or Security -> Event Logs -> Bot Defense -> Bot Requests

Impact:
Can't view request details

Workaround:
Do not use '/' in the username

Fixed Versions:
17.5.1.4

2152445-2 : "Live Update" API is unresponsive after upgrade and recover only after tomcat restart★

Links to More Info: BT2152445

Component: Application Security Manager

Symptoms:
After upgrading BIG-IP, the Live Update GUI displays an empty installation list. Errors are logged in the Tomcat log file. When attempting to refresh the Live Update page, additional errors appear in the Live Update log file.

Conditions:
"Live Update" has very long list of installations of ASU files.

Impact:
After the upgrade, BIG-IP retains the latest signatures that were present before the upgrade. The Live Update feature becomes non-functional until it is restarted.

Workaround:
Before upgrading, shorten ASU file installations by removing old entries. This helps prevent issues. If a problem occurs, restart the Live Update system.

Fixed Versions:
17.5.1.4

2152301 : After upgrading from version 17.1.2 to 17.5.1.3, the guest-role user is unable to run the command show running-config in TMSH.★

Links to More Info: BT2152301

Component: TMOS

Symptoms:
Guest-role user is unable to run the command show running-config in TMSH.
Executing this command from TMSH results in an error:

"Unexpected Error: Can't display all items, can't get object count from mcpd"

MCPD throws error:

result_message "01070823:3: Read Access Denied: user (myguest) type (HPKE Key)"

Conditions:
Except for all these 4 user roles, all the other user roles (operator, cert manager, app editor...etc) hit the same error.

- admin
- resource-admin
- log-manager
- auditor

Impact:
Unable to show the running config, or use list or list sys commands.

Workaround:
Login with an account with admin access.

Fixed Versions:
17.5.1.4

2152269-2 : Low reputation URIs are found in the URL DB binary

Links to More Info: BT2152269

Component: Traffic Classification Engine

Symptoms:
Publishing BIG-IQ image to Azure cloud is blocked due to malware scan detecting these low reputed URLs.

Conditions:
When uploading the image on Azure Cloud and these low reputed URLs are detected in malware scanners.

Impact:
No impact on the functionality

Workaround:
None.

Fix:
Low reputation URIs such as che168, cssplay, newliveplayer, tinypic.info referring test code are removed from the product.

Fixed Versions:
21.0.0, 17.5.1.4

2150525-2 : Improvements in iControl SOAP

Component: TMOS

Symptoms:
Security best practices were not being followed in iControl SOAP.

Conditions:
NA

Impact:
Can lead to unexpected behaviour.

Workaround:
NA

Fix:
iControl SOAP now has security best practices.

Fixed Versions:
17.5.1.4

2150489-4 : Most DB keys encrypted by SecureVault master key are not persisted to BigDB.dat when the system master key is changed.

Links to More Info: BT2150489

Component: TMOS

Symptoms:
After restarting mcpd, mcpd is stuck in a restart loop.

Conditions:
-- You set a DB variable that's encrypted ( proxy.password, configsync.password)
-- Change the SecureVault master key and save the configuration

Impact:
BIG-IP is in inoperative state , MCPD in a restart loop

Workaround:
If a system is affected by this issue, set the DB key back to its default value. Once the configuration is loaded, set the DB key back to the correct value:

   - tmsh modify /sys db config.auditing.forward.sharedsecret value '<null>'


After changing the SecureValue master key but before encountering the issue, run the following command to update the value of the DB key on-disk:

    setdb config.auditing.forward.sharedsecret "$(getdb config.auditing.forward.sharedsecret)"

Fixed Versions:
17.5.1.4

2149233-2 : TMM crashes when using SSL

Component: Local Traffic Manager

Symptoms:
Under certain SSL condition, TMM crashes.

Conditions:
When SSL is configured

Impact:
Traffic is disrupted.

Fix:
TMM working properly now.

Fixed Versions:
17.5.1.4

2144497-3 : Mellanox driver timeouts and packet drops on Azure instances with high NIC count

Links to More Info: BT2144497

Component: TMOS

Symptoms:
On Azure instances with high interface count (6 or more) Mellanox linux kernel driver mlx5_core may fail to initialize the interface or attach it very slow. Another symptom of this problem: packets drops because of timeouts in Mellanox device queue processing.
mlx_core will report multiple errors in the kernel logs (run "dmesg | grep mlx5_core" to display it).

Conditions:
- BIG-IP VE instance deployed in Azure with 6 or more interfaces
- Accelerated networking is enabled

Impact:
- Azure instance starting time may be significant
- SSH access may be unavailable
- Packets drops on dataplane Mellanox interfaces

Workaround:
None

Fix:
Device interrupts are assigned on correct vCPUs in Azure/HyperV environments to prevent Mellanox device timeouts.

Fixed Versions:
17.5.1.4

2144445-2 : Insufficient sanitization in TMSH

Component: TMOS

Symptoms:
TMSH is not sanitizing input properly

Conditions:
NA

Impact:
Can cause unexpected behaviour in TMSH

Fix:
TMSH is now properly sanitizing the input.

Fixed Versions:
17.5.1.4

2144389-2 : CVE-2025-40780 BIND vulnerability

Links to More Info: K000157948, BT2144389

2144353-1 : BIND upgrade to stable version 9.18.41

Links to More Info: BT2144353

Component: Global Traffic Manager (DNS)

Symptoms:
BIND upgrade to stable version 9.18.41.

Conditions:
Using local BIND.

Impact:
BIND upgrade to stable version 9.18.41.

Workaround:
None.

Fix:
BIND upgrade to stable version 9.18.41.

Fixed Versions:
17.5.1.4

2143165-1 : Oauth tokens are not shown in UI

Component: Access Policy Manager

Symptoms:
Oauth tokens are not shown in UI

Conditions:
Access >> Overview >> OAuth Reports >> Tokens

Impact:
Oauth tokens are not visible

Workaround:
Use tmsh to see the Oauth Tokens:
"tmsh list / apm oauth token-details db-instance oauthdb"

Fixed Versions:
17.5.1.4

2143101-2 : SNMP Malfunctioning for IPI BL: Incorrect Statistics Reported

Links to More Info: BT2143101

Component: Advanced Firewall Manager

Symptoms:
The statistics counters retrieved via SNMP and tmctl do not reflect any increments for the corresponding blacklist category, despite packets being dropped and logged as expected.

Conditions:
Blacklist categories populated dynamically via feed lists or automatic updates.

Impact:
Inaccurate stats due to missing statistics.

Workaround:
None.

Fix:
When an IP address is dynamically blacklisted by IP Intelligence (IPI), packets from that source are dropped and logged as expected. The statistics counters for the relevant blacklist category viewed via SNMP or tmctl are also incremented.

Fixed Versions:
17.5.1.4

2141337-1 : Auto-upgrade of the BIG-IP APM Edge Client does not upgrade the MachineTunnel Service on Windows systems★

Component: Access Policy Manager

Symptoms:
When a new version of the MachineTunnel Service is available, the updated BIG-IP APM Edge Client package must be installed.

Conditions:
A new version of the MachineTunnel Service is available for Windows systems.

Impact:
Run the updated BIG-IP APM Edge Client installer package to upgrade the MachineTunnel Service.

Workaround:
Manually install the newest version of the BIG-IP APM Edge Client.

Fix:
The MachineTunnel Service automatically upgrades via the BIG-IP APM Edge Client on Windows systems.

Fixed Versions:
17.5.1.4

2141245-2 : Undisclosed traffic to TMM can lead to resource exhaustion

Component: Global Traffic Manager (DNS)

Symptoms:
Certain traffic sent to TMM is leading to resource exhaustion.

Conditions:
Undisclosed conditions

Impact:
TMM Resource exhaustion

Fix:
DNS LDNS API correction.

Fixed Versions:
17.5.1.4

2140905-2 : System Integrity Test on VE is halting the whole system in FIPS mode

Links to More Info: BT2140905

Component: TMOS

Symptoms:
System Integrity Test on VE halts the whole system in FIPS mode

Conditions:
-- BIG-IP Virtual Edition
-- FIPS Mode enabled
-- Falcon sensor installed

Impact:
System integrity test fails and the system will not boot.

Workaround:
None

Fix:
System Integrity Test on VE will stop tmm in FIPS mode now and user can bigstart tmm start.

Fixed Versions:
17.5.1.4

2140621-1 : CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling

Links to More Info: K000157317, BT2140621

2139901-1 : Server-ssl profile "do-not-remove-without-replacement" is recreated

Links to More Info: BT2139901

Component: Application Security Manager

Symptoms:
A required profile for a deprecated service is recreated on restart, but not saved to bigip.conf

Conditions:
The "do-not-remove-without-replacement" profile is deleted and the bewaf daemon is restarted

Impact:
The profile is recreated, but not saved to bigip.conf without another user action.

Workaround:
"tmsh save sys config" can be run to save the active config to bigip.conf

Fixed Versions:
17.5.1.4

2137977-1 : Clicking on a policy in a virtual server's resource page navigates to the full policy list, instead of the specific policy★

Links to More Info: BT2137977

Component: TMOS

Symptoms:
The hyperlink for the policy on virtual server's resource page navigates to the incorrect location.

Conditions:
Virtual server with an ltm policy attached.

Impact:
The hyperlink navigates to the full policy list, so the specific policy would still need to be found in the full list to navigate to it.

Workaround:
None

Fixed Versions:
17.5.1.4

2137773-1 : Table content in FPS/DataSafe webUI page not shown correctly★

Links to More Info: BT2137773

Component: Application Security Manager

Symptoms:
When the user navigates either to
Security ›› Fraud Protection Service : Anti-Fraud Profiles
or
Security ›› Data Protection : BIG-IP DataSafe

The table content is not shown.

Conditions:
Navigate to
Security ›› Fraud Protection Service : Anti-Fraud Profiles
or
Security ›› Data Protection : BIG-IP DataSafe

Impact:
User cannot see or access the profile contents via GUI.

Workaround:
None

Fix:
User can see the profiles table.

Fixed Versions:
21.0.0, 17.5.1.4

2137653-1 : Unable to upload files that contain a colon in the filename★

Links to More Info: BT2137653

Component: TMOS

Symptoms:
You are unable to upload files where the filename contains a colon.
The BIG-IP returns a 400 HTTP error with the following error message: "A valid filename must be supplied".

Conditions:
Trying to upload a file to the BIG-IP where the filename uses one or more colons.

Impact:
Files that contain colons in the filename are unable to me uploaded.