997169-4 : AFM rule not triggered

Links to More Info: BT997169

Component: Advanced Firewall Manager

Symptoms:
An AFM rule is not triggered when it should be.

Conditions:
-- Source and destination zone configured
-- A gateway pool is used in the route

Impact:
A firewall rule is not triggered and the default deny rule is used.

Workaround:
Alter the route to use an IP address and not a pool.

Fix:
Firewall rules are now triggered when gateway pools are used.

Fixed Versions:
17.5.1, 17.1.2, 15.1.4.1

988589-11 : CVE-2019-25013 glibc vulnerability: buffer over-read in iconv

Links to More Info: K68251873, BT988589

987813-14 : CVE-2020-25643 kernel:improper input validation in the ppp_cp_parse_cr function

Links to More Info: K65234135

985329-5 : Saving UCS takes longer and leaves temp files when iControl LX extension is installed

Links to More Info: BT985329

Component: Device Management

Symptoms:
The tmsh command 'save sys ucs' takes longer when iControl LX extensions is installed, and it may leave /shared/tmp/rpm-tmp* files.

You may also see errors logged in /var/log/restjavad.0.log:

[WARNING][211][date and time UTC][8100/shared/iapp/build-package BuildRpmTaskCollectionWorker] Failed to execute the build command 'rpmbuild -bb --define '_tmppath /shared/tmp' --define 'main /var/config/rest/iapps/f5-service-discovery' --define '_topdir /var/config/rest/node/tmp' '/var/config/rest/node/tmp/ac891731-acb1-4832-b9f0-325e73ed1fd1.spec'', Threw:com.f5.rest.common.CommandExecuteException: Command execution process killed
        at com.f5.rest.common.ShellExecutor.finishExecution(ShellExecutor.java:281)
        at com.f5.rest.common.ShellExecutor.access$000(ShellExecutor.java:33)
        at com.f5.rest.common.ShellExecutor$1.onProcessFailed(ShellExecutor.java:320)
        at org.apache.commons.exec.DefaultExecutor$1.run(DefaultExecutor.java:203)
        at java.lang.Thread.run(Thread.java:748)


Errors logged in /var/log/ltm:

err iAppsLX_save_pre: Failed to get task response within timeout for: /shared/iapp/build-package/a1724a94-fb6b-4b3e-af46-bc982567df8f
err iAppsLX_save_pre: Failed to get getRPM build response within timeout for f5-service-discovery

Conditions:
iControl LX extensions (e.g., AS3, Telemetry) are installed on the BIG-IP system.

Impact:
Saving the UCS file takes a longer time (e.g., ~1-to-2 minutes) than it does if iControl LX extensions are not installed (e.g., ~40 seconds).

/shared/tmp directory is filled with rpm-tmp* files.

Workaround:
The fix of another ID 929213 introduced a new database key iapplxrpm.timeout (default 60 seconds), which allows the RPM build timeout value to be increased.

sys db iapplxrpm.timeout {
    default-value "60"
    scf-config "true"
    value "60"
    value-range "integer min:30 max:600"
}

For example:

tmsh modify sys db iapplxrpm.timeout value 300
tmsh restart sys service restjavad

Increasing the db key and restarting restjavad should not be traffic impacting.

Fix:
Temp files under /shared/tmp is now cleaned up correctly.

Fixed Versions:
17.5.1, 17.5.0, 17.1.2, 16.1.5

975605-11 : CVE-2018-1122 procps-ng, procps: Local privilege escalation in top

Links to More Info: K00409335

949509-11 : Eviction Policy UI Hardening

Component: TMOS

Symptoms:
In certain scenarios, Eviction Policy UI does not follow best security practices.

Conditions:
Eviction Policy in Use

Impact:
N/A

Workaround:
None

Fix:
Best security practices are now applied in Eviction Policy UI

Fixed Versions:
17.5.1

930625-6 : TMM crash is seen due to double free in SAML flow

Links to More Info: BT930625

Component: Access Policy Manager

Symptoms:
When this issue occurs the TMM will crash

Conditions:
Exact reproduction steps are not known but it occurs during SAML transactions

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
N/A

Fixed Versions:
17.5.1

926917-4 : Portal Access: unwanted decoding html entities in attribute values of HTML tags

Links to More Info: BT926917

Component: Access Policy Manager

Symptoms:
HTML Entities in Attribute values in HTML tags are decoded when they shouldn't be.

Conditions:
Portal Access is enabled

Impact:
Unwanted Application errors

Workaround:
None

Fix:
HTML entities in attribute values of HTML tags are no longer decoded by Portal Access

Fixed Versions:
17.5.1

921525-7 : CVE-2020-1752: glibc vulnerability using glob

Links to More Info: K49921213

881065-8 : Adding port-list to Virtual Server changes the route domain to 0

Links to More Info: BT881065

Component: Local Traffic Manager

Symptoms:
When attaching the port-list to virtual server dest:port-list, the route domain of the virtual server is changed to the default value of 0, and the port-list is not correctly applied. This is encountered in the GUI but not in the CLI.

Conditions:
Using port-list along with virtual server in non default route domain using the GUI.

Impact:
You are unable to use the GUI to attach a port-list that uses a non-default route domain to a virtual server.

Workaround:
Use tmsh to attach a port-list to a virtual server if the port-list uses a non-default route domain.

Fixed Versions:
17.5.1

867253-7 : Systemd not deleting user journals

Links to More Info: BT867253

Component: TMOS

Symptoms:
When setting 'SystemMaxUse' to any value, systemd does not honor this limit, and the specified size is exceeded.

Conditions:
Using a non-TMOS user account with external authentication permission.

Note: Systemd-journald is configured to create a user journal for every remote user that logs into the BIG-IP system.

Impact:
Journald filling up the file system. These journals are allocated with a minimum size of 4MiB and are not removed when the log entries age-out.

Workaround:
Option 1:
To immediately free up space, manually remove per-user journal logs from the following location:
  /var/log/journal/*/user-*

Option 2:
To prevent the system from creating these journal files going forward:

1. Edit /etc/systemd/journald.conf and add the following at the bottom of the file:
  SplitMode=none

2. Restart systemd-journal service
  # systemctl restart systemd-journald

3. Delete the existing user journal files from /var/log
  # rm /var/log/journal/*/user-*

Note:
-- You must apply this workaround separately to each blade of a VIPRION or vCMP guest running on a VIPRION.
-- You must reapply this workaround after performing software installations.

Fixed Versions:
17.5.1

857045-6 : LDAP system authentication may stop working

Links to More Info: BT857045

Component: TMOS

Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.

In /var/log/daemon.log, you may see the following:

warning systemd[1]: nslcd.service failed

Conditions:
Nslcd daemon crashed, and it fails to restart.

Impact:
System authentication stops working until nslcd is restarted.

Workaround:
Manually restart nslcd daemon:

systemctl start nslcd



nslcd can be reconfigured to restart automatically and create core files when it crashes, though these changes will be lost across software installs (and is not backed up as part of a UCS archive):

1. Run "systemctl edit nslcd", which will open a text editor (by default, nano).

2. In the text editor, add these contents:

[Service]

# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always

3. Exit the text editor and save the file

4. Check the output of "systemctl status nslcd" for any warnings/errors from systemd as a result of editing the file; there should not be any.

5. Restart nslcd:
   systemctl restart nslcd

Fixed Versions:
17.5.1, 16.1.5

811829-3 : BIG-IP as Authorization server: OAuth Report GUI display expired token as active

Links to More Info: BT811829

Component: Access Policy Manager

Symptoms:
Expired tokens status is shown as ACTIVE in the GUI whereas it is shown AS EXPIRED in the CLI via tmsh list apm oauth token-details

Conditions:
-- Access tokens/Refresh tokens should be expired

Impact:
Misleading information regarding the token status

Workaround:
Uuse 'tmsh list apm oauth token-details' but this shows only the first 100 tokens

Fix:
Made GUI changes to match the tmsh functionality

Fixed Versions:
17.5.1

785209-6 : CVE-2019-9074 binutils: out-of-bound read in function bfd_getl32

Links to More Info: K09092524

760895-13 : CVE-2009-5155 glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result

Links to More Info: K64119434

740258-2 : Support IPv6 connections to TACACS+ remote auth servers

Component: TMOS

Symptoms:
Pam_tacplus package 1.2.9 does not support IPv6 connections to TACACS+ remote auth server

Conditions:
IPv6 connections to TACACS+ remote auth server in system-auth methods

Impact:
On a pure IPv6 network, or a network where their TACACS server is only reachable via IPv6, will not be able to use TACACS for system-auth

Workaround:
None

Fix:
NA

Fixed Versions:
17.5.1

648946-4 : Oauth server is not registered in the map for HA addresses

Links to More Info: BT648946

Component: Access Policy Manager

Symptoms:
The same loopback address is assigned to two listeners.

Conditions:
-- AAA Servers with pool.
-- OAuth Server.

Impact:
Traffic issues due loopback address that is assigned to OAuth Server, can be assigned to some other AAA Server that also uses pool.

Workaround:
None

Fixed Versions:
17.5.1

641662-1 : Always connected exclusion list does not support more than 10 entries.

Component: Access Policy Manager

Symptoms:
In locked client mode, APM provides a way to configure destinations that can still be reached by client, even in locked client mode. Number of entries is limited to 10.

Conditions:
Locked client mode is enabled

Impact:
More than 10 exclusions cannot be added

Workaround:
None

Fixed Versions:
17.5.1

634576-6 : TMM core in per-request policy

Links to More Info: K48181045, BT634576

Component: Access Policy Manager

Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.

Conditions:
APM or SWG per-request policy with reject ending.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when per-request policy encounters reject ending.

Fixed Versions:
17.5.1, 16.1.5, 13.1.0

485387-2 : EncryptedAssertion may not be processed by BIG-IP as SP when EncryptedKey element is specified by RetrievalMethod Element by external IdP.

Component: Access Policy Manager

Symptoms:
An encrypted assertion from an external SAML Identity Provider (IdP) can contain the RetrievalMethod element to specify a link to the EncryptedKey element. The EncryptedKey element contains the key for decrypting the CipherData associated with an EncryptedData element.

BIG-IP configured as a Service Provider (SP) does not support the RetrievalMethod element while processing an encrypted assertion. As a result, the assertion is not processed properly, and error messages are printed to the log files: "Cannot decrypt SAML Assertion" and "failed to process encrypted assertion, error: Cipher value from EncryptedKey element not found".

Conditions:
External IdP uses RetrievalMethod to specify EncryptedKey element.

BIG-IP is configured as SP. BIG-IP requires received assertions to be encrypted.

Impact:
Authentication will fail due to inability to process assertion.

Workaround:
To work around the problem, reconfigure IdP to use embedded EncryptedKey instead of using RetrievalMethod.

Fixed Versions:
17.5.1

1936421-2 : Core generated for autodosd daemon when synchronization process is terminated

Links to More Info: BT1936421

Component: Advanced Firewall Manager

Symptoms:
Autodosd cores on SIGSEGV.

Conditions:
-- AFM DoS vectors configured
-- This can occur during normal operation but the specific conditions that trigger it are unknown

Impact:
Autodosd is restarted, but up to 15 seconds of history may be lost.

Workaround:
None

Fix:
Fixed an autodosd crash.

Fixed Versions:
17.5.1

1934865-1 : Remove multiple redundant entries for port-list objects in configuration file

Links to More Info: BT1934865

Component: Advanced Firewall Manager

Symptoms:
When a port-list object is created using one of the following TMSH CLIs (tmsh create net port-list, tmsh create security firewall port-list, or tmsh create security shared-objects port-list), redundant entries for the same object are generated in the configuration file under three contexts:

net port-list
security firewall port-list
security shared-objects port-list
For example, a port-list created using one CLI results in multiple entries referring to the same schema object, such as:
net port-list /Common/portListExample {
    ports {
        80 { }
        443 { }
    }
}

security shared-objects port-list /Common/portListExample {
    ports {
        80 { }
        443 { }
    }
}


security firewall port-list /Common/portListExample {
    ports {
        80 { }
        443 { }
    }
}

This behaviour causes unnecessary duplication in the configuration file.

Conditions:
Redundant entries occur in the configuration file when:
A port-list object is created using any one of the following TMSH CLIs:
1. tmsh create net port-list
2. tmsh create security firewall port-list
3. tmsh create security shared-objects port-list
All three CLI commands point to the same object and record three separate entries in the configuration file.

Impact:
Redundant entries in the configuration file lead to:
1. Increased configuration file size unnecessarily.
2. Risk of user confusion during manual editing or review of configuration files.

This issue does not impact runtime functionality or object behaviour, but it introduces maintenance overhead when users interact with their configurations.

Workaround:
None

Fixed Versions:
17.5.1

1934493-2 : BIG-IP SFTP hardening

Component: TMOS

Symptoms:
Under certain conditions SFTP does not follow current best practices.

Conditions:
- Authenticated high-privilege user
- SFTP file transfer

Impact:
BIG-IP does not follow best practices for sftp operations

Workaround:
N/A

Fix:
The SFTP file transfer now follows current best practices.

Fixed Versions:
17.5.1

1934401-1 : iSeries HSB v5.26.8.0 firmware

Links to More Info: BT1934401

Component: TMOS

Symptoms:
iSeries HSB v5.26.8.0 firmware

Conditions:
iSeries i11000 series appliance

Impact:
Not applicable.

Workaround:
Not applicable.

Fix:
Fixes HSB bit-flip issues. See ID891333 for more information.

Fixed Versions:
17.5.1

1934393-1 : iSeries HSB v5.9.14.0 firmware

Links to More Info: BT1934393

Component: TMOS

Symptoms:
iSeries HSB v5.9.14.0 firmware

Conditions:
iSeries i5000, i7000, or i10000 series appliance

Impact:
Not applicable.

Workaround:
Not applicable.

Fix:
Fixes HSB bit-flip issues. See ID891333 for more information.

Fixed Versions:
17.5.1

1934385-1 : iSeries HSB v4.3.5.0 firmware

Links to More Info: BT1934385

Component: TMOS

Symptoms:
iSeries HSB v4.3.5.0 firmware

Conditions:
iSeries i2000 or i4000 series appliance

Impact:
Not applicable.

Workaround:
Not applicable.

Fix:
Fixes HSB bit-flip issues. See ID891333 for more information.

Fixed Versions:
17.5.1

1930945 : [APM][KERBEROS][NTLM FALLBACK] Kerberos Authentication fails post-upgrade to v17.5.0/v17.5.1 — “Profile '/Common/kerberos_auth_config_default' was not found” and ECA Crashes★

Links to More Info: BT1930945

Component: Access Policy Manager

Symptoms:
1.ECA process continuously restarts (SIGSEGV/crash).

2. /var/log/apm contains errors indicating missing Kerberos config and NTLM fallback.

Conditions:
1. kerberos usecase

Impact:
1. Kerberos authentication fails, leading to unsuccessful proxy access for domain-joined users.

Workaround:
None

Fixed Versions:
17.5.1

1928537-1 : Missing initial PKCS11d login state causes login failures on certain AWS CloudHSMs

Links to More Info: BT1928537

Component: Local Traffic Manager

Symptoms:
The PKCS11d daemon did not properly initialize the login state for each partition. It was previously assumed that a user was effectively “logged in” on startup, even though no explicit state indicated CKR_USER_NOT_LOGGED_IN.

This worked with older HSMs and earlier AWS CloudHSM SDK3 primarily because those libraries did not strictly require an explicit CKR_USER_NOT_LOGGED_IN state; they would either auto-login or return CKR_USER_ALREADY_LOGGED_IN in most cases.

However, newer AWS CloudHSM libraries (SDK5) and other current HSM vendors require a proper indication that the user is not logged in to handle re-login flows correctly.

Conditions:
Use SDK version 5 with BIG-IP.

Impact:
Key creation fails.

Workaround:
None

Fix:
- This fix is applied to all HSMs, not just AWS CloudHSM. Each partition starts in a well-defined, “not logged in” state. It only transitions to CKR_OK or CKR_USER_ALREADY_LOGGED_IN when the device confirms the user is authenticated.

- The change sets the hsm_partitions.array[slot].login_status = CKR_USER_NOT_LOGGED_IN during session/partition initialization.

Fixed Versions:
17.5.1

1926989-1 : BIG-IP Virtual Edition: kswapd running constantly and consuming most of the CPU cycles of a core★

Links to More Info: BT1926989

Component: TMOS

Symptoms:
After a new installation or after an upgrade to of a Virtual Edition to one of the affected versions, the 'kswapd' daemon runs constantly, consuming up to 100% of the cycles of a CPU core.

Conditions:
- installation of a new BIG-IP Virtual Edition

or

- upgrade of a BIG-IP Virtual Edition to one of the affected versions

Impact:
A CPU core constantly consuming most of its CPU cycles.
General slowness of the system.

Workaround:
If the problem is present after a TMOS upgrade:
- check what was the value of vm.min_free_kbytes before the upgrade by booting back in the previous volume
- set the same value in the new volume with the command:

# sysctl -w vm.min_free_kbytes=<VALUE>

No reboot or tmm restart is needed.




If the Virtual Edition is a fresh install:

- set the vm.min_free_kbytes value to 24141

# sysctl -w vm.min_free_kbytes=24141

No reboot or tmm restart is needed.

You may need to follow the "Additional Information" section in https://my.f5.com/manage/s/article/K000150960 to ensure that the changes persist after a reboot.

Fix:
Vm.min_free_kbytes is given the correct value.

Fixed Versions:
17.5.1

1926885 : [APM] URL DB mismatch error for Religion categories in the upgrade★

Links to More Info: BT1926885

Component: Access Policy Manager

Symptoms:
Error messages in /var/log/apm

"The requested URL Category (/Common/Lesser-Known_Religions) was not found."
"The requested URL Category (/Common/Widely-Known_Religions) was not found."

Conditions:
APM provisions and SWG database downloads enabled.

Impact:
Upgrades fails with below error:

There were warnings:
Category name changed from /Common/Lesser_Known_Religions to in allowed categories of url filter /Common/test_filter
Category name changed from /Common/Widely_Known_Religions to in allowed categories of url filter /Common/test_filter
Compliance '/Common/gtp_unknown_tunnel_id' is deprecated and removed from '/Common/protocol_inspection'.
Compliance '/Common/smtp_command_length_overflow' is deprecated and removed from '/Common/protocol_inspection'.
01070734:3: Configuration error: In url-filter (/Common/<filter>), allowed-category () does not exist. In url-filter (/Common/<filter>), allowed-category () does not exist.
Unexpected Error: Loading configuration process failed.

Workaround:
Edit the respective categories before upgrading to the latest version.

1. Edit bigip.conf
2. Look for the respective failure filter name and change the
Lesser_Known_Religions to Lesser-Known_Religions and
Widely_Known_Religions to Widely-Known_Religions
3. Save the file
4. Update the configuration using tmsh save/load sys config

Fix:
Corrected category names in the configuration to address upgrade failures from older versions to 17.5.x caused by mismatches. The handling is implemented in the fixup script, which is triggered when a URL Filter is configured.

Fixed Versions:
17.5.1

1922525-1 : BIG-IP SCP hardening

Component: TMOS

Symptoms:
Under certain conditions SCP does not follow current best practices.

Conditions:
- Authenticated high-privilege user
- SCP file transfer

Impact:
BIG-IP does not follow best practices for scp operations

Workaround:
N/A

Fix:
The SCP file transfer in BIG-IP now follows current best practices.

Fixed Versions:
17.5.1

1922501-1 : TMM crash loop due to missing kernel driver

Links to More Info: BT1922501

Component: TMOS

Symptoms:
TMM goes into a crash loop with following logs in 'tmm' logs

notice EAL: Driver cannot attach the device (<VMBus-ID>)
notice EAL: Failed to attach device on primary process
notice dpdk[<VMBus-ID>]: Error: rte_dev_probe failed: err=-95
notice xnet_lib [vmbus:eth2]: Error: Failed to initialize driver
notice xnet[00:e2.0]: Error: Unable to attach to xnet dev


This is due to missing uio_hv_generic kernel module which gets removed on TMM shutdown but fails to be re-inserted upon TMM post-crash restart.

Conditions:
1) BIG-IP on HyperV or Azure
2) Using xnet-DPDK driver
3) TMM crashes due to any other reason and restarts; can not repro directly using 'bigstart restart tmm' unless a 'bigstart restart' also reproduces the initial crash as well

Impact:
Traffic disrupted while tmm restarts.

Workaround:
(A)
1) Add 'modprobe uio_hv_generic' to '/usr/lib/bigstart/functions'
This will likely require remounting /usr to allow writing; this can be done via
  sudo mount -o remount,rw /usr

2) Within 'functions', search for 'vadc_restore_vmbus_nics()' and add 'modprobe uio_hv_generic' to bottom of function after 'done'

3) Afterwards, restart TMM with 'bigstart restart tmm'

(B)
1) Switch to 'sock' driver by adding following config

[root@BIGIP:Active:Standalone] config # cat /config/tmm_init.tcl
device driver vendor_dev f5f5:f550 sock

[root@BIGIP:Active:Standalone] config #

2) Restart TMM with 'bigstart restart tmm'

Fix:
Re-activate missing module after TMM crash

Fixed Versions:
17.5.1

1920341-1 : SSH Public Key authentication allows RSA and not ECDSA in ccmode

Links to More Info: BT1920341

Component: TMOS

Symptoms:
When a device is in common criteria mode, you cannot use ecdsa-sha2-nistp256 or ecdsa-sha2-nistp384 for SSH public key authentication. Additionally, you can use rsa key which you should not be able to according to common criteria guidelines.

Conditions:
-- Common Criteria mode is enabled

Impact:
You cannot ssh with ECDSA but can with RSA key

Workaround:
Workaround is in file /config/ssh/sshd_config, on line 34 replace:
HostKey /config/ssh/ssh_host_rsa_key

with:
HostKey /config/ssh/ssh_host_ecdsa_key
HostKey /config/ssh/ssh_host_ecdsa_p384_key

Note that this workaround must be applied after each reboot in ccmode, since the sshd_config file will revert after reboot.

Fix:
SSH public key authentication works as expected in ccmode.

Fixed Versions:
17.5.1

1920057-1 : Bd crashes

Component: Application Security Manager

Symptoms:
Bd crashes

Conditions:
Running TMOS version of 17.5.0.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fix:
The crash no longer occurs.

Fixed Versions:
17.5.1

1917741-2 : [APM][TMM] memory growth in SAML SP while decoding assertion attributes

Links to More Info: BT1917741

Component: Access Policy Manager

Symptoms:
Tmm crashes due to out of memory while passing SAML traffic

Conditions:
-- SAML SP configured with assertion attributes.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.1

1881373-2 : CVE-2024-3661 Tunnelvision Vulnerability

Links to More Info: K000139553

1880365-1 : Cannot log into Fs_v2 Azure BIG-IP with >= 32 vCPUs and >= 5 interfaces

Links to More Info: BT1880365

Component: TMOS

Symptoms:
No login prompt is available to access Azure Fs_v2 instances when attaching 5 or more instances. 8 is the max number of interfaces for F32_v2 or larger.

Conditions:
-- Use Azure F32_v2 instance size or larger.
-- Attach 5 or more interfaces to BIG-IP.

Impact:
No access to F32_v2 instances or larger when attaching 5 or more interfaces.

Workaround:
None

Fix:
Login prompt is available.

Fixed Versions:
17.5.1

1857413-2 : Malformed XML data or Malformed JSON data violation raised despite URL containing content-profile

Links to More Info: BT1857413

Component: Application Security Manager

Symptoms:
* XML/JSON traffic gets flagged or blocked with a Malformed XML data or Malformed JSON data violation despite the URL having a content-profile associated with it.

* When the violation gets raised, the violation details lists the profile as "N/A".

* The XML/JSON content profiles are visible when viewing the content profile configuration via WebUI. However, corresponding database tables lose integrity, which results false positive.

Conditions:
Any change followed by 'Apply Policy' on a policy can ruin the integrity of corresponding database that might affect other policies, and false positive would start after subsequent 'Apply Policy' or global configuration update.

Impact:
XML/JSON traffic gets flagged or, if enforced, blocked despite the content profile associated to the URL.

Workaround:
Make a spurious policy change to the affected XML or JSON profile (e.g., updating its Description), followed by applying policy changes via 'Apply Policy,'

This helps resolve the issue by populating a new entry in the database table for this policy.

Avoid making any change on any GraphQL profile to prevent it from re-occurring.

Fix:
Configuration change will not ruin the integrity of the database tables.

Fixed Versions:
17.5.1

1856289-2 : Virtual server, which is managed by remote LTM device, is shown as "offline/enabled" with "Monitor /Common/bigip : no reply from big3d: timed out" message (red diamond icon).

Links to More Info: BT1856289

Component: Global Traffic Manager (DNS)

Symptoms:
When a virtual server object, which is managed by a remote LTM device, is disabled, after gtmd is restarted (or GTM/DNS device reboot) and gtmd becomes online and iQuery communication is re-established with the remote LTM device, the bellow message is logged to /var/log/gtm and virtual server status becomes "offline/disabled" (black diamond icon).

gtmd[xxxx]: 011ae0f2:1: Monitor instance /Common/bigip 10.1.1.201:80 CHECKING --> DOWN from /Common/bigipdns (no reply from big3d: timed out)
gtmd[xxxx]: 011a6006:1: SNMP_TRAP: virtual server /Common/vs1 (ip:port=10.1.1.201:80) (Server /Common/bigipltm) state change blue --> red ( Monitor /Common/bigip : no reply from big3d: timed out: disabled directly)

Then, even after re-enabling the virtual server, which is managed by LTM, virtual server stays as "offline/enabled" (red diamond icon) with "Monitor /Common/bigip : no reply from big3d: timed out" message.

  ----------------------------------
  | Gtm::Virtual Server: vs1
  ----------------------------------
  | Status
  | Availability : offline
  | State : enabled
  | Reason : Monitor /Common/bigip : no reply from big3d: timed out
  | Destination : 10.1.1.201:80
  | Up Time : ---

Conditions:
All of the following conditions met.

- GTM/DNS device manages remote LTM device and its virtual server.
- Remote LTM virtual server is not directly monitored by GTM/DNS device monitor object. Instead, remote LTM virtual server is monitored by remote LTM device itself (e.g., on remote LTM device, virtual server pool is monitored by pool monitor).
- On GTM/DNS device, disable and re-enable virtual server, which is managed by remote LTM device.
- After virtual server is disabled on GTM/DNS device, gtmd restart on GTM/DNS device or GTM/DNS device reboots.
- GTM/DNS is running on a software versions 17.1.1 or 16.1.5 or later versions in which the ID 1133201 is fixed.

Impact:
Virtual server stays as unavailable despite the remote LTM device reporting virtual server status as 'up'. Hence, pool or wideIP, which uses the affected server object, may be unavailable too.

Workaround:
If issue had already occurred and virtual server stayed as "offline/enabled" (red diamond icon), restarting gtmd on GTM/DNS device will rescue the affected virtual server.

If issue does not yet occur but virtual server is going to be disabled and re-enabled, you can prevent issue by changing "DNS >> Settings : GSLB : General - Monitor Disabled Objects" setting (gtm global-settings general monitor-disabled-objects) to "yes" (default "no"). This needs to be done prior to disabling virtual server (prior to gtmd restart/reboot).

# tmsh modify gtm global-settings general monitor-disabled-objects yes
# tmsh save sys config gtm-only

Fixed Versions:
17.5.1

1826393-4 : TMM may restart when handling undisclosed traffic handled by IPS

Component: Traffic Classification Engine

Symptoms:
tmm crashes and restarts due to memory pressure

Conditions:
IPS configured on virtual.

Impact:
TMM restarts - traffic interruption.

Workaround:
N/A

Fix:
The undisclosed traffic scenario no longer causes TMM to restart.

Fixed Versions:
17.5.1

1825949-2 : [APM][Radius] Message-Authenticator value is incorrect for OTP request

Links to More Info: BT1825949

Component: Access Policy Manager

Symptoms:
When a OTP challenge is requested on RSA, the Message-Authenticator value in the second request is not corrected/alarmed by the RSA server.

Eventually the packet is dropped at the Radius Server.

Conditions:
The Message-Authenticator attribute radius.messageauthenticator is set to true.

Impact:
This causes authentication failures, disrupting the user’s access control process.

Workaround:
None

Fixed Versions:
17.5.1

1825513 : ClientSSL profile with PQC group may cause TMM to crash

Links to More Info: BT1825513

Component: Local Traffic Manager

Symptoms:
TMM or system services may restart unexpectedly due to memory pressure.

Conditions:
Cipher rule DH group X25519KYBER768 is enabled.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround, disable X25519KYBER768 to mitigate the issue.

Fix:
Fix memory issues.

Fixed Versions:
17.5.1

1825449-2 : Citrix Optimal Gateway Routing is not showing login username of session

Component: Access Policy Manager

Symptoms:
When an iRule-based solution for optimal gateway routing is used for Citrix VDI, the currently logged-in username will not be displayed on the GUI session details page.

Conditions:
- APM Citrix VDI OGR is implemented with an iRule workaround.
- When the user checks the last logged-in username in the GUI.

Impact:
Username column displays empty instead of username.

Workaround:
None

Fix:
The Username column should display the name of the user currently logged in for the session.

Fixed Versions:
17.5.1

1825241-4 : MCPD validation fails when non-existent cipher group is referenced by SSL profile

Links to More Info: BT1825241

Component: Local Traffic Manager

Symptoms:
When using "tmsh load sys config verify" or performing an MCPD forceload/reboot, no validation error is reported for a SSL profile referencing a non-existent cipher group. This is unexpected behavior.

However, when using "tmsh load sys config", the system correctly identifies and reports the missing cipher group as a validation error. This is the expected behavior.

Conditions:
The disk config file (/config/bigip.conf) is missing the cipher group configuration, while that cipher group continues to be referenced within a SSL profile.

Impact:
When a SSL profile references a non-existent cipher group, the configuration loads without validation errors under certain conditions. This can result in connection failures with error messages such as:

     Connection error: hud_ssl_handler:1315: alert(40) invalid profile unknown on VIP <VIP_NAME>

Workaround:
Ensure the disk config file (/config/bigip.conf) always has the cipher group present if it is being referenced by a Client or Server SSL profile.

Fixed Versions:
17.5.1

1821373-2 : SAML Assertion Handling issue in APM SSO

Component: Access Policy Manager

Symptoms:
When attributes with large encrypted values are present, the allocated memory may not be appropriately resized, leading to unexpected behavior.

Conditions:
This occurs specifically under configurations that utilize SAML with encrypted attributes containing large values.

Impact:
TMM core, partial traffic disruption

Workaround:
NA

Fix:
SAML Assertion Handling issue in APM SSO has been addressed.

Fixed Versions:
17.5.1

1821033-2 : Assertion "packet must already have an ethernet header" when using tcpdump

Links to More Info: BT1821033

Component: Local Traffic Manager

Symptoms:
Tmm crashes when running tcpdump.

Conditions:
1. A virtual server references another virtual server with an iRule
2. The destination virtual server has an iRule with reject inside FLOW_INIT
3. Use tcpdump while hitting the reject rule

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use either remote tcpdump or avoid using reject rule in FLOW_INIT.

Fix:
Tmm no longer crashes in this scenario.

Fixed Versions:
17.5.1

1819777-4 : In-tmm TCP monitor with no RCV and RCVdisable string might lead to a crash

Links to More Info: BT1819777

Component: In-tmm monitors

Symptoms:
In-tmm TCP monitor with no RCV and RCVdisable string might lead to a crash.

Conditions:
This happens when TCP in-tmm monitor is configured without any matching disable/enable string

ltm monitor tcp TCP {
    adaptive disabled
    defaults-from tcp
    interval 5
    ip-dscp 0
    recv none <<<< !
    recv-disable none <<<< !
    send "GET /check HTTP/1.0＼r＼n＼r＼n"
    time-until-up 0
    timeout 16
}

Bigd monitoring is not affected.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
- Disable in-tmm monitoring.
- OR, configure in-tmm TCP monitor with any string match.

Fixed Versions:
17.5.1

1818461-2 : [APM][VPN][WIN] Tunnel can't be established if endpoint inspection is Skipped. Machine Hash is not maching★

Links to More Info: BT1818461

Component: Access Policy Manager

Symptoms:
Because of selecting Skip Inspection button during EPI launch, it leads to in-correct machine hash and VPN connection is failed with below errors.

err tmm1[18549]: 01230140:3: RST sent from 10.103.xx.xx:443 to 10.103.xx.xx:64086, [0x2ff9084:34740] Machine Hash is not Valid

tmm1[18549]: 01230140:3: RST sent from 10.103.xx.xx:443 to 10.103.xx.xx:64123, [0x2ff9084:4239] Access encountered an error (Operation not supported)

Conditions:
-- Endpoint inspection is enabled in access policy, add Advanced resources assignment for fallback branch and end with allow
-- Launch endpoint inspection, select Skip Inspection instead of Start Inspection

If you are upgrading, this can be encountered after upgrading to version 17.1.2 and APM client (7250 or 7251).

Impact:
TCP connection reset is encountered and VPN connection fails.

Workaround:
Instead of Skip Inspection, select Start Inspection

(Or)
Don't configure any EPI check in Access policy

Fixed Versions:
17.5.1

1814821-3 : DHE groups present in profile's cipherlist with TLS1.3 enabled and tmm.ssl.useffdhe set to false simultaneously

Links to More Info: BT1814821

Component: Local Traffic Manager

Symptoms:
You might observe CRIT-level logs of configuration issues in the TMM logs but there is no impact to the traffic. Example log message:

crit tmm4[17746]: 01260000:2: Profile /Common/serverssl-secure: DHE groups present in profile's cipherlist with TLS1.3 enabled and tmm.ssl.useffdhe set to false simultaneously.

Conditions:
1. The db variable tmm.ssl.useffdhe set to false
2. Virtual server configured to use DH groups

Impact:
Crit-level logs are logged to /var/log/tmm

Workaround:
Leave the tmm.ssl.useffdhe value to default which is true

Fixed Versions:
17.5.1

1814477-1 : AWS Performance Drop from BIG-IP v17.1.2.1 to v17.5.0

Links to More Info: BT1814477

Component: Performance

Symptoms:
A FastL4 throughput drop occurs when updating to BIG-IP version 17.5.0.

Conditions:
-- Using AWS BIG-IP v17.5.0

Impact:
Throughput is lower compared to v17.1.2.1.

Workaround:
None

Fix:
Performance is improved in v17.5.0 compared to v17.1.2.1.

Fixed Versions:
17.5.1

1813841-1 : Password Caching setting is not applied

Links to More Info: BT1813841

Component: Access Policy Manager

Symptoms:
In the Connectivity profile, "F5 Access for Mac OS" is removed and updated on "Desktop Client Settings".

The Allow password caching functionality which was used to work with "F5 Access for Mac OS" is not working after updating the UI to "Desktop Client Settings".

Conditions:
Allow Password Caching is enabled on BIG-IP UI for Mac F5 Access.

Impact:
Users will be prompted to password page even after Allow Password caching is enabled.

Workaround:
Enable the Allow password caching via TMSH:
 
For Memory Option to Enable on Allow Password Caching:
 
modify apm profile connectivity Connectivity_profile client-policy modify { Connectivity_profile_clientPolicy { macos-ec { save-password true save-password-method memory save-password-timeout 10 } } }
 
 
For Disk option to Enable on Allow Password Caching:

modify apm profile connectivity Connectivity_profile client-policy modify { Connectivity_profile_clientPolicy { macos-ec { save-password true save-password-method disk } } }

Fixed Versions:
17.5.1

1813209-1 : Password Cache Expiration field is hidden in Connectivity profile

Links to More Info: BT1813209

Component: Access Policy Manager

Symptoms:
Password Cache Expiration field is hidden in Connectivity profile under Desktop Client Settings

Conditions:
1. Access-> Connectivity/VPN -> Profiles ->add/edit
2. Desktop Client Settings -> enable "Allow Password Caching"
3. Select "memory" as the "Save Password Method"

Impact:
For Creating new Connectivity profile:
You will not be able to set Password Cache Expiration value and default value of 240 will be used

For Existing Connectivity Profile:
You will not be able to modify the Password Cache Expiration value (Existing value).
In case of upgrades the existing value will be used

Workaround:
To modify the Password Cache Expiration value run:

tmsh modify apm profile connectivity <profile_name> client-policy modify { <profile_name>_clientPolicy { ec { save-password-timeout <desired value> } } }

Fixed Versions:
17.5.1

1812201-4 : A specific unicode character issue a malformed json violation

Links to More Info: BT1812201

Component: Application Security Manager

Symptoms:
When JSON arrives with a specific character, a malformed json violation is issued.

Conditions:
A specific character arrives in a JSON payload

Impact:
A blocking violation occurs.

Workaround:
None

Fixed Versions:
17.5.1

1798961-2 : With CC/FIPS license installed, OpenSSL should raise fatal alert when client does not advertise EMS support

Links to More Info: BT1798961

Component: TMOS

Symptoms:
When FIPS license is installed, OpenSSL enforces Extended Master Secret (EMS) to its peer clients. If a legacy TLS/SSL client does not provide EMS in its ClientHello extension, OpenSSL server merely aborts the handshake without sending a Fatal Handshake Alert message to the client. As a result, the reason for handshake abort is not clear.

Conditions:
1. FIPS license is installed on the BIG-IP Device
2. HTTPD server running on the BIG-IP device is linked with libssl.{so, a}
3. An attempt is made to contact the WebUI from a legacy browser that did not have support for EMS (or alternatively, from a service that did not advertise EMS support)

Impact:
Absence of explicit log message results in some confusion as to what the error was when the handshake terminated.

Workaround:
None

Fix:
A log message indicating a Fatal Handshake Message alert will be added. Then, whenever a legacy TLS/SSL client failed to provide the Extended Master Secret in its ClientHello message to the BIG-IP device with FIPS license installed, an error will be logged as the handshake aborts. This will inform the user the reason for the handshake termination.

Fixed Versions:
17.5.1

1796609-3 : [APM][VDI]TCL error when upgrading to 17.x: can't read "tmm_apm_feed_login": no such variable★

Links to More Info: BT1796609

Component: Access Policy Manager

Symptoms:
After upgrading from BIG-IP version 15 to version 17 you may get a RST due to the below TCL error when requesting some application URLs:

TCL error: /Common/_sys_APM_VDI_Helper <HTTP_RESPONSE_RELEASE> - can't read "tmm_apm_feed_login": no such variable while executing "if { ($tmm_apm_client_type == "rdg-http" || $tmm_apm_feed_login) && $tmm_apm_is_nego_auth } { # Getting response header fo..."

Conditions:
-- VDI profile is attached
-- iRules are attached with custom priorities

Impact:
TCL errors observed in the LTM logs leading to connection reset

Workaround:
None

Fixed Versions:
17.5.1

1789529-3 : A crash of the bd daemon

Links to More Info: BT1789529

Component: Application Security Manager

Symptoms:
A crash happens on specific xml payloads

Conditions:
Very specific circumstances related to specific policy and traffic.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fix:
A crash related to the XML parser was fixed.

Fixed Versions:
17.5.1

1789501-3 : [APM][Standard Customisation]Webtop is blank after upgrading APM version 17.1.2 with Edge Browser in Compatibility mode.★

Links to More Info: BT1789501

Component: Access Policy Manager

Symptoms:
The Webtop is blank, does not display any resources.

Conditions:
The issue occurs when all of the following conditions are met.

-Using Microsoft Edge browser in compatibility mode (IE mode)
-Access Profile is using standard customisation
-BIG-IP Version 17.1.2 or later, 16.1.5 or later (version with fix of ID504374)

Impact:
Unable to use legacy applications in Microsoft Edge's IE compatibility mode

Workaround:
Use modern customization for access profile.

Fixed Versions:
17.5.1

1789477-4 : Orphaned tmsh processes might eventually lead to an out-of-memory condition

Links to More Info: BT1789477

Component: TMOS

Symptoms:
Occasionally, tmsh processes are orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects.

An orphaned tmsh process will have a parent pid (PPID) of 1. You can check for orphaned tmsh processes using the following shell command:

/bin/ps -o pid,ppid,comm -C tmsh
PID PPID COMMAND
8255 1 tmsh

If this issue occurs often enough, it might cause the BIG-IP system to run out of memory.

Conditions:
-- Using tmsh to connect to the BIG-IP system via SSH.
-- Running commands.
-- Quitting the session or disconnecting.

Impact:
Orphaned tmsh processes are created, which might eventually lead to an out-of-memory condition, if it occurs often enough.

Workaround:
There are several workarounds for this issue:

-- Change the default shell to bash for users that are going to use the script.
-- Use iControl.
-- Kill orphaned tmsh processes.

Fix:
Tmsh processes are no longer orphaned when a user connects to the BIG-IP system via SSH, runs commands, and then quits the session or disconnects under these conditions.

Fixed Versions:
17.5.1

1787153-2 : CVE-2019-9740 python: CRLF injection via the query part of the url passed to urlopen()

Component: TMOS

Symptoms:
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with ＼r＼n followed by an HTTP header or a Redis command.

Conditions:
NA

Impact:
With arbitrary HTTP headers, there is a possibility of CRLF Injection.

Workaround:
NA

Fix:
Patched python to fix the vulnerability.

Fixed Versions:
17.5.1

1783081-3 : Removing conditional freeing for m_oauth instances in tmm

Links to More Info: BT1783081

Component: Access Policy Manager

Symptoms:
Increase in TMM memory with M_OAUTH instances

Conditions:
M_OAUTH instances are freed based on conditional checks.

Impact:
Memory leak in TMM.

Workaround:
None

Fix:
Remove conditional freeing.

Fixed Versions:
17.5.1

1782365-3 : Importing a policy creates default 'password' sensitive parameter when it is not present in the exported policy in full JSON format

Links to More Info: BT1782365

Component: Application Security Manager

Symptoms:
Importing a policy creates a default 'password' sensitive parameter when it is not present in the exported policy in full JSON mode

Conditions:
-- Create a policy with API security template.
-- Delete the default "password" sensitive parameter.
-- Export the policy in full JSON format.
-- Import the policy again.

Impact:
Unexpected sensitive parameter appears in imported policy

Workaround:
None

Fix:
The policy is imported without sensitive parameters that do not appear in the full JSON policy

Fixed Versions:
17.5.1

1782113-3 : Parameter 'redirectwebauthn:i:0' is crashing the RDP file with 'The RDP File is corrupted' error message

Links to More Info: BT1782113

Component: Access Policy Manager

Symptoms:
Currently, with the below Custom Parameters
redirectclipboard:i:0
redirectprinters:i:0
redirectsmartcards:i:0
redirectwebauthn:i:0

The issue is when adding 'redirectwebauthn:i:0' to RDP Custom Parameters, the user gets RDP connection error when the user opens the downloaded RDP file. The ‘The RDP File is corrupted. The remote connection cannot be started’ message is displayed.

Conditions:
The parameter 'redirectwebauthn:i:0' is added to RDP Custom Parameters.

Impact:
Displays the below error message while opening the RDP file:
‘The RDP File is corrupted. The remote connection cannot be started’

Workaround:
Launch the RDP without the "redirectwebauthn:i:0" parameter.

Fixed Versions:
17.5.1

1773161-2 : BIG-IP APM 17.1.2 VPN tunnels failed to establish at "GET /isession" stage

Links to More Info: BT1773161

Component: Access Policy Manager

Symptoms:
Windows Edgeclient (any other client) stuck at Initialisation.

You may observe a lot of below logs in f5tunnelserver.txt

2024-12-15,12:32:26:530, 19084,19088,, 48, , 970, CUTunnelServerX::isReady(), server response , result=0

2024-12-15,12:32:27:035, 19084,19088,, 48, , 970, CUTunnelServerX::isReady(), server response , result=0

2024-12-15,12:32:27:541, 19084,19088,, 48, , 970, CUTunnelServerX::isReady(), server response , result=0

2024-12-15,12:32:28:046, 19084,19088,, 48, , 970, CUTunnelServerX::isReady(), server response , result=0

Conditions:
-- BIG-IP version with fix of ID 903501
-- "sys db ipv6.enabled" is set to FALSE
-- Any client attempting to establish a VPN tunnel

Impact:
VPN fails to establish

Workaround:
1. "sys db ipv6.enabled" is set to TRUE

OR

2. Perform below two operations

a) Disable the DB variable isession.ctrl.apm:

 tmsh modify sys db isession.ctrl.apm value disable
 
b) Perform 'Apply Access Policy' for the access policy attached to the virtual server.

Fixed Versions:
17.5.1

1772377-3 : libtiff CVE-2024-7006: NULL pointer dereference in tif_dirinfo.c

Component: TMOS

Symptoms:
A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.

Conditions:
Occurs when processing a crafted TIFF file with malformed directory metadata.

Impact:
This vulnerability leads to a NULL pointer dereference, causing a crash or denial of service.

Workaround:
NA

Fix:
Patched libtiff to fix the vulnerability

Fixed Versions:
17.5.1

1771985-3 : [APM] OAuth AS max claims data support upto 8kb dynamically

Component: Access Policy Manager

Symptoms:
The max claim data size is set to 8kb by default.

Conditions:
Oauth AS configured with multiple claims.

Impact:
The large claim size can lead to excessive memory consumption.

Workaround:
None

Fix:
Allocate the right amount of memory dynamically as required based on claims configuration

Fixed Versions:
17.5.1

1758181-2 : Optimal gateway routing issue with HTML5 client

Links to More Info: BT1758181

Component: Access Policy Manager

Symptoms:
When you configure APM VDI Citrix OGR using article https://community.f5.com/kb/technicalarticles/solution-for-citrix-optimal-gateway-routing/278727, the system fails to start ica connection to the backend desktop using HTML5 access.
Additionally, the iRule example is incorrect.

Conditions:
1. OGR is configured using https://community.f5.com/kb/technicalarticles/solution-for-citrix-optimal-gateway-routing/278727
2. Use HTML5 client access

Impact:
Could not connect to backend desktop using HTML5.

Workaround:
None

Fix:
It should connect to backend desktop using HTML5 along with native client.

Fixed Versions:
17.5.1

1758153-5 : Configuring a Data Guard URL longer than 1024 characters triggers a restart loop

Component: Application Security Manager

Symptoms:
Data Guard URLs are expected to be shorter than 1024 characters. If you configure a longer Data Guard URL, the configuration will cause the enforcer to crash and cause a restart loop.

Conditions:
A Data Guard URL longer than 1024 characters is configured and the policy is applied.

Impact:
The enforcer crashes and causes a restart loop.

Workaround:
Wildcards (*) should be utilized for any URL that is exceedingly long.

Fixed Versions:
17.5.1

1758029-2 : [APM][NA]VPN tunnels fail to establish when a virtual server is on a non-default route domain★

Links to More Info: K000150565

Component: Access Policy Manager

Symptoms:
Observe VPN fails with below error in /var/log/ltm

err tmm[20501]: 01470000:3: iSession: Connection error: isession_handle_syn:3737: No peer:4

Conditions:
-- VPN configured across multiple route domains
-- Route domains are not related
-- BIG-IP v17.1.x (this can be encountered while upgrading to v17.1.x)

Impact:
VPN fails to establish

Workaround:
Make sure the default route domain is a parent of the non-default route domain.

Fixed Versions:
17.5.1

1756525-2 : ixlv driver could have failed hardware offload with TSO off

Links to More Info: BT1756525

Component: Local Traffic Manager

Symptoms:
IPv4 packets for TLS alerts contain empty IP checksums.

Conditions:
-- The ixlv driver is used by tmm
-- TSO is disabled

Impact:
Empty checksums will cause TLS clients to reject TLS alert messages.

Workaround:
Change driver type to use xnet in tmm_init.tcl by inputting `device driver pci vendor_dev 8086:1889 xnet` or for a specific PCI device with `device driver pci XX:XX.X xnet`

Fix:
Removed offloading IPv4 header checksum to the hardware unless TSO is on and so use what BIG-IP calculates instead.

Fixed Versions:
17.5.1

1756397-3 : BIG-IP is not forwarding the Extended DNS Error (EDE) Codes to Clients

Component: Global Traffic Manager (DNS)

Symptoms:
When BIG-IP processes responses from upstream name servers, it strips the Extended DNS Error (EDE) information, which provides additional details about the cause of DNS errors.

Conditions:
-- BIG-IP is configured with a listener that has a DNS profile to process DNS queries.
-- DNS requests from clients include the EDNS (Extension Mechanisms for DNS) flag.

Impact:
DNS clients will not receive additional information about the cause of DNS errors.

Workaround:
None

Fix:
With the fix, BIG-IP is now able to process and respond to clients with Extended DNS Errors (EDE) information that it receives from upstream name servers.

We have exposed the fix through a Db variable called dns.forwardextendeddnserrorcode. By default, the Extended DNS Errors(EDE) support is disabled. If you want to enable EDE support you can change the Db variable value to enable.
sys db dns.forwardextendeddnserrorcode {
    value "enable"
}
To avoid truncation due to lengthy extra text that is part of the EDE, we have limited it to 64 bytes.

Fixed Versions:
17.5.1

1753933-4 : CVE-2020-14393 perl-dbi: Buffer overflow on an overlong DBD class name

Component: TMOS

Symptoms:
A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local attacker who is able to supply a string longer than 300 characters could cause an out-of-bounds write, affecting the availability of the service or integrity of data.

Conditions:
Triggered when loading a DBD module with an excessively long class name.

Impact:
This vulnerability may cause a heap-based buffer overflow, potentially leading to a crash or arbitrary code execution.

Workaround:
NA

Fix:
Patched Perl-DBI to fix the vulnerability.

Fixed Versions:
17.5.1

1737465-3 : Port number being used for verifying server certificate CN field

Links to More Info: BT1737465

Component: Access Policy Manager

Symptoms:
TMM reports a SSL certificate error:

warning tmm1[18695]: 01260022:4: Peer cert verification: The common name (10.1.1.1) is invalid or does not match the authenticate name (10.1.1.1:4430). The subject alternative name also does not match the authenticate name.

Conditions:
-- The ssl server certificate is set to "require"
-- The URI includes the port number

Impact:
SSL server certificate validation fails

Workaround:
Set server certificate requirement to "ignore"

Fixed Versions:
17.5.1

1709557-2 : Header value length greater than 1023 in alternate response file headers causing ASM restart loop

Links to More Info: BT1709557

Component: Application Security Manager

Symptoms:
Bd goes into a restart loop with the following error messages:

ECARD_POLICY|NOTICE|Oct 25 02:01:27.939|21735|table_funcs.cpp:1471|handle_table_dynamic CONFIG_TYPE_ACCOUNT_ALTERNATE_RESPONSE_FILE_HEADERS res:[0]
BD_MISC|ERR |Oct 25 02:01:27.939|21735|temp_func.c:2295|CONFIG_TYPE_PROTOBUF_FILENAMES message had parsing error: could not parse protobuf message
BD_MISC|ERR |Oct 25 02:01:27.939|21735|table_funcs.cpp:2734|CONFIG_TYPE_PROTOBUF_FILENAMES message had errors in block_index: 22. status=-1
BD_MISC|NOTICE|Oct 25 02:01:27.939|21735|table_funcs.cpp:2734|{"component":"BD","datetime":"1969-12-31T16:00:00Z","jobId":"","jobStartDatetime":"1969-12-31T16:00:00Z","jobStatus":"failed"}
BD_MISC|ERR |Oct 25 02:01:27.940|21735|temp_func.c:2288|CONFIG_TYPE_MANIFEST message had parsing error: could not parse protobuf message

Conditions:
A header in the blocking page is configured to be more than 1023 bytes.

Impact:
Endless restart loop

Workaround:
Change the blocking page header size.

Fixed Versions:
17.5.1

1692917-5 : CVE-2024-6232 CPython Tarfile vulnerability

Links to More Info: K000148252

1673161-4 : CVE-2023-45853 zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6

Links to More Info: K000149884

1672997-3 : Apmd memory grows over time in AD/LDAP auth scenarios

Links to More Info: BT1672997

Component: Access Policy Manager

Symptoms:
Apmd memory grows over time. It is mainly due to memory fragmentation due to memory sharing among apmd threads.

Conditions:
The access policy in use has AD/LDAP auth as one of the agents

Impact:
Apmd memory grows over time. After it grows beyond a limit, oom killer might kill apmd thereby leading to traffic disruption.

Workaround:
None

Fixed Versions:
17.5.1

1672313-5 : CVE-2016-9841 zlib: Out-of-bounds pointer arithmetic in inffast.c

Links to More Info: K000149915

1672249-5 : CVE-2016-9840 zlib: Out-of-bounds pointer arithmetic in inftrees.c

Links to More Info: K000149905

1636077-2 : Adding an operationally DOWN interface to existing LAG causes traffic disruption on r2k/r4k

Links to More Info: BT1636077

Component: Local Traffic Manager

Symptoms:
When an operationally DOWN interface is added to an existing LAG interface, traffic flow to the tenant stops on r2k/r4k based appliances.

Conditions:
-- Interface is marked down
-- Interface is added to an existing LAG interface

Impact:
Traffic flow gets impacted and the system misses the packets routed onto the LACP trunk to where the LAG member was added.

Workaround:
Restart tmm on all tenants that are associated with the trunk.

Fixed Versions:
17.5.1

1629701-2 : Attack signature is not shown in local event log for staged entity when not in learn/staging

Links to More Info: BT1629701

Component: Application Security Manager

Symptoms:
Attack signature is not shown in local event log for staged entity when the attack signatures are not in learning/staging.

Conditions:
- Security policy with staged URL, parameter or cookie;
- Attack signatures are not in learning or staging;
- Attack is detected by signature in request.

Impact:
Detected attack signature is not shown in local event log.

Workaround:
Possible workarounds:
- enable learning for attack signatures;
- examine detected signatures via remote log (if enabled).

Fix:
Detected attack signatures are now shown also for staged entities.

Fixed Versions:
17.5.1

1628001-4 : TMM core when ACL operation is performed on a deleted session

Links to More Info: BT1628001

Component: Access Policy Manager

Symptoms:
TMM core

Conditions:
A session was deleted while performing an ACL iRule action.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
The TMM crash caused when performing iRule command
"[ACCESS::acl matched]" for a deleted session, this can be mitigated by adding a check for session existence like below

==================
set sessionid [ACCESS::session data get {session.user.sessionid}]

if {[ACCESS::session exists -sid $sessionid]} {
    if {[ACCESS::acl matched] eq <ACL NAME>}
    {
    ///Logic
    }
  } else {
        log local0. "Session does not exist"
  }
=============

Fixed Versions:
17.5.1

1626337-4 : RPMS not being included in the generated UCS with fix of ID985329 incorporated★

Links to More Info: K81310610, BT1626337

Component: Device Management

Symptoms:
While saving the UCS file after installing iAppLX RPMs, iAppLX RPMs are not included in the UCS file. The issue is observed in BIG-IP running software release that includes fix of ID985329.

Some possible symptoms:
-- AS3 replies with a "404 not found" error after upgrading
-- iAppLX applications that have a GUI, such as SSL Orchestrator, display a "Not Found" or "Access forbidden" error after upggrading

Conditions:
- Saving UCS using either CLI (Command Line Interface) or GUI
- BIG-IP running software release that includes fix of ID985329 (starting with verison 16.1.5, 17.1.2, 17.5.0)

Impact:
iAppLX RPMs and iAppLX declarations will be missing if UCS restore is performed. This can cause issues such as "NotFound" or "Access Forbidden" when trying to access the iAppLX.

This can be encountered following an upgrade from verison 16.1.5, 17.1.2, 17.5.0 to a later version.

Workaround:
Mitigation depends on the iAppLX package you are using because uninstall/reinstall approach is sometimes different.

SSL Orchestrator
Follow the recovery steps in K81310610: SSL Orchestrator Configuration: Access forbidden or Not Found or show wizard of new topology
https://my.f5.com/manage/s/article/K81310610

Access Guided Configuration
Follow the recovery steps in K55177400: Guided configuration displays: Not found - The requested URL was not found on this server
https://my.f5.com/manage/s/article/K55177400.

AS3 or any other manually-installed iAppLX
Follow the recovery steps in K000132348: AS3 declaration failure: mgmt shared service-discovery task update response=404 body
https://my.f5.com/manage/s/article/K000132348

Impact of workaround: uninstalling and reinstalling an iAppLX RPM should not impact the configuration data that the iAppLX was managing; for example uninstalling and reinstalling AS3 will not cause the previously-loaded AS3 declaration to be lost.

Fixed Versions:
17.5.1

1623941-4 : [AD] BIG-IP APM AD Auth agent sometimes prompts for new password (every login) after upgrade★

Links to More Info: BT1623941

Component: Access Policy Manager

Symptoms:
AD Auth agent always prompts for a new password after upgrading from v15.x to v17.1.x The user password is *NOT* expired in Active Directory. The user account does not have the "User must change password at next logon" option checked.
This can be seen any in any version upgrades.

Conditions:
Active Directory auth is configured

Impact:
After the upgrade to v17.1.x, v16.1.x, v15.1.x change password prompt appears every time you log in.

Workaround:
None

Fix:
Added the Client constructer as a part of the Client Initialisation

Fixed Versions:
17.5.1

1623597-3 : Nat46/64 hardware connection re-offload is not optimal.

Links to More Info: BT1623597

Component: TMOS

Symptoms:
Nat46/64 hardware connection re-offload is not optimal.

Conditions:
Nat46/64 configuration with hardware offload (fastl4).

Impact:
Not optimal resource usage.

Workaround:
None

Fixed Versions:
17.5.1

1623197-5 : CVE-2024-37891 urllib3: proxy-authorization request header is not stripped during cross-origin redirects

Links to More Info: K000140711

1622789-3 : Traffic levels for NAT64/46 traffic might be different after an upgrade

Links to More Info: BT1622789

Component: TMOS

Symptoms:
Starting from version 16.X BIG-IP supports hardware acceleration of NAT64/46 traffic. Due to a software defect part of accelerated traffic might not be reported properly in connection statistics.

Conditions:
Nat64/46 virtual server with fastL4 PVA acceleration enabled.

Impact:
Part of accelerated traffic might not be reported properly in connection statistics.

Workaround:
None

Fixed Versions:
17.5.1, 17.1.2

1621269-1 : TMM restart loop when attaching large number of interfaces.

Links to More Info: BT1621269

Component: TMOS

Symptoms:
TMM is unable to finish initialization when attaching 9 or more Intel 710/E810 SR-IOV interfaces.

Conditions:
-- Using 9 or more Intel 710/E810 SR-IOV VFs

Impact:
BIG-IP is unable to go into the Active state because TMM restart loop is present.

Workaround:
Update Mcpd.KeepAliveCount DB variable to 127 and reboot the BIG-IP.

Fix:
DB variable Mcpd.KeepAliveCount was introduced to keep network connections between TMOS proccesses alive longer. Therefore, TMM would have enough time to finish initializing when attaching 9 or more Intel 710/E810 SR-IOV interfaces.

Fixed Versions:
17.5.1

1621185-2 : A BD crash on a specific scenario, even after ID1553989

Links to More Info: BT1621185

Component: Application Security Manager

Symptoms:
A BD crash, failover.

Conditions:
Specific requests under specific conditions.

Impact:
Traffic disrupted while bd restarts.

Workaround:
None

Fix:
Fixed a bd crash while passing traffic.

Fixed Versions:
17.5.1

1620785-4 : F5 cache mechanism relies only on Last-Modified/If-Modified-Since headers and ignores the etag/If-None-Match headers

Links to More Info: BT1620785

Component: Local Traffic Manager

Symptoms:
-- Server has a document x with etag - AAAA
-- When the client requests for x through BIG-IP, BIG-IP caches it and responds with 200 OK.
-- Document on Server changes; new etag is BBBB and cache in BIG-IP is expired
-- Clients sending requests with If None-Match: BBBB, should receive 304 with BBBB response but receiving 200 OK with AAAA.

Conditions:
-- Client having access to the server directly and through BIG-IP with cache enabled.
(Or)
-- Deployment containing two BIG-IPs with caching enabled one at a time.

Impact:
BIG-IP serves old documents when requested with etag of the latest document

Workaround:
When HTTP_REQUEST_RELEASE {

 if { [HTTP::header exists If-None-Match] && [HTTP::header exists ETag] }{

   HTTP::header remove If-None-Match

 }

}

Fixed Versions:
17.5.1

1612885-3 : [PORTAL] Handle error in get_frameElement()

Links to More Info: BT1612885

Component: Access Policy Manager

Symptoms:
You may see get_frameElement() related errors in Devtools Console:
cache-fm-Modern.js:1494 Uncaught TypeError: Cannot read properties of undefined (reading 'document')

Conditions:
Portal Access configured on APM

Impact:
Failure in loading application through Portal Access.

Workaround:
None

Fixed Versions:
17.5.1, 17.1.2

1591813-12 : [APM][SAML] SP automation fails with error message 'cannot update (cert_type)'

Links to More Info: BT1591813

Component: Access Policy Manager

Symptoms:
Whenever a certificate is updated while fetching the metadata from the metadata URL in SAML automation for creating SP connector, an error occurs:

err mcpd[8894]: 01070712:3: Caught configuration exception (0), file:(/Common/sp_cert.crt) cannot update (cert_type).

Conditions:
- Configure BIG-IP as IDP with SP automation objects (metadata URL as internal virtual server URL)
- Configure a internal virtual server and attach an iRule to get the iFile based on the URI.
   (https://1.1.1.1/PS0028JP)
-. Update the iFiles that returns metadata and wait till the SP-automation to update its sp-connector objects
 PS0028JP -> ifile that returns metadata of SP with different cert ( self signed to CA and viceversa)

Impact:
Connector automation fails to create SP Connectors with new certificates.

Workaround:
None

Fixed Versions:
17.5.1

1591249-5 : CVE-2018-6913 perl: heap buffer overflow in pp_pack.c

Links to More Info: K000141301

1589661-5 : CVE-2019-3860 libssh2: Out-of-bounds reads with specially crafted SFTP packets

Links to More Info: K000149288

1585277-4 : Libexpat through 2.6.1 allows an XML Entity Expansion attack: CVE-2024-28757

Links to More Info: K000139637, BT1585277

1583261-3 : Saml traffic can rarely cause tmm cores

Links to More Info: BT1583261

Component: Access Policy Manager

Symptoms:
Tmm seg faults in saml_sp_crypto_ctx_init.

Conditions:
This was seen when there was a permissions error loading the service provider key.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.1

1582781-6 : CVE-2021-23177 libarchive: extracting a symlink with ACLs modifies ACLs of target

Links to More Info: K000140961

1580357-2 : CVE-2016-2037 CVE-2015-1197 cpio: out of bounds write

Component: TMOS

Symptoms:
The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file.

Conditions:
Extraction of a crafted archive using the cpio utility.

Impact:
The Vulnerability may lead to out-of-bounds write, potentially causing a crash or arbitrary code execution.

Workaround:
NA

Fix:
Patched cpio to fix the vulnerability.

Fixed Versions:
17.5.1

1579533-3 : Jitterentropy read is restricted to FIPS mode or TMM usage only, for performance reasons★

Links to More Info: BT1579533

Component: Local Traffic Manager

Symptoms:
If jitterentropy-read from CPU jitter is used in all cases, a big performance problem is seen for most cases where BIG-IP works in non-FIPS mode. This can be encountered after upgrading to version 17.x from an earlier BIG-IP version.

Conditions:
The issues occur when BIG-IP operates in non-FIPS or FIPS mode and use jitterentropy to generate seed.

Impact:
Very high CPU utilization is seen when BIG-IP handles traffic while in non-FIPS mode.

Workaround:
None

Fix:
Jitterentropy-read of CPU jitter is now invoked in any one of these situations,
- Either BIG-IP operates in FIPS mode,
- TMM is processing traffic in non-FIPS and FIPS modes. In this case, none of the other components perform the stated jitter read operations and improves performance.

Fixed Versions:
17.5.1

1576897-4 : CVECVE-2016-9063 firefox: Possible integer overflow to fix inside XML_Parse in Expat

Links to More Info: K000139691

1576125-4 : Node.js vulnerability CVE-2024-27983

Links to More Info: K000139532, BT1576125

1572145-5 : CVE-2023-29469 libxml2: Hashing of empty dict strings isn't deterministic

Links to More Info: K000139592

1567761-3 : [APM] AccessProfile name is missing in log User '<username>' belongs to domain '<domain_name>'

Component: Access Policy Manager

Symptoms:
When a user logs in using the VPN using an alternate alias for the domain name, a log message is logged to the apm debug logs. But it does not include the access profile name in the log:

debug apmd[13866]: 0149017b:7: ::c9b6820d: AD module: User 'testuser@mysite.com' belongs to domain 'mysite.net'

Conditions:
User logged in using AD Auth with alternate alias for domain name.

Impact:
The debug log message is ambiguous.

Workaround:
None

Fixed Versions:
17.5.1

1566533-7 : CVE-2017-18342 PyYAML: yaml.load() API could execute arbitrary code

Links to More Info: K000139901

1555525-4 : WCCP traffic may have its source port changed

Links to More Info: BT1555525

Component: Local Traffic Manager

Symptoms:
WCCP traffic may have its source port changed as it leaves the Linux host. This could cause WCCP sessions to not be established.

Conditions:
-- WCCP configured
-- BIG-IP Virtual Edition platform or r2000 or r4000 tenants.

Impact:
WCCP messages may not be successfully processed by the peer because the source port is not 2048.

Workaround:
Cat >> /config/tmm_init.tcl << EOF

proxy BIGSELF {
   listen 0.0.0.0%＼${rtdom_any} 2048 netmask 0.0.0.0 {
     proto ＼$ipproto(udp)
     srcport strict
     idle_timeout 30
     transparent
     no_translate
     no_arp
     l2forward
     tap enable all
     protect
   }
   profile _bigself
 }
EOF

bigstart restart tmm

Fixed Versions:
17.5.1, 17.1.2

1552705-6 : New subsession reads access_token from per-session policy instead of per-request policy.

Links to More Info: BT1552705

Component: Access Policy Manager

Symptoms:
When BIG-IP is configured with OAuth Agents both in per-session policy and per-request policy, OAuth Flow fails to execute successfully.

Conditions:
When new subsessions are created TMM fails to read the access token from subsession variables. Therefore, gets the old token from the main session, i.e. per-session policy.

Impact:
BIG-IP Administrator will not be able to configure BIG-IP as OAuth Client & RS with both per-session policy and per-request policy.

Workaround:
Use OAuth Agents only in the per-request policy, configure per-session policy with just empty allow.

Fixed Versions:
17.5.1

1550869-4 : Tmm leak on request-logging or response logging on FTP virtual server

Links to More Info: BT1550869

Component: Local Traffic Manager

Symptoms:
Tmm memory leak is observed.

Conditions:
Either of these conditions:

-- An LTM profile with request-logging enabled
-- response-logging enabled on a virtual server supporting FTP

Impact:
A tmm memory leak occurs.

Workaround:
Disable request/response logging on the FTP virtual server.

Fixed Versions:
17.5.1

1550785-4 : HSB lock up in Syn-Ack generator module

Component: TMOS

Symptoms:
Datapath flow control in HSB RX and TX directions. Datapath lockup detected by BIG-IP.

Conditions:
Syn Cookie feature is enabled.

Impact:
Datapath lockup. Requires reboot.

Workaround:
This has been fixed in all iSeries platforms for BIG-IP versions 15.1.x, 16.1.x, 17.1.x, 15.5.x.

Fixed in these bitfiles and all bitfiles newer than these.

v15.1.x:

ID1757053: HSB v2.10.8.0 bitstream release for VIPRION B2250 blades
ID1759517: HSB v3.8.98.0 bitstream release for VIPRION B44x0 blades
ID1593933: HSB v5.6.10.0 bitstream release for i5000 / i7000 / i10000-series appliances
ID1593929: HSB v5.23.10.0 bitstream release for i11000-series appliances

v16.1.x:

ID1554997: HSB v2.12.6.0 bitsteam release for VIPRION B2250 blades
ID1564281: HSB v3.10.5.0 bitstream release for VIPRION B44x0 blades
ID1572961: HSB v5.8.5.0 bitstream release for i5000 / i7000 / i10000-series appliances
ID1574653: HSB v5.25.4.0 bitstream release for i11000-series appliances

v17.1.x / v17.5.x:

ID1587357: HSB v2.13.5.0 bitsteam release for VIPRION B2250 blades
ID1582633: HSB v3.11.6.0 bitstream release for VIPRION B44x0 blades
ID1587341: HSB v5.9.9.0 bitstream release to AFM for i5000 / i7000 / i10000-series appliances
ID1587349: HSB v5.26.5.0 bitstream release for i11000-series appliances

Fix:
Bug was found and fixed in the Syn-Ack generator module in the FPGA.

First bitfiles with the fix are listed in the Mitigation / Workaround section.

Fixed Versions:
17.5.1

1517561-5 : CVE-2023-28484 libxml2: NULL dereference in xmlSchemaFixupComplexType

Links to More Info: K000139641

1505649-3 : SSL Handshake fall back to full handshake during session resumption, if SNI string is more than 32 characters in length

Links to More Info: BT1505649

Component: Local Traffic Manager

Symptoms:
When the SNI string is longer than 32 characters, the SSL handshake switches to the full handshake when session resumption is attempted.

Conditions:
- SSL resumption should be enabled in the client's SSL profile of their BIG-IP.
- SNI string should be more than 32 characters in length of the SSL client Hello packet received from the user.

Impact:
SSL resumption would fail if the SNI string is more than 32 characters in length.

Workaround:
using strings lesser than 32 characters for SNI

Fixed Versions:
17.5.1, 17.1.2

1495381-3 : TMM core with SWG explicit forward proxy configuration

Links to More Info: BT1495381

Component: Access Policy Manager

Symptoms:
TMM core.

Conditions:
SWG explicit forward proxy with NTLM or Kerberos credentials identification method.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
17.5.1

1494229-5 : CVE-2023-2953 openldap: null pointer dereference in ber_memalloc_x function

Links to More Info: K000138814

1492337-4 : TMM fails to start up using Xnet-DPDK-virtio due to out of bounds MTU

Links to More Info: BT1492337

Component: TMOS

Symptoms:
TMM goes into a restart loop and fails to start with an error message that the MTU is out of bounds

Log message:
   notice virtio_mtu_set(): MTU should be between 68 and 1500

Conditions:
- Using Xnet-DPDK-virtio driver
- NIC is configured to have an MTU less than NDAL's configured MTU. By default, this is an MTU < 9198

Impact:
TMM goes into a restart loop and fails to start

Workaround:
Create /config/tmm_init.tcl with the following entry
ndal mtu <value> 1af4:1041

Replacing <value> with the corresponding value in the following log line in /var/log/tmm
  notice virtio_mtu_set(): MTU should be between 68 and <value>

Fix:
Refactored code to not restart TMM if set MTU operation fails.

Fixed Versions:
17.5.1

1469393-2 : Browser extension can cause Bot-Defense profile screen to misfunction

Links to More Info: BT1469393

Component: Application Security Manager

Symptoms:
One of the ad-blocker browser extensions is reported to cause bot-defense GUI not working properly.

Conditions:
Ad-blocker extension installed in browser

Impact:
Bot-defense screen might not work properly

Workaround:
Disable ad-blocker extension or use private/incognito mode.

Fixed Versions:
17.5.1

1441577-6 : CVE-2023-42795 tomcat: improper cleaning of recycled objects could lead to information leak

Links to More Info: K000138178

1401961-4 : A blade with a non-functional backplane may override the dag context for the whole system

Links to More Info: BT1401961

Component: TMOS

Symptoms:
A blade with a non-functional backplane may override the dag context for the whole system.

Conditions:
- a blade has backplane problems, as evidenced by "shared random" not being ready in `tmctl -d blade tmm/ready_for_world_stat`.

Impact:
The traffic is black-holed into a non-functional blade.

Workaround:
Depending on the nature of the blade fault, a workaround is to either disable or just reboot the non-functional blade.

Fix:
A blade with a non-functional backplane cannot override the dag context for the whole system anymore.

Fixed Versions:
17.5.1

1400533-5 : TMM core dump include SIGABRT multiple times, on the Standby device.

Links to More Info: BT1400533

Component: Access Policy Manager

Symptoms:
The tmm running on the Standby device is repeatedly killed by sod. There are number of SessionDB ERROR messages on the tmm log.

/var/log/tmm1:
notice session_ha_context_callback: SessionDB ERROR: received invalid or corrupt HA message; dropped message.

Conditions:
-- BIG-IP configured for high availability (HA)
-- Mirroring enabled
-- APM enabled
-- Traffic is being passed on the active device

Impact:
Tmm restarts on the standby device. If a failover occurs while the tmm is restarting, traffic is disrupted.

Workaround:
None

Fix:
Persisting sub-session information only in the active device, after the expiry.

Fixed Versions:
17.5.1

1393733-8 : CVE-2022-43750 kernel: memory corruption in usbmon driver

Links to More Info: K000139700

1382313-5 : TMM might crash under certain conditions

Component: TMOS

Symptoms:
In select scenarios, specific configurations related to DDoS may inadvertently elevate the likelihood of instability within the tmm process.

Conditions:
DDoS configured.

Impact:
Elevated likelihood of instability within the tmm process.

Workaround:
Disable sPVA feature, use the following commands:

tmsh -c 'modify sys db dos.forceswdos value true'
tmsh -c 'list sys db dos.forceswdos'
# this should print "true"

sys db dos.forceswdos {
    value "true"
}

Note: This has a performance impact, as all DDoS function is handled in software.

Fix:
tmm does not crash.

Fixed Versions:
17.5.1

1382181-2 : BIG-IP resets only server-side on idle timeout when used FastL4 profile with loose-* settings enabled★

Links to More Info: BT1382181

Component: Local Traffic Manager

Symptoms:
After upgrading to BIG-IP 17.1.0, observed that some of the client sessions are orphaned, this has caused multiple intermittent connection failures when connecting through BIG-IP.
When the FastL4 profile with loose-* settings enabled is used and an idle timeout of 300 seconds, after idle time of 300 seconds, the server-side connection resets but no reset is sent towards client.

Conditions:
- Use BIG-IP version 17.1.0 and above
- Use Fastl4 profile with loose-* settings enabled.
- Configure idle timeout values.

Impact:
Some client sessions will be orphaned and cause intermittent connection failures when trying to connect through BIG-IP.

Workaround:
If not required for a particular use case, then disable loose-close settings in Fastl4 profile.

Fixed Versions:
17.5.1

1353609-8 : ZebOS BGP vulnerability CVE-2023-45886

Links to More Info: K000137315

1352649-4 : The trailing semicolon at the end of [HTTP::path] in the iRule is being omitted.

Links to More Info: BT1352649

Component: Local Traffic Manager

Symptoms:
When a http request with URL containing only one semi-colon at the end, it is omitted with HTTP::PATH

Conditions:
Basic http Virtual Server and request URL with ';' at the end

Impact:
[HTTP::PATH] incorrectly omits ';'

Workaround:
None

Fix:
Count on semicolon for HTTP::PATH even when there is no host-extension

Fixed Versions:
17.5.1

1336185-6 : NodeJS Vulnerability - CVE-2018-12122

Links to More Info: K000137090

1330801-8 : NodeJS Vulnerability CVE-2018-12123, CVE-2018-12121, CVE-2018-12122

Links to More Info: K000137090

1327169-7 : CVE-2023-24329 python: urllib.parse url blocklisting bypass

Links to More Info: K000135921

1309637-5 : Mac masquerade not working after VLAN movement on host interfaces

Links to More Info: BT1309637

Component: Local Traffic Manager

Symptoms:
Connectivity to the floating IP via the masquerade MAC fails when the VLAN is moved across interfaces.

Conditions:
-- BIG-IP is configured with a floating IP on a traffic group
-- MAC masquerade is enabled
-- The VLAN is assigned to a different interface

Impact:
Connectivity to the floating IP address fails following a failover.

Workaround:
After the VLAN movement, delete and reconfigure the MAC masquerade.

Fixed Versions:
17.5.1

1306309-4 : CVE-2023-28709 Apache tomcat: Fix for CVE-2023-24998 was incomplete

Links to More Info: K000135262

1304081-7 : CVE-2023-2650 openssl: Possible DoS translating ASN.1 object identifiers

Links to More Info: K000135178

1301545-7 : CVE-2023-0568 php: 1-byte array overrun in common path resolve code

Links to More Info: K000134747

1292605-4 : Uncaught ReferenceError: ReferenceError: REquest is not defined

Links to More Info: BT1292605

Component: Access Policy Manager

Symptoms:
The Cache-fm-Modern.js file has a typo.

Conditions:
This issue occurs when using Modern JS support EHF.

Impact:
A Javascript error occurs: "Uncaught ReferenceError: ReferenceError: REquest is not defined".

Workaround:
Correct the typo and give the iRule with iFile workaround.

Fix:
The word "REquest" should be "Request" at all the places where there is a typo error.

Fixed Versions:
17.5.1

1282837-4 : DTLS1.2 Handshakes are causing tmm crash with mTLS connection

Component: Local Traffic Manager

Symptoms:
TMM crash will be observed during the DTLS1.2 handshake.

Conditions:
ServerSSL profile configured with,
 - key and certificate.
 - ssl-sign-hash value is Any

A backend server configured with DTLS1.2 protocol and enabled client authentication.

Impact:
TMM will crash for each DTLS1.2 handshake.

Workaround:
In serverSSL profile, select the ssl-sign-hash to SHA-256.

Fix:
DTLS1.2 handshakes perform as expected.

Fixed Versions:
17.5.1

1270257-8 : CVE-2023-0662 php: DoS vulnerability when parsing multipart request body

Links to More Info: K000133753

1269709-5 : GUI should throw the error when the VS is configured with both vdi and HTTP/2 profiles

Links to More Info: BT1269709

Component: Access Policy Manager

Symptoms:
As the VDI profile is currently not supported in the HTTP/2 environment for which there is no warning message on the BIG-IP GUI about this limitation.

Conditions:
When both VDI Profile and HTTP/2 Profile is attached to the VS.

Impact:
The customer wants this error to be displayed on the BIGIP GUI if vdi and http/2 profiles both are attached to the VS together.

Workaround:
None

Fix:
Display the warning message on the BIG-IP GUI for the Configuration error: "Virtual server cannot have vdi and http/2 profiles at the same time" when both vdi and http/2 profiles are attached on the VS.

Fixed Versions:
17.5.1, 17.1.2, 16.1.5

1267221-5 : When TMM starts, Hyper-V shows no RX packets on the ethX interface★

Links to More Info: BT1267221

Component: Local Traffic Manager

Symptoms:
BIG-IP Virtual Edition (VE) running on a Hyper-V host, when TMM starts, it sets the NIC queue count. When this happens, due to a bug in Hyper-V, ingress packets are no longer received on the data plane interfaces.

Packets egressed from TMM are being correctly sent to peer devices on the network.

Conditions:
- After upgrading from BIG-IP version 12, none of the data plane interfaces show ingress counters incrementing and no traffic is seen on the interface. The Management interface works properly.

Impact:
The data plane interfaces does not show ingress counters incrementing and no traffic is seen on the interface.

Workaround:
In Hyper-V manager, save the machine state and then start it back up or use a legacy network adapter.

Fix:
This change provides a workaround to not set the NIC queue counts if they are already set properly. To utilize this workaround the amount of memory should be verified so that the number of TMMs equals the number of CPUs on the VM.

A new log message in /var/log/tmm will log whether or not TMM changed the queue count.

Fixed Versions:
17.5.1

1144673-5 : Persistent Connection Issue in SSO v2 Plugin

Component: Access Policy Manager

Symptoms:
After a SAML flow is completed and sessions are removed following Single Logout (SLO), some connections may stay active in the flow table if the client does not initiate a reset (RST). The SSO plugin fails to properly manage shutdown events, causing these connections to remain open instead of being closed.

Conditions:
BIG-IP is configured as both a SAML Service Provider (SP) and Identity Provider (IDP), with Single Logout (SLO) enabled, and users remain on the browser after logging out.

Impact:
Persistent connections could lead to resource strain and may affect system performance.

Workaround:
NA

Fix:
No more idle connections in flow table.

Fixed Versions:
17.5.1

1144421-3 : CVE-2019-14866 cpio: improper input validation when writing tar header fields leads to unexpected tar generation

Component: TMOS

Symptoms:
cpio does not properly validate the values written in the header of a TAR file through the to_oct() function. When creating a TAR file from a list of files and one of those is another TAR file with a big size, cpio will generate the resulting file with the content extracted from the input one. This leads to unexpected results as the newly generated TAR file could have files with permissions the owner of the input TAR file did not have or in paths he did not have access to.

Conditions:
Occurs when creating tar archives with unvalidated or specially crafted input filenames.

Impact:
This vulnerability may generate malformed tar files, leading to interoperability issues or unexpected behavior in downstream tools.

Workaround:
NA

Fix:
Patched python to fix the vulnerability.

Fixed Versions:
17.5.1

1132449-6 : Incomplete or missing IPv6 IP Intelligence database results to connection reset and/or high TMM CPU usage

Links to More Info: BT1132449

Component: Advanced Firewall Manager

Symptoms:
The following IPv4 database load message is present in /var/log/ltm:
015c0010:5: Initial load of IPv4 Reputation database has been completed

Note the absence of the IPv6 version of the same message:

015c0010:5: Initial load of IPv6 Reputation database has been completed

Some scenarios can result in elevated TMM CPU utilization, for example, when using IPI in global policy.

The message "Scheduling priority: normal. Nice level: -19" is seen at a rate of about 100 lines per second, per tmm, in the /var/log/tmm* logs:

Conditions:
Failure to download IPv6 database from localdb-ipv6-daily.brightcloud.com.

Impact:
Any of the following:

- TCL error results when IPI is used in an iRule resulting in connection being reset.

- When using IPI in global policy, increased TMM CPU utilization may occur which leads to idle enforcer being triggered, TMM clock advanced messages appearing in LTM logs, or TMM restarting without core when MCPD is unable to communicate with TMM.

Workaround:
Ensure that BIG-IP is able to communicate using https with BrightCloud servers, including localdb-ipv6-daily.brightcloud.com. For more detailed troubleshooting steps, see K03011490 at https://my.f5.com/manage/s/article/K03011490.

Once the IPv6 reputation database has been retrieved and loaded issues should stop.

This line in ltm log shows load has completed:
015c0010:5: Initial load of IPv6 Reputation database has been completed

Fix:
None

Fixed Versions:
17.5.1

1121517-5 : Interrupts on Hyper-V are pinned on CPU 0

Links to More Info: BT1121517

Component: TMOS

Symptoms:
CPU 0 utilization is much higher relative to other CPUs due to high amount of softirq.

Conditions:
BIG-IP is deployed on a Hyper-V platform.

Impact:
Performance is degraded.

Fix:
Interrupts are balanced across all CPUs.

Fixed Versions:
17.5.1, 16.1.4, 15.1.10

1093685-8 : CVE-2021-4083 kernel: fget: check that the fd still exists after getting a ref to it

Links to More Info: K52379673

1081245-3 : [APM] SSO OAuth Bearer passthrough inserts an old access token instead of the latest one.

Links to More Info: BT1081245

Component: Access Policy Manager

Symptoms:
SSO Bearer authorization fails.

Conditions:
APM PRP is configured with just an OAuth Scope and SSO Bearer attached to PSP.

Impact:
Fails to read new token from request and forwards old token in session variables to backend pool after validation.

Workaround:
1. Configure a PSP of type 'OAuth-RS'
   a. Add OAuth Scope
   b. Add Variable assign with following expression
apm policy agent variable-assign /Common/RStype_AP_act_variable_assign_ag {
    variables {
        {
            expression "mcget {session.oauth.client.last.access_token}"
            secure true
            varname session.oauth.client./Common/oauth-aad-server.access_token
        }
    }
}

2. Configure PRP with Gating Criteria (As per your setup)
   a. Add a Variable-Assign inside SBR (subroutine)
apm policy agent variable-assign /Common/empty_act_variable_assign_ag {
    variables {
        {
            expression "mcget -secure {subsession.oauth.client.last.access_token}"
            secure true
            varname session.oauth.client./Common/oauth-aad-server.access_token
        }
    }
}

Fix:
N/A

Fixed Versions:
17.5.1

1078713-1 : Windows 11 not included in client OS check and Windows Info agent.

Links to More Info: BT1078713

Component: Access Policy Manager

Symptoms:
Branches/rules are not available for Windows 11 in the access policy.

Conditions:
-- Client OS check.
-- Windows Info agent.

Impact:
Unable to use client OS check and Windows Info agent for Windows 11.

Workaround:
Windows 10 and 11 share the same major and minor version and Windows 11 is differentiated by its build number, 22000.

Adding a "Windows Registry" agent such as this before the "Windows Info" agent do branch off Windows 11 machines.
"HKEY_LOCAL_MACHINE＼SOFTWARE＼Microsoft＼Windows NT＼CurrentVersion"."CurrentBuildNumber">="22000"

Fix:
N/A

Fixed Versions:
17.5.1

1069949-8 : CVE-2018-1000007 curl: HTTP authentication leak in redirects

Component: TMOS

Symptoms:
libcurl might accidentally leak authentication data to third parties.

When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value.

Sending the same set of headers to subsequent hosts is, in particular, a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy-sensitive information or data that could allow others to impersonate the libcurl-using client's request.

Conditions:
NA

Impact:
Sensitive information could be disclosed to an unauthorised user

Workaround:
NA

Fix:
Patched curl to fix the vulnerability.

Fixed Versions:
17.5.1

1057141-7 : CVE-2018-14647 python: Missing salt initialization in _elementtree.c module

Component: TMOS

Symptoms:
A flaw was found in python's _elementtree.c module, a wrapper for libexpat XML parser. xml.etree C accelerator don't call XML_SetHashSalt(), failing to properly initiate the random hash seed from a good CSPRNG source and making hash collision attacks with carefully crafted XML data easier.

Conditions:
NA

Impact:
potential service disruptions.

Workaround:
NA

Fix:
Patched python to fix the vulnerability.

Fixed Versions:
17.5.1

1052249-8 : CVE-2018-13094 kernel: NULL pointer dereference in xfs_da_shrink_inode function

Component: TMOS

Symptoms:
An issue was discovered in the XFS filesystem in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A NULL pointer dereference may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. This can lead to a system crash and a denial of service.

Conditions:
NA

Impact:
Exploitation of the vulnerability could cause the system to become unavailable (DoS).

Workaround:
Limit physical or local access to the system

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
17.5.1

1052217-8 : CVE-2018-19985 kernel: oob memory read in hso_probe in drivers/net/usb/hso.c

Component: TMOS

Symptoms:
A flaw was found in the Linux kernel in the function hso_probe() which reads if_num value from the USB device (as an u8) and uses it without a length check to index an array, resulting in an OOB memory read in hso_probe() or hso_get_config_data(). An attacker with forged USB device with a physical access to a system (needed to connect such a device) can cause a system crash and a denial-of-service.

Conditions:
NA

Impact:
The primary impact of this vulnerability is a denial-of-service (DoS) due to the kernel crash

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
17.5.1

1047789-1 : [APM] MCP err msg seen when editing/applying resource assign in VPE

Links to More Info: BT1047789

Component: TMOS

Symptoms:
An error message is found in /var/log/apm

MCP message handling failed in 0xb0ad80 (16973840): Sep 3 09:56:22 on 2 - MCP Message:

Conditions:
When VPE (or via CLI) "Advanced Resource Assign" agent is re-configured

Impact:
No functional impact.

Workaround:
None

Fixed Versions:
17.5.1

1041141-3 : CVE-2021-35942 glibc: Arbitrary read in wordexp()

Links to More Info: K98121587

1028701-12 : CVE-2019-9947 python: CRLF injection via the path part of the url passed to urlopen()

Links to More Info: K000151516

1001369-9 : D-Bus vulnerability CVE-2020-12049

Links to More Info: K16729408, BT1001369