BIG-IP 21.0.0.1 Fixes and Known Issues

935633-4 : VCMP guests or F5OS tenants may experience constant clusterd restart after host upgrade★

Links to More Info: BT935633

Component: TMOS

Symptoms:
Sometimes, when vCMP guests or F5OS tenants are started after the host has been upgraded, the guests or tenants may enter an unhealthy state due to clusterd constantly restarting.

Conditions:
-- vCMP guest or F5OS tenant has Mirroring IP configured.
-- vCMP guest or F5OS tenant is powered on after vCMP host upgrade.
-- vCMP guest or F5OS tenant is powered on and receives a new license file from the host during startup.

Impact:
-- This issue might prevent the guest or tenant from servicing traffic if the system fails to load the config and clusterd keeps restarting.
-- During startup of the guest or tenant, the following message is logged to /var/log/ltm:

 err mcpd[6519]: 0107146f:3: Self-device state mirroring address cannot reference the non-existent Self IP ([IP address]); Create it in the /Common folder first.

-- /var/log/ltm shows clusterd constantly restarting.
-- One or more slots are in INOPERATIVE state, while the host shows slots as RUN/Healthy.

Workaround:
-- To avoid the issue before it occurs:
1. Prior to shutting down vCMP guests or F5OS tenants before host upgrade, ensure guests or tenants have free space in the /var partition.
2. Ensure any license updates (e.g., reactivation) are applied before shutting down the vCMP guest or F5OS tenant.
3. Issue 'tmsh save sys config' on the vCMP guest or F5OS tenant.
4. Issue 'ls /var/db/mcp*' and confirm the presence of mcpdb.bin and mcpdb.info in the /var/db directory.
5. Proceed with vCMP guest or F5OS tenant shutdown and host upgrade as per standard F5 recommended process.


-- To mitigate after the issue has been experienced on a vCMP guest or F5OS tenant:
1. Set the vCMP guest or F5OS tenant to the Configured state and wait for it to complete transition to Configured.
2. Set vCMP guest or F5OS tenant to Deployed state.
3. Review startup logs and confirm 'Self-device state mirroring address cannot reference the non-existent Self IP' message is no longer present.
4. Review /var/log/ltm and confirm clusterd is no longer restarting.
5. If issue persists, delete and recreate the vCMP guest or F5OS tenant.

Fixed Versions:
21.0.0.1

931149-5 : Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings

Links to More Info: BT931149

Component: Global Traffic Manager (DNS)

Symptoms:
RESOLV::lookup returns an empty string.

Conditions:
The name being looked up falls into one of these categories:

-- Forward DNS lookups in these zones:
    - localhost
    - onion
    - test
    - invalid

-- Reverse DNS lookups for:
    - 127.0.0.0/8
    - ::1
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
    - 0.0.0.0/8
    - 169.254.0.0/16
    - 192.0.2.0/24
    - 198.51.100.0/24
    - 203.0.113.0/24
    - 255.255.255.255/32
    - 100.64.0.0/10
    - fd00::/8
    - fe80::/10
    - 2001:db8::/32
    - ::/64

Impact:
RESOLV::lookup fails.

Workaround:
Use a DNS Resolver ('net dns') and RESOLVER::name_lookup / DNSMSG:: instead of RESOLV::lookup:

1. Configure a local 'net dns' resolver, replacing '192.88.99.1' with the IP address of your DNS resolver:

    tmsh create net dns-resolver resolver-for-irules answer-default-zones no forward-zones add { . { nameservers add { 192.0.2.1:53 } } }

2. Use an iRule procedure similar to this to perform PTR lookups for IPv4 addresses:

proc resolv_ptr_v4 { addr_v4 } {
    # Convert $addr_v4 into its constituent bytes
    set ret [scan $addr_v4 {%d.%d.%d.%d} a b c d]
    if { $ret != 4 } {
        return
    }

    # Perform a PTR lookup on the IP address $addr_v4, and return the first answer
    set ret [RESOLVER::name_lookup "/Common/resolver-for-irules" "$d.$c.$b.$a.in-addr.arpa" PTR]
    set ret [lindex [DNSMSG::section $ret answer] 0]
    if { $ret eq "" } {
        # log local0.warn "DNS PTR lookup for $addr_v4 failed."
        return
    }

    # Last element in '1.1.1.10.in-addr.arpa. 600 IN PTR otters.example.com'
    return [lindex $ret end]
}

-- In an iRule, instead of:
    RESOLV::lookup @192.0.2.1 $ipv4_addr
Use:
    call resolv_ptr_v4 $ipv4_addr

Fixed Versions:
21.0.0.1

912797-15 : NTP Vulnerability: CVE-2020-11868

Links to More Info: K44305703, BT912797

901989-11 : Corruption detected in /var/log/btmp

Links to More Info: BT901989

Component: TMOS

Symptoms:
The boot_marker is written to /var/log/btmp, but /var/log/btmp is a binary file.

A message similar to:

warning <process>[10901]: pam_lastlog(<process>:session): corruption detected in /var/log/btmp

... may be logged to /var/log/secure.

Conditions:
This issue is triggered following a reboot of the BIG-IP system. Subsequently, you may observe the log message appearing in relation to various administrative activities, such as logging in through the console or restarting the tomcat service.

Impact:
Since this file is unknowingly corrupt after each boot, any potential investigation needing this data may be compromised.

Workaround:
Option 1; After bootup you can truncate the file.
$ truncate --size 0 /var/log/btmp
This will remove any instances of failed logins from the file.

--or--

Option 2; this will stop boot_markers from logging to /var/log/btmp:
CAVEATS:
- If the system has FIPS enabled, do not use this workaround! Modifying this file will cause FIPS validation to fail the next time it runs, and the system will halt on next boot.
- This workaround will not persist on software upgrades.
- Familiarity with vi is required to perform this.

Backup:
cp /etc/sysconfig/sysinit/01bootlogmarker.sysinit /var/tmp/01bootlogmarker.sysinit.bak

Open in vi:
vi /etc/sysconfig/sysinit/01bootlogmarker.sysinit

Change the following line to include "btmp":
old: excludeFiles=( "lastlog" "wtmp" "tmm*tech.out" "*.json" )
new: excludeFiles=( "lastlog" "wtmp" "btmp" "tmm*tech.out" "*.json" )

Force save and quit with (required since file is RO):
:wq!

Truncate the "/var/log/btmp" file:
truncate --size 0 /var/log/btmp

Reboot

Fixed Versions:
21.0.0.1

901569-8 : Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.

Links to More Info: BT901569

Component: Local Traffic Manager

Symptoms:
Loopback traffic (local traffic) destined to a virtual server might get dropped when the incoming packet matches a terminating connection flow.

Conditions:
-- VLAN filter is enabled on the virtual server created for loopback traffic processing.
-- An incoming packet matches a terminating connection flow (i.e., the connection flow terminates because of timeout, being dropped by iRule, etc.).

Impact:
Traffic that is matched against a terminating connection flow of a virtual is not processed by the virtual server.

Workaround:
Because this filter is ignored for loopback traffic, removing the 'Enabled On VLAN' filter at the virtual server mitigates the issue.

Fixed Versions:
21.0.0.1

887681-5 : Tmm SIGSEGV in rrset_array_lock,services/cache/rrset.c

Links to More Info: BT887681

Component: Global Traffic Manager (DNS)

Symptoms:
TMM Cored with SIGSEGV.

Conditions:
N/A.

Impact:
Traffic disrupted while tmm restarts.

Fixed Versions:
21.0.0.1

857973-5 : GUI sets FQDN Pool Member "Auto Populate" value Enabled by default

Links to More Info: BT857973

Component: TMOS

Symptoms:
In the GUI, the "autopopulate" value is Enabled by default when creating an FQDN template Pool Member, but Disabled by default when creating an FQDN template Node.

Conditions:
This is observed when using FQDN names to configure Pool Members and/or Nodes in the GUI.

Impact:
Differing default "autopopulate" values displayed in the GUI are confusing.
The "autopopulate" value for an FQDN Pool Member cannot be set to "enabled" if the "autopopulate" value of the corresponding FQDN Node is set to the default value of "disabled".
Attempting to do so via tmsh will generate an error similar to:
01070734:3: Configuration error: Cannot enable pool member to autopopulate: node (<fqdn node name>) has autopopulate set to disabled

Workaround:
Be careful to select the appropriate option for the "Auto Populate" parameter when configuring FQDN Pool Members using the GUI.

Fixed Versions:
21.0.0.1

761853-1 : Send HOST header in OCSP responder request

Component: TMOS

Symptoms:
As per the Digicert documentation, the OCSP/CRL connections require either HTTP1.1 or HTTP1.0 with host header. (Digicert).
LTM uses HTTP1.1 without the host header in OCSP responder request

Conditions:
OCSP and CRL Authentication uses HTTP1.0 for OCSP responder requests

Impact:
OCSP in the current BIG-IP relies on OpenSSL for its operations and current version of OpenSSL that is available in BIG-IP is 1.0.2za
OpenSSL 1.0.2 is only capable of generating HTTP/1.0 requests for OCSP and CRL fetches; it does not support HTTP/1.1.
This limitation prevents clients from communicating with OCSP/CRL endpoints that require HTTP/1.1, resulting in failures for revocation checks in environments where modern protocols are mandated.

Workaround:
Add either of these iRules to the Virtual Server

Modify HTTP 1.0 to HTTP1.1

when HTTP_REQUEST {
    HTTP::version "1.1"
}

Add Host header
 
when HTTP_REQUEST {
    HTTP::host "[HTTP::host]”
}

Fix:
Support for HTTP1.1 is added. The OCSP requests for auth should now use HTTP1.1 version

Fixed Versions:
21.0.0.1

745334-15 : CVE-2016-7099 NodeJS Vulnerability

Component: Local Traffic Manager

Symptoms:
tls.checkServerIdentity does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

Conditions:
The server runs Node.js 0.12.16 or earlier that has tls.checkServerIdentity function that does not handle wildcards in name fields of X.509 certificates.

Impact:
This allows man-in-the-middle attackers to spoof servers via a crafted certificate.

Fix:
Upgrade to Node.js 0.12.16 or later, where tls.checkServerIdentity function can handle wildcards in name fields of X.509 certificates.

Fixed Versions:
21.0.0.1

714238-12 : CVE-2018-1301: Apache Vulnerability

Links to More Info: K78131906

658943-9 : Errors when platform migration process is loading UCS using trunks on vCMP guest/F5OS Tenants

Links to More Info: BT658943

Component: TMOS

Symptoms:
During the platform migration from a physical BIG-IP system to a BIG-IP vCMP guest/F5OS Tenant, the load fails with one of the following messages:

01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.

01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.

Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest/F5OS Tenant.

Impact:
The platform migration fails and the configuration does not load.

Workaround:
You can use one of the following workarounds:

-- Remove all trunks from the source configuration prior to generation of the UCS.

-- Before loading the UCS archive onto the target BIG-IP, edit the archive and remove the trunk configuration from ./config/bigip_base.conf, and then repack the UCS.

-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.

-- K50152613

Fixed Versions:
21.0.0.1, 14.1.4.1

551462-12 : CVE-2014-9730 - Linux Kernel UDF Filesystem Denial of Service Vulnerability

Links to More Info: K17447

423304-6 : Sync issues with certain objects' parameters.

Component: TMOS

Symptoms:
Synchronized configuration objects may contain invalid parameters after you delete an object and create a different object type with the same name.

Conditions:
This issue occurs when all of the following conditions are met: --
The BIG-IP systems are configured as part of a Device Group. -- You delete a configuration object of one type and then create a different type of object that uses the same name. -- The new object's configuration is synchronized to the other systems of the Device Group.

Impact:
An invalid configuration on the box that is synced to, and no obvious warning signs.

Workaround:
Use either of the following methods: -- Synchronize the configuration after you delete the original object and before you create the new object. -- Use a different name for the new configuration object.

Fixed Versions:
21.0.0.1

2197173-1 : Insufficient sanitization in SNMP configuration

Component: TMOS

Symptoms:
SNMP configuration is not sanitizing input properly.

Conditions:
NA

Impact:
It can lead to unexpected behaviour.

Workaround:
Restrict SNMP access to localhost.

Fix:
SNMP configuration is now properly sanitizing the inputs.

Fixed Versions:
21.0.0.1

2187529-3 : CVE-2025-12818: postgresql: libpq undersizes allocations, via integer wraparound

Component: TMOS

Symptoms:
A vulnerability has been identified in PostgreSQL’s libpq client library, where integer wraparound in several allocation-size calculations allows a peer or input provider to cause an undersized buffer and then write out-of-bounds by hundreds of megabytes. This can lead to a client application segmentation fault or crash when using libpq to connect to a PostgreSQL server.

Conditions:
A client application using a vulnerable libpq version connects to a malicious or compromised PostgreSQL server that sends crafted responses triggering integer wraparound during memory allocation.

Impact:
It can cause out-of-bounds memory writes, leading to a client application crash or segmentation fault (denial of service).

Workaround:
Upgrade to a patched libpq/PostgreSQL client version and avoid connecting to untrusted or compromised PostgreSQL servers.

Fix:
Upgrade to a patched libpq/PostgreSQL client version and avoid connections to untrusted or compromised PostgreSQL servers.

Fixed Versions:
21.0.0.1

2187365 : In V21.0 BIG-IP VE remains INOPERATIVE after cold boot due to MCPD failure.

Links to More Info: BT2187365

Component: TMOS

Symptoms:
- BIG-IP VE system fails to reach an operational state after cold boot.
- MCPD starts but throws an error and never becomes ready.
- ecmd process drives CPU utilization above 100%.

Conditions:
- cold boot (power-off followed by power-on).
- BIG-IP VE systems running v21.0.0.

Impact:
The BIG-IP VE system fails to become active after a cold boot.

Configuration management and control-plane services are unavailable due to MCPD not becoming ready.

High CPU utilization by ecmd can impact overall system stability and resource availability.

Workaround:
Manual Recovery:

Delete the /var/db/mcpdb.bin file.
Reboot the system.
MCPD will regenerate a clean state and the system will return to operation.

Fixed Versions:
21.0.0.1

2186897-3 : TMM core SIGSEVG upon replacing L7 DOS policy

Links to More Info: BT2186897

Component: Anomaly Detection Services

Symptoms:
On rare cases of expired connection, tmm can crash.

Conditions:
BADOS L7 configured
Replacing DOS policy under traffic

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM does not crash upon replacing L7 DOS policy.

Fixed Versions:
21.0.0.1

2186153-6 : CVE-2025-8194 cpython: Cpython infinite loop when parsing a tarfile

Component: TMOS

Symptoms:
A flaw was found in the Python tarfile module. Processing a specially crafted tar archive, specifically an archive with negative offsets, can cause an infinite loop and deadlock. This issue results in a denial of service in the Python application using the tarfile module.

Conditions:
The application uses the Python tarfile module to process an attacker-supplied malicious tar archive containing negative offsets.

Impact:
It can cause an infinite loop leading to application hang or denial of service.

Workaround:
Update to a patched Python version and avoid processing untrusted tar archives, or validate archives before extraction

Fix:
Upgrade to a Python version that includes the tarfile module fix for this issue.

Fixed Versions:
21.0.0.1

2184897-2 : Tenant disk size modification is ineffective for var/log folder

Links to More Info: BT2184897

Component: TMOS

Symptoms:
Due to insufficient free disk space on the VM, the /var/log resize operation could not be applied on reboot.

Conditions:
When available disk space on the VM is insufficient for the requested directory resizing.

Impact:
You will not know if resizing will succeed/fail ahead of time.

Workaround:
Manually calculate and allocate disk space within the range of available disk space.

Fix:
Improved validation has been added for directory resize operations. If the available disk space is less than the requested size, the command now fails immediately with a clear error message, allowing users to identify resize issues at the time of requesting.

Fixed Versions:
21.0.0.1

2183705-1 : Improper access control on SMTP

Component: Application Visibility and Reporting

Symptoms:
Security best practices are not being followed for SMTP in BIGIP.

Conditions:
NA

Impact:
Unexpected behaviour

Fix:
Security best practices are being followed.

Fixed Versions:
21.0.0.1

2179729-1 : MCPD memory leaks during repetitive configuration create/modify/delete cycles combined with ongoing config-sync activity.

Links to More Info: BT2179729

Component: TMOS

Symptoms:
The eXtremeDB configuration database grows continuously over time in long‑duration testing, even when objects are deleted.

Conditions:
-- Long duration run with create, modify, delete configuration objects.
-- High Availability (HA) enabled

Impact:
MCPD memory becomes very large on lab HA devices.

Workaround:
None

Fixed Versions:
21.0.0.1

2162937 : TMM crash when AFM is enabled

Links to More Info: BT2162937

Component: Advanced Firewall Manager

Symptoms:
The BIG-IP system experiences repeated TMM crashes when handling DNS DoS traffic.

Conditions:
This issue occurs on BIG-IP AFM version 21.0.0 with DNS DoS

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Handled malformed packets.

Fixed Versions:
21.0.0.1

2162905-2 : AFM GUI does not display Port List members in Properties panel

Links to More Info: BT2162905

Component: Advanced Firewall Manager

Symptoms:
AFM GUI fails to display port-list members in the Properties pane

Conditions:
Occurs when viewing any Port List object in the AFM Policy Editor GUI

Impact:
Administrators cannot visually verify port-list contents in the GUI

Workaround:
Tmsh list security firewall port-list <port_list_name>

Fixed Versions:
21.0.0.1

2162849-2 : Removing the active controller does not trigger an immediate tenant failover

Links to More Info: BT2162849

Component: TMOS

Symptoms:
On a setup where BIG-IP tenant is active for a traffic group and is running on a VELOS chassis, and HA score configured with a weightage for F5OS_INTERNAL_TRUNK , pullinf out the active controller does not trigger an immediate failover

Conditions:
1)Tenant is active for a traffic group and is running on a controller that is active for the partition on which the tenant is running
2) Active system controller is removed or powered off using AOM

Impact:
Tenant failover is delayed upto 4min when an active controller of the active tenant is pulled out .

Workaround:
None

Fixed Versions:
21.0.0.1

2162705-2 : Tmm restarting on multi-NUMA AWS instances with ENA interfaces★

Links to More Info: BT2162705

Component: Local Traffic Manager

Symptoms:
Tmm is in the restart loop because dpdk driver is failing to attach with the error message in tmm log:

notice dpdk: [0000:00:06.0]: Multiple NUMA nodes usage is unsupported.

Conditions:
- BIG-IP VE large instance deployed on AWS cloud.
- NUMA node count more than 1 (check "lscpu | grep NUMA").

Impact:
Unable to use dpdk driver on some large AWS instances.

Workaround:
Switch to sock driver: https://my.f5.com/manage/s/article/K10142141

Fix:
DPDK correctly initializes the memory on multi-NUMA AWS instances.

Fixed Versions:
21.0.0.1

2162589-1 : BD crash with a specific configuration

Component: Application Security Manager

Symptoms:
BD daemon crash and restart

Conditions:
Navigation parameter is configured

Impact:
traffic disturbance, failover.

Workaround:
Remove navigation parameter from the configuration.

Fix:
BD working properly.

Fixed Versions:
21.0.0.1

2161077-2 : Bot profile properties page does not load when there are large number of SSL certs (> 1000)

Links to More Info: BT2161077

Component: TMOS

Symptoms:
When a large number of SSL certs are present, the Bot Defense profile properties page (Security > Bot Defense > Bot Profile Properties) does not load correctly

Conditions:
- ASM is provisioned
- SSL cert count > 1000

Impact:
Bot Defense profile properties page does not load

Workaround:
Use tmsh to manage the Bot profiles.

Fix:
Increase restjavad memory to 1.3GB after applying the fix and restart restjavad

> tmsh modify sys db provision.restjavad.extramb value 1280
> bigstart restart restjavad

Fixed Versions:
21.0.0.1

2153893-4 : With DNS64 configured, resolution aborts early on the first error response without trying other name servers.

Links to More Info: BT2153893

Component: Global Traffic Manager (DNS)

Symptoms:
When multiple name servers for a zone are known, as soon as one name server responds with an error rcode, resolution is aborted and other name server are not tried.

Conditions:
-- DNS64 is configured.
-- More than one name server is configured for a zone.
-- One name server responds with an error rcode.

Impact:
DNS resolution will intermittently fail. DNS resolution will succeed only if the cache randomly selects a working name server to contact first.

Workaround:
Disable DNS64.

Fixed Versions:
21.0.0.1

2153489-1 : MCPD crash in FolderMgr::validate_deleted_folder_queue due to race condition clearing folder_delete_queue mid-iteration (v21)

Links to More Info: BT2153489

Component: TMOS

Symptoms:
-- System crashes with a segmentation fault during folder deletion operations.

-- Core dump observed in FolderMgr::validate_deleted_folder_queue.

Conditions:
Concurrent Operations

Thread 1 is performing a folder deletion and iterating over folder_delete_queue in FolderMgr::validate_deleted_folder_queue.

Thread 2 is processing a virtual server query and calls AuthZ::current_context (setter), which invokes FolderMgr::reset_deleted_folder_queue().

Impact:
Traffic and management disrupted while mcpd restarts.

Workaround:
None

Fixed Versions:
21.0.0.1

2152785-1 : TMM may crash under certain conditions.

Component: Local Traffic Manager

Symptoms:
TMM crashes when HTTP/2 traffic

Conditions:
When HTTP/2 profile is configured on TMM.

Impact:
Traffic is disrupted

Workaround:
Add http router to the virtual, converting to HTTP/2 Full Proxy mode from HTTP/2 Gateway mode.

Fix:
TMM handling HTTP/2 traffic properly

Fixed Versions:
21.0.0.1

2152689-3 : ASM GUI "Failed to load requests" pop-up

Links to More Info: BT2152689

Component: Application Security Manager

Symptoms:
A "Failed to load requests" pop-up appears on the page.

REST framework responds with:
{"code":400,"message":"A valid filename must be supplied"}
This is visible in the log of the web browser's interaction with the BIG-IP UI (.har file).

Conditions:
A user with username that contains a slash i.e. "my＼name"
clicking
on Security -> Event Logs -> Application -> Requests
or Security -> Event Logs -> Bot Defense -> Bot Requests

Impact:
Can't view request details

Workaround:
Do not use '/' in the username

Fixed Versions:
21.0.0.1

2152601 : Repeated restarts of the MCPD service result in a continuous restart loop accompanied by error messages: An unexpected failure has occurred, MCO_ERR_EV_SYN - Synchronous events

Component: TMOS

Symptoms:
Continuous restart of MCPD accompanied by error messages: An unexpected failure has occurred, MCO_ERR_EV_SYN - Synchronous events.

Conditions:
This occurs after 10 restarts of MCPD service.

Impact:
BIGIP services are impacted as MCPD is down.

Workaround:
Reboot device.

Fix:
This issue is fixed by cleaning up the resource during every MCPD restart.

Fixed Versions:
21.0.0.1

2152269-8 : Low reputation URIs are found in the URL DB binary

Links to More Info: BT2152269

Component: Access Policy Manager

Symptoms:
Publishing BIG-IQ image to Azure cloud is blocked due to malware scan detecting these low reputed URLs.

Conditions:
When uploading the image on Azure Cloud and these low reputed URLs are detected in malware scanners.

Impact:
No impact on the functionality

Workaround:
None.

Fix:
Low reputation URIs such as che168, cssplay, newliveplayer, tinypic.info referring test code are removed from the product.

Fixed Versions:
21.0.0.1, 21.0.0

2150525-1 : Improvements in iControl SOAP

Component: TMOS

Symptoms:
Security best practices were not being followed in iControl SOAP.

Conditions:
NA

Impact:
Can lead to unexpected behaviour.

Workaround:
NA

Fix:
iControl SOAP now has security best practices.

Fixed Versions:
21.0.0.1

2149253-2 : QUIC connection stalls with early data

Links to More Info: BT2149253

Component: Local Traffic Manager

Symptoms:
When QUIC client connect with early data, connection stalled.

Conditions:
Configure virtual server with quic + client-ssl with Data 0-RTT enabled (w/ anti-replay).

QUIC client connects with existing session and early data.

Impact:
Failed QUIC/HTTP3 connections.

Workaround:
Disable client-ssl Data 0-RTT.

Fix:
Release SSL egress data.

Fixed Versions:
21.0.0.1

2149233-3 : TMM crashes when using SSL

Component: Local Traffic Manager

Symptoms:
Under certain SSL condition, TMM crashes.

Conditions:
When SSL is configured

Impact:
Traffic is disrupted.

Fix:
TMM working properly now.

Fixed Versions:
21.0.0.1

2144521-1 : WAF plugin gets incorrect response body when SSE profile is configured on virtual server

Links to More Info: BT2144521

Component: Local Traffic Manager

Symptoms:
When the SSE plugin is enabled, the WAF plugin receives a partial response body.

Conditions:
SSE Profile (Server Sent Events) and WAF plugin enabled on a Virtual Server.

Impact:
WAF plugin sees only part of the ingress stream.

Workaround:
Disable SSE profile on virtual server when WAF plugin is configured.

Fix:
The HUDFILTER order on server side was adjusted to ensure both WAF plugin and SSE HUDFILTER receive the complete response body.

Fixed Versions:
21.0.0.1

2144513-1 : Cannot install any BIG-IP version with ISO signature verification enabled★

Links to More Info: BT2144513

Component: TMOS

Symptoms:
On affected versions of BIG-IP, if the BIG-IP software ISO file signature checking feature is enabled, attempting to install any BIG-IP version will fail.

Attempting to install the BIG-IP image using either tmsh or the GUI will result in the following error messages (as shown by the "tmsh show /sys software status" command, or hovering a mouse over the "Failed" Install Status message in the GUI):

failed (Signature verification failed - no sig file found)

Conditions:
This occurs on affected versions if the BIG-IP software ISO file signature checking feature is enabled, as described in the following article:
K15225: Enabling signature verification for BIG-IP and BIG-IQ ISO image files
https://my.f5.com/manage/s/article/K15225

Impact:
It is not possible to install any BIG-IP version with the BIG-IP software ISO file signature checking feature enabled.

Workaround:
To successfully install the desired BIG-IP version in such cases:
1. Disable ISO Signature Verification
2. Install the desired BIG-IP version
3. Re-enable ISO Signature Verification

Fix:
BIG-IP versions released on or after October 2025 can be successfully installed with the BIG-IP software ISO file signature checking feature enabled.

Fixed Versions:
21.0.0.1

2144497-2 : Mellanox driver timeouts and packet drops on Azure instances with high NIC count

Links to More Info: BT2144497

Component: TMOS

Symptoms:
On Azure instances with high interface count (6 or more) Mellanox linux kernel driver mlx5_core may fail to initialize the interface or attach it very slow. Another symptom of this problem: packets drops because of timeouts in Mellanox device queue processing.
mlx_core will report multiple errors in the kernel logs (run "dmesg | grep mlx5_core" to display it).

Conditions:
- BIG-IP VE instance deployed in Azure with 6 or more interfaces
- Accelerated networking is enabled

Impact:
- Azure instance starting time may be significant
- SSH access may be unavailable
- Packets drops on dataplane Mellanox interfaces

Workaround:
None

Fix:
Device interrupts are assigned on correct vCPUs in Azure/HyperV environments to prevent Mellanox device timeouts.

Fixed Versions:
21.0.0.1

2144445-1 : Insufficient sanitization in TMSH

Component: TMOS

Symptoms:
TMSH is not sanitizing input properly

Conditions:
NA

Impact:
Can cause unexpected behaviour in TMSH

Fix:
TMSH is now properly sanitizing the input.

Fixed Versions:
21.0.0.1

2144353-4 : BIND upgrade to stable version 9.18.41

Links to More Info: BT2144353

Component: Global Traffic Manager (DNS)

Symptoms:
BIND upgrade to stable version 9.18.41.

Conditions:
Using local BIND.

Impact:
BIND upgrade to stable version 9.18.41.

Workaround:
None.

Fix:
BIND upgrade to stable version 9.18.41.

Fixed Versions:
21.0.0.1

2143305-5 : Tmm crash

Component: Application Security Manager

Symptoms:
TMM may crash when a policy dynamically disables and re-enables L7 DoS through multiple rules.

Conditions:
-- A policy containing multiple rules that disable and then re-enable L7 DoS is attached to a virtual server.
-- An L7 DoS profile is attached to the same virtual server.
-- The policy rule that re-enables L7 DoS does not specify the from-profile attribute.
-- Traffic passes through tmm.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Modify the policy rules that enable L7 DoS to explicitly include the from-profile attribute referencing the attached DoS profile.

Fix:
Handle policy rules that enable L7 DoS without the from-profile attribute in cases where L7 DoS was previously disabled.

Fixed Versions:
21.0.0.1

2143165-3 : Oauth tokens are not shown in UI

Component: Access Policy Manager

Symptoms:
Oauth tokens are not shown in UI

Conditions:
Access >> Overview >> OAuth Reports >> Tokens

Impact:
Oauth tokens are not visible

Workaround:
Use tmsh to see the Oauth Tokens:
"tmsh list / apm oauth token-details db-instance oauthdb"

Fixed Versions:
21.0.0.1

2143101-3 : SNMP Malfunctioning for IPI BL: Incorrect Statistics Reported

Links to More Info: BT2143101

Component: Advanced Firewall Manager

Symptoms:
The statistics counters retrieved via SNMP and tmctl do not reflect any increments for the corresponding blacklist category, despite packets being dropped and logged as expected.

Conditions:
Blacklist categories populated dynamically via feed lists or automatic updates.

Impact:
Inaccurate stats due to missing statistics.

Workaround:
None.

Fix:
When an IP address is dynamically blacklisted by IP Intelligence (IPI), packets from that source are dropped and logged as expected. The statistics counters for the relevant blacklist category viewed via SNMP or tmctl are also incremented.

Fixed Versions:
21.0.0.1

2141305-2 : SSH Proxy Profile Properties page does not render

Links to More Info: BT2141305

Component: TMOS

Symptoms:
The 'Properties' button of a ssh proxy security profile does not correctly render the profile's page

Conditions:
- AFM provisioned
- Security ›› Protocol Security : Security Profiles : SSH Proxy : SSH
- Right-click on 'Properties' and open in new tab.

Impact:
You are unable to view the SSH Proxy security profile properties.

Workaround:
None

Fix:
SSH Proxy Profile Properties Page Rendering issue is fixed

Fixed Versions:
21.0.0.1

2141245-3 : Undisclosed traffic to TMM can lead to resource exhaustion

Component: Global Traffic Manager (DNS)

Symptoms:
Certain traffic sent to TMM is leading to resource exhaustion.

Conditions:
Undisclosed conditions

Impact:
TMM Resource exhaustion

Fix:
DNS LDNS API correction.

Fixed Versions:
21.0.0.1

2141233-2 : Client authentication profile as "Request" in FIPS-CC mode causes connection termination without certificate★

Links to More Info: BT2141233

Component: Local Traffic Manager

Symptoms:
SSL handshakes timeout instead of finishing.

Conditions:
1. Clientssl profile configured with Client Authentication enabled with "Request" option
2. BIG-IP is in FIPS-CC mode
3. Client does not provide a certificate

or

1. Clientssl profile configured with Client Authentication enabled with "Ignore" option
2. BIG-IP is in FIPS-CC mode
3. Access Policy applied to the Virtual Server contains an OnDemand Cert Auth agent.
4. Client does not provide a certificate

Impact:
SSL handshakes do not finish but instead timeout.

Workaround:
Workaround 1:
Disable Client authentication.

Workaround 2:
Configure CRL on the Client SSL profile

Workaround 3:
Enable Client Certificate Constrained Delegation (c3d) feature on the SSL profiles(requires Server-SSL profile and this feature forges client cert to server upon cert request from app-server).

Fixed Versions:
21.0.0.1

2140621-4 : CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling

Links to More Info: K000157317, BT2140621

2139901-6 : Server-ssl profile "do-not-remove-without-replacement" is recreated

Links to More Info: BT2139901

Component: Application Security Manager

Symptoms:
A required profile for a deprecated service is recreated on restart, but not saved to bigip.conf

Conditions:
The "do-not-remove-without-replacement" profile is deleted and the bewaf daemon is restarted

Impact:
The profile is recreated, but not saved to bigip.conf without another user action.

Workaround:
"tmsh save sys config" can be run to save the active config to bigip.conf

Fixed Versions:
21.0.0.1

2138077-3 : SAML redirect signature validation fails when RelayState is present with want-detached-signature=true in BIG-IP APM 17.1.x

Links to More Info: BT2138077

Component: Access Policy Manager

Symptoms:
SAML authentication fails with errors such as “Invalid signature” or “Signature verification failed”

Conditions:
SAML SP is configured with:

is-authn-request-signed = true

sso-binding = http-redirect

want-detached-signature = true

A RelayState parameter is included in the SAML AuthnRequest.

Occurs on BIG-IP APM versions 17.1.x and above.

Impact:
End users are unable to log in using SSO due to authentication errors

Workaround:
Remove the RelayState parameter from the SAML AuthnRequest configuration, if possible.

This restores successful signature validation.

Example: remove relay-state from the SP AAA SAML object configuration.

Alternatively, use HTTP-POST binding instead of HTTP-Redirect.

There is no configuration-based workaround if RelayState is required and Redirect binding must be used.

Fixed Versions:
21.0.0.1

2137977-3 : Clicking on a policy in a virtual server's resource page navigates to the full policy list, instead of the specific policy★

Links to More Info: BT2137977

Component: TMOS

Symptoms:
The hyperlink for the policy on virtual server's resource page navigates to the incorrect location.

Conditions:
Virtual server with an ltm policy attached.

Impact:
The hyperlink navigates to the full policy list, so the specific policy would still need to be found in the full list to navigate to it.

Workaround:
None

Fixed Versions:
21.0.0.1

2130485-4 : Warning: the current license is not valid - Fault code: 51133

Links to More Info: BT2130485

Component: TMOS

Symptoms:
License activation may fail on specific platforms.

root@(localhost)(cfg-sync Standalone)(NO LICENSE)(/Common)(tmos)# install sys license registration-key D1234-12345-12345-12345-1234567
Warning: the current license is not valid
License server has returned an exception.
   Fault code: 51133
   Fault text: Error 51133, F5 registration key is not compatible with the detected platform - This platform, "", cannot be activated with this registration key "I123456-1234567".

Conditions:
- DEV or Evaluation license
- KVM on HP AMD server
- IBM Bare Metal

Impact:
Unable to license BIG-IP.

Workaround:
None

Fix:
License activation is successful.

Fixed Versions:
21.0.0.1

2125953-5 : Insufficient access control to REST endpoint and TMSH for some CLI versions.

Component: TMOS

Symptoms:
Security best practices are not followed for some CLI versions.

Conditions:
Not specified.

Impact:
Unexpected behaviour

Fix:
Security best practices are being followed.

Fixed Versions:
21.0.0.1

2106789-1 : BIGIP LTM Monitors Hardening

Component: Global Traffic Manager (DNS)

Symptoms:
BIG-IP LTM External Monitors are not following the best security practices

Conditions:
When external montiors is configured

Impact:
Unexpected behaviour

Fix:
Best security practices are now applied

Fixed Versions:
21.0.0.1

2099441-2 : Garbled character in warning message when HA peer is added

Links to More Info: BT2099441

Component: TMOS

Symptoms:
Garbled character in warning message

Conditions:
When adding HA peer

Impact:
Unexpected behavior

Workaround:
None

Fixed Versions:
21.0.0.1

2086097-4 : PEM iRules causing traffic disruption

Component: Policy Enforcement Manager

Symptoms:
In some scenario, there is improper termination of connection and it is leading to TMM core

Conditions:
PEM iRules configured.

Impact:
TMM core. Service disruption.

Fix:
Connection is properly terminating and TMM is not coring.

Fixed Versions:
21.0.0.1

2078297-4 : Unexpected PVA traffic spike

Component: TMOS

Symptoms:
In rare circumstances, traffic may spike on the graphs inside the tenant without corresponding graphs on the external interfaces.

Conditions:
VELOS tenant
epva traffic

Impact:
Loss of connectivity,
extremely high PVA traffic spike
tcpdump on the appliance ceases to function

Workaround:
Disabling PVA acceleration on affected virtual servers

Fix:
PVA traffic not spiking.

Fixed Versions:
21.0.0.1

2077525-4 : Incomplete or missing IP Intelligence databases result in connection reset, high TMM CPU usage and/or TMM crash

Links to More Info: BT2077525

Component: Advanced Firewall Manager

Symptoms:
Both of the following messages are frequently (several times per second) logged to /var/log/tmm*:
  <13> Sep 24 09:55:01 bigip1 notice Failed to open /var/IpRep/F5IpRep.dat
  <13> Sep 24 09:55:01 bigip1 notice Failed to open /var/IpRep/F5IpV6Rep.dat

Heavy log file writing can result in a possible tmm SIGABRT due to a heartbeat failure.

Conditions:
ip-intelligence is configured, and both the IPv4 and IPv6 intelligence databases are missing. IP intelligence is a optional subscription feature that can be configured in various BIG-IP modules, such as AFM, ASM, and APM, and irules.

Impact:
A frequent log message might slow TMM.

This might result in TMM missing a heartbeat, which will trigger a tmm SIGABRT and resulting core. Traffic disrupted while tmm restarts.

Workaround:
Unconfigure ip-intelligence and remove any configuration that refers to IP reputation, or ensure that the ip-intelligence databases are available.

Fixed Versions:
21.0.0.1

2047429-4 : PostgreSQL should dump a corefile when not exiting

Links to More Info: BT2047429

Component: TMOS

Symptoms:
When PostgreSQL does not exit gracefully, it does not create a core file.

Conditions:
PostgreSQL crashes.

Impact:
Diagnostic data missing.

Workaround:
None

Fixed Versions:
21.0.0.1

2035641-5 : APMd resource exhaustion

Component: TMOS

Symptoms:
Under certain conditions, APMd is exhausting resources leading to core.

Conditions:
Access sessions create, and sessions are processed

Impact:
APMd core may cause temporary traffic disruption.

Fix:
APMd not coring.

Fixed Versions:
21.0.0.1

2034753-3 : Domain name validation does not align with the error message on GUI

Links to More Info: BT2034753

Component: Access Policy Manager

Symptoms:
Domain names which include hyphens are not accepted, an error message is shown on GUI.

Conditions:
Domain names with hyphens or forward slashes will cause this issue.

Impact:
BIG-IP administrator will not be able to update DNS Exclude/Include Fields in Network Access settings if they include hyphens/dashes.

Workaround:
None

Fix:
Update the mcp validation regex to allow hyphens and forward slashes.

Fixed Versions:
21.0.0.1

2017137-5 : Pkcs11d Crash Risk Due to Unbounded Label/Password Length from MCPd

Links to More Info: BT2017137

Component: Local Traffic Manager

Symptoms:
Unexpected behaviour or even a crash of pkcs11d

Conditions:
Configure the label/password values more than or equal to 32 characters.

Impact:
Configuring the label or password exceeding the allowed length, it could lead to memory corruption, unexpected behavior, or even a crash of the pkcs11d daemon.

Workaround:
Configure the values with 31 or fewer characters.

Fix:
The daemon now gracefully rejects inputs that exceed the length limit, logs an appropriate error, and exits the operation safely.

Fixed Versions:
21.0.0.1, 17.5.1.2, 17.1.3

2008409-4 : MAC masquerade does not work on an F5OS tenant if there are no floating self-ips configured on the VLAN

Links to More Info: BT2008409

Component: F5OS Messaging Agent

Symptoms:
Network traffic fails on a VLAN that is shared by multiple tenants.

Conditions:
-- F5OS tenants sharing a VLAN
-- MAC masquerade enabled on both tenants
-- No floating self-ips configured

Impact:
MAC masquerade may not work properly causing traffic failures such as packets not arriving on the tenant. Or excessive DLFs on the network.

Workaround:
Add floating self-ips to all traffic VLANs that are using MAC masquerade.

Fixed Versions:
21.0.0.1

1991297-3 : [APD][SAML-SSO]high memory due to SAML SSO leak

Links to More Info: BT1991297

Component: Access Policy Manager

Symptoms:
Tmm crashes due to out of memory while passing SAML-SSO traffic

Conditions:
SAML SSO configured with saml artifact sign.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fixed Versions:
21.0.0.1

1988993-4 : CVE-2024-42516 Apache HTTP Server vulnerability

Links to More Info: K000153074

1987309-4 : Bigd may get stuck in legacy mode

Links to More Info: BT1987309

Component: Local Traffic Manager

Symptoms:
Https monitors may spuriously mark a pool member as down and it will fail to mark the pool member back up.

The monitor remains in legacy mode, and probes are sent using TLS 1.0.

Conditions:
-- Server supports version TLSv1.2 and above.
-- bigd is configured to monitor the server with SSL.
-- The monitor flips into legacy mode.

Impact:
Bigd is stuck in legacy mode.

Workaround:
Bigd can be brought out of legacy mode by detaching and re-attaching monitor to the pool.

Fixed Versions:
21.0.0.1

1983349-4 : CVE-2023-2454, CVE-2023-39417, CVE-2023-39418, CVE-2023-5868, CVE-2023-5869, CVE-2023-5870 PostgreSQL vulnerabilities

Links to More Info: K000152931

1974701-3 : PVA stats may be double incremented when pva mode is dedicated

Links to More Info: BT1974701

Component: TMOS

Symptoms:
Offloaded connections may be double counted for dedicated PVA flows.

Conditions:
PVA mode is set to dedicated in fastl4 profile.

Impact:
Incorrect stats.

Workaround:
None

Fix:
Offloaded dedicated PVA flows are counted once.

Fixed Versions:
21.0.0.1

1966633-3 : Non-eth0 management interface unbound after tmm restart on 17.5.0 in AWS★

Links to More Info: BT1966633

Component: TMOS

Symptoms:
Management connectivity is lost after licensing BIG-IP 17.5.0 on AWS. The parameter provision.managementeth was changed to non-eth0 interface during deployment with cloud-init. When the issue occurs, the mgmt bridge loses the associated interface ethX.

Conditions:
1. Deploy an instance on AWS.
2. Change provision.managementeth to non-eth0 device and reboot.
3. After boot up, any operation that restart tmm (i.e. licensing BIG-IP) will cause the issue.

Impact:
Management connectivity is lost to BIG-IP instance.

Workaround:
Reboot the device twice after licensing the device. One reboot will not resolve the issue.

Fixed Versions:
21.0.0.1

1966405-1 : Changes to DNS cache resolver may cause service disruption on BIG-IP DNS v17.1.2.1★

Links to More Info: BT1966405

Component: Global Traffic Manager (DNS)

Symptoms:
All DNS PTR queries are forwarded to the configured forward zone. If any change is made to the local zones, such as adding a new local zone; the system begins responding to PTR queries with NXDOMAIN.

Conditions:
Occurs on BIG-IP DNS version 17.1.2 and above
Triggered when changes are made to local zones

Impact:
Queries respond with NXDOMAIN.

Workaround:
Restart tmm:
bigstart restart tmm

Fixed Versions:
21.0.0.1

1959361-2 : When running a tenant with more than 72 VCPUs / cores, adminstall crashes

Links to More Info: BT1959361

Component: Anomaly Detection Services

Symptoms:
When running a tenant with more than 72 VCPUs / cores, adminstall crashes.

Conditions:
When ASM provisioned and running a Tenant with more than 72 VCPUs / cores per blade.

Impact:
DOSL7 (BADOS) is not functioning. Core created.

Workaround:
None

Fix:
Now adminstall donot crash, when ASM provisioned and Tenant with more than 72 VCPUs / cores per blade.

Fixed Versions:
21.0.0.1

1943269-1 : GTM Server can be deleted while referenced by GTM Pools

Component: Global Traffic Manager (DNS)

Symptoms:
A GTM server object can be deleted even when it was referenced by GTM pools. Deleting the server will also remove it from the associated pool members without any warning.

Conditions:
Occurs when a GTM virtual server is referenced in one or more GTM pools.

Impact:
This may cause unexpected behavior or service disruption if the server is deleted while still in use.

Workaround:
None.

Fix:
A validation check has been added to prevent deletion of a GTM server that is referenced by GTM pools, and a warning is now displayed to the user.

Fixed Versions:
21.0.0.1

1934073-5 : PEM policy rule incorrectly matching when using a flow condition

Links to More Info: BT1934073

Component: Policy Enforcement Manager

Symptoms:
When a PEM policy rule is configured to match the destination IP address and port, the message might match the source IP and port instead.

Conditions:
PEM policy rule is using flow conditions to match IP address and port

Impact:
An incorrect policy rule might be matched

Workaround:
None

Fix:
The PEM policy rule now correctly matches the source and destination IP addresses and ports when the flow condition is used.

Fixed Versions:
21.0.0.1, 17.5.1.3, 17.1.3, 16.1.6.1

1933357-3 : DNS64 stats between cache resolver and TMM non-cache have inconsistent behavior.

Links to More Info: BT1933357

Component: Global Traffic Manager (DNS)

Symptoms:
DNS64 stats (tmstat table profile_dns_stat) in the TMM behave as follows:

dns64reqs - A queries to the server after the AAAA queries fail. Does not include the AAAA queries.
dns64fails - Failed AAAA queries to the server. Does not include the subsequent A queries.

DNS64 stats (tmstat table dns_cache_resolver_stat) in the cache behave as follows:

mesh.dns64reqs - Includes both A and AAAA queries to the server. Includes both successful and failed AAAA queries.
mesh.dns64nodata - Includes both A and AAAA query nodata responses (rcode=0 and no records).
mesh.dns64error - Includes both A and AAAA query error rcode responses.
mesh.dns64timeout - Includes both A and AAAA query timed-out responses.

Conditions:
-- A DNS resolver cache is enabled on a DNS profile.
-- The DNS profile has DNS64 configured.

Impact:
The current cache resolver stats makes it difficult to diagnose backend DNS64 performance.

Workaround:
None

Fix:
Mesh.dns64reqs behaves like the TMM's dns64reqs (counts only DNS64 A queries to the server.) Additionally, a new stat mesh.dns64fails sums all failures (mesh.dns64nodata, mesh.dns64error, mesh.dns64timeout) and, like the TMM, only counts DNS64 AAAA failures to the server.

Fixed Versions:
21.0.0.1

1925485 : CVE-2020-12655 kernel: sync of excessive duration via an XFS v5 image with crafted metadata

Component: TMOS

Symptoms:
A flaw was discovered in the XFS source in the Linux kernel. This flaw allows an attacker with the ability to mount an XFS filesystem, to trigger a denial of service while attempting to sync a file located on an XFS v5 image with crafted metadata.

Conditions:
An attacker can mount a crafted XFS v5 filesystem image on a vulnerable Linux kernel and trigger the issue during file sync operations.

Impact:
It can cause a kernel crash or hang, resulting in a denial of service.

Workaround:
Upgrade to a Linux kernel version that includes the XFS fix and avoid mounting untrusted or crafted XFS filesystem images.

Fix:
Upgrade to a Linux kernel version that includes the XFS crafted-metadata sync fix.

Fixed Versions:
21.0.0.1

1925369 : CVE-2018-10322 kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service

Component: TMOS

Symptoms:
The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel can cause a NULL pointer dereference in xfs_ilock_attr_map_shared function. An attacker could trick a legitimate user or a privileged attacker could exploit this by mounting a crafted xfs filesystem image to cause a kernel panic and thus a denial of service.

Conditions:
A vulnerable Linux kernel mounts a crafted or malicious XFS filesystem image, triggering a NULL pointer dereference during inode verification.

Impact:
It can trigger a kernel panic, resulting in a denial of service.

Workaround:
Upgrade to a Linux kernel version that includes the XFS fix and avoid mounting untrusted or crafted XFS filesystem images.

Fix:
Upgrade to a Linux kernel version that includes the XFS NULL pointer dereference fix.

Fixed Versions:
21.0.0.1

1925045 : Linux Kernel Btrfs Information Leak Vulnerability (CVE-2024-35849)

Component: TMOS

Symptoms:
An information leak in the Btrfs btrfs_ioctl_logical_to_ino() ioctl allowed uninitialized kernel memory to be copied to user space, potentially exposing sensitive data.

Conditions:
A system running a vulnerable Linux kernel with Btrfs enabled, where a local user invokes the btrfs_ioctl_logical_to_ino() ioctl.

Impact:
It can leak uninitialized kernel memory to user space, potentially exposing sensitive information.

Workaround:
Upgrade to a Linux kernel version that includes the Btrfs fix (uses kvzalloc() to zero memory) or apply the relevant kernel patch.

Fix:
Upgrade to a Linux kernel version that includes the Btrfs btrfs_ioctl_logical_to_ino() memory initialization fix.

Fixed Versions:
21.0.0.1

1925029 : CVE-2023-1611 - Linux Kernel btrfs Use-After-Free Vulnerability Leading to System Crash and Information Leak

Component: TMOS

Symptoms:
A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel.This flaw allows an attacker to crash the system and possibly cause a kernel information lea

Conditions:
A system running a vulnerable Linux kernel with Btrfs enabled, where an attacker triggers the btrfs_search_slot() code path via crafted filesystem operations or images.

Impact:
It can cause a kernel crash (denial of service) and may lead to a kernel information leak.

Workaround:
Upgrade to a Linux kernel version that includes the Btrfs use-after-free fix and avoid using or mounting untrusted Btrfs filesystems.

Fix:
Upgrade to a Linux kernel version that includes the Btrfs btrfs_search_slot() use-after-free fix.

Fixed Versions:
21.0.0.1

1923997 : CVE-2023-1668-openvswitch: ip proto 0 triggers incorrect handling

Component: TMOS

Symptoms:
A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a != 0 IP protocol that matches this dp flow.

Conditions:
Open vSwitch is running a vulnerable version and processes an IP packet with protocol value 0, causing an incorrect datapath flow to be installed with wildcarded nw_proto.

Impact:
It can cause incorrect handling or misrouting of other IP packets, potentially leading to traffic disruption or denial of service.

Workaround:
Upgrade to a patched Open vSwitch version and avoid processing or allowing malformed IP packets with protocol value 0.

Fix:
Upgrade to a patched Open vSwitch version that correctly handles IP packets with protocol value 0.

Fixed Versions:
21.0.0.1

1923817 : CVE-2017-11499: Constant Hashtable Seeds vulnerability (NodeJS v6.9.1)

Component: Local Traffic Manager

Symptoms:
Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup.

Conditions:
The application runs a vulnerable Node.js version and processes attacker-controlled inputs that result in many hash collisions (e.g., crafted object keys), allowing hash flooding.

Impact:
It can cause high CPU usage and event loop blocking, leading to a remote denial of service.

Workaround:
Upgrade to a fixed Node.js version, or rebuild Node.js without V8 snapshots and limit or validate untrusted input sizes.

Fix:
Upgrade to a Node.js version where the HashTable seed is properly randomized at startup.

Fixed Versions:
21.0.0.1

1923793-10 : CVE-2019-5739: DoS with keep-alive HTTP connection

Component: Local Traffic Manager

Symptoms:
Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.

Conditions:
The server runs Node.js 6.16.0 or earlier and accepts keep-alive HTTP/HTTPS connections, allowing attackers to keep many idle connections open.

Impact:
It can exhaust server connections and resources, leading to a denial of service.

Workaround:
Upgrade to Node.js 6.17.0 or later and configure a low server.keepAliveTimeout to limit idle connections.

Fix:
Upgrade to Node.js 6.17.0 or later, where server.keepAliveTimeout is available and defaults to 5 seconds.

Fixed Versions:
21.0.0.1

1893905-3 : Python vulnerability CVE-2023-40217

Links to More Info: K000139685

1893473-3 : Apache vulnerability CVE-2021-40438

Links to More Info: K01552024

1893369-3 : CVE-2021-33033 kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c

Component: TMOS

Symptoms:
A flaw use-after-free in the Linux kernel CIPSO network packet labeling protocol functionality was found in the way user open local network connection with the usage of the security labeling that is IP option number 134. A local user could use this flaw to crash the system or possibly escalate their privileges on the system.

Conditions:
A vulnerable Linux kernel with CIPSO/IP option 134 enabled, where a local user opens a network connection using CIPSO security labeling.

Impact:
It can cause a kernel crash (denial of service) and may allow local privilege escalation.

Workaround:
Upgrade to a Linux kernel version that includes the CIPSO use-after-free fix or disable CIPSO/IP option 134 if not required.

Fix:
patch has been applied

Fixed Versions:
21.0.0.1

1893309-5 : CVE-2021-23337 on HostOS: Command Injection via template function.＼n' 'Link:https://sn

Links to More Info: K12492858

1889845-3 : Improvements in Radius Monitor

Component: Local Traffic Manager

Symptoms:
Certain headers were missing from radius monitor packet.

Conditions:
When radius monitors is configured

Impact:
Can lead to unexpected behaviour

Fix:
Missing headers are now included in the packets.

Fixed Versions:
21.0.0.1

1849029-5 : Debug TMM crashes in FIPS/CC mode

Links to More Info: BT1849029

Component: Local Traffic Manager

Symptoms:
A TMM in debug mode crash occurs in FIPS/CC mode when using ClientSSL or ServerSSL profile.

Conditions:
-- Debug tmm is running
-- FIPS/CC mode enabled

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Switch to non debug tmm.

Fix:
Fix memory issue.

Fixed Versions:
21.0.0.1, 17.1.3, 16.1.6.1

1824985-4 : In rare cases the Nitrox hardware compression queue may stop servicing requests.

Links to More Info: BT1824985

Component: Local Traffic Manager

Symptoms:
In rare cases, the Nitrox hardware may stop servicing requests.

When this issue occurs the tmctl compress table shows a high number of cur_enqueued entries and the number of requests handled in software (zlib) will be growing.

Conditions:
-- Nitrox compression hardware.
-- HTTP compression in use.

Impact:
Some connections may fail, and higher than expected CPU usage will be observed since requests will be handled in software.

Workaround:
Remove traffic from the device, or disable compression until the queues are completely drained.

Fixed Versions:
21.0.0.1

1818949-3 : [APM] BIG-IP as OAuth AS sending invalid grant error when refresh token expired.

Links to More Info: BT1818949

Component: Access Policy Manager

Symptoms:
As per RFC states that, the provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client then should send a 400 Bad Request status code and a error json response
{"error": "invalid_grant", ...}

currently BIG-IP sending as {"error": "access_denied", ...}
with 400 status code.

Conditions:
OAuth configured.
using the refresh token to get the access token, when refresh token is expired. (ex: using postman)

Impact:
Returns Invalid error

Workaround:
None

Fix:
Corrected the logging as per Rfc.

Fixed Versions:
21.0.0.1

1818137-3 : Tmm IPv4 fragmentation handling distribution

Links to More Info: BT1818137

Component: Local Traffic Manager

Symptoms:
BIG-IP VE handles fragmented IPv4 traffic on the first tmm thread/tmm0. With this change the ability to spread the fragmented IPv4 traffic is introduced.

Conditions:
Handling of fragmented IPv4 traffic.

Impact:
Handling of fragmented IPv4 traffics distribution.

Workaround:
None

Fix:
With this fix the Handling of fragmented IPv4 traffic can be distributed.

Fixed Versions:
21.0.0.1

1788105-3 : TLS1.3 connections between BIG-IP and server hangs with an APM policy that is invoked after the server's SSL handshake finishes★

Links to More Info: BT1788105

Component: Local Traffic Manager

Symptoms:
A TLS1.3 connection between the BIG-IP system and the server hangs.

Other reported symptoms:
-- SSL decryption fails
-- SSL handshake failure
-- SSL Orchestrator explicit proxy stops responding

This can be encountered after an upgrade to an affected version.

Conditions:
A virtual server that uses
1. TLS1.3 in the serverSSL profile
2. An APM policy that uses events that trigger after the SSL handshake on the server has completed

In an SSL Orchestrator setting, inline HTTP and ICAP services make use of APM policies that use L7 protocol lookup. Server Certificate and L7 protocol lookup conditions also make use of events that trigger the APM policy after the SSL handshake has completed.

Impact:
The connection hangs and the client is unable to connect to the server.

Workaround:
Apply either of these workarounds

1. Disable TLS1.3 on the serverSSL profile
2. Avoid using events that trigger the policy after the SSL handshake on the server has completed (for example avoid Event Wait and L7 protocol Lookup)

Fix:
The TLS1.3 connection between the BIG-IP and server no longer hangs if the APM policy is invoked after the SSL handshake.

Fixed Versions:
21.0.0.1, 17.1.3

1772317-4 : [APM][SAML SP] sp fails authentication with error "SAML assertion is invalid, error: NameID is missing"

Links to More Info: BT1772317

Component: Access Policy Manager

Symptoms:
SAML authentication fails and following log is seen on BIG-IP as sp: "SAML Agent: /Common/web_auth_act_saml_auth_subsession_ag SAML assertion is invalid, error: NameID is missing, but idp-connector's identity location is set to subject"

Conditions:
-- SAML auth is configured as SP on BIG-IP as part of per-request policy
-- assertion has an encrypted subject "<saml2:Subject><saml2:EncryptedID><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"...."

Impact:
Authentication fails

Workaround:
Disable "encrypt-subject " in idp config

Fixed Versions:
21.0.0.1

1752873-3 : [APM][SAML SP] Order of SAML attribute values saml.last.attr.name is reversed★

Links to More Info: BT1752873

Component: Access Policy Manager

Symptoms:
After upgrading, the order of SAML attribute values parsed from assertion are stored in reverse order.

Conditions:
-- BIG-IP as SAML SP,
-- Upgrade to 17.1.0

Impact:
The SAML assertion values are parsed in reverse order, which can cause iRules or policies to fail if they expect the values to arrive in a certain order.

Workaround:
None

Fixed Versions:
21.0.0.1

1624701-5 : Security improvement in BIGIP GUI

Component: TMOS

Symptoms:
BIGIP GUI was not following best security practices.

Conditions:
NA

Impact:
Unexpected behaviour

Fix:
Security best practices are now being followed.

Fixed Versions:
21.0.0.1

1505813-7 : CVE-2018-16487 lodash: Prototype pollution in utilities

Component: iApp Technology

Symptoms:
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Conditions:
NA

Impact:
An attacker can use Function inside of vulnerable versions of lodash to execute malicious code using the Traffic Management User Interface (TMUI) or iControl REST API .it can impact confidentiality,integrity and availability of application.

Workaround:
NA

Fix:
Updated lodash version to 4.17.21

Fixed Versions:
21.0.0.1

1505309-3 : CVE-2021-23337 nodejs-lodash: command injection via template

Links to More Info: K12492858

1505297-5 : CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function

Component: iApp Technology

Symptoms:
A flaw was found in nodejs-lodash in versions 4.17.15 and earlier. A prototype pollution attack is possible which can lead to arbitrary code execution. The primary threat from this vulnerability is to data integrity and system availability.

Conditions:
The vulnerability can be exploited when a vulnerable lodash version (≤ 4.17.15) processes attacker-controlled input using prototype-modifying functions (e.g., merge, defaultsDeep) with malicious keys like __proto__ or constructor.

Impact:
It can allow prototype pollution, leading to data integrity issues, application crashes (DoS), or potentially arbitrary code execution.

Workaround:
Upgrade lodash to a fixed version (≥ 4.17.16), avoid using prototype-modifying functions on untrusted input, and validate or sanitize user-controlled data.

Fix:
Update nodejs-lodash to version 4.17.16 or later

Fixed Versions:
21.0.0.1

1505257-3 : False positive with "illegal base64 value" for Authorization header

Links to More Info: BT1505257

Component: Application Security Manager

Symptoms:
False positive "illegal base64 value" is detected

Conditions:
The given base64 encoded value is legal base64 but the decoded auth-param is unparsable. Such request triggers "HTTP Protocol Compliance" violation when configured to do so and it is indeed triggering, but such request should not trigger "illegal base64 value".

Impact:
A false positive is detected.

Workaround:
None

Fixed Versions:
21.0.0.1

1498949-1 : CVE-2023-2283 libssh: authorization bypass in pki_verify_data_signature

Links to More Info: K000138682

1473189-1 : Offending IP is not logged when rate limiting is triggered

Component: Global Traffic Manager (DNS)

Symptoms:
The log only contains the rate limit message without the offending IP address.

Conditions:
The number of requests exceeds the server's configured maximum rate limit.

Impact:
You are unable to determine which IP address exceeded the threshold.

Workaround:
None

Fix:
The system now logs the offending IP address when the rate limit is triggered.

Fixed Versions:
21.0.0.1

1450481-6 : TMSH hardening

Component: TMOS

Symptoms:
TMSH is not following security best practices.

Conditions:
NA

Impact:
Unexpected behaviour

Workaround:
NA

Fix:
TMSH is now following security best practices.

Fixed Versions:
21.0.0.1

1429861-9 : CVE-2019-5737: HTTP or HTTPS Denial of Service in keep-alive mode (NodeJS v6)

Component: Local Traffic Manager

Symptoms:
It was found that the original fix for Slowloris, CVE-2018-12122, was insufficient. It is possible to bypass the server's headersTimeout by sending two specially crafted HTTP requests in the same connection. An attacker could use this flaw to bypass Slowloris protection, resulting in a denial of service.

Conditions:
The server runs a vulnerable Node.js HTTP implementation and accepts persistent connections where an attacker can send two specially crafted HTTP requests on the same connection to bypass headersTimeout.

Impact:
An attacker can bypass Slowloris protections and cause a denial of service by exhausting server connections.

Workaround:
Upgrade to a Node.js version that includes the corrected Slowloris fix and enforce strict request timeouts and connection limits.

Fix:
Upgrade to a Node.js version with the updated Slowloris fix and enforce strict request timeout and connection limits.

Fixed Versions:
21.0.0.1

1379649-6 : GTM iRule not verifying WideIP type while getting pool from TCL command

Links to More Info: BT1379649

Component: Global Traffic Manager (DNS)

Symptoms:
When the pool name is same for different pool types, the GTM iRule cannot segregate the pool types thus giving a wrong DNS response.

Conditions:
-- Both A/AAAA same name WideIP and pools.
-- GTM iRule with pool command pointing to common pool name in different WideIP types.

Impact:
Traffic impact as a non-existent pool member address in DNS response.

Workaround:
None

Fixed Versions:
21.0.0.1

1359817-4 : The setting of DB variable tm.macmasqaddr_per_vlan does not function correctly

Links to More Info: BT1359817

Component: F5OS Messaging Agent

Symptoms:
TMM is not configuring L2 listener entry for a new MASQUEREDE MAC created from a base MAC and VLAN ID when the DB variable tm.macmasqaddr_per_vlan is true.

Conditions:
- F5OS Tenant
- MAC MASQUEREDE is configured
- DB variable tm.macmasqaddr_per_vlan is true

Impact:
Connectivity issues may occur, pinging a self-IP will fail.

Workaround:
None

Fixed Versions:
21.0.0.1, 21.0.0

1352213-1 : Handshake fails with FFDHE key share extension

Links to More Info: BT1352213

Component: Local Traffic Manager

Symptoms:
SSL handshake fails to complete and various errors show in the LTM logs


01010025:2: Device error: crypto codec Couldn't create an OpenSSL EC group object OpenSSL error:00000000:lib(0):func(0):reason(0)
01010282:3: Crypto codec error: sw_crypto-1 Couldn't initialize the elliptic curve parameters.
01010025:2: Device error: crypto codec No codec available to initialize request context.

Conditions:
An SSL profile uses TLS1.3, and a TLS Client Hello attempts to use FFDHE as part of the key share extension.

Impact:
SSL handshake fails and results in connection failure.

Workaround:
Set the SSL profile to disallow using FFDHE groups.

Fixed Versions:
21.0.0.1, 17.1.3

1271341-6 : Unable to use DTLS without TMM crashing

Component: Local Traffic Manager

Symptoms:
The TMM crashes when DTLS is used.

Conditions:
- Using DTLS.

Impact:
TMM core is observed, traffic is disrupted while TMM restarts.

Workaround:
Disable 'allow-dynamic-record-sizing' in the client-ssl profile.


Following is an example:

ltm profile client-ssl /Common/otters-ssl {
    allow-dynamic-record-sizing disabled

Fixed Versions:
21.0.0.1

1148185-8 : getdb insufficient sanitisation

Links to More Info: K05403841

Component: TMOS

Symptoms:
https://support.f5.com/csp/article/K05403841

Conditions:
https://support.f5.com/csp/article/K05403841

Impact:
https://support.f5.com/csp/article/K05403841

Fix:
https://support.f5.com/csp/article/K05403841

Fixed Versions:
21.0.0.1

1137269-8 : MCPD fails to reply if a request is proxied to another daemon and the connection to that daemon closes

Links to More Info: BT1137269

Component: TMOS

Symptoms:
MCPD does not reply to the request if the publisher's connection closes or fails. In this case, when bcm56xxd
is restarted, the perceivable signs of failure are:
- The snmpwalk failing with a timeout and
- The "MCPD query response exceeding" log messages.

Conditions:
1) Configure SNMP on the BIG-IP to run snmpwalk locally on the BIG-IP.
2) From the first session on the BIG-IP, run a snmpwalk in the while loop.
    
while true;do date; snmpwalk -v2c -c public 127.0.0.1 sysDot1dbaseStat;sleep 2;done
Sample output:
Sat Aug 21 00:57:23 PDT 2021
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatResetStats.0 = INTEGER: 0
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatMacAddr.0 = STRING: 0:23:e9:e3:8b:41
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatNumPorts.0 = INTEGER: 12
F5-BIGIP-SYSTEM-MIB::sysDot1dbaseStatType.0 = INTEGER: transparentonly(2)

3) From a second session on the BIG-IP restart bcm56xxd

bigstart restart bcm56xxd

4) The snmpwalk will continually report the following:

Timeout: No Response from 127.0.0.1

      And snmpd will continually log "MCPD query response exceeding" every 30 seconds in /var/log/ltm.

Impact:
SNMP stopped responding to queries after upgrade.

Workaround:
Restart SNMP.

Fixed Versions:
21.0.0.1

1086325-8 : CVE-2016-4658 libxml2 vulnerability

Links to More Info: K49419538

1052477 : CVE-2020-10751 kernel: SELinux netlink permission check bypass

Component: TMOS

Symptoms:
A flaw was found in the Linux kernel SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.

Conditions:
NA

Impact:
A local attacker could bypass SELinux restrictions, potentially leading to unauthorized access, privilege escalation, or, in some scenarios, a system crash (denial of service).

Workaround:
NA

Fix:
Applied patch to fix the CVE

Fixed Versions:
21.0.0.1

1036221-4 : "Illegal parameter value length" is reported with parsing product length.

Links to More Info: BT1036221

Component: Application Security Manager

Symptoms:
"Illegal parameter value length" violation is reported with wrong parameter length.

Conditions:
A JSON parameter is encoded.

Impact:
The decoded value length of the parameter in the JSON payload will be reported instead of its original length.

Workaround:
None

Fix:
The original parameters value length is reported with "Illegal parameter value length" violation.

Fixed Versions:
21.0.0.1

1001429-10 : HTTP header Sanitization

Component: Device Management

Symptoms:
Some HTTP headers were improperly sanitised.

Conditions:
NA

Impact:
It could lead to unexpected behaviour

Fix:
Headers are now properly sanitised.

Fixed Versions:
21.0.0.1