997169-3 : AFM rule not triggered

Links to More Info: BT997169

Component: Advanced Firewall Manager

Symptoms:
An AFM rule is not triggered when it should be.

Conditions:
-- Source and destination zone configured
-- A gateway pool is used in the route

Impact:
A firewall rule is not triggered and the default deny rule is used.

Workaround:
Alter the route to use an IP address and not a pool.

Fix:
Firewall rules are now triggered when gateway pools are used.

Fixed Versions:
21.0.0, 17.5.1, 17.1.2, 16.1.6, 15.1.4.1

993681 : CVE-2019-18282 Kernel: Device Tracking Vulnerability

Links to More Info: K32380005

990173 : Dynconfd repeatedly sends the same mcp message to mcpd

Links to More Info: BT990173

Component: Local Traffic Manager

Symptoms:
If dynconfd sends a single message to mcpd containing two or more operations, and one of the operations fails mcpd validation, dynconfd repeatedly sends same message to mcpd.

An example of two operations in one mcp message would be an ephemeral node creation and an ephemeral pool member creation in a single mcp message.

Once one such message fails, dynconfd repeatedly attempts to resend the same message. In addition, at the next DNS query interval, dynconfd may create one or more new instances of such messages, which may each be retried if they fail. The result can cause an increasing accumulation of MCP messages sent by dynconfd which must be processed by mcpd.

Conditions:
This can occur when:

-- Using FQDN nodes and FQDN pool members.

-- There is an additional issue where the message from dynconfd fails validation within mcpd (e.g., a misconfiguration in which the monitor assigned to the pool is configured with a wildcard destination and the pool member is added to the pool with a port of '0' or 'any'.

Impact:
MCP messages from dynconfd which fail due to an error might cause the population of ephemeral nodes and pool members to fail and become out of sync with what the DNS server is resolving.

By repeatedly resending the same messages, which fail repeatedly, dynconfd causes increased mcpd CPU utilization.
Eventually, the load caused by processing an increasing accumulation of MCP messages may cause increasing and excessive memory usage by mcpd and a possible mcpd core, or may cause mcpd to become busy and unresponsive and be killed/restarted by SOD.

Workaround:
Examine the LTM logs for mcpd error messages indicating failed attempts to create ephemeral nodes or ephemeral pool members, and resolve the cause of the failed node or pool-member creation.

Fix:
Dynconfd no longer repeatedly resends MCP messages that have failed due to an error.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8

988589 : CVE-2019-25013 glibc vulnerability: buffer over-read in iconv

Links to More Info: K68251873, BT988589

987813 : CVE-2020-25643 kernel:improper input validation in the ppp_cp_parse_cr function

Links to More Info: K65234135, BT987813

981885-7 : CVE-2020-8285 curl: malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used

Links to More Info: K61186963

975605 : CVE-2018-1122 procps-ng, procps: Local privilege escalation in top

Links to More Info: K00409335, BT975605

966785 : Rate Shaping stops TCP retransmission

Links to More Info: BT966785

Component: Local Traffic Manager

Symptoms:
When rate shaping is applied to a virtual server, the BIG-IP system does not retransmit unacknowledged data segments, even when the BIG-IP system receives a duplicate ACK.

Conditions:
This issue occurs when both of the following conditions are met:

-- Virtual server configured with a rate shaping.
-- Standard type of virtual server.

Impact:
The BIG-IP system does not retransmit unacknowledged data segments.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1

965545 : CVE-2020-27617 : QEMU Vulnerability

Links to More Info: K41142448, BT965545

949509 : Eviction Policy UI Hardening

Links to More Info: K000151308, BT949509

945421 : CVE-2020-1968: Raccoon vulnerability

Links to More Info: K92451315, BT945421

944817 : Improper IP based access access restrictions via HTTPD

Component: TMOS

Symptoms:
Under certain conditions HTTPD IP based access restriction may work improperly.

Conditions:
When using HTTPD IP based access restriction.

Impact:
Improper restriction based on IP address

Fix:
IP Access restrictions for HTTPD now works properly

Fixed Versions:
21.0.0

937433 : SCP vulnerability CVE-2020-15778

Links to More Info: K04305530, BT937433

936829 : TMUI Dashboard Hardening

Component: TMOS

Symptoms:
In certain scenarios, TMUI does not follow best security practices.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
Best security practices are now applied.

Fixed Versions:
21.0.0

936713 : REST UI interface enhancements

Links to More Info: K90301300, BT936713

936417 : DNS/GTM daemon big3d does not accept ECDHE or DHE ciphers

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS/GTM big3d daemon does not accept ECDHE or DHE ciphers.

Conditions:
Connections to big3d with ECDHE or DHE ciphers.

Impact:
ECDHE/DHE ciphers do not work with big3d.

Workaround:
Configure ciphers with RSA key exchange.

Fixed Versions:
21.0.0, 17.1.3, 16.1.6.1

935769-7 : Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time★

Links to More Info: BT935769

Component: Advanced Firewall Manager

Symptoms:
Version upgrade takes more time than usual when the config contains address-lists with a lot of IP addresses. The same delay will be observed with 'tmsh load sys config' as well.

Conditions:
-- Configure address-list with 10K to 20K IP addresses or address ranges or subnets.
-- Configuration loading (e.g. Post upgrade, running tmsh load sys config, modification of the configuration and subsequent full load as in full config sync)

Impact:
Version upgrade / 'tmsh load sys config' process takes a long time than usual.

Workaround:
1) Convert continuous individual addresses in the address-lists to IP address ranges and subnets if possible.

2) Remove the huge address-lists from config before the upgrade and add back after the upgrade process is finished.

3) Upgrading to a release or EHF that contains the fix for 1209409. 1209409 does not eliminate the issue but it does reduce the time it takes to validate certain address lists.

Fixed Versions:
21.0.0, 17.5.1.2

932461 : Certificate update on the SSL profile server for the HTTPS monitor: BIG-IP does not use the updated certificate.

Links to More Info: BT932461

Component: Local Traffic Manager

Symptoms:
When you overwrite the certificate that is configured on the SSL profile server and is used with the HTTPS monitor, the BIG-IP system neither uses a client certificate nor continues to use the old certificate.

After you update the certificate, the stored certificate is incremented. However, the monitor log indicates that it is using the old certificate.

Conditions:
--Create a pool with an HTTPS pool member.
--Create an HTTPS monitor with a certificate and key.
--Assign the HTTPS monitor to the HTTPS pool.
--Update the certificate through GUI or TMSH.

Impact:
The monitor tries to use the old certificate or does not present a client certificate after the update.

Workaround:
Use one of the following workarounds:

-- Restart bigd:
bigstart restart bigd

-- Modify the server SSL profile certificate key. Set it to ‘none’, and switch back to the original certificate key name.

The bigd utility successfully loads the new certificate file.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3

930625 : TMM crash is seen due to double free in SAML flow

Links to More Info: BT930625

Component: Access Policy Manager

Symptoms:
When this issue occurs the TMM will crash

Conditions:
Exact reproduction steps are not known but it occurs during SAML transactions

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
N/A

Fixed Versions:
21.0.0, 17.5.1, 17.1.3

926917 : Portal Access: unwanted decoding html entities in attribute values of HTML tags

Links to More Info: BT926917

Component: Access Policy Manager

Symptoms:
HTML Entities in Attribute values in HTML tags are decoded when they shouldn't be.

Conditions:
Portal Access is enabled

Impact:
Unwanted Application errors

Workaround:
None

Fix:
HTML entities in attribute values of HTML tags are no longer decoded by Portal Access

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8

921525 : CVE-2020-1752: glibc vulnerability using glob

Links to More Info: K49921213, BT921525

884801 : TMM may crash while processing ILX::call commands

Links to More Info: K44517780, BT884801

881065 : Adding port-list to Virtual Server changes the route domain to 0

Links to More Info: BT881065

Component: Local Traffic Manager

Symptoms:
When attaching the port-list to virtual server dest:port-list, the route domain of the virtual server is changed to the default value of 0, and the port-list is not correctly applied. This is encountered in the GUI but not in the CLI.

Conditions:
Using port-list along with virtual server in non default route domain using the GUI.

Impact:
You are unable to use the GUI to attach a port-list that uses a non-default route domain to a virtual server.

Workaround:
Use tmsh to attach a port-list to a virtual server if the port-list uses a non-default route domain.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8

874521 : OpenSSL vulnerability: CVE-2019-1551

Links to More Info: K43798238, BT874521

872109 : CVE-2019-17563: Tomcat Vulnerability

Links to More Info: K24551552, BT872109

867253 : Systemd not deleting user journals

Links to More Info: BT867253

Component: TMOS

Symptoms:
When setting 'SystemMaxUse' to any value, systemd does not honor this limit, and the specified size is exceeded.

Conditions:
Using a non-TMOS user account with external authentication permission.

Note: Systemd-journald is configured to create a user journal for every remote user that logs into the BIG-IP system.

Impact:
Journald filling up the file system. These journals are allocated with a minimum size of 4MiB and are not removed when the log entries age-out.

Workaround:
Option 1:
To immediately free up space, manually remove per-user journal logs from the following location:
  /var/log/journal/*/user-*

Option 2:
To prevent the system from creating these journal files going forward:

1. Edit /etc/systemd/journald.conf and add the following at the bottom of the file:
  SplitMode=none

2. Restart systemd-journal service
  # systemctl restart systemd-journald

3. Delete the existing user journal files from /var/log
  # rm /var/log/journal/*/user-*

Note:
-- You must apply this workaround separately to each blade of a VIPRION or vCMP guest running on a VIPRION.
-- You must reapply this workaround after performing software installations.

Fixed Versions:
21.0.0, 17.5.1

857045 : LDAP system authentication may stop working

Links to More Info: BT857045

Component: TMOS

Symptoms:
If the system daemon responsible for LDAP authentication crashes, the system will not automatically restart it, and remote LDAP authentication may stop working.

In /var/log/daemon.log, you may see the following:

warning systemd[1]: nslcd.service failed

Conditions:
Nslcd daemon crashed, and it fails to restart.

Impact:
System authentication stops working until nslcd is restarted.

Workaround:
Manually restart nslcd daemon:

systemctl start nslcd



nslcd can be reconfigured to restart automatically and create core files when it crashes, though these changes will be lost across software installs (and is not backed up as part of a UCS archive):

1. Run "systemctl edit nslcd", which will open a text editor (by default, nano).

2. In the text editor, add these contents:

[Service]

# Allow core files
LimitCORE=infinity
# Try to keep auth daemon running, even if it crashes
Restart=always

3. Exit the text editor and save the file

4. Check the output of "systemctl status nslcd" for any warnings/errors from systemd as a result of editing the file; there should not be any.

5. Restart nslcd:
   systemctl restart nslcd

Fixed Versions:
21.0.0, 17.5.1, 16.1.5

811829-1 : BIG-IP as Authorization server: OAuth Report GUI display expired token as active

Links to More Info: BT811829

Component: Access Policy Manager

Symptoms:
Expired tokens status is shown as ACTIVE in the GUI whereas it is shown AS EXPIRED in the CLI via tmsh list apm oauth token-details

Conditions:
-- Access tokens/Refresh tokens should be expired

Impact:
Misleading information regarding the token status

Workaround:
Uuse 'tmsh list apm oauth token-details' but this shows only the first 100 tokens

Fix:
Made GUI changes to match the tmsh functionality

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1, 15.1.10.8

798889 : CVE-2018-20836 kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free

Links to More Info: K11225249, BT798889

795993 : vim vulnerability: CVE-2019-12735

Links to More Info: K93144355, BT795993

785209 : CVE-2019-9074 binutils: out-of-bound read in function bfd_getl32

Links to More Info: K09092524, BT785209

765053 : OpenSSL vulnerability CVE-2019-1559

Links to More Info: K18549143, BT765053

760895 : CVE-2009-5155 glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result

Links to More Info: K64119434, BT760895

753498 : CVE-2018-16869: Nettle vulnerability

Links to More Info: K45616155, BT753498

740258 : Support IPv6 connections to TACACS+ remote auth servers

Links to More Info: BT740258

Component: TMOS

Symptoms:
Pam_tacplus package 1.2.9 does not support IPv6 connections to TACACS+ remote auth server

Conditions:
IPv6 connections to TACACS+ remote auth server in system-auth methods

Impact:
On a pure IPv6 network, or a network where their TACACS server is only reachable via IPv6, will not be able to use TACACS for system-auth

Workaround:
None

Fix:
NA

Fixed Versions:
21.0.0, 17.5.1

685626-13 : iControl REST improper sanitisation of data

Component: TMOS

Symptoms:
A few values are not properly being sanitised by iControl REST.

Conditions:
When using iControl REST APIs

Impact:
Improper sanitisation of data

Workaround:
Limit access to management and self-ips to trusted networks and users to limit the exposure.

Fix:
iControl REST is now properly sanitising data.

Fixed Versions:
21.0.0

673060 : SSL handshake failure with Session Ticket enabled on the backend server

Links to More Info: BT673060

Component: Local Traffic Manager

Symptoms:
SSL handshake failure occurs as a certificate is not issued (no certificate).

Conditions:
- Server SSL profile is enabled with the Session Ticket feature
- Backend server also supports Session Ticket

Impact:
- Service is disrupted because of a handshake failure.
- SSL handshake fails with no certificate issue.

Workaround:
Disable the Session Ticket feature on the Server SSL Profile or the backend server.

Fixed Versions:
21.0.0

648946-2 : Oauth server is not registered in the map for HA addresses

Links to More Info: BT648946

Component: Access Policy Manager

Symptoms:
The same loopback address is assigned to two listeners.

Conditions:
-- AAA Servers with pool.
-- OAuth Server.

Impact:
Traffic issues due loopback address that is assigned to OAuth Server, can be assigned to some other AAA Server that also uses pool.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1, 17.1.3, 16.1.6.1

641662 : Always connected exclusion list does not support more than 10 entries.

Links to More Info: BT641662

Component: Access Policy Manager

Symptoms:
In locked client mode, APM provides a way to configure destinations that can still be reached by client, even in locked client mode. Number of entries is limited to 10.

Conditions:
Locked client mode is enabled

Impact:
More than 10 exclusions cannot be added

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1

634576-5 : TMM core in per-request policy

Links to More Info: K48181045, BT634576

Component: Access Policy Manager

Symptoms:
TMM might core in cases when per-request policy encounters a reject ending and the server-side flow is not available.

Conditions:
APM or SWG per-request policy with reject ending.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
TMM no longer cores when per-request policy encounters reject ending.

Fixed Versions:
21.0.0, 17.5.1, 16.1.5, 13.1.0

608745 : Send HOST header in OCSP responder request

Links to More Info: BT608745

Component: Access Policy Manager

Symptoms:
HOST header not sent in OCSP responder request. APM OCSP responder object uses HTTP/1.0 to send a request to the OCSP responder and HTTP/1.0 does not have a host header.

Conditions:
OCSP configuration

Impact:
APM receives an invalid response because the OCSP Server didn't know which site to send the request to due to no HOST header.

Workaround:
Create a layer virtual server listening on the IP of the ocsp server and having an irule insert the host header.
ltm rule ocsp_insert_http_host {
    when HTTP_REQUEST {
        HTTP::header insert Host <e.g. IP address>
    }
}

Fix:
HOST header added in OCSP responder request for HTTP/1.1.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1

485387 : EncryptedAssertion may not be processed by BIG-IP as SP when EncryptedKey element is specified by RetrievalMethod Element by external IdP.

Links to More Info: BT485387

Component: Access Policy Manager

Symptoms:
An encrypted assertion from an external SAML Identity Provider (IdP) can contain the RetrievalMethod element to specify a link to the EncryptedKey element. The EncryptedKey element contains the key for decrypting the CipherData associated with an EncryptedData element.

BIG-IP configured as a Service Provider (SP) does not support the RetrievalMethod element while processing an encrypted assertion. As a result, the assertion is not processed properly, and error messages are printed to the log files: "Cannot decrypt SAML Assertion" and "failed to process encrypted assertion, error: Cipher value from EncryptedKey element not found".

Conditions:
External IdP uses RetrievalMethod to specify EncryptedKey element.

BIG-IP is configured as SP. BIG-IP requires received assertions to be encrypted.

Impact:
Authentication will fail due to inability to process assertion.

Workaround:
To work around the problem, reconfigure IdP to use embedded EncryptedKey instead of using RetrievalMethod.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3

2137773 : Table content in FPS/DataSafe webUI page not shown correctly★

Links to More Info: BT2137773

Component: Application Security Manager

Symptoms:
When the user navigates either to
Security ›› Fraud Protection Service : Anti-Fraud Profiles
or
Security ›› Data Protection : BIG-IP DataSafe

The table content is not shown.

Conditions:
Navigate to
Security ›› Fraud Protection Service : Anti-Fraud Profiles
or
Security ›› Data Protection : BIG-IP DataSafe

Impact:
User cannot see or access the profile contents via GUI.

Workaround:
None

Fix:
User can see the profiles table.

Fixed Versions:
21.0.0

2137653-2 : Unable to upload files that contain a colon in the filename

Links to More Info: BT2137653

Component: TMOS

Symptoms:
You are unable to upload files where the filename contains a colon.
The BIG-IP returns a 400 HTTP error with the following error message: "A valid filename must be supplied".

Conditions:
Trying to upload a file to the BIG-IP where the filename uses one or more colons.

Impact:
Files that contain colons in the filename are unable to me uploaded.

Workaround:
The only option is to use a filename that does not use a colon.

Fixed Versions:
21.0.0

2137581 : TMM core may occur under certain conditions

Component: Local Traffic Manager

Symptoms:
Under certain SSL conditions, TMM could encounter a core.

Conditions:
NA

Impact:
Traffic is disrupted while the TMM process restarts.

Workaround:
Set the 'Alert Timeout' value to a specific value, say 5 seconds, instead of the default 'indefinite' value, in ALL client-ssl AND server-ssl profiles.

Configuration Steps
-------------------

GUI Path:
Local Traffic ›› Profiles : SSL : Client ›› clientssl → Alert Timeout = 5 seconds
Local Traffic ›› Profiles : SSL : Server ›› serverssl → Alert Timeout = 5 seconds

TMSH Command:
(tmos)# modify ltm profile client-ssl clientssl alert-timeout 5
(tmos)# modify ltm profile server-ssl serverssl alert-timeout 5

Fix:
TMM able to work properly.

Fixed Versions:
21.0.0

213618 : Resetting DB variable to default does not always work

Component: TMOS

Symptoms:
When using the 'reset-to-default' option to set a DB variable to its default value, the DB variable may appear to be reconfigured for its default value, but the new value may not have any functional effect.

For example, if the DB variable 'log.mcpd.level' is configured with a value of 'debug', then the command 'tmsh mod sys db log.mcpd.level reset-to-default', the DB variable 'log.mcpd.level' will display a value of 'notice', but mcpd will continue logging at 'debug' level.

Conditions:
This may occur when:
-- A system DB variable is configured with a non-default value.
-- A command is issued to reset that DB variable to its default value using the following syntax:
  -- from a tmsh prompt:
     'modify /sys db <variable.name> reset-to-default'
  -- from a bash prompt:
     'tmsh modify sys db <variable.name> reset-to-default'

Impact:
The intended change in the system DB variable value does not have the desired effect.
For example, if system DB variable controlling logging levels is changed from 'debug' (or other verbose logging level) to its default (non-debug) value, debug logging continues, which may fill the file system unexpectedly and result in system failures.

Workaround:
To ensure that:
-- BIG-IP daemons implement the behavior expected by changing the system DB variable to its default value, and
-- The saved BIG-IP configuration reflects that the system DB variable is no longer configured with a non-default value,

Issue two commands to (1) explicitly configure the system DB variable to the desired value, and (2) make system DB variable as being configured with its default value, using the following format:
  -- from a tmsh prompt:
     'modify /sys db <variable.name> value <desired_value>'
     'modify /sys db <variable.name> reset-to-default'
  -- from a bash prompt:
     'tmsh modify sys db <variable.name> value <desired_value>'
     'tmsh modify sys db <variable.name> reset-to-default'

Fixed Versions:
21.0.0

2132165 : TCP connection fail when tm.tcpstopblindinjection is enabled

Links to More Info: BT2132165

Component: Local Traffic Manager

Symptoms:
Connections fail through virtual servers as the server's initial data is dropped.

Conditions:
- DB key tm.tcpstopblindinjection is enabled
- Virtual server for protocol where server speaks first (e.g. SMTP, SSH/SFTP, FTP)

Impact:
Connections fail.

Workaround:
Disable the DB key sys db tm.tcpstopblindinjection

Fix:
Improved handling of sys db tm.tcpstopblindinjection

Fixed Versions:
21.0.0

2132125 : Unable to upload QKView to iHealth

Component: TMOS

Symptoms:
Message displayed after attempting to upload a QKview:
Failed to upload the QKView file to iHealth

Conditions:
Unable to upload QKView.

Impact:
Can't upload.

Workaround:
The customer can download the qkview from the BIG-IP and then upload it through the ihealth webui.

Fix:
Can upload.

Fixed Versions:
21.0.0

2130729 : HTTP::respond not working properly with HTTP3/quic - content not sent

Links to More Info: BT2130729

Component: Local Traffic Manager

Symptoms:
irule for http/3 virtual server with
HTTP::respond that includes content will not send the content

Conditions:
The header sent to the client does indicate content with a content-length above 0
* Request completely sent off
< HTTP/3 200
< content-type: text/html
< server: BIG-IP
< content-length: 179

But no content is sent and the connection is terminated abnormally.

Impact:
Not able to use HTTP::respond with content

Workaround:
None

Fixed Versions:
21.0.0

2130601 : TMUI Request Processing Improvement

Component: TMOS

Symptoms:
TMUI may not properly process certain requests in specific scenarios.

Conditions:
NA

Impact:
Unexpected behavior

Workaround:
NA

Fix:
TMUI now processes requests as expected.

Fixed Versions:
21.0.0

2119173 : The Active or Standby buttons in the webUI are not working

Links to More Info: BT2119173

Component: TMOS

Symptoms:
The blank page is displayed when the Active or StandBy button in the top left corner of the webUI is clicked.

Conditions:
1) HA Group is configured
2) Click the Active or the Standby button in the top left corner of the webUI.

Impact:
Blank page is displayed.

Workaround:
Navigate to Device Management >> Traffic Groups and select the desired traffic group.

Fixed Versions:
21.0.0

2099689 : AFM Security Policy checkboxes for Auto Generate UUID and Logging for rules listed doesn't work via GUI

Component: Advanced Firewall Manager

Symptoms:
The "Logging" and "Auto Generate UUID" checkboxes for firewall rules do not respond in the GUI but work correctly via tmsh CLI.

Conditions:
The issue occurs when editing firewall rules in the BIG-IP AFM GUI

Impact:
Users are unable to enable or disable "Logging" and "Auto Generate UUID" for firewall rules via the BIG-IP AFM GUI

Workaround:
Use tmsh:
tmsh modify security firewall rule-list SELF-IP-WEB rules modify { new3 { log yes } }

Fixed Versions:
21.0.0

2099609 : TMM might core with SIGSEGV with certain network traffic

Links to More Info: K000156912, BT2099609

2098861 : Single-NIC not supported on Azure Standard_Ds_v5 Series.

Links to More Info: BT2098861

Component: TMOS

Symptoms:
In Azure/HyperV single NIC VMs, tmm fails to attach to the 1.0 interface.

Conditions:
- HyperV or Azure VM that has a single SR-IOV NIC attached to the VM.

- Affected instances show `getdb provision.1nic` value as "disable". For 1nic instances, this dbvar should have "enable" value to correctly configure tmm and mgmt networking.

- This problem does not happen with 1nic instances using only a synthetic netvsc nic.

Impact:
As tmm can't successfully attach to the 1nic instance, no data traffic passes.

Workaround:
Configure "provision.1nic" dbar value to "forced_enable" to override the automation behavior:
 setdb provision.1nic "forced_enable"

Fix:
Both data connectivity through TMM works in Single-NIC instances deployed in Azure/HyperV.

Fixed Versions:
21.0.0

2083217 : Updates to BIG-IP Image Signing and Verification Process - October 2025★

Links to More Info: BT2083217

Component: TMOS

Symptoms:
A key update in October 2025 impacts image signature verification for certain BIG-IP and F5OS releases, potentially blocking installations or validations on older systems.

Conditions:
This change is implemented in BIG-IP versions released October 2025 or later, and all BIG-IP Engineering Hotfixes created on or after October 13, 2025.

Impact:
As a result, BIG-IP images signed with new keys may not be automatically verified by earlier BIG-IP and F5OS releases.
In addition, earlier BIG-IP releases may not be automatically verified by BIG-IP versions released October 2025 or later.

Workaround:
BIG-IP ISO Images:

Signature verification (as documented in K15225) will block installation of this release on systems running earlier BIG-IP versions.
To install this release:
1.Temporarily disable BIG-IP ISO signature verification.
2.Install this BIG-IP release.
3.Re-enable BIG-IP ISO signature verification.

Signature verification (as documented in K15225) will also block installation of older BIG-IP versions (released before October 2025) on systems running this BIG-IP release.
To install older versions:
1.Temporarily disable BIG-IP ISO signature verification.
2.Install the desired older BIG-IP version.
3.Re-enable BIG-IP ISO signature verification.

F5OS Tenant Images:
For this BIG-IP release, ".qcow2.zip.bundle" tenant images cannot be validated on F5OS host systems (VELOS chassis or rSeries appliances) running F5OS versions released prior to October 2025. This is due to differences in signing and verification methods.

To install F5OS tenant images:
Where possible, use the ".tar.bundle" image type, which is compatible with all supported F5OS releases other than F5OS-A 1.5.x. For F5OS-A 1.5.x, upgrade the host to F5OS-A 1.5.4 or later, and then use the ".qcow2.zip.bundle" tenant image.

For more information, see:
K15225: Enabling signature verification for BIG-IP ISO image files
https://my.f5.com/manage/s/article/K15225
K24341140: Verifying BIG-IP software images using SIG and PEM files
https://my.f5.com/manage/s/article/K24341140
K000157005: F5 signing certificate and key rotation, October 2025
https://my.f5.com/manage/s/article/K000157005

Fix:
This BIG-IP release has been signed with cryptographic keys updated as of October 2025.

Behavior Change:
As the result of rotation of the keys used to sign BIG-IP images, verification of images for this BIG-IP release may not behave as historically expected.

- For BIG-IP ISO images, ISO image signature verification documented in K15225 will block installation of this release on systems running earlier releases of BIG-IP.
To successfully install this BIG-IP release:
1. Disable BIG-IP ISO signature verification
2. Install this BIG-IP release
3. Re-enable BIG-IP ISO signature verification

- For BIG-IP ISO images, ISO image signature verification documented in K15225 will block installation of BIG-IP versions released prior to October 2025.
To successfully install older BIG-IP versions while running this BIG-IP release:
1. Disable BIG-IP ISO signature verification
2. Install the desired BIG-IP release
3. Re-enable BIG-IP ISO signature verification

- For F5OS tenant images for this BIG-IP release, F5OS tenant images of the ".qcow2.zip.bundle" type cannot be validated when imported into an F5OS host system (VELOS partition or rSeries appliance) for F5OS versions released prior to October 2025. This is due to different signing and verification methods for ".qcow2.zip.bundle" image types.

To successfully install an F5OS tenant image for this BIG-IP release:

- For F5OS-A 1.5.x, upgrade the system to at least F5OS-A 1.5.4 and then import an ".qcow2.zip.bundle" image.
- For all other supported F5OS versions, import an F5OS tenant image of the ".tar.bundle" type. This image type uses a different signing and verification method which is recognized as valid on both newer and older F5OS host software versions.

It is highly recommended that all F5-provided software images be manually verified using the procedures described in:
K24341140: Verifying BIG-IP software images using SIG and PEM files
https://my.f5.com/manage/s/article/K24341140

See also:
K15225: Enabling signature verification for BIG-IP ISO image files
https://my.f5.com/manage/s/article/K15225

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8

2078797 : LTM Policy actions fail to render in configuration utility (web UI)★

Links to More Info: K000156885, BT2078797

Component: TMOS

Symptoms:
Upon going to Local Traffic >> Policies : Policy List and selecting a policy that has actions defined, the following error is logged via the browser developer console.

TypeError: can't access property "action", i.action is undefined
  t app.min.js:20
  ActionTextController app.min.js:20
  Angular 44
  jQuery 5
angular.js:15717:16

Conditions:
- LTM Policies and actions are configured.
- The LTM Policies are viewed in the configuration utility (web UI)

Impact:
- This issue prevents the BIG-IP administrator from being able to view detailed information about the LTM Policies via the configuration utility.
- BIG-IP administrator is also unable to edit pools or virtual servers from the drop-down list when selecting an action to forward traffic for the LTM policy rule.

Workaround:
Use TMSH to view or edit LTM Policies.

Open a case with F5 Support (K2633) and request an engineering hotfix with the fix for ID 2078797.

Fix:
The LTM Policies correctly render in the configuration utility.

Fixed Versions:
21.0.0

2078793-6 : Security weakness in 3rd party library used in AGC

Links to More Info: K000134507, BT2078793

2077601 : The guest or manager role users getting error on reading virtual server config

Component: TMOS

Symptoms:
When the user selects any created virtual server to see the read-only details, the error
"General database error retrieving information." is displayed on the screen.

Conditions:
Create a user with guest or manager role and try to read the virtual server configs

Impact:
The guest or manager role users were restricted to read or create a new virtual server configuration

Workaround:
None

Fix:
Added the json profile to the known list during validation of non admin user

Fixed Versions:
21.0.0

2077297 : HA Group List page in webUI shows a blank page

Links to More Info: BT2077297

Component: TMOS

Symptoms:
HA Group List page shows a blank page with no information on the screen

Conditions:
The system is configured for High Availability (HA)
1) Go to System > High Availability > HA Group List
2) Click the Create button or an existing entry in the list

Impact:
No information is visible in HA Group List page in webUI

Workaround:
None

Fixed Versions:
21.0.0

2077209-4 : File Import Handler Enhancement

Links to More Info: K000156801, BT2077209

2077201-4 : TMUI File Import Handler Enhancement

Links to More Info: K000156800, BT2077201

2064569 : BIND upgrade to version 9.18.37

Links to More Info: BT2064569

Component: Global Traffic Manager (DNS)

Symptoms:
BIND version 9.18.28 was published on 23 July 2024

Conditions:
New security fixes were made available in the last 9.18.37 BIND version: CVE-2025-40775, CVE-2025-40776.

Impact:
NA

Workaround:
None

Fix:
BIND was upgraded to the last 9.18.37 version

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8

2064505 : TLS 1.2 handshake failure with cipher rule configured using hybrid KEM algorithms first

Component: Local Traffic Manager

Symptoms:
When a TLS 1.2 connection is initiated with https virtual server using a cipher rule with hybrid KEM algorithms listed first, the connection handshake fails.

Conditions:
Cipher rule is configured with hybrid KEM algorithms before their related classic DH-group algorithms. Issue does not occur if classic DH-group algorithms precede hybrid KEM algorithms in the cipher rule.

Fail:
ltm cipher rule group1 {
    cipher rule1
    dh-groups X25519MLKEM768:X25519
}

Works:
ltm cipher rule group1 {
    cipher rule1
    dh-groups X25519:X25519MLKEM768
}

Impact:
TLS 1.2 connections secure key exchange fail when hybrid KEM algorithms listed first in the cipher rule configurations.

Workaround:
Issue does not occur if classic DH-group algorithms precede hybrid KEM algorithms in the cipher rule.

ltm cipher rule group1 {
    cipher rule1
    dh-groups X25519:X25519MLKEM768
}

Fix:
Ensure hybrid PQC KEM and classic DH-group algorithms can coexist in any order within cipher rule configurations without handshake failures.

Fixed Versions:
21.0.0

2064413-1 : UCS File Download Failure via REST API Due to Byte-Range Handling Bug in BIG-IP

Links to More Info: BT2064413

Component: TMOS

Symptoms:
When downloading UCS files using the BIG-IP REST API with clients such as PowerShell 7, downloaded files are larger than expected and contain duplicate or corrupted data. The MD5 checksum of the downloaded file does not match the source UCS file on the BIG-IP system. This is due to the REST service returning the same portion of the file for every chunk request, resulting in failed or unusable UCS restore attempts

Conditions:
Affected when downloading UCS files over the REST API (using HTTP Range headers) from BIG-IP.
Most commonly seen with PowerShell 7 and other clients that download files in chunks.
Not observed with PowerShell 5 or when using SCP/SFTP.
Occurs on affected TMOS versions before the implementation of the fix.

Impact:
UCS file downloads via REST API are incomplete and corrupted.
MD5 checksum mismatch prevents UCS archive validation or restore.
Automated backups or migrations using REST API may fail.
Potential risk of data loss if corrupted UCS files are used for restore.

Workaround:
Use alternate file transfer methods such as SCP or SFTP to download UCS files directly from /var/local/ucs/ on the BIG-IP system.

Fixed Versions:
21.0.0

2058989 : TMUI hardening

Component: TMOS

Symptoms:
In certain scenarios, TMUI does not follow best security practices.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
Best security practices are now applied.

Fixed Versions:
21.0.0

2058977 : TMUI hardening

Component: TMOS

Symptoms:
In certain scenarios, TMUI does not follow best security practices.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
Best security practices are now applied.

Fixed Versions:
21.0.0

2058853 : SMTP validation improvements

Component: Application Visibility and Reporting

Symptoms:
SMTP validation did not follow expected behavior.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
SMTP validation follows expected behaviour.

Fixed Versions:
21.0.0

2053705-1 : TMM memory is not cleared after handshake failure

Links to More Info: K000156733, BT2053705

2053613 : Core dump found during stability testing

Component: TMOS

Symptoms:
Core dump found during the stability testing in the control plane

Conditions:
Configure the BIG-IP and send the continous traffic

Impact:
Core dump found in the control plane and it will impact the confifiguration of BIG-IP.

Workaround:
None

Fix:
Fixed by not sending the invalid configuration to main thread, which worker thread can not handle.

Fixed Versions:
21.0.0

2050321 : PHP Vulnerabilities: CVE-2014-9425

Links to More Info: K16339, BT2050321

2047593-1 : Blade upgrade fails with the "HAL unexpected init failure (continuing) : Unknown slot for ChassisBase" error message★

Links to More Info: BT2047593

Component: TMOS

Symptoms:
C4800 chassis blades at slot positions 5 - 8 fails to join cluster after upgrading to BIG-IP TMOS 17.5.0 with error "Unknown slot for ChassisBase".

Conditions:
C4800 chassis that supports 8 blades with blades at slots 5 to 8 and running with BIG-IP v17.5.0.

Impact:
Reduced capacity due to fewer blades joining cluster for traffic handling.

Workaround:
None

Fixed Versions:
21.0.0

2047569 : TMM may crash during the startup with SR-IOV Intel E810 NIC on VMWare environments

Links to More Info: BT2047569

Component: Local Traffic Manager

Symptoms:
During the TMM restart, the Intel E810 SR-IOV interface may remain in an invalid state. It will prevent the initialisation of the interface on the next TMM start, and TMM will generate the core file in this case.

Conditions:
BIG-IP VE is deployed on VMWare ESXi environment with E810 SR-IOV interface attached.

Impact:
TMM may crash during startup.

Workaround:
To clean invalid SR-IOV interface state, a complete reboot of the BIG-IP VM or VMware hypervisor is required.

Fix:
TMM correctly shut down Intel E810 SR-IOV interfaces during the service restart.

Fixed Versions:
21.0.0

2047445-1 : A VPN connection may fail when an Access policy or a Virtual Server is configured in a route domain

Links to More Info: BT2047445

Component: Access Policy Manager

Symptoms:
When the Access policy is configured in a route domain using the "Route Domain and SNAT Selection" agent, or when a virtual server is configured in any route domain, a VPN connection may fail with the error: "iSession: Connection error: isession_handle_syn:3740: No peer:4". This issue is applicable only to Windows-based Edge clients and Browser clients.

Conditions:
1. Windows client is used
2. Access policy is configured in route domain or Route domain is configured on VS
3. User tries to establish VPN connection

Impact:
VPN connection may fail

Workaround:
Any of the following workarounds can be applied:

-- Configure route domain with parent as default route domain. In some cases we may need to disable "strict isolation", In addition to parent as default route domain.
-- Disable ipv6 using "tmsh modify sys db ipv6.enabled value false"
-- tmsh modify sys db isession.ctrl.apm value disable

Fix:
VPN connection should be established when the APM access policy is configured with route domain.

Fixed Versions:
21.0.0

2047293 : TMM NULL dereference in Dyn-TCAM after multiple failures

Links to More Info: BT2047293

Component: TMOS

Symptoms:
TMM SIGSEGV crash.

Conditions:
Triggered by HW offload of a security feature.

Impact:
TMM restart, HA failover.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3

2047069-2 : Issue observed in Checkmarx scan

Links to More Info: BT2047069

Component: TMOS

Symptoms:
Some special characters are included in the file name on the dashboard page.

Conditions:
When the user gives special characters for file names in the dashboard page.

Impact:
The user will not be able to retrieve the files if they are saved incorrectly.

Workaround:
None

Fixed Versions:
21.0.0, 17.1.3

2046885 : iHealth configuration improvement

Links to More Info: K000156642, BT2046885

2044565 : Add support for tcp & clientssl default profiles to enhance S3 workload performance

Component: Local Traffic Manager

Symptoms:
The default tcp and clientssl profiles are not optimized for handling S3 traffic

Conditions:
When LTM is configured in BIG-IP and S3 traffic is received.

Impact:
S3 workload performance could be suboptimal.

Workaround:
Manually configuring the tcp and clientssl profiles with recommended values can improve S3 traffic performance with BIG-IP acting as a proxy.

Fix:
The new s3-tcp and s3-default-clientssl profile are optimized to handle S3 traffic and improve GET, PUT, STAT and througput performance for S3 flows.

Fixed Versions:
21.0.0

2044417 : Connectivity problems and eal-intr-thread cores on Azure using >= 6 interfaces

Links to More Info: BT2044417

Component: TMOS

Symptoms:
With Hyper-V platforms, VMBus devices are present due to the virtualization architecture. These devices make use of VMBus channels in the /sys/bus directories. Hyper-V has a reported supported limit of 128 monitored VMBus channels. Patches for non-monitored (low-speed) VMBus channels have caused connectivity problems and eal-intr-thread cores.

Conditions:
-- Use Hyper-V platform
-- Use 16 vCPUs and attach >= 7 interfaces
-- Use 24 vCPUs and attach >= 6 interfaces

Impact:
Traffic interrupts and eal-intr-thread cores can occur.

Workaround:
Deploy instances with <= 3 interfaces on Hyper-V platforms.

Fix:
Regardless of combinations of vCPU and interface counts, traffic can be passed and eal-intr-thread cores are limited. VMBus channels correspond with device queues so the 128 monitored VMBus channel limit forces queue-sharing and impacts performance. To avoid losing performance, deploy instances with fewer interfaces.

Fixed Versions:
21.0.0

2044381 : Gtmd SIGSEGV core due to monitor status change

Links to More Info: BT2044381

Component: Global Traffic Manager (DNS)

Symptoms:
Gtm cored

Conditions:
-- Three GTMs in a sync group
-- A GTM pool has a monitor with "require 1 from 2 probes" configured
-- Resources are marked down due to iQuery traffic disruption between two of the GTMs, then come back up

Impact:
GSLB traffic disrupted while gtmd restarts.

Workaround:
None

Fixed Versions:
21.0.0

2038309 : After the full config sync, FQDN template node status changes to ‘fqdn-checking’ (Unknown) untill the DNS query is triggered

Links to More Info: BT2038309

Component: Local Traffic Manager

Symptoms:
The node’s availability changes to unknown, even though the DNS server is reachable and should have valid resolution data.

The FQDN resolver does not immediately send a DNS query upon receiving the sync, which delays recovery of the node status.

Node status returns to fqdn-up only after the next scheduled DNS query interval (For example, 240 seconds).

Conditions:
-- BIG-IP devices configured with FQDN template nodes.
-- Performing config sync with the force-full-load-push option.

The issue occurs on the sync receiver only. It does not reproduce without force-full-load-push.

Impact:
Temporary service visibility issue:

FQDN nodes incorrectly display 'fqdn-checking' or 'availability unknown' until the next DNS resolution cycle.

This can exist till the next FQDN interval configuration (For example, 4 minutes).

May confuse administrators monitoring node status.

Workaround:
To work around this issue, either:

-- After initiating the config sync force-full-load-push, initiate on the standby/sync receiver:
bigstart restart dynconfd

or:

-- Configure the FQDN template node with a shorter 'interval' value, so that the next DNS query occurs more quickly after the full config sync operation.

Fix:
None

Fixed Versions:
21.0.0

2037409 : Tmctl tables are corrupted for large cluster size and tmm memory shows 0

Links to More Info: BT2037409

Component: TMOS

Symptoms:
When a BIG-IP is deployed on a large cluster with 5 or more blades on VELOS chassis platforms, the following tables are shown as corrupted:
tmctl -d blade tmm/sdaglib_mirror_table
tmctl -d blade tmm/sdaglib_did_info
tmctl -d blade ipfix_destination_stats
tmctl -d blade tmm/sctp
tmctl -d blade tmm/lac

The command tmsh show sys tmm-info; shows 0 tmm memory
Memory (bytes)

tmsh show sys tmm-info

Conditions:
When using F5 VELOS Chassis platforms installed and deployed with BIG_IP with a number of blades 5 or above.

Impact:
Any data presented to user based on the impacted tables will be indicating incorrect data.

Workaround:
None

Fix:
A new DID table column is added to represent DAG PG tables in a concise format.This fits and adhere to TMSTAT size restriction and avoids table corruption for larger DAG tables using wide format(16-bit virtual server 8 bit) in DAG tables.

Fixed Versions:
21.0.0, 17.5.1.3

2035129-5 : The CMP stream communication between tmms on different blades might stall after a tmm memory exhaustion event

Links to More Info: BT2035129

Component: Local Traffic Manager

Symptoms:
Issues with ARP or NDP resolution. Intermittent issues with the tmm session table.

Conditions:
BIG-IP is running on a chassis platform
tmm has run out of memory at some point but was able to recover

Impact:
CMP communication is impacted which may affect the tmm session table, ARP and NDP resolution, intra-chassis mirroring among other things.

Workaround:
It is difficult to determine which tmm(s) on which slot(s) might have been affected by the issue. Either restart tmm on the blades that experienced a memory exhaustion event or restart tmm on each blade in the chassis.

Fixed Versions:
21.0.0

2035005 : VMware Horizon applications launched via BIG-IP as VDI proxy ignore args parameter in vmware-view URI

Links to More Info: BT2035005

Component: Access Policy Manager

Symptoms:
Applications launched through BIG-IP virtual server start correctly, but the args parameter is dropped.

Example: Command Prompt opens but does not execute ipconfig when launched with args=%2Fk%20ipconfig.

When bypassing BIG-IP (direct VCS node access), the same URI executes the command successfully.

Applications without args (e.g., Calculator) work as expected both with and without BIG-IP.

Conditions:
VMware Horizon published applications behind BIG-IP APM.

Launching applications via vmware-view:// URI with args parameter.

Protocols tested: Blast, PCoIP.

Issue occurs consistently when BIG-IP virtual server FQDN is used.

Direct access to Horizon Connection Server (bypassing BIG-IP) does not exhibit the problem.

Impact:
User cannot deep-link into specific app states or pass runtime arguments to published applications through BIG-IP.

Breaks workflows relying on args, such as opening IBM Notes documents directly or running pre-defined commands in applications.

Causes functional discrepancy between direct Horizon access and BIG-IP proxied access, leading to user frustration and support escalations.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3

2034985-1 : Unable to forward NTLM SSO back-end cookies to front-end

Component: Access Policy Manager

Symptoms:
Unable to forward NTLM SSO back-end cookies to front-end.
NTLM has three HTTP round-trips and can set different sets of cookies in each trip. After successful NTLM SSO, APM does not forward some cookies from the back-end to the front-end.

Conditions:
-- NTLM SSO is configured.
-- The server side sends one or more 401 responses to the BIG-IP system during the transaction, followed by a 200 response.

Impact:
Cookies are not sent to the client side, and SSO negotiation fails.

Fix:
Send relevant cookies in response.

Fixed Versions:
21.0.0

2034789 : Unbound has been upgraded from version 1.20.0 to 1.23.1

Links to More Info: BT2034789

Component: Global Traffic Manager (DNS)

Symptoms:
Unbound has been upgraded to include the latest fixes in version 1.23.1

Conditions:
None

Impact:
Unbound has been upgraded to include the latest fixes in version 1.23.1

Workaround:
None

Fix:
Unbound has been upgraded to include the latest fixes in version 1.23.1

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3

2033809 : ASM Connection Handling Improvement

Component: Application Security Manager

Symptoms:
ASM connections may not close properly under certain conditions.

Conditions:
- Processing large JSON requests
- Default ASM configuration (bypass_upon_load = 0)
- High memory usage scenarios

Impact:
Potential connection issues during high load.

Workaround:
NA

Fix:
Improved ASM connection handling.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1, 15.1.10.8

2017105 : Disk partition /var full after quick config changes★

Links to More Info: BT2017105

Component: Application Security Manager

Symptoms:
When a new configuration is applied, the previous data files are kept as long as they may be needed and also had a minimum age for deletion applied. When multiple config changes were made in quick succession this resulting in multiple generations that were under the minimum age for cleanup, and some duplicate data files that hadn't changed between generations. This can exhaust the available space in /var.

Conditions:
Many small config changes are applied in quick succession. This can occur during a version upgrade or EHF installation.

Impact:
Disk space was exhausted, leading to failure to apply configuration or configuration corruption.

Fix:
File cleanup now correctly removes files that are no longer needed, regardless of their age. "Duplicate" data files are now hardlinked to reduce wasted disk space.

Fixed Versions:
21.0.0

2016105 : TMM might crash under certain conditions

Links to More Info: K000156597, BT2016105

2016041 : Remove the unused DynaCache Package

Component: Local Traffic Manager

Symptoms:
DynaCache is shipped as part of BIG-IP and is no longer used anywhere in BIG-IP.

Conditions:
DynaCache Package is included in BIG-IP

Impact:
None

Workaround:
None

Fix:
DynaCache package has been removed from BIG-IP.

Fixed Versions:
21.0.0

2012301 : Upgrade the certificate to be compatible with the new upgraded gson package

Component: TMOS

Symptoms:
After the Gson package upgrade to 2.10.1, we need to update the certificate in cacert so that the SSL handshake exception is not present, as the new Gson package needs an updated certificate for verification.

Conditions:
Where the Gson package is used.

Impact:
Fails all the related packages in the build

Workaround:
Update the cacert with the correct certificate

Fix:
Certificate is updated to support Gson 2.10.1

Fixed Versions:
21.0.0

2008633 : Active mode FTP using port 0 for data-channel connections

Links to More Info: BT2008633

Component: Local Traffic Manager

Symptoms:
- Infrequent FTP data-channel failure.
- Control-channel is terminated with ABOR due to data-channel failure.

Conditions:
- FTP profile configured with data-port 0 (any).
- Active mode FTP.
- Server using privileged port(s) (<1024).

Impact:
Failed FTP data connection.

Workaround:
If the server uses a known privileged port (e.g., 20), set this as the data-port in the FTP profile.
Alternatively, configure the server to use non-privileged port (>= 1024).

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3

2008573 : Login/Logout expected/unexpected string has no length validation

Links to More Info: BT2008573

Component: Application Security Manager

Symptoms:
You can configure an inappropriately long string for the login/logout criteria.

Conditions:
Configuring the Login/Logout expected/unexpected string.

Impact:
Upon asm restarted bd goes into restart loop. ASM traffic disrupted while bd restarts.

Workaround:
None

Fixed Versions:
21.0.0

2007705 : HSL can incorrectly handle pending TCP connections leading to a TMM crash

Links to More Info: BT2007705

Component: TMOS

Symptoms:
TMM crashes.

Conditions:
A pool member is marked down or delete while there are TCP connection issues with some pool members

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
Does not core anymore, and TMM handle the situation correctly

Fixed Versions:
21.0.0

1991289-1 : ECA always invokes the default access profile 'kerberos_auth_default'

Links to More Info: BT1991289

Component: Access Policy Manager

Symptoms:
ECA always invokes the kerberos_auth_default profile, even when it’s known that the request will be denied later.

Conditions:
-- SSL Orchestrator Proxy configured with SWG-explicit NTLM ONLY Access Profile

Impact:
Increasing unnecessary load on apmd, which will cause a performance issue during peak time.

Workaround:
None

Fix:
ECA will not send a known invalid request to APMD to deny

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3

1991261-1 : AAA LDAP: priority group activation resets when updating configuration in APM

Links to More Info: BT1991261

Component: Access Policy Manager

Symptoms:
AAA LDAP pool-based configuration in APM resets the Priority Group Activation (PGA) setting to the default after any update to AAA LDAP configuration.

Manual changes to PGA (e.g., disabling it) are overwritten during AAA updates in the APM UI.

Conditions:
-- AAA LDAP is configured in APM with the "Use Pool" option enabled.
-- Priority Group Activation on the auto-generated pool is manually set to "Disabled" via Local Traffic > Pools.
-- Any subsequent update to the AAA LDAP configuration in APM resets the Priority Group Activation setting back to "Less than 1 Available Member(s)".

Impact:
-- Custom settings for Priority Group Activation are not persistent and are overwritten during APM updates.
-- Load balancing behavior may not work as intended if PGA is reset unexpectedly.

Workaround:
Manually update Priority Group Activation settings in the auto-generated pool via Local Traffic > Pools after each AAA LDAP configuration update in APM.
Disable Priority Group Activation immediately after updating any AAA LDAP configuration values in APM.

Fix:
No changes to the UI are required for the fix.
The TMUI backend logic has been updated to retain custom Priority Group Activation settings when reloading the LDAP AAA configuration.
When reloading the LDAP AAA configuration, the system will now preserve existing Priority Group Activation settings and prevent reinitialization of this variable.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3

1991241 : ECA plugin unresponsive

Links to More Info: BT1991241

Component: Access Policy Manager

Symptoms:
ECA plugin becomes unresponsive and is stuck on a read call.

Conditions:
-- SSL Orchestrator Proxy configured with SWG-explicit NTLM ONLY Access Profile

Impact:
ECA plugin became unresponsive, leading to a performance degradation.

Workaround:
None

Fix:
Added support for a read socket timeout.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3

1991237 : Unable to configure number of apmd threads using tmsh command

Links to More Info: BT1991237

Component: Access Policy Manager

Symptoms:
You are unable to configure the number of apmd threads via tmsh.

Conditions:
-- SSL Orchestrator Proxy is configured with SWG-explicit NTLM ONLY Access Profile
-- Any access policy configured in APM.

Impact:
Unable to control the number of apmd threads using tmsh command.

Workaround:
None

Fix:
Manage the number of apmd threads using TMSH. The default value will be used if no changes are required to the apmd threads, and the current behaviour will remain unchanged.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3

1990897 : APM hardening

Links to More Info: K000156596, BT1990897

1989133 : Unexpected blocking of valid login attempts after upgrade to version 17.5.0

Links to More Info: BT1989133

Component: Application Security Manager

Symptoms:
Users may experience blocking of legitimate login attempts due to incorrect classification of failed logins.

Conditions:
Occurs when brute force protection is enabled and login attempts are made to a configured login URL without authentication headers.

Impact:
Valid login attempts may be falsely flagged as brute force attacks, triggering enforcement actions such as CAPTCHA or blocking pages, potentially disrupting user access.

Workaround:
None

Fix:
Fixed issue with blocking valid login attempts

Fixed Versions:
21.0.0

1987361 : APMD file descriptor exhaustion when LDAP operational timeout is set to 180 seconds

Links to More Info: BT1987361

Component: Access Policy Manager

Symptoms:
You may observe below string in /var/log/apm*

"Too many open files"
"threads 560, running 560"

Conditions:
NTLM config with LDAP pool configuration.

Impact:
Unable to process APM traffic

Workaround:
Restart APMD process

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3

1983321 : CVE-2025-48976 apache-commons-fileupload: Apache Commons FileUpload DoS via part headers

Links to More Info: K000152614, BT1983321

1983229 : Post-rotate Command Improvements for iHealth

Links to More Info: K000154647, BT1983229

1982937 : InTune MDM endpoint compliance intermittently fails despite being compliant

Links to More Info: BT1982937

Component: Access Policy Manager

Symptoms:
Compliant devices are shown as non-compliant

Conditions:
MDM Intune mdm check is used

Impact:
Access policy is denied even for compliant devices

Workaround:
None

Fix:
Access policy should be allowed if device is compliant.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1

1980721 : APMD Core while parsing the invalid JWT Header

Links to More Info: K000156602, BT1980721

1980649 : High CPU usage by bd

Links to More Info: BT1980649

Component: Application Security Manager

Symptoms:
High CPU usage by bd

Conditions:
-- ASM provisioned and in use
-- A specific condition leads BD to unnecessary high CPU

Impact:
High CPU

Workaround:
None

Fix:
BD no longer causes high CPU under the specific condition.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3

1980645-1 : Bypass APM for Horizon Blast/PcoIP connection for internal users

Links to More Info: BT1980645

Component: Access Policy Manager

Symptoms:
Need a method to bypass APM for Horizon Blast connection for internal users using some configuration option in VPE.

Conditions:
1. VMware VDI is configured in APM
2. Internal and external users traffic is separated before reaching this Virtual Server.

Impact:
Internal user VMware horizon desktop/app traffic always goes through the Virtual Server though it can be bypassed after Authentication.

Workaround:
None

Fix:
There should be a configurable option in VPE to bypass vmware horizon desktop/app traffic for Internal users.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3

1977933 : TMM might crash under certain conditions

Links to More Info: K000156741, BT1977933

1977917 : TMM might crash under certain conditions

Links to More Info: K000156741, BT1977917

1976925-2 : Device dos whitelist not working properly for DNS dos protection when BA enabled

Links to More Info: BT1976925

Component: Advanced Firewall Manager

Symptoms:
-- When VLANs are configured in the network-whitelist, TCP traffic was properly bypassed, and DOS attack alarms were not triggered.
-- DNS traffic, despite being sent from whitelisted VLANs, still trigger DOS attack alarms.

Conditions:
-- VLANs assigned to the network-whitelist.
-- Virtual wire mode (vWire) configured with the configured VLAN tags.
-- Behavioral Analysis (BA) is enabled alongside DNS A Query and DNS AAAA Query attack vectors.

Impact:
Despite being whitelisted, DNS queries (e.g., high-volume traffic) trigger DOS detection and mitigation due to improper whitelist logic handling. DNS resolution is disrupted.

Workaround:
None

Fixed Versions:
21.0.0

1976513 : Some ASM entity names are not shown in the REST error response message

Links to More Info: BT1976513

Component: Application Security Manager

Symptoms:
A REST response of patching a hostname for Virus Detection Server is missing ASM entity name "hostname" in the error message

Conditions:
A REST request is made on a specific ASM entity and error response is returned

Impact:
The error message in REST response may be unclear

Workaround:
None

Fix:
ASM entity names are shown in the REST error response message successfully

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3

1976113-1 : Deployment of BIG-IP Best Plus images on Azure fails with OSProvisioningClientError

Links to More Info: BT1976113

Component: TMOS

Symptoms:
When deploying BIG-IP Best Plus images in Azure, the deployment process fails with the following error message status:

Status: "OSProvisioningClientError"

Despite this error, the VM may still allow SSH login, causing confusion about the actual deployment status.

Conditions:
- Occurs during provisioning of BIG-IP Best Plus images in Azure.
- The error is related to SSH key generation timing during the provisioning process.

Impact:
- Deployment status is reported as Failed even though the VM is accessible via SSH.
- Automation workflows relying on successful provisioning status may break.
- Users may assume the deployment is unusable, leading to unnecessary troubleshooting or redeployment.

Workaround:
- After receiving the error, verify if the VM is accessible via SSH.
- If accessible, you can proceed with manual configuration.

Fix:
The fix ensures that the necessary SSH keys are generated prior to the service initialization.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1

1975941 : Alternate_response_content length greater than 51200 in ACCOUNT_ALTERNATE_RESPONSE_FILE causing ASM restart loop

Links to More Info: BT1975941

Component: Application Security Manager

Symptoms:
Bd goes into a restart loop

Conditions:
Custom response body configured with tokens present and length becomes greater than 51200 after replacing tokens with their respective values.

Impact:
Bd constantly restarts. Traffic disrupted while bd restarts.

Workaround:
Reduce the size of response body less than 51200

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3

1975885-1 : Massive M_ACCESS string leak in TMM

Links to More Info: BT1975885

Component: Access Policy Manager

Symptoms:
Memory leak while deleting apm session.

Conditions:
-- Running a version that fixed ID 1672257 (currently version 17.5.0)
-- Access sessions are deleted

Impact:
Increase in tmm memory

Workaround:
None

Fixed Versions:
21.0.0

1974801 : Deprecated PKCSv1.5 in Marvell affects r5000-DF and r10000-DF Platforms

Component: Local Traffic Manager

Symptoms:
- SSL profile configuration fails with Marvell HSM keys
- SSL handshake fails during runtime
- Configuration rejection messages in UI/API
- Runtime errors and aborted connections

Conditions:
All 6 conditions must be present:

Platform: Marvell r5000-DF or r10000-DF
F5OS Version: ≥ 1.5.3
FIPS Firmware: ≥ 2.09
SSL profile references Marvell on-board HSM key
Cipher list includes only RSA key exchange
Attempting PKCS#1 v1.5 padding operations

Impact:
Configuration rejections and handshake failures

Workaround:
Update Cipher Suites (Primary recommendation) - Use ECDHE instead of RSA key exchange

Fixed Versions:
21.0.0

1972369 : BD performance improvement

Links to More Info: BT1972369

Component: Application Security Manager

Symptoms:
A specific performance issue that can be fixed occurs on a basic structure used throughout the BD.

Conditions:
ASM is configured and traffic is passing.

Impact:
Increased CPU utilization.

Workaround:
None

Fix:
Fixed the performance issue.

Fixed Versions:
21.0.0, 17.5.1.3

1971217 : False negative with illegal redirect attempt

Links to More Info: BT1971217

Component: Application Security Manager

Symptoms:
ASM does not block illegal redirect attempt in a certain scenario

Conditions:
Occurs with a specific configuration on ASM and a specific server redirect response .

Impact:
False negative.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3

1969861 : [APM][NTLM]ECA core SIGSEGV

Links to More Info: BT1969861

Component: Access Policy Manager

Symptoms:
ECA cores repeatedly

Conditions:
NTLM Configuration in APM

Impact:
Cannot process NTLM traffic.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3

1968237 : Configuration fails to load post upgrade due to invalid DoS signature predicate 'ip flags'★

Links to More Info: BT1968237

Component: Advanced Firewall Manager

Symptoms:
After upgrading from v16.1.4.1 to v17.1.2.2, both device slots remain in an offline state.
Configuration fails to load due to a DoS signature issue (/Common/dos_Sig).
The system throws the following error:
>01071cc8:3: Dos Signature (/Common/dos-common/Sig_69253_39_1737834503): Arg (Fragmented) for predicate 'IP Flags' is invalid for DNS/NETWORK signature.

Conditions:
-- DoS signatures are configured using persistence-based predicates such as ‘IP Flags’.
-- Configuration executed via tmsh commands as outlined in the documentation:
https://clouddocs.f5.com/cli/tmsh-reference/v15/modules/security/security_dos_dos-signature.html
-- This can be configured via the GUI as well
-- Issue occurs when upgrading from 16.1.4.1 to 17.1.2.2.

Impact:
Device will be in offline state Post Upgrade

Workaround:
None

Fix:
Fixed

Fixed Versions:
21.0.0, 17.5.1.3

1968033 : Remove the unused ImageMagick package from BIG-IP

Component: TMOS

Symptoms:
ImageMagick-6.7.8.9-15.el7_2 is no longer used anywhere in BIG-IP and is being removed.

Conditions:
None

Impact:
None

Workaround:
None

Fix:
ImageMagick has been removed from BIG-IP.

Fixed Versions:
21.0.0, 17.5.1.3

1967025 : Improved Permission Handling in REST SNMP Endpoint and TMSH

Component: TMOS

Symptoms:
Certain requests to the REST SNMP endpoint and TMSH improperly handle user permissions, which may lead to inconsistent behavior or access concerns.

Conditions:
Not specified

Impact:
Security best practices are not followed.

Workaround:
Only allow trusted administrators to access the REST interface or TMSH. Restrict management access to secure and trusted networks.

Fix:
User permissions for both REST SNMP endpoint and TMSH are now handled as expected, ensuring proper enforcement of access controls.

Fixed Versions:
21.0.0

1966849-1 : CVE-2023-5869 postgresql: Buffer overrun from integer overflow in array modification

Links to More Info: K000152931

1966729 : Endpoint inspection not working with chrome browser

Links to More Info: BT1966729

Component: Access Policy Manager

Symptoms:
Endpoint inspection may not start when virtual server is accessed from Chrome browser of MacOS. When refreshed it may work properly.

Also client-type agent in access policy incorrectly detects MacOS as win11.

Conditions:
-- User accesses virtual server via a Chrome browser on MacOS.
-- Access policy has "client os" agent in VPE.

Impact:
Server incorrectly detects client platform macOS as win11

Workaround:
When HTTP_REQUEST {

if {[HTTP::uri] equals "/my.policy"} {
if {[HTTP::header exists "Sec-CH-UA-Platform-Version"] && [HTTP::header exists "Sec-CH-UA-Platform"]} {
set platform [string tolower [HTTP::header value "Sec-CH-UA-Platform"]]
set platform [string tolower [string trim [string map {＼" ""} $platform]]]
if { $platform ne "windows" } {
         HTTP::header remove "Sec-CH-UA-Platform-Version"
         log local0. "Removing header $platform"
}
}
}
}

when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}

Fix:
Server should detect platform correctly if client is using macOS.

Fixed Versions:
21.0.0, 17.5.1.2

1966313 : Websocket event logs show "N/A" for virtual server name except during upgrade request

Links to More Info: BT1966313

Component: Application Security Manager

Symptoms:
Remote logging for WebSocket traffic may display "N/A" in the vs_name field for messages other than the initial upgrade request.

Conditions:
Occurs when using a remote logging profile in CSV format with ASM and WebSocket traffic on a configured virtual server.

Impact:
Log entries may lack clarity or traceability due to missing virtual server name information, potentially complicating monitoring and troubleshooting.

Workaround:
None

Fixed Versions:
21.0.0

1965849-2 : [APM] TMM core is observed in validating the saml assertion signature

Links to More Info: BT1965849

Component: Access Policy Manager

Symptoms:
In SAML assertion signature validation, there is an error scenario where a macro in the defined log expects multiple arguments, which have been incorrectly passed.

Conditions:
SAML SP is configured with
- Invalid certificates.
- Or incorrect permission for certificates.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
SAML is configured with proper certificates with proper permissions.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3

1965329 : TMM may crash when re-declaring an LTM policy with a data-group

Links to More Info: BT1965329

Component: Local Traffic Manager

Symptoms:
TMM may crash when re-declaring an LTM policy with a data-group.

Conditions:
-- AS3 declaration that has a VIP with an LTM policy that uses a data-group.
-- The policy is re-declared while there is traffic on the VIP

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Declare while no traffic is on the VIP
Use iRules instead of LTM policies to access the data-group

Fix:
Tmm no longer crashes

Fixed Versions:
21.0.0

1965053 : Keymgmtd: Incorrect and misleading debug log statements

Links to More Info: BT1965053

Component: TMOS

Symptoms:
A few debug log statements in the keymgmtd daemon are inaccurate or misleading, resulting in confusion and difficulty when troubleshooting production issues.

Conditions:
Reviewing keymgmtd logs

Impact:
Misleading debug log messages

Workaround:
None

Fix:
Fixed misleading log messages

Fixed Versions:
21.0.0, 17.5.1.2

1962785 : Monitors of type snmp_link can fail

Links to More Info: BT1962785

Component: Global Traffic Manager (DNS)

Symptoms:
Monitors of type snmp_link can fail as they may not be added to the active probe list.

Conditions:
Use of monitor type snmp_link.

Impact:
Availability status may be shown in red.

Workaround:
None

Fix:
Removed the condition check for adding Monitors to the active probe list.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3, 16.1.6.1

1962073 : Creation of file type entries with trailing and/or leading spaces is allowed via REST in ASM policy

Links to More Info: BT1962073

Component: Application Security Manager

Symptoms:
Duplicate 'File Type' entries seen in ASM policy

Conditions:
'File Type' entries in ASM policy created via REST

Impact:
'File Type' protection do not work as expected

Workaround:
Delete the existing entries and add them via GUI

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3

1959725 : CVE-2024-42322 kernel: ipvs: properly dereference pe in ip_vs_add_service

Component: TMOS

Symptoms:
In the Linux kernel, the following vulnerability has been resolved: ipvs: properly dereference pe in ip_vs_add_service Use pe directly to resolve sparse warning: net/netfilter/ipvs/ip_vs_ctl.c:1471:27: warning: dereference of noderef expression

Conditions:
Linux kernel 4.7 up to (but not including) 5.10.237, 5.15.181, 6.1.119, 6.6.44, 6.10.3, and 6.11 are vulnerable to this CVE.

Impact:
Exploitation of the vulnerability could cause the system to become unavailable (DoS).

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3

1959709-1 : "Europe" IPs are allowed despite blocking all European countries

Links to More Info: BT1959709

Component: Application Security Manager

Symptoms:
Blocked Europe IP being allowed to access the web service

Conditions:
In ASM policy, configure to block all European countries. Thus any IP from 'Europe' should be blocked.

Impact:
IP access to the web service is allowed, which was supposed to be blocked.

Workaround:
None

Fixed Versions:
21.0.0, 16.1.6.1

1959513 : CVE-2023-52803 kernel: SUNRPC: Fix RPC client cleaned up the freed pipefs dentries

Component: TMOS

Symptoms:
BIG-IP is impacted because the vulnerable SUNRPC code for CVE-2023-52803 is present as a loadable kernel module in the affected kernel version (3.10.0). Although the module is not loaded by default, a privileged (root) user could load and use it, exposing the system to a potential denial-of-service via kernel crash if the vulnerability is triggered. Unprivileged or remote exploitation is not possible in the current configuration, so impact is limited to privileged misuse or error.

Conditions:
NA

Impact:
BIG-IP is impacted because the vulnerable SUNRPC code for CVE-2023-52803 is present as a loadable kernel module in the affected kernel version (3.10.0). Although the module is not loaded by default, a privileged (root) user could load and use it, exposing the system to a potential denial-of-service via kernel crash if the vulnerability is triggered. Unprivileged or remote exploitation is not possible in the current configuration, so impact is limited to privileged misuse or error.

Workaround:
Restrict shell and administrative access to trusted users only, and ensure that only authorized administrators are permitted to load kernel modules.

Fix:
Patched kernel to fix the CVE-2023-52803

Fixed Versions:
21.0.0, 17.1.3

1958513 : TMM might core with certain network traffic

Links to More Info: K000156691, BT1958513

1957157 : [nlad]OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.

Links to More Info: BT1957157

Component: Access Policy Manager

Symptoms:
You may observe below logs in /var/log/ltm
err nlad[31252]: OpenSSL: DRBG Continuous RNG test failed: DRBG stuck.
err fips_monitor[19162]: 01da0011:3: SelfTest/Integrity test failure detected, triggering reboot action

Conditions:
Conditions are unknown

Impact:
Unexpected reboot causing disruption to traffic and failover.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.3

1952881 : Tmm memory leak in SCTP metadata

Links to More Info: BT1952881

Component: Service Provider

Symptoms:
Tmm crashes on out of memory.

Conditions:
Virtual server configured with a sctp profile and a legacy diameter profile.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Use the recommended message routing framework (MRF) Diameter solution instead of the legacy diameter (MBLB) profile.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1

1952729 : Certificates with explicitly defined EC parameters are treated as invalid in Common Criteria mode and TLS communication will be rejected.

Links to More Info: BT1952729

Component: TMOS

Symptoms:
In Common Criteria mode, BIG-IP accepts certificates with explicit EC parameters

Conditions:
1. BIG-IP is in Common Criteria (Common Criteria) mode
2. BIG-IP has ECC certificates as a Server and/or Clients/Servers interacting with BIG-IP sending ECC certificates with Explicit EC params.

Impact:
In Common Criteria mode, BIG-IP accepts certificates with explicit EC parameters and TLS connection is successful.

Workaround:
None

Fix:
Added fix to reject certificates with explicit defined EC params by BIG-IP.

Fixed Versions:
21.0.0, 17.5.1.2

1952657 : In FIPS-CC mode ECC Certificates with explicitly defined EC parameters are accepted

Links to More Info: BT1952657

Component: Local Traffic Manager

Symptoms:
BIG-IP accepts certificates with explicit EC parameters enabled while importing and handshakes will be successful.

Conditions:
1. BIG-IP is in CC (Common Criteria) mode
2. BIG-IP has ECC certificates as a Server and/or Clients/Servers interacting with BIG-IP sending ECC certificates with Explicit EC params

Impact:
BIG-IP improperly imports certificates with explicitly-defined EC params when running in Common Criteria mode.

Workaround:
None

Fix:
Added fix to reject certificates with explicit defined ec params by BIG-IP while importing

Fixed Versions:
21.0.0, 17.5.1.2

1952557 : DB monitor incorrectly marks pool member UP if recv string configured but no results from DB server

Links to More Info: BT1952557

Component: Local Traffic Manager

Symptoms:
A database monitor (mssql, mysql, oracle, postgresql) may incorrectly mark a pool member as UP if the monitor is configured with a 'recv' string, but the query configured in the 'send' string does not return any results from the database server.

In this case, the DB (database) monitor attempts to match the 'recv' string to the result set from the database server, and fails to mark an empty result set as a mismatch.

Conditions:
-- A DB (database) monitor (mssql, mysql, oracle, postgresql) is configured and applied to an LTM or GTM pool.
-- The DB monitor has a 'send' string configured with a query that does not return any results from the database server.
-- The DB monitor has a 'recv' string configured.

Impact:
Pool members may be incorrectly marked UP.

Workaround:
In the DB monitor configuration, modify the query in the 'send' to return a result that does not match the 'recv' string.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1

1937817 : CVE-2025-54500: A Particular HTTP/2 sequence may cause High CPU utilization [MadeYouReset]

Links to More Info: K000152001, BT1937817

1937777 : The client can resume a TLS session using psk_ke mode in the psk_key_exchange_modes extension.

Links to More Info: BT1937777

Component: Local Traffic Manager

Symptoms:
In TLS, the psk_key_exchange_modes extension in the Client Hello specifies the supported key exchange modes for resuming sessions with pre-shared keys (PSK).
As per Common Criteria guidelines, if client hello contains only psk_ke mode in the "psk_key_exchange_modes" extension then TLS handshake either (1) implicitly rejects the session ticket by performing a full handshake, or (2) terminates the TLS handshake to prevent the flow of application data.

Conditions:
In ClientHello, only psk_ke mode should be present in the "psk_key_exchange_modes" extension.
ClientHello should contain "pre_shared_key" extension too.

Impact:
TLS handshake will be successful with this configuration.

Workaround:
None

Fix:
Updated the code to perform full handshake if psk_ke mode present in the "psk_key_exchange_modes" extension.

Fixed Versions:
21.0.0, 17.5.1.2

1936421 : Core generated for autodosd daemon when synchronization process is terminated

Links to More Info: BT1936421

Component: Advanced Firewall Manager

Symptoms:
Autodosd cores on SIGSEGV.

Conditions:
-- AFM DoS vectors configured
-- This can occur during normal operation but the specific conditions that trigger it are unknown

Impact:
Autodosd is restarted, but up to 15 seconds of history may be lost.

Workaround:
None

Fix:
Fixed an autodosd crash.

Fixed Versions:
21.0.0, 17.5.1, 17.1.3

1936233 : TMM mismanagement of IPsec connections can slowly leak memory and cause tunnel negotiation to fail

Links to More Info: BT1936233

Component: TMOS

Symptoms:
-- The BIG-IP cannot setup a specific IPsec tunnel.
-- The BIG-IP may eventually run out of memory, or core

Conditions:
-- IPsec IKEv2
-- Tunnel config changes, or tunnel never works from initial setup

Impact:
-- TMM may run out of memory after a very long time
-- TMM may core due to the leaked connections

Workaround:
None

Fix:
The connection leak will not happen.

Fixed Versions:
21.0.0, 17.5.1.2

1935833 : Tmm cores with "ERR: Attempting to send MPI message to ourself"

Links to More Info: BT1935833

Component: TMOS

Symptoms:
A TMM crash occurs, tmm_assert is triggered if an MPI message is sent to the same TMM (self).

Conditions:
New IPsec tunnel configured or deleted and High Availability config sync is started.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.

Fix:
The crash no longer occurs.

Fixed Versions:
21.0.0, 17.5.1.2

1935053 : Impact of crypto queue limits on SSL handshake reliability

Links to More Info: BT1935053

Component: Local Traffic Manager

Symptoms:
SSL handshake failures triggered by sudden connection spikes and crypto queue saturation

Conditions:
1. Brief surge in SSL connection volume
2. Saturation of the crypto processing queue

Impact:
Degraded service availability due to SSL handshake disruptions

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3, 16.1.6.1

1934865 : Remove multiple redundant entries for port-list objects in configuration file

Links to More Info: BT1934865

Component: Advanced Firewall Manager

Symptoms:
When a port-list object is created using TMSH, REST or GUI under any context, redundant entries for the same object are generated in the configuration file under three contexts:

net port-list
security firewall port-list
security shared-objects port-list
For example, a port-list created using one CLI results in multiple entries referring to the same schema object, such as:
net port-list /Common/portListExample {
    ports {
        80 { }
        443 { }
    }
}

security shared-objects port-list /Common/portListExample {
    ports {
        80 { }
        443 { }
    }
}


security firewall port-list /Common/portListExample {
    ports {
        80 { }
        443 { }
    }
}

This behaviour causes unnecessary duplication in the configuration file.

Conditions:
Creating a port-list object in any context results in the same object being added as three separate entries in the configuration file.

Ex: Using TMSH CLI configuration.
Redundant entries occur in the configuration file when:
A port-list object is created using any one of the following TMSH CLIs:
1. tmsh create net port-list
2. tmsh create security firewall port-list
3. tmsh create security shared-objects port-list
All three CLI commands point to the same object and record three separate entries in the configuration file.

Impact:
Redundant entries in the configuration file lead to:
1. Increased configuration file size unnecessarily.
2. Risk of user confusion during manual editing or review of configuration files.

This issue does not impact runtime functionality or object behaviour, but it introduces maintenance overhead when users interact with their configurations.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1

1934781 : In FIPS-CC mode ECC Certificates with explicitly defined EC parameters are accepted

Links to More Info: BT1934781

Component: Local Traffic Manager

Symptoms:
BIG-IP accepts certificates with explicit EC parameters enabled and handshakes will be successful.

Conditions:
1. BIG-IP is in CC (Common Criteria) mode
2. BIG-IP has ECC certificates as a Server and/or Clients/Servers interacting with BIG-IP sending ECC certificates with Explicit EC params

Impact:
BIG-IP improperly accepts certificates with explicitly-defined EC params when running in Common Criteria mode.

Workaround:
None

Fix:
Added fix to reject certificates with explicit defined ec params by BIG-IP

Fixed Versions:
21.0.0, 17.5.1.2

1934513 : Redefinition of xlink namespace leads to 'malformed document' violation

Links to More Info: BT1934513

Component: Application Security Manager

Symptoms:
An unexpected 'malformed document' violation is seen

Conditions:
- XML schema with redefined xlink namespace is set
- Request contains redefined xlink namespace

Impact:
False positive

Workaround:
None

Fix:
Redefinition of xlink namespace can be enabled through setting ASM internal variable 'allowXLINKRename' to 1

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3

1934493 : BIG-IP SFTP hardening

Links to More Info: K000151902, BT1934493

1934401 : iSeries HSB v5.26.8.0 firmware

Links to More Info: BT1934401

Component: TMOS

Symptoms:
iSeries HSB v5.26.8.0 firmware

Conditions:
iSeries i11000 series appliance

Impact:
Not applicable.

Workaround:
Not applicable.

Fix:
Fixes HSB bit-flip issues. See ID891333 for more information.

Fixed Versions:
21.0.0, 17.5.1

1934397 : SSL Orchestrator l2 inline monitor failure on r2000 or r4000 tenants

Links to More Info: BT1934397

Component: Local Traffic Manager

Symptoms:
SSL Orchestrator l2 inline monitors may not function correctly on r2000 or r4000 tenants.

Conditions:
-- SSL Orchestrator
-- l2 inline monitor

A traffic capture will show packets being egressed out one interface and not arriving at the other.

Impact:
The l2 inline service monitored via these interfaces will be marked down.

Workaround:
The issue is due to the MAC filter that is installed for every interface's MAC address. When the filter also matches a vlan MAC address this issue occurrs.

Compare the output of

tmsh show net interface all-properties
and
tmsh show net vlan

and make sure there is no MAC overlap. If there is, create some "dummy" vlans to move the overlap.

After creating dummy vlans, re-assign the MACs with the following command

tmsh modify ltm global-settings general share-single-mac global
tmsh modify ltm global-settings general share-single-mac unique

Fix:
We now provide a workaround to disable MAC filters via xnet_init.tcl

echo -e "drvcfg iavf uc_mac_filter 0＼ndrvcfg iavf mc_mac_filter 0" >> /config/xnet_init.tcl

bigstart restart tmm

Fixed Versions:
21.0.0, 17.1.3

1934393 : iSeries HSB v5.9.14.0 firmware

Links to More Info: BT1934393

Component: TMOS

Symptoms:
iSeries HSB v5.9.14.0 firmware

Conditions:
iSeries i5000, i7000, or i10000 series appliance

Impact:
Not applicable.

Workaround:
Not applicable.

Fix:
Fixes HSB bit-flip issues. See ID891333 for more information.

Fixed Versions:
21.0.0, 17.5.1

1934385 : iSeries HSB v4.3.5.0 firmware

Links to More Info: BT1934385

Component: TMOS

Symptoms:
iSeries HSB v4.3.5.0 firmware

Conditions:
iSeries i2000 or i4000 series appliance

Impact:
Not applicable.

Workaround:
Not applicable.

Fix:
Fixes HSB bit-flip issues. See ID891333 for more information.

Fixed Versions:
21.0.0, 17.5.1

1934157 : Http2 monitor fails if a pool is used for routing to pool members

Links to More Info: BT1934157

Component: Local Traffic Manager

Symptoms:
Http2 monitoring reports all pool members as down

Conditions:
The TCP connection to the pool members are sent to the gateway instead of the pool members

Impact:
Http2 monitoring not possible

Workaround:
Use tcp monitoring or https if possible and acceptable.

Fixed Versions:
21.0.0

1933825 : High cpu usage by BD

Links to More Info: BT1933825

Component: Application Security Manager

Symptoms:
High cpu usage by BD

Conditions:
A specific condition leads BD to unnecessary high CPU

Impact:
High CPU

Workaround:
None

Fix:
BD no longer causes high CPU under the specific condition.

Fixed Versions:
21.0.0, 17.5.1.3, 17.1.3

1930945-1 : [APM][KERBEROS][NTLM FALLBACK] Kerberos Authentication fails post-upgrade to v17.5.0/v17.5.1 — “Profile '/Common/kerberos_auth_config_default' was not found” and ECA Crashes★

Links to More Info: BT1930945

Component: Access Policy Manager

Symptoms:
1.ECA process continuously restarts (SIGSEGV/crash).

2. /var/log/apm contains errors indicating missing Kerberos config and NTLM fallback.

Conditions:
1. kerberos usecase

Impact:
1. Kerberos authentication fails, leading to unsuccessful proxy access for domain-joined users.

Workaround:
None

Fixed Versions:
21.0.0, 17.5.1

1928749 : TMM cores in rare circumstances

Links to More Info: BT1928749

Component: TMOS

Symptoms:
TMM cores in rare circumstances

Conditions:
Can occur after High Availability (HA) failover.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None

Fix:
TMM crash prevented.

Fixed Versions:
21.0.0, 17.5.1.2, 17.1.3

1928537 : Missing initial PKCS11d login state causes login failures on certain AWS CloudHSMs

Links to More Info: BT1928537

Component: Local Traffic Manager

Symptoms:
The PKCS11d daemon did not properly initialize the login state for each partition. It was previously assumed that a user was effectively “logged in” on startup, even though no explicit state indicated CKR_USER_NOT_LOGGED_IN.

This worked with older HSMs and earlier AWS CloudHSM SDK3 primarily because those libraries did not strictly require an explicit CKR_USER_NOT_LOGGED_IN state; they would either auto-login or return CKR_USER_ALREADY_LOGGED_IN in most cases.

However, newer AWS CloudHSM libraries (SDK5) and other current HSM vendors require a proper indication that the user is not logged in to handle re-login flows correctly.

Conditions:
Use SDK version 5 with BIG-IP.

Impact:
Key creation fails.

Workaround:
None