Component: REST Framework and TMOS Platform

Symptoms:
When you upgrade the BIG-IQ system, the /var/config/rest/config/restjavad.properties.json file previously existing on the BIG-IQ is carried forward in the UCS archive and is preserved following the upgrade. The restjavad.properties.json file in the ISO is not deployed to the BIG-IQ.

The intended use of the restjavad.properties.json file was solely for users to optionally set customized values that overwrite some of the default application properties values. During some of the past releases prior to 8.0, some vendor (F5)-defined default property values were accidentally included in the restjavad.properties.json file in the ISO file. Any new property value that was added to the restjavad.properties.json file in a particular version will not exist on the BIG-IQ following an upgrade to that version.

Conditions:
Upgrade the BIG-IQ from a version begining with 5.1 to a version up to and including 7.1.0.3.

Impact:
Any new property value that was added to the restjavad.properties.json file in a particular version will not exist on the BIG-IQ following an upgrade to that version.

Note: This only affects upgrades, not new installs. The restjavad.properties.json file on a newly installed BIG-IQ will have the same content as the file in the ISO.

Workaround:
Following an upgrade:
1. Retrieve the restjavad.properties.json file from the ISO.
2. Apply (add or replace) to it any custom settings you previously configured.
3. Replace that file as the /var/config/rest/config/restjavad.properties.json file on the BIG-IQ.

See K02972920: The restjavad.properties.json file is not updated with a newer version after upgrading the BIG-IQ system: https://support.f5.com/csp/article/K02972920.

Fix:
This was fixed in BIG-IQ 8.0.0. The restjavad.properties.json file in the ISO no longer contains any default application properties values.

On upgrade to version 8.0.0 or newer, the BIG-IQ will just work correctly, using the property values in the file prior to the upgrade. F5 recommends to replace the restjavad.properties.json file from the earlier BIG-IQ version with the new, clean file from the ISO, and only add to the file the property values you want to be different from the defaults.

For more information, see K62981141: Overview on the BIG-IQ restjavad property file: https://support.f5.com/csp/article/K62981141.

Behavior Change:
The restjavad.properties.json file in the ISO no longer contains any default application properties values.

Component: AppIQ

Symptoms:
When upgrading BIG-IQ to version 8.0.x, the upgrade might fail on some DCDs if the upgrade of DCD takes longer than 90 min.

Conditions:
Upgrade a DCD with a large amount of data.
The following error appears in the BIG-IQ var/log/restjavad.0.log:

Unable to complete software installation for {device-name} due to timeout

or:

Failed to start device software install due to time out

Impact:
The BIG-IQ upgrade fails and there is no automatic roll-back process. All DCDs that were upgraded successfully (before the timeout) must be rolled back to the previous partition (previous version). The last DCD that failed on timeout will need a manual reboot to the previous version.

Workaround:
The timeout is hardcoded. To work around this timeout us one of the following solutions:

1.Perform an incremental upgrade to the following versions before upgrading to 8.0.x:
7.0.0.2 or 7.1.0.3 where this bug is fixed.

OR

2.
Complete the rollback procedure and increase disk space before upgrading to 8.0.x

Fix:
The timeout is now 3.5 hours, rather than 90 minutes.
In addition new external parameters were added if 3.5 hours is not enough:
IF ever 3.5 hours will not be enough time for the upgrade, you can increase the timeout at restjavad parameters:
    private static final int INSTALL_CHECK_RETRIES = ServerProperties.getPropertyAsInt("platform", "clusterUpgrade",
            "isoInstallCheckRetries", 2520);
    private static final int SYSTEM_UP_CHECK_RETRIES = ServerProperties.getPropertyAsInt("platform", "clusterUpgrade",
            "upgradeSystemUpCheckRetries", 120);

Component: BIG-IQ Configuration - Security - Network Security

Symptoms:
After you upgrade BIG-IQ from version 5.4 to 7.1.0.2, you might not be able to edit some of the Network Security Context objects created in BIG-IQ version 5.4.

Conditions:
When you upgrade BIG-IQ from version 5.4 to BIG-IQ 7.1.0.2, and try to edit the Self-IP context objects created using BIG-IQ version 5.4 version through the BIG-IQ user interface.

Impact:
You cannot edit some Network Security Context objects.

Workaround:
N/A

Fix:
This issue is now fixed and you can now edit Network Security Context objects after upgrading BIG-IQ.

Component: AppIQ

Symptoms:
Under certain circumstances, the time period shown in monitoring graphs when selecting "Last Hour" or "Last 30m" is incorrect - it shows one hour of offset compared to the local time.

Conditions:
The way to reproduce this is to change the computer's timezone. Once the computer timezone is changed, browse to a dashboard (e.g. /monitoring/dashboards/device/health), select "Last Hour" and see the wrong X axis showing times from the future.

Impact:
Displays of unexpected time in graphs.

Fix:
The chart axes displayed are according to the operator's time-zone and not the time-zone of the BIG-IQ device location. This has always been the way BIG-IQ displays information.
 
When the operator requests statistics for a specific time period, e.g. last hour, the returned statistics are for the operator's last hour. This is to show real-time data regardless of the operator's location.

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
The Analytics processes appiqpostaggregator and appiqquery don't function correctly and might become OOM.

Conditions:
In rare instances, the BK may become corrupted. This may be temporal corruption of the ES cluster.

Impact:
The Analytics process receives exceptions, which affects its normal functionality.

Workaround:
N/A

Fix:
BIG-IQ now fixes itself when new BK is created for a particular module that becomes corrupted.

Component: REST Framework and TMOS Platform

Symptoms:
BIG-IQ creates an alert on the Monitoring > Alerts screen with an SSL certificate expires.

Conditions:
Always

Impact:
High

Workaround:
If BIG-IQ isn't in a high availability configuration, regenerate a new certificate by typing the following command: run ha_generate_certs -f <discovery_ip>.

If BIG-IQ is currently in high availability configuration, create a certificate and install it on its peer by running the following script on the BIG-IQ on which the certificate is expired/expiring:

ha_rotate_certs -i <discovery_ip> -p <peer_discovery_ip>

Fix:
When an SSL certificate expires run the following command.

For BIG-IQ that is not part of a high availability configuration: run ha_generate_certs -f <discovery_ip>

For BIG-IQ that is in a high availability configuration: ha_rotate_certs -i <discovery_ip> -p <peer_discovery_ip>

Component: BIG-IQ SSL Orchestrator

Symptoms:
You cannot import BIG-IP device configurations to BIG-IQ if the BIG-IP devices and your BIG-IQ have any deployed SSLO configurations with the same name.

The import process for all BIG-IP devices with duplicate SSLO topology names fails with the error message "Duplicate names 'sslo_XXXX' detected between the BIG-IP device and BIG-IQ, please delete them on either side, then discover again."

Conditions:
This issue occurs when the name of the SSLO configuration deployed onto the BIG-IP device you want to import is the same as the name of an SSLO configuration originating from a BIG-IP device already being managed by BIG-IQ.

Impact:
You will not be able to discover and import the configuration to the BIG-IQ, unless you delete or rename the SSLO configuration in BIG-IQ causing the issue and re-deploy the topology.

Workaround:
N/A

Fix:
Discovery and import of BIG-IP devices with SSLO provisioned is successful, even when you use the same name for SSLO configurations across multiple BIG-IP devices, provided all BIG-IP devices are running the same SSLO RPM version.

Component: REST Framework and TMOS Platform

Symptoms:
Unspecified workers not being handled properly by REST API

Impact:
REST API not following best practice handling some workers

Workaround:
None

Fix:
REST API now following best practice handling workers

Component: BIG-IQ Application Management

Symptoms:
If you try to deploy an AS3 template from BIG-IQ that defines a GSLB_Domain using 'poolsCName' instead of 'pools', it fails with the following error: "Failed to execute step SET_TENANT: java.lang.NullPointerException""

Conditions:
Attempting to deploy AS3 deployments from BIG-IQ that defines a GSLB_Domain using 'poolsCName' instead of 'pools'.

Impact:
Unable to deploy the Application Service.

Workaround:
Use 'pools' instead of 'poolsCName' for the GSLB_Domain.

Fix:
BIG-IQ now collect the pool value from either 'pools' or 'poolsCName'.

Component: AppIQ

Symptoms:
Adjust the retention configuration for specific statistics groups (such as HTTP or ASM).

Conditions:
User wants configure a different retention for each statistics index group, rather than using the same global retention for all statistic groups.

Impact:
No system impact

Fix:
For BIG-IQ 8.0 it is possible to configure a different retention for each index type.
Generally all the statistics have the same retention that configured at:
https://{BIG-IQ-IP}/ui/system/bigiq-data-collection/cluster/settings/statistics-collection/configure

The retention can be configure for raw, hourly, daily, or monthly indexes or as we call them tl0,tl1,tl2,tl3 at elasticsearch db.

the default is [tl0,tl1,tl2,tl3] = [PT10H, P7D, P31D, P365D]

Lets say we want to configure a different retention for 2 statistics modules: http and asm.

We first need to find out what is the group names of those modules (each group contains number of modules and the retention is configured per some group and not for some individual module).

We first got to BIG-IQ CM console and send the following rest call:

# curl -X GET localhost:8898/mgmt/ap/v1/platform-config/resources/dynamic_global_parameter/modules-group-retention-global-parameters | jq . | less

{
  "kind": "dynamic_global_parameter",
  "ownerGroup": "appiq",
  "id": "modules-group-retention-global-parameters",
  "dependsOn": [],
  "state": "ACTIVE",
  "deploymentTarget": "any",
  "parameters": {
    "dos-detailed-group": {
      "name": "dos-detailed-group",
      "value": [
        "",
        "",
        "",
        ""
      ]
    },
    "afm-group": {
      "name": "afm-group",
      "value": [
        "",
        "",
        "",
        ""
      ]
    },
    "tcp-group": {
      "name": "tcp-group",
      "value": [
        "",
        "",
        "",
        ""
      ]
    },
    "asm-group": {
      "name": "asm-group",
      "value": [
        "",
        "",
        "",
        ""
      ]
    },

.
.
.

    },
    "dns-detailed-group": {
      "name": "dns-detailed-group",
      "value": [
        "",
        "",
        "",
        ""
      ]
    },
    "http-group": {
      "name": "http-group",
      "value": [
        "",
        "",
        "",
        ""
      ]
    }
  },
  "selfLink": "https://localhost/mgmt/ap/v1/platform-config/resources/dynamic_global_parameter/modules-group-retention-global-parameters"
}


We can see here the 2 group names that we would like to configure: "http-group" and "asm-group".

We can see that each group has an array of size 4 - this is for the [tl0,tl1,tl2,tl3] different configuration - if it has empty string than the value is taken from the default configuration that configured at the UI (as explained above).

Let's say we would like the configure for the http-group different retention for tl0 and tl1 and for asm-group a different retention for tl1 and tl2 - then we will send the following rest:

curl -X PATCH localhost:8898/mgmt/ap/v1/platform-config/resources/dynamic_global_parameter/modules-group-retention-global-parameters -H 'Content-Type: application/json' -d '
{
"kind": "dynamic_global_parameter",
"ownerGroup": "appiq",
"id": "modules-group-retention-global-parameters",
"deploymentTarget": "any",
"parameters":
{
"http-group":
{
"name": "http-group",
"value": [
"PT24H",
"P12D",
"",
""
]
},
"dos-group":
{
"name": "dos-group",
"value": [
"",
"P5D",
"P62D",
""
]
}
}
}
'

Please note that the name of the group must appear twice - as the parameter name with the "name" inside.

Component: REST Framework and TMOS Platform

Symptoms:
Tokumond logs show incorrect values for the amount of available storage

2020-08-18_06:40:01.087121086 [INFO] 67% storage available. Exiting...
2020-08-18_06:50:01.924146033 [INFO] 67% storage available. Exiting...
2020-08-18_07:00:01.899879226 [INFO] 67% storage available. Exiting...
2020-08-18_07:10:01.932731808 [INFO] 61% storage available. Exiting...
2020-08-18_07:20:01.382651783 [INFO] 33% storage available. Exiting...
2020-08-18_07:30:01.338448881 [INFO] 15% storage available. Exiting...
2020-08-18_07:40:01.458523897 [INFO] 100% storage available. Exiting..

Conditions:
When /var gets up to 100% used, the returned value is "00%" and the available space shows as 100%.

Impact:
Incorrect and confusing messages may appear in the log files.

Workaround:
N/A

Fix:
Tokumond logs now show the correct calculation of amount of space available for /var.

Solution Article: K92678530

Component: AppIQ

Symptoms:
Elasticsearch is filled with hundreds of statistics in _t10_* indexes because the postaggregator stops working.

Conditions:
The retention of indexes stops working because the aggregation of indexes from tl0 to tl1 stops working, causing the tl0 indexes to accumulate and not aggregate.

Impact:
Elasticsearch begins to work slowly, become unresponsive, and some indexes might become corrupted. Retention stops working.

Workaround:
For BIG-IQ version version 7.1.x or earlier, refer to the solution article for workaround procedures.

Fix:
Issue fixed for version 8.0

To resolve ElasticSearch indexes that caused the ES be unresponsive then we have added index overflow protection in BIG-IQ v8.0.

If for some reason the ES indexes will start to accumulate data, then the agent manger will stop receiving new traffic from the index type that can cause the ES to become unresponsive.


When the indexes overflow protection mechanism kicks in, an empty graph appears for statistics in the affected monitoring screens - this is because the agentmanager temporarily stops receiving new statistics for this index type, until the affected index issue is resolved.

Also the appiqagent log (/var/log/appiq/agentmanager.log) for each DCD will throw the following error (for example if the http group index been accumulated beyond the threshold):

2021-01-01 01:34:29,748 ERROR c.f.a.a.r.s.StatisticsIndexesOverflowDetector [scheduling-1] The number of 'statistics_tl0_http-group*' indexes , 19, is above [retention(10) + high_watermark(8)]. ***** Any of those new Statistics will not be written to ElasticSearch - Please Check if the appiqconfigserver or appiqpostaggregator are OK and running at the BIG-IQ CM or check what is the root cause for this accumulation of the indexes *****

And if the number of the affected indexes are back to normal, the following log entry is shown:

2021-01-01 13:34:30,093 INFO c.f.a.a.r.s.StatisticsIndexesOverflowDetector [scheduling-1] The number of 'statistics_tl0_default-group*' indexes, 1, got back to normal ***** Those new Statistics writes will be resumed *****

Component: AppIQ

Symptoms:
The UI takes a long time to render pages that show active alerts related information.

Conditions:
The system is configured with a large number (thousands) of alerts

Impact:
Slowness of the UI in pages with active alert related information

Workaround:
Configure the query service to get alerts from in-memory storage (used by the health calculator process) instead of from elastic-search.

- In /var/config/appiq/queryservice/bin/run_queryservice_bigiq.sh, add "eventstore-alarms" to the "spring_profile" list.
- restart the query service using "bigstart restart appiquery" command.

Impact of workaround: There is a risk that a large amount of alerts will fill up the memory of appiqquery, hence it is important to increase its JVM memory, by editing the "/etc/biq_daemon_provision.json" file.
- If the alerts count on the UI is greater than 10k - the recommendation for 64GB systems is to increase the appiqquery JVM memory allocation from 800MB to 1.2GB while reducing the restjavad JVM memory allocation from 20000MB to 19600MB.
- If the alerts count on the UI is greater then 25k - the recommendation for 64GB system's is to increase the appiqquery JVM memory from 800MB to 2GB

For 32GB systems, the same values should apply. The only potential issue here is that it would not be safe to reduce the allocated JVM memory of restjavad in case the system has a large number of ASM devices with many ASM entities since, during import/discovery of these devices high memory consumption is expected by restjavad. Internal testing showed high memory consumption by restjavad with ~160 ASM devices and overall of 1000 policies. If this is not the case for your environment then you can safely modify the restjavad memory.

Once memory changes are done, query service and restjavad must be restarted, in order for the JVM memory changes to take effect, by running the command "bigstart restart restjavad appiqquery".

Fix:
Query service is configured by default to get alerts from in-memory storage (used by the health calculator process) instead of from elastic-search.

Data transfer between the health calculator service and query service has been improved to reduce the memory usage of the query service, which enables the query service to handle a much larger number of alerts without the need for increasing its JVM memory allocation.

Component: REST Framework and TMOS Platform

Symptoms:
Failover does not complete fully. You see an error in /var/log/restjavad.0.log:

Failed query '$skip=0&$top=150&$filter=name+eq+'*'&$orderby=name+asc&kind=cm:adc-core:working-config:ltm:pool:adcpoolstate&parentContext=https://localhost/mgmt/cm/adc-core/working-config/ltm/pool&modules=adc-core' - org.postgresql.util.PSQLException: ERROR: could not write to tuplestore temporary file: No space left on device

You also see diskmonitor errors:
err diskmonitor: 011d0004:3: Disk partition /var has only 7% free

Conditions:
This can occur if /var reaches 90% full, which can be caused by excessive table bloat in the Postgres database.

Impact:
HA configuration is removed, failover does complete.

Workaround:
Performing VACUUM FULL manually on DB will clean up bloat but can be disruptive to system. For more information on this procedure, see K18484011: BIG-IQ Reclaim unused disk space from postgres database, available at https://support.f5.com/csp/article/K18484011

Fix:
A weekly cron job has been scheduled that calls vacuum-digiq-db which will perform vacuum full on the 10 largest(memory) tables in bigiq_db

Component: REST Framework and TMOS Platform

Symptoms:
While in high availability (HA) pair, high /var usage will cause tokumond to stop on the primary but does not stop on the secondary, causing continued /var usage.

Conditions:
During high availability (HA) pair with high /var usage

Impact:
/var will eventually fill due to secondary tokumond not being filled

Component: REST Framework and TMOS Platform

Symptoms:
When a BIG-IQ has a large setup(database size), joining a device trust group may fail. If this occurs, the secondary's backup database may be removed.

Conditions:
-- Large database on BIG-IQ
-- You add the BIG-IQ to a device trust group

Impact:
Secondary device does not have a backup database after pairing fails

Fix:
Failed high availability (HA) backup does not remove secondary backup DB file anymore

Component: REST Framework and TMOS Platform

Symptoms:
BIG-IP may generate unsupported unicode error when policy workflows are triggered related to events:

ERROR: unsupported Unicode escape sequence
  Detail: \u0000 cannot be converted to text.
  Where: JSON data, line 1:

Conditions:
-- Policy workflows are created and triggered

Impact:
Unabled to see triggered workflows

Fix:
No longer see errors in restjavad logs

Component: BIG-IQ Access

Symptoms:
For BIG-IQ Access dashboards, no data will display when you select the "Before/After/Between" to view reports for a specific date-time range.

Conditions:
This occurs if you set the language on your computer to anything other than US English.

Impact:
You will be unable to view data for all Access dashboards. The error message "No Data Available" displays.

Workaround:
N/A

Fix:
The Access dashboards now display properly when a date-time filter is applied.

Component: REST Framework and TMOS Platform

Symptoms:
When upgrading BIG-IQ hardware, there is a race condition due to two different services trying to perform disk provisioning that might cause the hardware upgrade to fail.

Conditions:
Upgrading BIG-IQ hardware.

Impact:
The BIG-IQ upgrade fails.

Workaround:
Install BIG-IQ version 7.1.0.x in a new volume. Select the option to not automatically reboot to the new volume.
Mount the new volume using the command: volumeset -f mount {X}.
Edit /mnt/X/etc/bigstart/scripts/tokumx as follows:
- Add the following line after the existing 'setproperties ${service}' line: waitfor_disk_provisioning ${service}
- Replace the existing line 'if [ -f /bin/halid ]; then' with: if false; then
Unmount the new volume with the command: volumeset -f umount {X}.
Reboot to the new volume.

Fix:
BIG-IQ hardware upgrades no longer have two different services attempting to perform the disk provisioning.

Component: BIG-IQ Local Traffic & Management

Symptoms:
After discovering a BIG-IP device and importing its ASM service, BIG-IQ returns an error similar to the following:

-- Failed to copy configuration to working-config; reason: Failed copying from source to target: java.lang.IllegalArgumentException: Invalid entry "bot-defense" in "controls" string, valid options are: [acceleration, asm, avr, caching, ce, classification, client-ssl, compression, forwarding, l7dos, persistence, request-adaptation, response-adaptation, server-ssl, ssl-intercept, websocket].

Conditions:
This happens when you are running BIG-IQ version 7.1.0

This issue occurs when you import a BIG-IP with the following configuration:
a. BIG-IP contains a Bot Profile
b. BIG-IP contains an LTM Policy attached to this Bot Profile

Impact:
You cannot import the ASM services associated with the discovered BIG-IP device that contains bot-profiles.

BIG-IQ version 7.1.0 does support 'Anti-Bot Detection and Protection.

Fix:
Discovering a BIG-IP device and importing its ASM services that contain 'bot-profiles' no longer reports an error message.

Component: BIG-IQ Access

Symptoms:
The Access Session Summary page displays more than one entry per Session ID.

Conditions:
This happens when you view the Access Summary Page at BIG-IQ >> MONITORING >> DASHBOARDS >> Access >> Sessions >> Session Summary page.

Impact:
Some session details distributed across various columns are missing. Session details are duplicated across duplicate rows in the report.

Fix:
Session data is no longer listed twice on the dashboard, and this issue no longer occurs.

Component: BIG-IQ Access

Symptoms:
When trying to create a CSV report for active sessions, BIG-IQ returns an error similar to the following: "Error: No handler found for uri.".

Conditions:
This happens if you attempt to generate an Active Sessions report with more than 1,000 records.

Impact:
You cannot generate the CSV reports for Access reporting screens if the report contains a large number of records.

Workaround:
N/A

Fix:
This issue is now resolved and the Active Sessions CSV report properly downloads.

Component: REST Framework and TMOS Platform

Symptoms:
When searching for BIG-IP devices by IP addresses, BIG-IQ doesn't always include all results.

Conditions:
Searchnig for BIG-IP devices by IP addresses.

Impact:
Not all BIG-IP devices are displayed.

Workaround:
sed -i '/document._system_search_tags = row._system_search_tags;/a\ \ \ \ document._ranges = row._ranges;' /usr/share/rest/tokumon/src/transforms.js

bigstart kill tokumond

Fix:
The correct BIG-IP devices are displayed when searching by IP devices.

Component: BIG-IQ Local Traffic & Management

Symptoms:
Config sync fails and tunnel objects are configured incorrectly across devices in a device group.

Conditions:
All of the following:
 
1) BIG-IP is using a tunnel object
2) The tunnel is assigned to traffic-group-local-only
3) BIG-IP is configured with Device Services Clustering with config sync enabled.

Impact:
An incorrect tunnel object might be synced from one device to another device

Workaround:
A potential workaround is to have all tunnels on cluster reside on one BIG-IP device and import it last.

Fix:
Fixed an issue with config sync of tunnels that are assigned to traffic-group-local-only.

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Policy signatures that have passed the enforcement readiness period are not reported.

Conditions:
Create an ASM policy using Central Policy Builder and leave it active beyond 7 days (or the policy staging period). Check for signatures ready to be enforced.

Impact:
All signatures report readyToBeEnforced = false, even if there are signatures that passed the staging period.

Workaround:
N/A

Fix:
Policy signatures that have passed the necessary staging period are reported as ready to be enforced.

Component: BIG-IQ Configuration - Security - Shared Security

Symptoms:
New storage fields included in BIG-IP 15.1.x are not validated in BIG-IQ, which is causing import failures

Conditions:
Import Network Security logs from BIG-IP v15.1.x that include storage values.

Impact:
Importing Network Security log with storage fields results in error message:

restjavad.4.log:[ERROR][19 Jun 2020 09:18:34 CEST][/cm/security-shared/working-config/log-profiles/232543a8-6e3e-3e3a-a42c-d2c592d223d4/network WorkingProfileNetworkCollectionWorker] Validation failure: java.lang.IllegalArgumentException: Invalid format field value : dest_ipint_categories
restjavad.4.log:[ERROR][19 Jun 2020 09:18:34 CEST][/cm/security-shared/tasks/config-copy/b16532b8-fd5d-431a-87cf-486ac566b9ad/worker SharedConfigCopyTaskWorker] Failed POST to target https://localhost/mgmt/cm/security-shared/working-config/log-profiles/232543a8-6e3e-3e3a-a42c-d2c592d223d4/network: java.lang.IllegalArgumentException: Invalid format field value : dest_ipint_categorie

Fix:
This issue is resolved for BIG-IQ version 8.x or later.

Component: BIG-IQ Access

Symptoms:
When you create an Access policy branch rule, BIG-IQ does not allow you to input a branch rule name that contains the '.' punctuation mark.

Conditions:
This issue occurs when you create an Access policy branch rule name that contains the '.' punctuation mark.

Impact:
You won't be able to create an Access policy branch rule with the punctuation mark '.' in the name.

Workaround:
N/A

Fix:
You can now create an Access policy branch rule name with the '.' punctuation in the name. This issue no longer occurs.

Component: BIG-IQ Access

Symptoms:
A Variable Assign agent in the VPE with custom expressions and attached to an Access policy might change new line characters to "\n". This causes the custom expression to fail with an error.

Conditions:
This error might happen if the Variable Assign agent was created with custom expressions spanning multiple lines. When the policy is deployed to managed BIG-IP devices, the new line characters show up as "\n" instead of actual new lines.

Impact:
The APM custom expression fails to work.

Workaround:
N/A

Fix:
This issue no longer occurs. You can now deploy a Variable Assign agent with multi-line custom expressions and attach it to an Access policy and deploy it to a BIG-IP device sucessfully.

Component: BIG-IQ Access

Symptoms:
Deploying an Access policy containing orphaned policy items to a BIG-IP device might fail with the following error:

"Critical Error: The access policy ("access-policy") has an item ("orphaned-policy-item") which is not referenced by any policy rule."

Conditions:
This error can happen if you:

1) Create an Access policy with a branch rule such as "URL Branching".
2) Add another item to that branch.
3) Delete the branch rule in "URL Branching".
4) Deploy the Access policy to a BIG-IP device.

Impact:
You cannot deploy access policies with orphaned policy items.

Fix:
This issue is now fixed and you can now deploy Access policies with orphaned objects.

Component: REST Framework and TMOS Platform

Symptoms:
The storage system might not recognize an address with a route domain (% followed by a number after the IP address) as a valid address. This could cause operations to fail or to hang. Logs under /var/log/postgres/ shows an error similar to:

ERROR: invalid input syntax for type inet: "10.10.1.4%6"

Conditions:
This happen when route domains are used.

Impact:
Operations might fail or hang and errors are logged.

Workaround:
None

Fix:
Addresses containing route domains are now correctly recognized as valid.

Component: BIG-IQ Access

Symptoms:
A local SAML SP service cannot be created with entity ID containing session variables, since host name is a mandatory field for local SP service.

Conditions:
When you create a local SAML SP service with session variables as entity ID and host name is not provided.

Impact:
You are unable to create the service until you specify a hostname.

Workaround:
N/A

Fix:
You are now able to create a local SAML SP service without a hostname.

Component: BIG-IQ Application Management

Symptoms:
After upgrading BIG-IQ, you are unable to deploy an AS3 application service from BIG-IQ.

Error message:
Failed to get cm-bigip-allBigIpDevices device for address 3.90.185.47 : java.lang.IllegalStateException: Device not found in device group: java.lang.IllegalStateException: Device not found in device group

Conditions:
This happens after you upgrade or reboot BIG-IQ.

Impact:
You cannot deploy an AS3 application service from BIG-IQ.

Workaround:
To work around this issues, from the command line type: bigstart restart restjavad

Fix:
This issue is now fixed.

Component: BIG-IQ Access

Symptoms:
When you click the CSV Report button from the Access User Summary by navigating to Monitoring >> Dashboard >> Access >> User Summary screen and the following error displays "Error: Not Authenticated."

Conditions:
This can happen when you click the CSV Report button on Access Reporting page.

Impact:
You can't export or generate the CSV reports for certain Access reporting screen.

Workaround:
N/A

Fix:
This issue no longer occurs and the CSV Report button now works as expected from the Access screen.

Component: REST Framework and TMOS Platform

Symptoms:
When BIG-IQ is performing resource-intensive operations, API responses might be slowed which can lead sometimes cause log-in sessions to time out, forcing users to log out of BIG-IQ.

Conditions:
BIG-IQ is performing resource-intensive operations, such as importing large device configurations.

Impact:
Users are forcibly logged out of the BIG-IQ user interface.

Workaround:
None

Fix:
This issue is now fixed and authorization is maintained even during periods of resource-intensive operations.

Component: AppIQ

Symptoms:
Managed BIG-IP devices running iApp analytics logs an error message similar to the following error /var/log/ltm:

err scriptd[8484]: 014f0013:3: Script (/Common/bigiq-analytics-send_stats) generated this Tcl error: (script did not successfully complete: (couldn't create pipe: too many open files while executing "exec /usr/bin/tmsh -c "list ltm virtual $virtual_name partition" | grep "partition " | tr -s " " | cut -d " " -f3- " ("foreach" body line 3) invoked from within "foreach virtual $virtual_list { set virtual_name "/[tmsh::get_name $virtual]" set partition_name [exec /usr/bi..." invoked from within "if { [file exists ${filename}0] != 1 || [ expr [clock seconds] - [file mtime ${filename}0] ] > 360 } { set infile [open "$filename$curr..." line:346))

Conditions:
When managing a BIG-IP device with a large number of virtual servers and running iApp analytics.

Impact:
iApp does not collect statistics for virtual server, pool, nodes, or statuses.

Workaround:
A workaround is available for BIG-IQ version 7.1. For more information see: https://support.f5.com/csp/article/K53001642

Fix:
iApp now collects data as expected.

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Protected virtual servers with a monitoring/blocking application protection policy do not display enforcement mode following import from BIG-IP.

Conditions:
1. On BIG-IQ discover a BIG-IP device with a protected virtual server.

2. Check the virtual server's enforcement mode in the L7 security grid (Monitoring > DASHBOARDS > L7 Security).

Impact:
The virtual server will display 'Not Protected' enforcement status.

Workaround:
PATCH the VS (or update it via UI), wait a minute and it will get the protection mode.

For batch mode, restart restjavad, which marks all vips as dirty and protection mode will be recalculated for all of them.

Fix:
Protected virtual servers imported from a managed BIG-IP device now display the correct enforcement mode.

Component: BIG-IQ Local Traffic & Management

Symptoms:
When adding a Pool or Virtual Server to a Resource Group, the related Pool Members appear individually instead of all Pool Members.

Conditions:
When adding a Pool or Virtual Server to Resource Group.

Impact:
You must add Pool Members individually to Resource Groups after they are created or they will not be visible to the user with the associated role.

Workaround:
You can use an API call to create a Resource Group (RG) with the pools as you want them and use that Resource Group in a Role.
Here are the steps for that,

1. Find the pool (or pools that you want in the role and capture it's membersCollectionReference:
GET cm/adc-core/working-config/ltm/pool

2. modify the json body below to match the retrieved pool members URI path
 - change the name, description, and expression (note the /* at the end of the membersCollectionReference URI path)
 - you just need the pool members expression (the pool that owns it will be automatically added to the RG.)
 - you can have more than one expression in the referenceExpressions array.
{
  "resourceGroupName": "workaroundRGSample",
  "resourceGroupDisplayName": "workaroundRGSample",
  "resourceGroupDescription": "",
  "referenceExpressionsPatches": [
    {
      "targetKind": "cm:adc-core:working-config:ltm:pool:members:adcpoolmemberstate",
      "referenceExpressions": [
        {
          "name": "All Pool Members for newPool",
          "description": "All existing and future Pool Members for newPool.",
          "expression": "/cm/adc-core/working-config/ltm/pool/4c6ad591-26e5-3e5a-bc72-d0eb41dab631/members/*"
        }
      ]
    }
  ]
}

3. POST that to here: /shared/authorization/patch-resource-groups
- note this is a declarative API. If you want to change the RG you need to include ALL expressions that you want in the RG and POST to the same endpoint again. Like if you wnted to add a pool/members then the body above would contain two referenceExpressions.

4. You'll get a response like this:
{
    "id": "cccd8304-3ec9-3bcf-aa58-e4a7d22ae57b",
    "kind": "shared:authorization:resource-groups:resourcegroupstate",
    "name": "workaroundRGSampleXX",
    "isPublic": true,
    "selfLink": "https://localhost/mgmt/shared/authorization/resource-groups/cccd8304-3ec9-3bcf-aa58-e4a7d22ae57b",
    "isBuiltIn": false,
    "generation": 1,
    "description": "",
    "displayName": "workaroundRGSampleXX",
    "isSystemManaged": false,
    "lastUpdateMicros": 1588021146636422,
    "referenceExpressionCollectionReference": {
        "link": "https://localhost/mgmt/shared/authorization/resource-groups/cccd8304-3ec9-3bcf-aa58-e4a7d22ae57b/reference-expressions",
        "isSubcollection": true
    },
    "differences": {
        "added": [
            "/cm/adc-core/working-config/ltm/pool/4c6ad591-26e5-3e5a-bc72-d0eb41dab631/members",
            "/cm/adc-core/working-config/ltm/pool",
            "/cm/adc-core/working-config/ltm/pool/4c6ad591-26e5-3e5a-bc72-d0eb41dab631/members/*",
            "/cm/adc-core/working-config/ltm/pool/4c6ad591-26e5-3e5a-bc72-d0eb41dab631"
        ],
        "removed": []
    }
}

5. Now create a second Resource Group in the UI that does NOT include the Pool and Pool Members for the VIP.

6. Create a role that includes the RG you manually created above and the second RG (without the Pool and Pool Member) that you created in the UI.

Fix:
This issue is fixed.

Component: BIG-IQ Device Management

Symptoms:
If you are configuring BIG-IQ as a BIG-IP license manager only, selecting the option to skip licensing during setup, setup fails.

Conditions:
Selecting the skip license option when setting up a BIG-IQ to manage licenses for BIG-IP devices.

Impact:
Setup will fail to license a BIG-IP.

Workaround:
When setting up BIG-IQ to only manage licenses for BIG-IP devices, make sure to enter a license manager base registration key during setup.

Fix:
This issue is fixed.

Component: REST Framework and TMOS Platform

Symptoms:
When a backup expires, BIG-IQ is supposed to delete it according to its global pruning schedule (GPS). The GPS runs at around 1AM on every BIG-IQ device. However, this pruning of expired backups fails due to an invalid query.

Conditions:
BIG-IQ is configured and is running.

Impact:
Expired BIG-IQ backups are not pruned and a warning is logged.

Workaround:
Manually select and delete the expired backups.

Fix:
Fixed the datetime to be always stored in UTC and corrected the way timestamps are queried.
These two issues were the root cause that was preventing the BIG-IQ from successfully pruning expired backups.

Component: BIG-IQ Access

Symptoms:
When evaluating and deploying Access Groups containing a Remote Desktop configuration to a BIG-IP device, it might fail with the following following error:

"Critical error: Error getting aclOrder value on object."

Conditions:
This error can happen if a Remote Desktop object was created on a managed BIG-IP running version 15.1 or later and then discovered and services imported.

Impact:
You might not be able to deploy configurations containing Remote Desktop objects to a managed BIG-IP devices.

Workaround:
To resolve this issue, you can define aclOrder for a Remote Desktop object using the following API calls:

For Remote Desktop - Citrix
https://X.X.X.X/mgmt/cm/access/working-config/apm/resource/remote-desktop/citrix

For Remote Desktop - RDP
https://X.X.X.X/mgmt/cm/access/working-config/apm/resource/remote-desktop/rdp

For Remote Desktop - VMWare
https://X.X.X.X/mgmt/cm/access/working-config/apm/resource/remote-desktop/vmware-view

After defining the aclOrder for the Remote Desktop objects, you should be able to successfully evaluate and deploy this configuration to managed BIG-IP devices.

Fix:
This issue no longer occurs. You should be able to import configurations containing Remote Desktop objects and edit and save it on BIG-IQ. You should also be able to deploy configurations containing Remote Desktop objects to target BIG-IP devices from BIG-IQ.

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
The grid for the L7 Security Dashboard does not report attack data, even when objects are under attack.

Conditions:
Go to Monitoring > DASHBOARDS > L7 Security Dashboard
Run a DoS L7 attack
View the attacks in the summary bar (confirming attacks)
View the DoS attacks column in the grid, all report "No Data"

Impact:
No DoS attack count data for column in object grid.

Workaround:
N/A

Fix:
DoS attack information is now displayed correctly in the L7 dashboard.

Solution Article: K57274211

Component: BIG-IQ SSL Orchestrator

Symptoms:
After upgrading your managed BIG-IP devices from any 14.x version to 15.x and you try to edit a deployed SSL Orchestrator topology running RPM 5.4, BIG-IQ returns an error. As a result, you are unable to save the SSLO configuration and proceed to the next step.

Conditions:
This issue can happen in BIG-IQ after upgrading your managed BIG-IP devices from 14.x to 15.x.

Impact:
You cannot edit a deployed topology after upgrading a BIG-IP image from 14.X to 15.X.

Workaround:
To resolve this issue follow the steps in the order shown:
1. Re-deploy the security policy used by the topology before editing the topology. Remove all devices from the device page, add the devices back, then re-deploy the policy.
2. Edit the SSLO topology in a topology workflow. Click the topology icon in the first step of the wizard. Do not click Save & Next, and instead click the interception rule icon in the wizard. Update the Access profile in the interception rule page, click Save, and deploy the topology.

Fix:
You can now edit and and re-deploy all deployed SSLO configurations after upgrading the managed BIG-IP devices from version 14.x to 15.x.

Component: BIG-IQ SSL Orchestrator

Symptoms:
A deployment of an SSL Orchestrator topology can fail if that topology is an Existing Application type topology, and if the configuration was imported from a managed BIG-IP to the BIG-IQ.

Conditions:
For this condition to occur, an Existing Application topology must be deployed in BIG-IP and then imported back to BIG-IQ. After this, any redeployment of this imported topology which uses the Existing Application configuration type may fail.

Impact:
You cannot deploy an imported 'Existing Application' SSL Orchestrator topology from BIG-IQ.

Workaround:
Currently, there is no direct workaround to redeploy the imported topology without a deployment failure. Instead, you can delete the topology that is failing and deploy a new Existing Application topology with the same configuration.

Fix:
Deployment of an Existing Application SSLO topology is successful, even when you have imported that topology from the managed BIG-IP device to the BIG-IQ.

Component: BIG-IQ SSL Orchestrator

Symptoms:
In the SSL Orchestrator topology list page under the Configuration tab, the number of security services in the imported topology always shows 0, even if there are services that exist in this configuration.

Conditions:
This occurs whenever you try to view the number of services deployed in the topology list page.

Impact:
You might not be able to see how many services are being used by an imported topology.

Workaround:
To find the number of services attached to a particular topology, go to the service chain attached to the topology and check the number of services there.

Fix:
The topology list page now shows the exact number of security services associated with each topology.

Component: BIG-IQ SSL Orchestrator

Symptoms:
After selecting the button to remove an SSL Orchestrator (SSLO) configuration for any topologies running all 5.X SSLO RPM versions, the topology deployment will fail.

Conditions:
This issue occurs only when removing configurations from topologies running any 5.X SSLO RPM version.

Impact:
You are unable to deploy any SSLO topology, security policy, or inspection services to managed BIG-IP devices after using the Remove SSLO Configuration button in BIG-IQ unless you employ the workaround.

Workaround:
To effectively deploy a configuration after using the Remove SSLO Configuration button and clearing your device of all SSL Orchestrator configurations, you must reset your Device Settings and deploy them before attempting additional configurations on the device. Follow the steps in this order to get a successful deployment:

1) In BIG-IQ under Configuration >> SSL Orchestrator >> Devices, click on each managed device for which you did a full clean-up.
2) On each managed device page, modify the General Settings to your specifications. If you have nothing to change, change a field and then revert it to re-activate the Deploy button.
3) Click Deploy.
4) Make other configurations within a topology on this managed BIG-IP device and deploy them successfully.

Fix:
This issue is now fixed and the SSLO topology deployments will succeed after removing all SSLO configurations.

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
The Deployment and Configuration menus are currently not wide enough to display long virtual server and pool names.

Conditions:
This happens if the combination of partition and object names combined exceeds 21 characters.

Impact:
You cannot to read the full name of the virtual server or the pool configured for the virtual server.

Workaround:
None.

Fix:
This issue is now fixed.

Component: AppIQ

Symptoms:
BIG-IQ regularly queries the status of virtual servers and pools on BIG-IP devices running iApp, which can cause CPU spikes when the number of servers and pools are high.

Conditions:
When collecting statistics with iApp on BIG-IP devices that have more than 600 virtual servers and/or 400 pools.

Impact:
CPU usage spikes on managed BIG-IP devices when they reach maximum usage when statistics collection is enabled.

Workaround:
For BIG-IQ version 7.1, see the following article for a workaround: https://support.f5.com/csp/article/K53001642

Fix:
CPU spikes no longer occur as a result of status queries to BIG-IP devices.

Component: REST Framework and TMOS Platform

Symptoms:
The TACACS+ authentication provider uses a fixed, hard-coded value (5 seconds) for the timeout to get a response from the TACACS+ server. If a request to the TACACS+ server to authenticate a user or to retrieve the user properties does not complete within 5 seconds, the request fails. This causes the BIG-IQ authentication of a remote TACACS+ user to fail as well.

Conditions:
When you use a TACACS+ authentication provider to authenticate to BIG-IQ and the TACACS+ server is too slow, it will probably time out before you get authenticated.

Impact:
TACACS+ user authentication to BIG-IQ fails.

Workaround:
N/A

Fix:
You can now configure the connection timeout and read timeout settings.

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
LTM Virtual Server properties screen shows only the first 32 to 40 characters of the default pool's full name.

Conditions:
1. Log in with read-only permissions.
2. Navigate to Configuration>LOCAL TRAFFIC>Virtual Servers.
3. Click the name of a virtual server and scroll down to the Default Pool drop-down box.

Impact:
If the default pool has a long name, read-only users cannot see the full name of the default pool.

Workaround:
Keep the pool name shorter than 32 characters.

Fix:
The issue is now fixed.

Component: REST Framework and TMOS Platform

Symptoms:
When you set up an LDAP or Active Directory authentication provider that uses the LDAPS protocol on TCP port 636 with Server Certificate Validation enabled, and then disable Server Certificate Validation in the authentication provider settings you get an unexpected result.

When the user tries to authenticate to the BIG-IQ, the authentication fails with the error:
 Unable to connect to the authentication server. java.security.cert.CertificateException: No subject alternative names present.

Conditions:
LDAP or Active Directory authentication provider with 'Server Certificate Validation' enabled, then disabled.

Impact:
User authentication to BIG-IQ fails.

Workaround:
There are 3 potential workarounds:

1. Set up the LDAP or Active Directory authentication provider to use StartTLS on TCP port 389 instead of LDAPS on TCP port 636. Ideally, enable 'Server Certificate Validation'.
This is the most secure option.

2. If your LDAP/Active Directory server does not support StartTLS and you need to use LDAPS, set up the authentication provider with 'Server Certificate Validation' enabled.
This option is more secure than the next option.

3. If you need to use LDAPS and for some reason the authentication provider cannot validate the server certificate, then disable certificate validation from the very beginning. If you have first set it up with 'Server Certificate Validation' enabled:
  a. Delete the authentication provider.
  b. Restart restjavad.
  c. Re-create the authentication provider with 'Server Certificate Validation' disabled.

This last option is not recommended, because it is less secure.

Fix:
This has been fixed. User authentication to BIG-IQ does work correctly when you create an LDAP or Active Directory authentication provider with 'Server Certificate Validation' enabled, then you disable it.

Component: BIG-IQ SSL Orchestrator

Symptoms:
If you deploy a security policy through a topology from BIG-IQ, it does not display on BIG-IP.

Conditions:
1) Create a Security Policy with Proxy Connect enabled and with a BIG-IP device pool selected.
2) Create an Outbound SSLO topology, and in the 'Security Policy' section, use an existing security policy that was just created with the proxy connect enabled.
3) Deploy the topology.

Impact:
The security policy does not display on the managed BIG-IP device.

Workaround:
Deploy the same topology to BIG-IP from BIG-IQ with a security policy that does not have Proxy Connect enabled. Alternatively, disable the Proxy Connect option on the same topology and re-deploy.

Fix:
The issue is fixed. You now will be unable to select a security policy in the 'Use-Existing' security policy options when the following is true:

1) You are using an outbound topology
2) You enable Proxy Connect for the security policy

As a result, you will not be able to deploy a topology with an invalid security policy.

Component: AppIQ

Symptoms:
BIG-IP high availability (HA) peers become out of sync and log audit messages similar to the following.

01420002:5: AUDIT - pid=20880 user=root folder=/Common module=(tmos)# status=[Command OK] cmd_data=modify security analytics settings collect-all-dos-statistic enabled

Conditions:
When analytics iApp is pushed from BIG-IQ.

Impact:
BIG-IP high availability (HA) peers become out of sync.

Fix:
Peer BIG-IP devices in an HA configuration no longer become out of sync when BIG-IQ pushes the iApp.

Component: BIG-IQ SSL Orchestrator

Symptoms:
In the page Configuration >> SSL Orchestrator >> Services, the number of devices of the service always shows 0, when some of the devices are configured as BIG-IP HA.

Conditions:
This occurs whenever you try to view the number of devices are being used by a particular service in the page Configuration >> SSL Orchestrator >> Services.

Impact:
You might not be able to see how many devices are being used by a particular service when some of the devices are configured as BIG-IP HA.

Workaround:
To find the number of devices on which a particular service is deployed, in service list page find the location of the service, then go to page Configuration >> SSL Orchestrator >> Devices, check the number of devices attached to the location.

Fix:
The device list page shows the exact number of security services deployed to each device or cluster.

Component: BIG-IQ SSL Orchestrator

Symptoms:
When creating a new SSLO topology, you can still save your security policy configuration if you select the option to use an existing security policy, but do not select a security policy to add to your topology.

Conditions:
This will occur if you try to create a new topology, choose the 'Use Existing' option in the security policy configuration page, and save the configuration without selecting any security policy in the dropdown.

Impact:
You may deploy an invalid SSLO topology without a security policy attached.

Workaround:
When you create a new topology, and want to use an existing security policy, select the 'Use Existing' option from the security policy page and then select an existing security policy in the dropdown. You may also choose create a new security policy or not attach a security policy in order to avoid deploying an invalid topology.

Fix:
The issue is fixed. The security policy step in the topology wizard will require you to select a security policy when you opt to use an existing security policy.

Component: REST Framework and TMOS Platform

Symptoms:
Prior to BIG-IQ version 8.0.0, all RADIUS users were automatically members of a BIG-IQ RADIUS user group with no authorization attributes.

Conditions:
Create a RADIUS authentication provider and a RADIUS user group with no authorization attributes.

Impact:
Beginning with BIG-IQ version 8.0.0, a newly created RADIUS user group must have at least one authorization attribute. Only users having all the group's authorization attributes will be members of the group.

After you upgrade to BIG-IQ 8.0.0 or later, any existing RADIUS user groups without any authorization attributes will contain no members. They will therefore serve no purpose. All existing RADIUS users will have no authorization to access BIG-IQ functionality through the default membership in a group.

Workaround:
Create a user group with the necessary authorization attributes to provide users with permissions granted by the roles the group is in. A user associated with the Administrator role can make these changes to the RADIUS authentication provider (user groups).

Fix:
N/A

Behavior Change:
Prior to BIG-IQ version 8.0.0, all RADIUS users were automatically members of a RADIUS user group with no authorization attributes.

Beginning with BIG-IQ version 8.0.0, a newly created RADIUS user group must have at least one authorization attribute. Only users having all the group's authorization attributes will be members of the group. After you upgrade to BIG-IQ 8.0.0 or later, any existing RADIUS user groups without any authorization attributes will contain no members. They will therefore serve no purpose. All existing RADIUS users will have no authorization to access BIG-IQ functionality through the default membership in a group.

Solution Article: K26618426

Solution Article: K03585731

Solution Article: K20541896

Solution Article: K20445457

Component: REST Framework and TMOS Platform

Symptoms:
For more information on CVE-2017-9075, please see:
https://support.f5.com/csp/article/K02236463
For more information on CVE-2017-9076, please see:
https://support.f5.com/csp/article/K02613439
For more information on CVE-2017-9077, please see:
https://support.f5.com/csp/article/K61429540

Conditions:
For more information on CVE-2017-9075, please see:
https://support.f5.com/csp/article/K02236463
For more information on CVE-2017-9076, please see:
https://support.f5.com/csp/article/K02613439
For more information on CVE-2017-9077, please see:
https://support.f5.com/csp/article/K61429540

Impact:
For more information on CVE-2017-9075, please see:
https://support.f5.com/csp/article/K02236463
For more information on CVE-2017-9076, please see:
https://support.f5.com/csp/article/K02613439
For more information on CVE-2017-9077, please see:
https://support.f5.com/csp/article/K61429540

Workaround:
For more information on CVE-2017-9075, please see:
https://support.f5.com/csp/article/K02236463
For more information on CVE-2017-9076, please see:
https://support.f5.com/csp/article/K02613439
For more information on CVE-2017-9077, please see:
https://support.f5.com/csp/article/K61429540

Fix:
For more information on CVE-2017-9075, please see:
https://support.f5.com/csp/article/K02236463
For more information on CVE-2017-9076, please see:
https://support.f5.com/csp/article/K02613439
For more information on CVE-2017-9077, please see:
https://support.f5.com/csp/article/K61429540

Solution Article: K37111863

Component: REST Framework and TMOS Platform

Symptoms:
SNMP traps do not follow current best practices

Impact:
SNMP traps do not follow current best practices

Fix:
SNMP traps now follow current best practices

Component: REST Framework and TMOS Platform

Symptoms:
For more information on CVE-2018-2783, please see:
https://support.f5.com/csp/article/K44923228
For more information on CVE-2018-2790, please see:
https://support.f5.com/csp/article/K73122539
For more information on CVE-2018-2794, please see:
https://support.f5.com/csp/article/K54143451
For more information on CVE-2018-2795, please see:
https://support.f5.com/csp/article/K70321874
For more information on CVE-2018-2796, please see:
https://support.f5.com/csp/article/K71021401
For more information on CVE-2018-2797, please see:
https://support.f5.com/csp/article/K05441360
For more information on CVE-2018-2798, please see:
https://support.f5.com/csp/article/K24593421
For more information on CVE-2018-2799, please see:
https://support.f5.com/csp/article/K33924005
For more information on CVE-2018-2800, please see:
https://support.f5.com/csp/article/K35513527
For more information on CVE-2018-2811, please see:
https://support.f5.com/csp/article/K01294982
For more information on CVE-2018-2814, please see:
https://support.f5.com/csp/article/K60350722
For more information on CVE-2018-2815, please see:
https://support.f5.com/csp/article/K15217245
For more information on CVE-2018-2825, please see:
https://support.f5.com/csp/article/K13655013
For more information on CVE-2018-2826, please see:
https://support.f5.com/csp/article/K13655013

Conditions:
For more information on CVE-2018-2783, please see:
https://support.f5.com/csp/article/K44923228
For more information on CVE-2018-2790, please see:
https://support.f5.com/csp/article/K73122539
For more information on CVE-2018-2794, please see:
https://support.f5.com/csp/article/K54143451
For more information on CVE-2018-2795, please see:
https://support.f5.com/csp/article/K70321874
For more information on CVE-2018-2796, please see:
https://support.f5.com/csp/article/K71021401
For more information on CVE-2018-2797, please see:
https://support.f5.com/csp/article/K05441360
For more information on CVE-2018-2798, please see:
https://support.f5.com/csp/article/K24593421
For more information on CVE-2018-2799, please see:
https://support.f5.com/csp/article/K33924005
For more information on CVE-2018-2800, please see:
https://support.f5.com/csp/article/K35513527
For more information on CVE-2018-2811, please see:
https://support.f5.com/csp/article/K01294982
For more information on CVE-2018-2814, please see:
https://support.f5.com/csp/article/K60350722
For more information on CVE-2018-2815, please see:
https://support.f5.com/csp/article/K15217245
For more information on CVE-2018-2825, please see:
https://support.f5.com/csp/article/K13655013
For more information on CVE-2018-2826, please see:
https://support.f5.com/csp/article/K13655013

Impact:
For more information on CVE-2018-2783, please see:
https://support.f5.com/csp/article/K44923228
For more information on CVE-2018-2790, please see:
https://support.f5.com/csp/article/K73122539
For more information on CVE-2018-2794, please see:
https://support.f5.com/csp/article/K54143451
For more information on CVE-2018-2795, please see:
https://support.f5.com/csp/article/K70321874
For more information on CVE-2018-2796, please see:
https://support.f5.com/csp/article/K71021401
For more information on CVE-2018-2797, please see:
https://support.f5.com/csp/article/K05441360
For more information on CVE-2018-2798, please see:
https://support.f5.com/csp/article/K24593421
For more information on CVE-2018-2799, please see:
https://support.f5.com/csp/article/K33924005
For more information on CVE-2018-2800, please see:
https://support.f5.com/csp/article/K35513527
For more information on CVE-2018-2811, please see:
https://support.f5.com/csp/article/K01294982
For more information on CVE-2018-2814, please see:
https://support.f5.com/csp/article/K60350722
For more information on CVE-2018-2815, please see:
https://support.f5.com/csp/article/K15217245
For more information on CVE-2018-2825, please see:
https://support.f5.com/csp/article/K13655013
For more information on CVE-2018-2826, please see:
https://support.f5.com/csp/article/K13655013

Workaround:
For more information on CVE-2018-2783, please see:
https://support.f5.com/csp/article/K44923228
For more information on CVE-2018-2790, please see:
https://support.f5.com/csp/article/K73122539
For more information on CVE-2018-2794, please see:
https://support.f5.com/csp/article/K54143451
For more information on CVE-2018-2795, please see:
https://support.f5.com/csp/article/K70321874
For more information on CVE-2018-2796, please see:
https://support.f5.com/csp/article/K71021401
For more information on CVE-2018-2797, please see:
https://support.f5.com/csp/article/K05441360
For more information on CVE-2018-2798, please see:
https://support.f5.com/csp/article/K24593421
For more information on CVE-2018-2799, please see:
https://support.f5.com/csp/article/K33924005
For more information on CVE-2018-2800, please see:
https://support.f5.com/csp/article/K35513527
For more information on CVE-2018-2811, please see:
https://support.f5.com/csp/article/K01294982
For more information on CVE-2018-2814, please see:
https://support.f5.com/csp/article/K60350722
For more information on CVE-2018-2815, please see:
https://support.f5.com/csp/article/K15217245
For more information on CVE-2018-2825, please see:
https://support.f5.com/csp/article/K13655013
For more information on CVE-2018-2826, please see:
https://support.f5.com/csp/article/K13655013

Fix:
For more information on CVE-2018-2783, please see:
https://support.f5.com/csp/article/K44923228
For more information on CVE-2018-2790, please see:
https://support.f5.com/csp/article/K73122539
For more information on CVE-2018-2794, please see:
https://support.f5.com/csp/article/K54143451
For more information on CVE-2018-2795, please see:
https://support.f5.com/csp/article/K70321874
For more information on CVE-2018-2796, please see:
https://support.f5.com/csp/article/K71021401
For more information on CVE-2018-2797, please see:
https://support.f5.com/csp/article/K05441360
For more information on CVE-2018-2798, please see:
https://support.f5.com/csp/article/K24593421
For more information on CVE-2018-2799, please see:
https://support.f5.com/csp/article/K33924005
For more information on CVE-2018-2800, please see:
https://support.f5.com/csp/article/K35513527
For more information on CVE-2018-2811, please see:
https://support.f5.com/csp/article/K01294982
For more information on CVE-2018-2814, please see:
https://support.f5.com/csp/article/K60350722
For more information on CVE-2018-2815, please see:
https://support.f5.com/csp/article/K15217245
For more information on CVE-2018-2825, please see:
https://support.f5.com/csp/article/K13655013
For more information on CVE-2018-2826, please see:
https://support.f5.com/csp/article/K13655013

Component: REST Framework and TMOS Platform

Symptoms:
For more information, pleaser see:
https://support.f5.com/csp/article/K15526101

Conditions:
For more information, pleaser see:
https://support.f5.com/csp/article/K15526101

Impact:
For more information, pleaser see:
https://support.f5.com/csp/article/K15526101

Workaround:
None

Fix:
For more information, pleaser see:
https://support.f5.com/csp/article/K15526101

Solution Article: K32485746

Component: REST Framework and TMOS Platform

Symptoms:
For more information see: https://support.f5.com/csp/article/K91229003

Impact:
For more information see: https://support.f5.com/csp/article/K91229003

Fix:
For more information see: https://support.f5.com/csp/article/K91229003

Solution Article: K21462542

Component: REST Framework and TMOS Platform

Symptoms:
* An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances.
(CVE-2016-0634)

* An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543)

* A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401)

Impact:
* An arbitrary command injection flaw was found in the way bash processed the hostname value. A malicious DHCP server could use this flaw to execute arbitrary commands on the DHCP client machines running bash under specific circumstances.
(CVE-2016-0634)

* An arbitrary command injection flaw was found in the way bash processed the SHELLOPTS and PS4 environment variables. A local, authenticated attacker could use this flaw to exploit poorly written setuid programs to elevate their privileges under certain circumstances. (CVE-2016-7543)

* A denial of service flaw was found in the way bash handled popd commands. A poorly written shell script could cause bash to crash resulting in a local denial of service limited to a specific bash session. (CVE-2016-9401)

Fix:
This has been fixed in BIG-IQ 8.0, which uses bash v. 4.2.46-29, which is not vulnerable.

This fix resolves CVE-2016-0634, CVE-2016-7543, and CVE-2016-9401.

Component: REST Framework and TMOS Platform

Symptoms:
Please see the KB article for details:
https://support.f5.com/csp/article/K02230327

Conditions:
BIG-IQ system was NOT VULNERABLE in default, standard and recommended configuration. To be considered vulnerable, it must have allowed remote update with TSIG authentication configured in BIND. This configuration combination is not a default configuration.

Impact:
Zone contents may be manipulated

Workaround:
To mitigate this vulnerability, you can use BIND's access control lists (ACLs) that require both address range validation and use of TSIG authentication in parallel. For information about configuring this type of compound authentication control, refer to the Using Access Control Lists (ACLs) with both addresses and keys Internet Systems Consortium (ISC) article.

Fix:
This has been fixed in BIG-IQ 8.0, which uses BIND v. 9.11.8, which is not vulnerable.

Component: REST Framework and TMOS Platform

Symptoms:
See KB for details:
https://support.f5.com/csp/article/K59448931

An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name might be able to circumvent TSIG authentication of AXFR requests through a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into providing an AXFR of a zone to an unauthorized recipient accepting bogus NOTIFY packets.

Conditions:
BIG-IQ is not vulnerable in default, standard, and recommended configuration. To be vulnerable, BIG-IQ would have to be specifically configured bind for zones and allow zone transfers and TSIG security.

Impact:
An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name might be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into providing an AXFR of a zone to an unauthorized recipient.
accepting bogus NOTIFY packets.

Workaround:
To mitigate this vulnerability, you can use BIND's access control lists (ACLs) that require both address range validation and use of TSIG authentication in parallel. For information about configuring this type of compound authentication control, refer to the Using Access Control Lists (ACLs) with both addresses and keys Internet Systems Consortium (ISC) article.

Fix:
This has been fixed in BIG-IQ 8.0.0, which uses BIND version 9.11.8, which is not vulnerable.

Solution Article: K51931024

Component: BIG-IQ Local Traffic & Management

Symptoms:
When the configuration gets imported from the BIG-IP into the working config, non-floating Virtual Servers are converted into floating Virtual Servers.

Conditions:
-- Virtual Servers are assigned to non-floating traffic-
groups on BIG-IP.
-- BIG-IP configuration is imported into BIG-IQ

Impact:
Potential errors when deploying configurations with Change Management, given that there's a discrepancy between the working-config in BigIQ and the running-config of the devices.

Solution Article: K92991044

Solution Article: K65460334

• The F5 Networks Technical Support web site: http://www.f5.com/support/
• The AskF5 web site: https://support.f5.com/csp/#/home
• The F5 DevCentral web site: http://devcentral.f5.com/

Generated: Tue Feb 23 13:02:27 2021 PST

Copyright F5 Networks (2021) - All Rights Reserved