Supplemental Document : BIG-IQ Centralized Management 8.3.0 :: Fixes and Known Issues

Applies To:


BIG-IQ Centralized Management

  • 8.3.0
Updated Date: 04/21/2023

BIG-IQ CM Release Notes BIG-IQ CM Release Information

Version: 8.3.0
Build: 118.0

Note: This content is current as of the software release date.
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.



Known Issues in BIG-IQ CM v8.3.x


Vulnerability Fixes

| ID Number | CVE | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1208001-10 | CVE-2023-22374 | K000130415, BT1208001 | iControl SOAP vulnerability CVE-2023-22374 | 8.3.0, 8.2.0.1 |
| 1143073-7 | CVE-2022-41622 | K94221585, BT1143073 | iControl SOAP vulnerability CVE-2022-41622 | 8.3.0 |
| 1073005-6 | CVE-2023-22326 | K83284425, BT1073005 | iControl REST use of the dig command does not follow security best practices | 8.3.0, 8.2.0.1 |


Functional Change Fixes

None


BIG-IQ Configuration - Security - Shared Security Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1196325 | 3-Major | | Copying a BIG-IP device's DoS configuration doesn't work properly | 8.3.0 |


BIG-IQ Configuration - Security - Web Application Security Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1215189-1 | 3-Major | | Importing ASM Policy from a file fails | 8.3.0 |


BIG-IQ Monitoring - Dashboards & Reports Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1190113-3 | 3-Major | | Client Host Name Column missing in Access sessions summary CSV report | 8.3.0 |
| 1079689 | 3-Major | | The ACL Log Messages filter does not work as expected | 8.3.0 |


AppIQ Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1117597-3 | 3-Major | BT1117597 | Appiq logs are not updated or found when using BIG-IQ version 8.2.0★ | 8.3.0 |


BIG-IQ Device Management Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1182177-1 | 4-Minor | BT1182177 | User Script task does not advance to next step | 8.3.0 |


BIG-IQ DNS Management Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1184425-3 | 4-Minor | | DNS Server is imported with the BIG-IP Health Monitor by default | 8.3.0 |


REST Framework and TMOS Platform Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 811149-5 | 2-Critical | | Remotely-authenticated users are unable to authenticate through the serial console | 8.3.0 |
| 914081-8 | 3-Major | BT914081 | Engineering Hotfixes missing bug titles | 8.3.0 |
| 904785-5 | 3-Major | BT904785 | Remotely authenticated users might not be able to log in over the serial console | 8.3.0 |
| 807957-8 | 3-Major | BT807957 | Link Up status should clear Link Down in Nokia Alarm database | 8.3.0 |
| 789181-7 | 3-Major | BT789181 | Link Status traps are not issued on BIG-IP VE systems | 8.3.0 |
| 1154933-6 | 3-Major | | Improper permissions handling in REST SNMP endpoint | 8.3.0 |


BIG-IQ Application Management Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1205037 | 3-Major | | Unable to edit/test an existing AWS Cloud Provider | 8.3.0 |

 

Cumulative fix details for BIG-IQ CM v8.3.0 that are included in this release

914081-8 : Engineering Hotfixes missing bug titles

Links to More Info: BT914081

Component: REST Framework and TMOS Platform

Symptoms:
In Bug Tracker, some BIG-IP Engineering Hotfixes published after March 18, 2019 do not display the summary titles for fixed bugs.

Conditions:
BIG-IP Engineering Hotfixes published in Bug Tracker after March 18, 2019.

Impact:
You cannot see the summaries of the fixed bugs when running the 'tmsh show sys version' command.

Workaround:
For information on such bugs, consult F5 support, or the original Service Request submitted to F5 in which the affected Engineering Hotfix was requested.

Fix:
BIG-IP Engineering Hotfixes now include the summary titles for fixed bugs published in Bug Tracker.

Fixed Versions:
8.3.0

904785-5 : Remotely authenticated users might not be able to log in over the serial console

Links to More Info: BT904785

Component: REST Framework and TMOS Platform

Symptoms:
Remotely-authenticated users logging into BIG-IP through the serial console are immediately logged out after entering their username and password.

Logging in as the same user over SSH is successful.

Conditions:
Attempting to log in over serial console when using remote authentication (RADIUS, TACACS, LDAP) and role mapping configured on the BIG-IP system.

Impact:
Remotely-authenticated users cannot log in over the serial console.

Workaround:
You can work around this issue by using one of the following alternative processes:

-- Log in over SSH instead

-- If acceptable (taking into account security considerations), enable terminal access for all remote users regardless of assigned role, using the command 'tmsh modify auth remote-user remote-console-access tmsh' or from the UI.

Fix:
Remotely-authenticated users are now able to successfully log in to BIG-IP through the serial console.

Fixed Versions:
8.3.0

811149-5 : Remotely-authenticated users are unable to authenticate through the serial console

Component: REST Framework and TMOS Platform

Symptoms:
Attempts to log in to the serial console with remote user credentials (RADIUS, LDAP, TACACS remote auth) fail with one of the following error messages:

-- 'Cannot load user credentials for user' (v13.1.1.2)
-- 'Session setup problem, abort.' (v14.1.0.1)

Conditions:
Configure BIG-IQ for remote authentication and attempt authentication through the serial console.

Impact:
Remote authentication users are unable to log in to the serial console.

Workaround:
There are two workarounds:
-- Remote authentication users can log in using an SSH connection to the BIG-IP system's management IP address.

-- Use the credentials of a local user account to log in to the serial console.

Fix:
Fixed in BIG-IQ 8.3.0 Release

Fixed Versions:
8.3.0

807957-8 : Link Up status should clear Link Down in Nokia Alarm database

Links to More Info: BT807957

Component: REST Framework and TMOS Platform

Symptoms:
When using Nokia NetAct (the alertd.nokia.alarm DB variable has the value "enable"), the LINK STATUS traps are the same for down/disable and up/enable. That has the side effect of leaving entries in the Nokia Alarm database.

Conditions:
Enable Nokia NetAct and see that the alarm database has uncleared entries for link status changes.

Impact:
This is confusing because entries in the database do not clear.

Fix:
A new DB variable has been implemented (alertd.nokia.linktraps). The default value is disabled and the variable only takes effect when alertd.nokia.alarm is enabled. Note that the first time these variables are enabled you must restart the alertd and nokiasnmpd daemons. With these variables enabled (and the daemons restarted) the link status traps are broken out into two separate traps. The LINK UP/ENABLED trap clears the LINK DOWN/DISABLED trap.

Fixed Versions:
8.3.0

789181-7 : Link Status traps are not issued on BIG-IP VE systems

Links to More Info: BT789181

Component: REST Framework and TMOS Platform

Symptoms:
The Link Status traps, both F5 proprietary and standard LinkUp/LinkDown, are issued on BIG-IP hardware but not on BIG-IP Virtual Edition (VE) configurations.

Conditions:
This occurs when interfaces on hardware-based BIG-IP systems or VE-based BIG-IP configurations experience link status events (links go up or down, or are administratively enabled or disabled).

Impact:
Log messages are issued and SNMP traps are issued if an SNMP trap destination is configured.

On a VE-based BIG-IP system, these logs and traps do not occur.

An SNMP client waiting for a Link Status trap on an administrative enable or disable therefore does not receive the trap.

Workaround:
None.

Fix:
VE now issues link status messages (which will cause traps to be issued) when interfaces on VEs are administratively disabled and enabled. The underlying interface status impacted by cables being plugged/unplugged must be monitored on the underlying system (the hypervisor) and is not logged by VE. If an interface on VE is not configured, then it is in the uninitialized state. If the interface in that state is disabled/enabled, the Link status message issued on enable is Link DOWN.

Fixed Versions:
8.3.0

1215189-1 : Importing ASM Policy from a file fails

Component: BIG-IQ Configuration - Security - Web Application Security

Symptoms:
Importing an ASM Policy from a file fails with access field validation not present for the Login Page.

Conditions:
Importing an ASM policy from a file.

Impact:
Importing an ASM Policy from a file fails.

Workaround:
N/A

Fix:
You can now import an ASM policy from a file successfully.

Fixed Versions:
8.3.0

1208001-10 : iControl SOAP vulnerability CVE-2023-22374

Links to More Info: K000130415, BT1208001

1205037 : Unable to edit/test an existing AWS Cloud Provider

Component: BIG-IQ Application Management

Symptoms:
Unable to edit/test an existing AWS Cloud Provider from BIG-IQ.

Conditions:
An AWS Cloud Provider is configured and the user tries to open its configuration in edit mode.

Impact:
Unable to edit/test an existing AWS Cloud Provider from BIG-IQ.

Workaround:
N/A

Fix:
You are now able to successfully edit and test an existing AWS Cloud Provider from BIG-IQ.

Fixed Versions:
8.3.0

1196325 : Copying a BIG-IP device's DoS configuration doesn't work properly

Component: BIG-IQ Configuration - Security - Shared Security

Symptoms:
Attempting to copy a BIG-IP device's DoS configuration from BIG-IQ does not complete.

Conditions:
When the udpPortList is empty, attempt to copy the BIG-IP device's DoS configuration into another device.

Impact:
BIG-IQ does not finish the DoS copy task.

Workaround:
N/A

Fix:
Fixed in BIG-IQ 8.3.0 Release

Fixed Versions:
8.3.0

1190113-3 : Client Host Name Column missing in Access sessions summary CSV report

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
The Access sessions summary CSV report does not contain the Client Host Name Data.

Conditions:
Create a CSV report.

Impact:
The Client Hostname does not appear in the CSV report.

Workaround:
NA

Fix:
Access sessions summary CSV report now contains the Client Hostname column.

Fixed Versions:
8.3.0

1184425-3 : DNS Server is imported with the BIG-IP Health Monitor by default

Component: BIG-IQ DNS Management

Symptoms:
If you import a BIG-IP DNS Server (Server Product Type: BIG-IP) that does not have a monitor, BIG-IQ assigns the default monitor /Common/bigip.

Conditions:
Import a BIG-IP DNS Server without a monitor to BIG-IQ.

Impact:
BIG-IQ shows a BIG-IP monitor added to the DNS Server even though it does not exist.

Workaround:
The imported DNS Server can be edited and saved without any monitor by clicking the 'Select Health Monitor...' option and then saving.

Fix:
Updated DNS Server Health Monitor to match the BIG-IP Configuration.

Fixed Versions:
8.3.0

1182177-1 : User Script task does not advance to next step

Links to More Info: BT1182177

Component: BIG-IQ Device Management

Symptoms:
When you run the User Script from BIG-IQ on multiple BIG-IP devices, the script does not advance if it fails on a single BIG-IP device.

Conditions:
The User Script fails on a BIG-IP device with a 404 error.

Impact:
The User Script does not complete.

Fix:
The User Script no longer fails on all BIG-IP devices if it fails on one.

Fixed Versions:
8.3.0

1154933-6 : Improper permissions handling in REST SNMP endpoint

Component: REST Framework and TMOS Platform

Symptoms:
Certain requests to the REST SNMP endpoint improperly handle user permissions.

Conditions:
Not specified

Impact:
Security best practices are not followed

Workaround:
Only allow trusted users to have access to the REST interface.

Fix:
User permissions work as expected.

Fixed Versions:
8.3.0

1143073-7 : iControl SOAP vulnerability CVE-2022-41622

Links to More Info: K94221585, BT1143073

1117597-3 : Appiq logs are not updated or found when using BIG-IQ version 8.2.0★

Links to More Info: BT1117597

Component: AppIQ

Symptoms:
After installing or upgrading to BIG-IQ version 8.2.0, the following log files are no longer updated or visible under /var/log/appiq:

NOTE: health-calculator.log is not affected by this issue

CM:
configserver.log
queryservice.log
postaggregator.log

DCD:
*agentmanager.log

Conditions:
Installing or upgrading to BIG-IQ version 8.2.0.

Impact:
Appiq logs are non-existent or outdated in the /var/log/appiq folder.

Workaround:
1. Go to the F5 Downloads portal (https://downloads.f5.com/esd/index.jsp).
2. Select Find a Download > BIG-IQ Centralized Management > 8.2.0 > Utilities.
3. Download the AppiqLogsWorkaroundID1117597.tar.gz file and transfer it to the /shared/tmp/ folder of BIG-IQ CM and DCD.
4. Extract the AppiqLogsWorkaroundID1117597.tar.gz on BIG-IQ CM and DCD and update the permissions:
   a. cd /shared/tmp/
   b. tar -xzvf AppiqLogsWorkaroundID1117597.tar.gz
   c. chmod 644 agentmanager_log4j2.xml configserver_log4j2.xml queryservice_log4j2.xml postaggregator_log4j2.xml
5. Replace the files on BIG-IQ CM and DCD:
   a. yes | cp /shared/tmp/agentmanager_log4j2.xml /var/config/appiq/agentmanager/config/log4j2.xml
   b. yes | cp /shared/tmp/configserver_log4j2.xml /var/config/appiq/configserver/config/log4j2.xml
   c. yes | cp /shared/tmp/queryservice_log4j2.xml /var/config/appiq/queryservice/config/log4j2.xml
   d. yes | cp /shared/tmp/postaggregator_log4j2.xml /var/config/appiq/postaggregator/config/log4j2.xml
6. Restart restjavad for the configurations to take effect on BIG-IQ CM and DCD:
   a. tmsh restart sys service restjavad
7. Once restarted, confirm that the following logs are generated in /var/log/appiq/:
   a. For BIG-IQ CM:
      i. configserver.log
      ii. queryservice.log
      iii. postaggregator.log
   b. For BIG-IQ DCD:
      i. agentmanager.log
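
Steps 5 and 7 of the workaround as a script, with a backup before each overwrite and a freshness check after the restart. This is an added example, not F5-supplied code; the function names, the `.bak` suffix, the marker-file check and the overridable `SRC_DIR`, `CONFIG_ROOT` and `LOG_DIR` variables are assumptions of the example.

```bash
#!/bin/bash
# Added example, not F5 code. Paths default to the ones in the steps above;
# SRC_DIR, CONFIG_ROOT and LOG_DIR are overridable (assumption) for a dry run.
# Step 4 (extract + chmod 644) is expected to have been done already.
SRC_DIR="${SRC_DIR:-/shared/tmp}"
CONFIG_ROOT="${CONFIG_ROOT:-/var/config/appiq}"
LOG_DIR="${LOG_DIR:-/var/log/appiq}"
SERVICES="agentmanager configserver queryservice postaggregator"

# Step 5: install each <service>_log4j2.xml, keeping the first original as .bak.
replace_log4j2_configs() {
    local svc src dst
    # Refuse to touch anything unless all four extracted files are present.
    for svc in $SERVICES; do
        src="$SRC_DIR/${svc}_log4j2.xml"
        [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }
    done
    for svc in $SERVICES; do
        src="$SRC_DIR/${svc}_log4j2.xml"
        dst="$CONFIG_ROOT/$svc/config/log4j2.xml"
        # Back up only once, so a re-run never overwrites the true original.
        if [ -f "$dst" ] && [ ! -e "$dst.bak" ]; then
            cp -p "$dst" "$dst.bak" || return 1
        fi
        cp "$src" "$dst" || return 1
    done
}

# Step 7: print expected logs that are missing or not newer than MARKER
# (a file created before the restjavad restart). Returns 1 if any are stale.
stale_appiq_logs() {
    local role="$1" marker="$2" logs name rc=0
    case "$role" in
        cm)  logs="configserver.log queryservice.log postaggregator.log" ;;
        dcd) logs="agentmanager.log" ;;
        *)   echo "role must be cm or dcd" >&2; return 2 ;;
    esac
    for name in $logs; do
        if [ ! -f "$LOG_DIR/$name" ] || [ ! "$LOG_DIR/$name" -nt "$marker" ]; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}
```

Create the marker file before step 6 (for example with `touch /shared/tmp/restart.marker`), then call `stale_appiq_logs cm /shared/tmp/restart.marker` on the CM or `stale_appiq_logs dcd /shared/tmp/restart.marker` on a DCD once the services have had time to write. An empty result with exit status 0 means every expected log was written after the restart.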

Fix:
Appiq logs are now available in the /var/log/appiq folder.

Fixed Versions:
8.3.0

1079689 : The ACL Log Messages filter does not work as expected

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
After upgrading to BIG-IQ version 8.1.0.2, you cannot filter ACL logs by IP address.

Conditions:
- Navigate to, for example, "Remote Access -> Sessions -> ACL -> ACL Logs Messages"
- Set filter to "All (excluding username)" and search for a valid search string (for example, "Allow"). The search returns unexpected results.
- Conversely, change the filter to "User Name" and search for "dsa" user. There are search results.

Impact:
Searching ACL Logs Messages with valid search values does not return expected results.

Workaround:
NA

Fix:
Fixed in BIG-IQ 8.3.0 Release

Fixed Versions:
8.3.0

1073005-6 : iControl REST use of the dig command does not follow security best practices

Links to More Info: K83284425, BT1073005


Known Issues in BIG-IQ CM v8.3.x


Known Issue details for BIG-IQ CM v8.3.x


