Supplemental Document : BIG-IQ Centralized Management 8.4.0 :: Fixes and Known Issues

Applies To:


BIG-IQ Centralized Management

  • 8.4.0
Updated Date: 03/26/2025

BIG-IQ CM Release Information

Version: 8.4.0
Build: 139.0

Note: This content is current as of the software release date. Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.



Known Issues in BIG-IQ CM v8.4.x

Vulnerability Fixes

| ID Number | CVE | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 937037 | CVE-2020-15778 | K04305530 | CVE-2020-15778 SCP insecurely allows backtick characters | 8.4.0, 7.1.0.1 |
| 841541 | CVE-2021-22996 | K16352404 | SIGABRT on corosync process | 8.4.0, 8.0.0 |
| 794389-7 | CVE-2019-6651 | K89509323, BT794389 | iControl REST endpoint response inconsistency | 8.4.0 |
| 1702449-6 | CVE-2023-52881 | K000148479, BT1702449 | CVE-2023-52881 Linux kernel vulnerability | 8.4.0 |
| 1621249-4 | CVE-2024-3596 | K000141008, BT1621249 | CVE-2024-3596: Blast Radius | 8.4.0 |
| 1582781-4 | CVE-2021-23177 | K000140961 | CVE-2021-23177 libarchive: extracting a symlink with ACLs modifies ACLs of target | 8.4.0 |
| 1581897-4 | CVE-2021-31566 | K000140963, BT1581897 | CVE-2021-31566 libarchive: symbolic links incorrectly followed when changing modes, times, ACL and flags of a file while extracting an archive | 8.4.0 |
| 1143073-13 | CVE-2022-41622 | K94221585, BT1143073 | iControl SOAP vulnerability CVE-2022-41622 | 8.4.0, 8.3.0 |
| 1098829-9 | CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-23515, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824 | K19473898, BT1098829 | Security vulnerabilities found in expat lib (used by iControlSoap) prior to version 2.4.8 | 8.4.0 |
| 1098825-8 | CVE-2021-45960, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827 | K91589041 | iControl Expat vulnerabilities [CVE-2021-45960, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827] | 8.4.0 |
| 1098813-8 | CVE-2021-46143 | K23231802 | iControl Expat vulnerabilities [CVE-2021-46143] | 8.4.0 |
| 1091453-9 | CVE-2022-23308 | K32760744, BT1091453 | libxml2 vulnerability CVE-2022-23308 | 8.4.0 |
| 1087201-11 | CVE-2022-0778 | K31323265, BT1087201 | OpenSSL Vulnerability: CVE-2022-0778 | 8.4.0, 8.2.0 |
| 1008397-3 | CVE-2019-15043 | K00843201 | Grafana vulnerability CVE-2019-15043 | 8.4.0, 8.2.0, 8.1.0, 7.1.0.2 |
| 994801-1 | CVE-2024-21782 | K98606833, BT994801 | SCP file transfer system | 8.4.0, 8.1.0.1 |
| 966541-13 | CVE-2023-43485 | K06110200, BT966541 | Improper data logged in plaintext | 8.4.0, 8.3.0, 8.2.0.1 |
| 940317-6 | CVE-2020-13692 | K23157312, BT940317 | CVE-2020-13692: PostgreSQL JDBC Driver vulnerability | 8.4.0, 8.2.0 |
| 1581749-1 | CVE-2018-1000877 | K000140964, BT1581749 | CVE-2018-1000877 libarchive: Double free in RAR decoder resulting in a denial of service | 8.4.0 |
| 1581745-1 | CVE-2018-1000878 | K000140964, BT1581745 | CVE-2018-1000878 libarchive: Use after free in RAR decoder resulting in a denial of service | 8.4.0 |
| 1581445-4 | CVE-2022-36227 | K000140954, BT1581445 | Libarchive vulnerability CVE-2022-36227 | 8.4.0 |
| 1567905-4 | CVE-2022-40304 | K000139594 | libxml2 vulnerability CVE-2022-40304 | 8.4.0 |
| 1561105-4 | CVE-2018-1000880 | K000148256, BT1561105 | CVE-2018-1000880 libarchive: Improper input validation in WARC parser resulting in a denial of service | 8.4.0 |
| 1560525-4 | CVE-2019-1000019 | K000148255, BT1560525 | CVE-2019-1000019 libarchive: Out of bounds read in archive_read_support_format_7zip.c resulting in a denial of service | 8.4.0 |
| 1559933-4 | CVE-2019-1000020 | K000148255, BT1559933 | CVE-2019-1000020 libarchive: Infinite recursion in archive_read_support_format_iso9660.c resulting in denial of service | 8.4.0 |
| 1185421-7 | CVE-2023-38419 | K000133472, BT1185421 | iControl SOAP uncaught exception when handling certain payloads | 8.4.0 |
| 1041577-13 | CVE-2024-21782 | K98606833, BT1041577 | SCP file transfer system, completing fix for 994801 | 8.4.0 |
| 1018997-11 | CVE-2023-41964 | K20850144, BT1018997 | Improper logging of sensitive DB variables | 8.4.0 |
| 1561693-1 | CVE-2016-10209 | K000148259, BT1561693 | CVE-2016-10209 libarchive: NULL pointer dereference in archive_wstring_append_from_mbs function | 8.4.0 |
| 1183453-4 | CVE-2022-31676 | K87046687 | Local privilege escalation vulnerability (CVE-2022-31676) | 8.4.0 |


Functional Change Fixes

None


BIG-IQ Configuration - Access Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1561073 | 3-Major | | Unable to Import APM module. | 8.4.0 |


BIG-IQ Configuration - Local Traffic Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1632813 | 3-Major | | Venafi connection objects do not always open as expected in the BIG-IQ UI | 8.4.0 |
| 1574977 | 3-Major | | Venafi Policy Folders are fetched only with absolute path and does not work with relative path | 8.4.0 |
| 1341037 | 3-Major | | Sort by "Managed by Third Party" does not work in the certificate list | 8.4.0 |
| 1314849 | 3-Major | BT1314849 | When importing a cluster device, the SNAT pool member/SNAT translation address is importing the wrong IP address | 8.4.0 |


BIG-IQ Configuration - Network Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1824241 | 3-Major | BT1824241 | Unable to import the BIG-IP LTM service due to IKE Peer validation | 8.4.0 |


BIG-IQ Configuration - Security - Web Application Security Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1239389 | 3-Major | | Error when trying to save the settings for the Child Security Policy Attack Signatures | 8.4.0 |


BIG-IQ Device User Interface Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1632389 | 3-Major | | Compare Assessments option may show incorrect information. | 8.4.0 |
| 1124729 | 3-Major | BT1124729 | Filter function on the Registration Key Pool License properties page is not behaving as expected. | 8.4.0 |


BIG-IQ Monitoring - Dashboards & Reports Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1124337 | 3-Major | BT1124337 | Scheduled reports don't always integrate time zone changes. | 8.4.0 |


BIG-IQ Monitoring - Logs Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1315301 | 3-Major | BT1315301 | BIG IQ displays incorrect Metachar data for violation details | 8.4.0 |


BIG-IQ System User Interface Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1295077 | 3-Major | BT1295077 | Failed to download the BIG-IQ/ BIG-IP backup file from BIG-IQ | 8.4.0 |
| 1106333 | 3-Major | BT1106333 | Post Aggregation takes a longer time | 8.4.0 |
| 1301225 | 4-Minor | | BIG IP/ BIG-IQ Backup Schedules display default settings rather than current settings in UI | 8.4.0 |


BIG-IQ Access Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1731041 | 3-Major | BT1731041 | Unable to modify VDI (RDP) resources for resource assign agent | 8.4.0 |


BIG-IQ Local Traffic & Management Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1348041 | 3-Major | | In the Network Security Audit Log GUI, the Object Name and Object Type columns are not user intuitive. | 8.4.0, 8.3.0 |
| 1341477 | 3-Major | | The 'Resolve Import Conflicts' page in the 'Import' task configuration screens was not resizing correctly | 8.4.0 |
| 1329633 | 3-Major | BT1329633 | Certificates/ Key bundles import fails | 8.4.0 |
| 1327665 | 3-Major | | Unable to manage Certificate Bundle imported by non-admin user | 8.4.0 |
| 1322261 | 3-Major | | Unable to manage Certificates & Keys created by a non-admin user | 8.4.0 |
| 1186333 | 3-Major | BT1186333 | SSL permissions nullify RBAC restrictions | 8.4.0 |
| 1311585 | 4-Minor | BT1311585 | User Group creation fails with non-admin user | 8.4.0 |
| 1161601 | 4-Minor | | Certificate status is not updated. | 8.4.0 |


AppIQ Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1378065 | 3-Major | BT1378065 | Events search does not work for graph in Monitoring | 8.4.0 |


BIG-IQ Device Management Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 938385-1 | 3-Major | | BIG-IQ limits script output to 24576 bytes | 8.4.0 |
| 1785365 | 3-Major | | Backing up an F5OS configuration generates an invalid file. | 8.4.0 |
| 1582757 | 3-Major | | BIG-IP Licensing api_cert and api_key information are not added to the License assigned from BIG-IQ Registration Key Pool | 8.4.0 |
| 1494265 | 3-Major | | DO declaration push fails, if SNMP Object name contains special characters | 8.4.0 |
| 1323085 | 3-Major | BT1323085 | Unable to view/delete VELOS Device | 8.4.0 |


BIG-IQ DNS Management Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1758097 | 3-Major | | Topology Record creation page does not show datacenter options | 8.4.0 |


BIG-IQ Network Security Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1301285 | 3-Major | BT1301285 | In DNS, creating or updating a DOS Profile causes a validation error. | 8.4.0, 8.2.0 |


REST Framework and TMOS Platform Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1702565-4 | 1-Blocking | | tmsh configuration save improvements | 8.4.0 |
| 1583201-4 | 1-Blocking | | Input validation improvements | 8.4.0 |
| 850509-6 | 2-Critical | BT850509 | Zone Trusted Signature inadequately maintained, following change of master key | 8.4.0 |
| 968657-3 | 3-Major | BT968657 | Added support for IMDSv2 on AWS | 8.4.0 |
| 1784257 | 3-Major | BT1784257 | BIG IQ unable to send e-mails with TLS encryption for servers with TLSv1.2 | 8.4.0 |
| 1297109 | 3-Major | | Enable/ Disable options missing for a Custom DNS Operator | 8.4.0 |
| 1182761 | 3-Major | BT1182761 | PostgresDB bloat results in software upgrade failure | 8.4.0 |
| 1182737 | 3-Major | BT1182737 | BIG-IQ global configuration documents are not stored in ES due to maximum limit reached | 8.4.0 |
| 1084781-8 | 3-Major | | Resource Admin permission modification | 8.4.0, 8.3.0, 8.2.0.1 |
| 1029761 | 3-Major | BT1029761 | SNMP request for system information shows an "unknown" value for sysObjectID | 8.4.0 |
| 896521-3 | 4-Minor | K20850144 | Nonencrypted storage of proxy.password's value in DB | 8.4.0 |
| 816277-5 | 4-Minor | BT816277 | Extremely long nameserver name causes GUI Error | 8.4.0 |
| 661767 | 4-Minor | BT661767 | In WebUI, Audit Log and Deployment Task page shows incorrect username for the task | 8.4.0, 8.3.0 |
| 1382169 | 4-Minor | BT1382169 | The Device Count in Listed Devices of Device Group for HA is incorrectly displayed | 8.4.0 |


General BIG-IQ User Experience Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1820969 | 4-Minor | BT1820969 | BIG-IQ private mock IP addresses and hostnames are displayed when main.bundle.js file is executed | 8.4.0 |


BIG-IQ Web Application Security (ASM) Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1111409 | 3-Major | BT1111409 | Unable to configure Attack Signature override on HTTP URLs in some Web Application Security child policies | 8.4.0 |


BIG-IQ Application Management Fixes

| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1300729 | 3-Major | | BIG-IQ Applications take a long time to load for non-admin users | 8.4.0 |
| 974505 | 4-Minor | BT974505 | Vertical scrollbar is missing from quick edit panel on applications page | 8.4.0, 8.3.0 |
| 1297933 | 4-Minor | BT1297933 | Application Services shows incorrect Servers count in the deployment map | 8.4.0 |

 

Cumulative fix details for BIG-IQ CM v8.4.0 that are included in this release

994801-1 : SCP file transfer system

Links to More Info: K98606833, BT994801


974505 : Vertical scrollbar is missing from quick edit panel on applications page

Links to More Info: BT974505

Component: BIG-IQ Application Management

Symptoms:
Unable to see all of the Port and Nodes information as the vertical scroll bar is missing.

Conditions:
This is encountered on the applications page if there are several nodes associated with a virtual server.

Impact:
Incomplete view of the ports and nodes.

Workaround:
None

Fix:
This issue is fixed.

Fixed Versions:
8.4.0, 8.3.0


968657-3 : Added support for IMDSv2 on AWS

Links to More Info: BT968657

Component: REST Framework and TMOS Platform

Symptoms:
AWS added a token-based Instance MetaData Service API (IMDSv2). Prior versions of BIG-IP Virtual Edition supported only a request/response method (IMDSv1). When an AWS instance is started with IMDSv2, you receive the following error message:

get_dossier call on the command line fails with:
        01170003:3: halGetDossier returned error (1): Dossier generation failed.

This latest version of BIG-IP Virtual Edition now supports instances started with IMDSv2.

Conditions:
AWS instances started with IMDSv2.

Impact:
BIG-IP Virtual Edition cannot license or re-license AWS instances started with IMDSv2, and other metadata-based functionality will not function.

Fix:
With the latest version of BIG-IP VE, you can now initialize "IMDSv2 only" instances in AWS and migrate your existing instances to "IMDSv2 only" using aws-cli commands. For details, consult documentation: https://clouddocs.f5.com/cloud/public/v1/shared/aws-ha-IAM.html#check-the-metadata-service-for-iam-role
 
IMDSv2 documentation from AWS: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html

Fixed Versions:
8.4.0


966541-13 : Improper data logged in plaintext

Links to More Info: K06110200, BT966541


940317-6 : CVE-2020-13692: PostgreSQL JDBC Driver vulnerability

Links to More Info: K23157312, BT940317


938385-1 : BIG-IQ limits script output to 24576 bytes

Component: BIG-IQ Device Management

Symptoms:
Command output of scripts under the "Device > Script management" section of BIG-IQ is truncated to save only the last 24576 bytes. This value is hardcoded in a Java file.

Conditions:
Viewing script output.

Impact:
No workaround is available to increase the size and avoid truncation.

Fix:
You can now modify 'maxOutputFileSize' in the restjavad.properties.json file, as shown, to specify the size limit of script output.

{
    "platform": {
        "miscellaneous": {
            "maxScriptOutputSize": 24567
        }
    }
}

Fixed Versions:
8.4.0


937037 : CVE-2020-15778 SCP insecurely allows backtick characters

Links to More Info: K04305530


896521-3 : Nonencrypted storage of proxy.password's value in DB

Links to More Info: K20850144

Component: REST Framework and TMOS Platform

Symptoms:
See: https://my.f5.com/manage/s/article/K20850144

Conditions:
See: https://my.f5.com/manage/s/article/K20850144

Impact:
See: https://my.f5.com/manage/s/article/K20850144

Workaround:
See: https://my.f5.com/manage/s/article/K20850144

Fix:
See: https://my.f5.com/manage/s/article/K20850144

Fixed Versions:
8.4.0


850509-6 : Zone Trusted Signature inadequately maintained, following change of master key

Links to More Info: BT850509

Component: REST Framework and TMOS Platform

Symptoms:
During config load or system start-up, you may see the following error:

-- 01071769:3: Decryption of the field (privatekey) for object (13079) failed.
Unexpected Error: Loading configuration process failed.

In some instances, other errors resembling the following may appear:

-- Failed to sign zone transfer query for zone DNSZONE01 using TSIG key zone01key.pl.

-- Failed to transfer DNSZONE01 from 203.0.113.53, will attempt IXFR (Retry).

Conditions:
-- TSIG keys are present in the device configuration.
-- The device's master key is changed.

Impact:
Unable to view TSIG keys. Configuration cannot be loaded. Failures of DNS zone transfers may occur.

Workaround:
None.

Fix:
When master key changes, TSIG keys are now properly re-encrypted, so this problem no longer exists.

Fixed Versions:
8.4.0


841541 : SIGABRT on corosync process

Links to More Info: K16352404


816277-5 : Extremely long nameserver name causes GUI Error

Links to More Info: BT816277

Component: REST Framework and TMOS Platform

Symptoms:
Extremely long nameserver and tsig key names give an error in the GUI while viewing:

-- Bad Request. Your browser sent a request that this server could not understand.
-- Request-URI Too Long. The requested URL's length exceeds the capacity limit for this server.

Conditions:
When nameserver and tsig key name length exceeds 3300 characters.

Impact:
The GUI reports an error when you try to view them. You are unable to view nameserver and tsig keys having extremely long names.

Workaround:
Create nameserver and tsig keys with shorter names, preferably fewer than 255 characters.

Fix:
Nameserver and tsig key names are now validated, so this error no longer occurs.

Fixed Versions:
8.4.0


794389-7 : iControl REST endpoint response inconsistency

Links to More Info: K89509323, BT794389


661767 : In WebUI, Audit Log and Deployment Task page shows incorrect username for the task

Links to More Info: BT661767

Component: REST Framework and TMOS Platform

Symptoms:
When a different user attempts to deploy an Evaluation made by another user, the Audit Log and Deployment Task page will display an incorrect username.

Conditions:
Deployment is invoked by a user who did not create the evaluation.

Impact:
The incorrect username information of Audit Log for Deployment Tasks is displayed.

Workaround:
None

Fix:
This issue is fixed

Fixed Versions:
8.4.0, 8.3.0


1824241 : Unable to import the BIG-IP LTM service due to IKE Peer validation

Links to More Info: BT1824241

Component: BIG-IQ Configuration - Network

Symptoms:
When importing the LTM service on a BIG-IP with the below IKE Peer configuration, the import fails with IKE Peer validation 'In main mode with preshared key authentication, id-type can only be address.'
IKE version: 2
Auth method: Pre-shared
Verified ID type: FQDN or value other than the address

Conditions:
BIG-IP version is v16.1.1 or above and IKE Peer is configured with v2, Auth method Pre-shared, Verified ID type FQDN or value other than the address.

Impact:
LTM service cannot be imported successfully.

Workaround:
None.

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1820969 : BIG-IQ private mock IP addresses and hostnames are displayed when main.bundle.js file is executed

Links to More Info: BT1820969

Component: General BIG-IQ User Experience

Symptoms:
Display of mock IP addresses and hostnames

Conditions:
When main.bundle.js file is executed through a web browser or curl command.

Impact:
Revealing the IP and hostname information.

Workaround:
None

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1785365 : Backing up an F5OS configuration generates an invalid file.

Component: BIG-IQ Device Management

Symptoms:
When using BIG-IQ to create a backup file for F5OS v1.8.0 and above, the F5OS backup file is downloaded with corrupted data.

Conditions:
Using BIG-IQ to create a backup file for F5OS version 1.8.0 and above.

Impact:
Valid F5OS backup file is not created in BIG-IQ.

Workaround:
Download the generated backup file directly from F5OS Device.

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1784257 : BIG IQ unable to send e-mails with TLS encryption for servers with TLSv1.2

Links to More Info: BT1784257

Component: REST Framework and TMOS Platform

Symptoms:
Sending e-mail fails with an error in Logs when using SMTP setup with TLS encryption.

Conditions:
When SMTP is configured with TLS encryption and the server uses TLSv1.2.

Impact:
Unable to receive e-mails from BIG-IQ.

Workaround:
None

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1758097 : Topology Record creation page does not show datacenter options

Component: BIG-IQ DNS Management

Symptoms:
The Datacenter dropdown menu in the topology record creation UI (Configuration > GSLB > Topology Records > Create) is empty.

Conditions:
Creating a topology record when there are datacenter(s) that exist for the DNS Sync Group.

Impact:
Unable to create a topology record.

Workaround:
None.

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1731041 : Unable to modify VDI (RDP) resources for resource assign agent

Links to More Info: BT1731041

Component: BIG-IQ Access

Symptoms:
After deploying VDI (RDP) resources to APM, you are unable to modify the resources.

Conditions:
Added VDI (RDP) resources are not assigned to the resource assign agent, and removing VDI (RDP) resources errors out.

Impact:
Cannot modify the VDI (RDP) resources for resource assign agent.

Workaround:
No workaround, remove the resource assign agent and deploy, then add the respective VDI (RDP) resource to the resource assign agent to deploy.

Fix:
After deploying VDI (RDP) resources to APM, you can modify the resources.

Fixed Versions:
8.4.0


1702565-4 : tmsh configuration save improvements

Component: REST Framework and TMOS Platform

Symptoms:
In some scenarios, saving system configuration does not work properly.

Conditions:
NA

Impact:
NA

Workaround:
Permit management access to F5 products only over a secure network and restrict command line access for affected systems to trusted users

Fix:
The configuration issue has been resolved.

Fixed Versions:
8.4.0


1702449-6 : CVE-2023-52881 Linux kernel vulnerability

Links to More Info: K000148479, BT1702449


1632813 : Venafi connection objects do not always open as expected in the BIG-IQ UI

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Venafi connection objects do not always open as expected in the BIG-IQ UI

Conditions:
Opening or editing a Venafi object in the BIG-IQ UI (Configuration -> Local Traffic -> Certificate Management -> Third Party CA Management)

Impact:
Venafi connection object cannot be managed.

Workaround:
N/A

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1632389 : Compare Assessments option may show incorrect information.

Component: BIG-IQ Device User Interface

Symptoms:
Compare Assessments option for pre and post BIG-IP upgrades shows incorrect device information.

Conditions:
Creating a compare assessment for pre and post a BIG-IP upgrade.

Impact:
The configuration data in the compare assessment is not accurate.

Workaround:
None.

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1621249-4 : CVE-2024-3596: Blast Radius

Links to More Info: K000141008, BT1621249


1583201-4 : Input validation improvements

Component: REST Framework and TMOS Platform

Symptoms:
A REST API endpoint may incorrectly parse certain parameters.

Conditions:
N/A

Impact:
Incorrect behavior

Workaround:
Restrict access to the management interface to trusted users.

Fix:
The REST API endpoint issue has been resolved.

Fixed Versions:
8.4.0


1582781-4 : CVE-2021-23177 libarchive: extracting a symlink with ACLs modifies ACLs of target

Links to More Info: K000140961


1582757 : BIG-IP Licensing api_cert and api_key information are not added to the License assigned from BIG-IQ Registration Key Pool

Component: BIG-IQ Device Management

Symptoms:
The BIG-IP License file does not receive the api_key/api_cert information.

Conditions:
BIG-IP is Licensed from BIG-IQ and BIG-IP License Text has api_key/ api_cert information.

Impact:
BIG-IP cannot download files from external servers as the cert information is incomplete.

Workaround:
None

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1581897-4 : CVE-2021-31566 libarchive: symbolic links incorrectly followed when changing modes, times, ACL and flags of a file while extracting an archive

Links to More Info: K000140963, BT1581897


1581749-1 : CVE-2018-1000877 libarchive: Double free in RAR decoder resulting in a denial of service

Links to More Info: K000140964, BT1581749


1581745-1 : CVE-2018-1000878 libarchive: Use after free in RAR decoder resulting in a denial of service

Links to More Info: K000140964, BT1581745


1581445-4 : Libarchive vulnerability CVE-2022-36227

Links to More Info: K000140954, BT1581445


1574977 : Venafi Policy Folders are fetched only with absolute path and does not work with relative path

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Error message is displayed.

Conditions:
When obtaining policy folders from Venafi using the relative file path.

Impact:
Policy folder paths cannot be displayed and certificates cannot be managed.

Workaround:
None

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1567905-4 : libxml2 vulnerability CVE-2022-40304

Links to More Info: K000139594


1561693-1 : CVE-2016-10209 libarchive: NULL pointer dereference in archive_wstring_append_from_mbs function

Links to More Info: K000148259, BT1561693


1561105-4 : CVE-2018-1000880 libarchive: Improper input validation in WARC parser resulting in a denial of service

Links to More Info: K000148256, BT1561105


1561073 : Unable to Import APM module.

Component: BIG-IQ Configuration - Access

Symptoms:
APM module import fails with the error below:
Failed to copy configuration to working-config; reason: Failed copying from source to target: java.lang.IllegalArgumentException: Property 'name' value 'Generative AI - Text & Code' has an invalid character that is not in the allowed set of characters '-a-zA-Z_.0-9'.

Conditions:
APM Config contains the 'Generative AI - Text & Code' SWG URL Category or a Custom Category with any of the special characters '.*-:_?=@,&()'.

Impact:
APM module cannot be imported successfully.

Workaround:
None

Fix:
This issue is fixed

Fixed Versions:
8.4.0


1560525-4 : CVE-2019-1000019 libarchive: Out of bounds read in archive_read_support_format_7zip.c resulting in a denial of service

Links to More Info: K000148255, BT1560525


1559933-4 : CVE-2019-1000020 libarchive: Infinite recursion in archive_read_support_format_iso9660.c resulting in denial of service

Links to More Info: K000148255, BT1559933


1494265 : DO declaration push fails, if SNMP Object name contains special characters

Component: BIG-IQ Device Management

Symptoms:
It is not possible to override the SNMP object name as the SNMP community name using the CM's WebUI.

Conditions:
DO declaration is executed only through CLI.

Impact:
Configuration cannot be done if name has special characters.

Workaround:
None

Fix:
This issue is fixed

Fixed Versions:
8.4.0


1382169 : The Device Count in Listed Devices of Device Group for HA is incorrectly displayed

Links to More Info: BT1382169

Component: REST Framework and TMOS Platform

Symptoms:
Device Count for Device Groups displays with an incorrect value.

Conditions:
The configuration of the system is set to HA mode, with two CM nodes that are fully functional. Additionally, a switchover operation from Active CM must be carried out.

Impact:
Incorrect Device Count is shown for the Device Groups.

Workaround:
None

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1378065 : Events search does not work for graph in Monitoring

Links to More Info: BT1378065

Component: AppIQ

Symptoms:
No results were found when looking for a particular event on the graph below.

Monitoring->DASHBOARDS->Device->Health -> Search for events

Conditions:
Some events should be included in the Graph to enable searching.

Impact:
Unable to search the Events

Workaround:
NA

Fix:
This issue is fixed

Fixed Versions:
8.4.0


1348041 : In the Network Security Audit Log GUI, the Object Name and Object Type columns are not user intuitive.

Component: BIG-IQ Local Traffic & Management

Symptoms:
Because the same Object Type is displayed for Deployment and Evaluation Tasks in the Network Security Audit Log, the user is unable to distinguish between Evaluation and Deployment Tasks.

Conditions:
When creating and performing a Network Security Evaluation.

Impact:
In the Network Security Audit Log GUI, the Object Name and Object Type columns are not user intuitive.

Workaround:
None

Fix:
This issue is fixed

Fixed Versions:
8.4.0, 8.3.0


1341477 : The 'Resolve Import Conflicts' page in the 'Import' task configuration screens was not resizing correctly

Component: BIG-IQ Local Traffic & Management

Symptoms:
The window screen failed to properly resize in accordance with the window size. This issue occurs persistently.

Conditions:
When performing Discover/Re-Discover and Import/Re-Import tasks.

Impact:
The configuration differences cannot be rendered properly, which impacts the selection decision.

Workaround:
None

Fix:
This issue is fixed

Fixed Versions:
8.4.0


1341037 : Sort by "Managed by Third Party" does not work in the certificate list

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
Unable to sort the "Managed by Third Party" column in the certificate list.

Conditions:
When sorting the 'Managed by Third Party' column in "Certificates & Keys" table view.

Impact:
Sort functionality of 'Managed by Third Party' column will not work.

Workaround:
None

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1329633 : Certificates/ Key bundles import fails

Links to More Info: BT1329633

Component: BIG-IQ Local Traffic & Management

Symptoms:
The logs for restjavad display the following errors while importing from a certificate and keys bundle:
- "Failed to update cert bundle subcollection: java.lang.IllegalArgumentException: Duplicate item. Key already exists: partition : Common"
- "Failed to update cert bundle subcollection, see log for details"

Conditions:
When BIG-IQ imports certificate bundles from BIG-IP.

Impact:
Unable to import Certificate and Keys bundles

Workaround:
None

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1327665 : Unable to manage Certificate Bundle imported by non-admin user

Component: BIG-IQ Local Traffic & Management

Symptoms:
When a non-admin user imports the Certificate Bundle, it is not visible to the non-admin user.

Conditions:
This happens only when non-admin user performs the operation.

Impact:
Non-admin user unable to manage the Certificate Bundle.

Workaround:
None

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1323085 : Unable to view/delete VELOS Device

Links to More Info: BT1323085

Component: BIG-IQ Device Management

Symptoms:
The VELOS Device without any partitions is not visible on the F5OS Platform's Devices List Screen, and it results in one of the following errors:

- System Unavailable:
Cannot read properties of undefined (reading 'length')

- System Unavailable:
item.partitionsConfig is undefined

Conditions:
A VELOS device with no partitions is added to BIG-IQ.

Impact:
Unable to view/delete VELOS device

Workaround:
None

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1322261 : Unable to manage Certificates & Keys created by a non-admin user

Component: BIG-IQ Local Traffic & Management

Symptoms:
When a non-admin user creates Certificates & Keys, they are not visible to the non-admin user.

Conditions:
When a non-admin user performs the operation.

Impact:
Non-admin user unable to manage the Certificates & Keys.

Workaround:
None

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1315301 : BIG IQ displays incorrect Metachar data for violation details

Links to More Info: BT1315301

Component: BIG-IQ Monitoring - Logs

Symptoms:
For single violation, Metachar is displayed incorrectly.

Conditions:
When single violation event log is received.

Impact:
For violation, incorrect Metachar data is displayed.

Workaround:
None

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1314849 : When importing a cluster device, the SNAT pool member/SNAT translation address is importing the wrong IP address

Links to More Info: BT1314849

Component: BIG-IQ Configuration - Local Traffic

Symptoms:
The imported cluster device is incorrectly assigning the SNAT pool member/SNAT translation address as the wrong IP address.

Conditions:
When importing a cluster device.

Impact:
Incorrect SNAT pool member/SNAT translation address is stored in BIG IQ of a cluster device.

Workaround:
None

Fix:
This issue is fixed

Fixed Versions:
8.4.0


1311585 : User Group creation fails with non-admin user

Links to More Info: BT1311585

Component: BIG-IQ Local Traffic & Management

Symptoms:
When non-admin user creates a user group, the operation fails.

Conditions:
When a non-admin user has a reference to stale roles that lack roleTypePermissions and attempts to create a user group, then the operation fails.

Impact:
Unable to create user-group by non-admin user.

Workaround:
None

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1301285 : In DNS, creating or updating a DOS Profile causes a validation error.

Links to More Info: BT1301285

Component: BIG-IQ Network Security

Symptoms:
Creating or updating a query for a DOS Profile, Protocol DNS Security Attacks, when validating the Per Source IP Mitigation Threshold EPS with Mitigation Threshold EPS Parameters, a prior limit supported for BIG-IP v14.0.1 is upheld.

Conditions:
When a DNS A Query has a Per Source IP Rate Limit setting less than 1 percent and greater than 0.1 percent of the vector Rate Limit.

Impact:
Unable to create a DNS A Query with a Per Source IP Rate Limit setting less than 1 percent and greater than 0.1 percent of the vector Rate Limit.

Workaround:
NA

Fix:
This issue is fixed.

Fixed Versions:
8.4.0, 8.2.0


1301225 : BIG IP/ BIG-IQ Backup Schedules display default settings rather than current settings in UI

Component: BIG-IQ System User Interface

Symptoms:
Any of the following:
- When viewing an existing BIG-IP/BIG-IQ Backup Schedule, the Backup Schedule start date is reset to the present date in the UI.

- Viewing an existing Backup Schedule that was previously set with a backup archive option (for example, SFTP or SCP) does not show the settings configured for the external archive location.

Conditions:
Existing Backup Schedule.

Impact:
Current schedule configuration is not visible in the UI. Modifications to the schedule may reset unspecified options to default.

Workaround:
There is no way to work around this issue without a UI code update. However, the stored backup schedule can be viewed using the command line:

restcurl "/shared/task-scheduler/scheduler?\$filter=('name'+eq+'<backup_schedule_name>')"

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1300729 : BIG-IQ Applications take a long time to load for non-admin users

Component: BIG-IQ Application Management

Symptoms:
BIG-IQ Applications take a longer time to load.

Conditions:
Loading BIG-IQ applications when there are many application roles defined.

Impact:
Applications page loads slowly.

Workaround:
None.

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1297933 : Application Services shows incorrect Servers count in the deployment map

Links to More Info: BT1297933

Component: BIG-IQ Application Management

Symptoms:
When the AS3 Application Service is deployed with Server addresses and Servers, the Server count is displayed incorrectly in the deployment map.

Conditions:
When the AS3 Application Service is deployed with the following members, the Server count is displayed incorrectly:
- Pool -> 'Server addresses' under 'Members'
- Pool -> 'Servers' -> 'Server address'

Impact:
Servers count is displayed incorrectly in the deployment map.

Workaround:
None

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1297109 : Enable/ Disable options missing for a Custom DNS Operator

Component: REST Framework and TMOS Platform

Symptoms:
When logged in as a Custom Service Role Type (DNS Operator) with permission for the Pool and its members within the Resource Group, the Enable/Disable options for Pool members will not be visible on the Pool Details Page.

Conditions:
- Custom Service Role Type.
- Pool and Pool members are added to resource groups.

Impact:
Unable to Enable/ Disable the Pool Member as a Custom Service Role user.

Workaround:
None

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1295077 : Failed to download the BIG-IQ/ BIG-IP backup file from BIG-IQ

Links to More Info: BT1295077

Component: BIG-IQ System User Interface

Symptoms:
A saved BIG-IP or BIG-IQ backup file cannot be downloaded from BIG-IQ, although the backup file was successfully created in the /shared/ucs_backups folder.

Conditions:
Downloading a file from one of the following screens:

Devices -> Backup & Restore -> Backup Files -> Download
System -> Backup & Restore -> Backup Files -> Download

BIG-IQ returns an error similar to the following:
"File does not exist or file path is not a file: /shared/f5os_backup/<UCS_filename>.ucs"

Impact:
Unable to download the BIG-IQ or BIG-IP backup file.

Workaround:
If BIG-IQ does not have an F5OS platform/device discovered, delete the directory /shared/f5os_backup and create a symbolic link /shared/f5os_backup -> /shared/ucs_backups/ using the following commands from BIG-IQ:

* rm -rf /shared/f5os_backup
* ln -s /shared/ucs_backups /shared/f5os_backup

If BIG-IQ has an F5OS platform/device discovered, copy any existing backup files to the existing directory /shared/ucs_backups while the F5OS backups are not running, delete the directory /shared/f5os_backup, and create a symbolic link /shared/f5os_backup -> /shared/ucs_backups/ using the following commands on BIG-IQ:

* cp /shared/f5os_backup/* /shared/ucs_backups/
* rm -rf /shared/f5os_backup
* ln -s /shared/ucs_backups /shared/f5os_backup

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1239389 : Error when trying to save the settings for the Child Security Policy Attack Signatures

Component: BIG-IQ Configuration - Security - Web Application Security

Symptoms:
An error occurs when trying to save the settings for the Child Security Policy Attack Signature.

Conditions:
-- Parent Policy has Attack Signatures, General Policy Settings, Headers Inheritance set to Optional
-- Child Security Policy has the Attack Signature Inheritance Set to Decline

Impact:
Unable to save the Child Security Policy.

Workaround:
To prevent the Attack Signatures error, the Child policy must have its General Policy Settings and Headers inheritance properties set to Decline in order to update the Attack Signatures.

Alternatively, the Inheritance settings for the General Policy Settings and Headers can be set to None within the Parent Policy.

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1186333 : SSL permissions nullify RBAC restrictions

Links to More Info: BT1186333

Component: BIG-IQ Local Traffic & Management

Symptoms:
All SSL certificates are listed when the application service role is added along with the SSL permission role.

Conditions:
Create an SSL resource group with permission for a few objects, and an application service role.
Assign a user both of the above-mentioned roles.

Impact:
Some objects are presented that the user does not have permission to see.

Workaround:
None

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1185421-7 : iControl SOAP uncaught exception when handling certain payloads

Links to More Info: K000133472, BT1185421


1183453-4 : Local privilege escalation vulnerability (CVE-2022-31676)

Links to More Info: K87046687


1182761 : PostgresDB bloat results in software upgrade failure

Links to More Info: BT1182761

Component: REST Framework and TMOS Platform

Symptoms:
The upgrade process is unsuccessful due to repeated errors found in the postgres/bootstrap logs.
PostgresDB bloat can lead to software upgrade failure.

Conditions:
This can happen when certain Role-based access control (RBAC) configurations (in postgresDB) are present prior to the upgrade. For example, a large number of custom roles.

Impact:
The upgrade can fail. If the disk fills up during an upgrade or after a successful upgrade, the device is left in an inoperable state.

Workaround:
Perform the following steps on the problematic BIG-IQ node:
1. Move update-top-pg-tables.cron-d to /etc/cron.d/update-top-pg-tables on the BIG-IQ. This is required for the crontab to work.
    # chmod 600 /etc/cron.d/update-top-pg-tables

2. Re-run RBAC-RESET (assuming that is the original operation that filled /var).
    # rbac-reset

3. Confirm that RBAC-RESET completes without errors.

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1182737 : BIG-IQ global configuration documents are not stored in ES due to maximum limit reached

Links to More Info: BT1182737

Component: REST Framework and TMOS Platform

Symptoms:
The following error can be seen in /var/log/tokumon/current:

2022-10-10_13:04:18.38501 [SEVERE] es: _index:global command:index status:400 _id:https://localhost/mgmt/cm/global/tasks/deploy-app-service/8c722b61-da2f-4660-89f9-5d1c9b91fade error:{"type":"illegal_argument_exception","reason":"Limit of total fields [5000] in index [global] has been exceeded"} see searchd log for complete error.

Conditions:
Search filter in Applications -> Application Deployments works when searched with existing column values but does not work when searched with values other than those mentioned in columns.

Impact:
Using the global search, the global records are not listed.

Workaround:
Execute the following steps:

1. Change /usr to read/write:
# mount -o remount,rw /usr
2. Change to the directory:
# cd /usr/share/rest/tokumon/config/modules
3. Make a copy of global.js:
# cp global.js global.js.orig
4. Edit global.js using nano, vi, etc.
5. Under "mappings"."properties"."_value", add the following JSON element/object:
    ,"body": {
        "enabled": false
    }

6. Save and quit.
7. Force tokumon to delete and rebuild all indices:
# bigstart kill tokumond

NOTE: If tokumon begins restarting constantly, there is likely a syntax error in the changes made in step 5. Stop tokumond (bigstart stop tokumond) and repeat step 5 to find the error. If the problem persists, revert the file to the copy made in step 3:
# cp global.js.orig global.js
# bigstart kill tokumond

8. Ensure /usr is set to read-only:
# mount -o remount,ro /usr

Fix:
Global records are listed when searched using the global search.

Fixed Versions:
8.4.0


1161601 : Certificate status is not updated.

Component: BIG-IQ Local Traffic & Management

Symptoms:
Certificate status gets stuck at "Associating" or "Downloading From" state.

Conditions:
BIG-IP has more than 100 certificates.

Impact:
Certificate status is not updated.

Workaround:
None.

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1143073-13 : iControl SOAP vulnerability CVE-2022-41622

Links to More Info: K94221585, BT1143073


1124729 : Filter function on the Registration Key Pool License properties page is not behaving as expected.

Links to More Info: BT1124729

Component: BIG-IQ Device User Interface

Symptoms:
Filtering the Registration Keys list does not return the expected results.

Conditions:
Filtering the Registration Keys list.

Impact:
Unable to search for specified registration keys.

Workaround:
None.

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1124337 : Scheduled reports don't always integrate time zone changes.

Links to More Info: BT1124337

Component: BIG-IQ Monitoring - Dashboards & Reports

Symptoms:
Changing the time zone is not always reflected in scheduled reports that were scheduled before changing the time zone.

Conditions:
Viewing a scheduled report generated by BIG-IQ, if the report was generated after a time zone change, and the time zone change was done after the scheduled report was defined.

Impact:
The time zone in the scheduled report is different from the time zone in the browser.

Workaround:
None

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1111409 : Unable to configure Attack Signature override on HTTP URLs in some Web Application Security child policies

Links to More Info: BT1111409

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
Attempting to save or change an Attack Signature override on HTTP URLs in Web Application Security Child-type Policies will not succeed, resulting in the intended modification not occurring.

Conditions:
Web Application Security Policy configured as a Child Policy with Attack Signature inheritance set to Mandatory or set to Optional and configured to be Accepted.

Impact:
Any desired modifications to Attack Signature override on HTTP URLs cannot occur.

Workaround:
None

Fix:
The issue is fixed.

Fixed Versions:
8.4.0


1106333 : Post Aggregation takes a longer time

Links to More Info: BT1106333

Component: BIG-IQ System User Interface

Symptoms:
In the Post Aggregator log located at /var/log/appiq/postaggregator.log, the following log message indicates a longer aggregation time (in ms):

"2023-06-06 03:40:54,273 INFO c.f.a.a.TimeRangeAggregator [scheduling-1] All aggregations computed in 48654272ms"

Conditions:
Post Aggregator searches for indices that are not available in ES.

Impact:
Post Aggregation takes a longer time to complete.

Workaround:
None

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1098829-9 : Security vulnerabilities found in expat lib(used by iControlSoap) prior to version 2.4.8

Links to More Info: K19473898, BT1098829


1098825-8 : iControl Expat vulnerabilities [ CVE-2021-45960, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827 ]

Links to More Info: K91589041


1098813-8 : iControl Expat vulnerabilities [CVE-2021-46143]

Links to More Info: K23231802


1091453-9 : libxml2 vulnerability CVE-2022-23308

Links to More Info: K32760744, BT1091453


1087201-11 : OpenSSL Vulnerability: CVE-2022-0778

Links to More Info: K31323265, BT1087201


1084781-8 : Resource Admin permission modification

Component: REST Framework and TMOS Platform

Symptoms:
A user with the Resource Admin role may have incorrect permissions.

Conditions:
A user with Resource Admin role.

Impact:
Undisclosed

Workaround:
None

Fix:
Resource Admin permissions are matched to expected behavior.

Fixed Versions:
8.4.0, 8.3.0, 8.2.0.1


1041577-13 : SCP file transfer system, completing fix for 994801

Links to More Info: K98606833, BT1041577


1029761 : SNMP request for system information shows an "unknown" value for sysObjectID

Links to More Info: BT1029761

Component: REST Framework and TMOS Platform

Symptoms:
When performing an SNMP request for system information, sysObjectID returns an "unknown" value.

Conditions:
BIG-IQ version is 8.0 and above.

Impact:
Unable to view the system details.

Workaround:
None

Fix:
This issue is fixed.

Fixed Versions:
8.4.0


1018997-11 : Improper logging of sensitive DB variables

Links to More Info: K20850144, BT1018997


1008397-3 : Grafana vulnerability CVE-2019-15043

Links to More Info: K00843201



Known Issues in BIG-IQ CM v8.4.x


BIG-IQ Device User Interface Issues

ID Number Severity Links to More Info Description
984945 3-Major BT984945 Refreshing DSC group fails when at least one managed BIG-IP is unreachable.


BIG-IQ Local Traffic & Management Issues

ID Number Severity Links to More Info Description
1429841-1 3-Major   Deploying AFM configurations fail after upgrading BIG-IP to 15.1.3.1


REST Framework and TMOS Platform Issues

ID Number Severity Links to More Info Description
1046857-1 3-Major BT1046857 /var disk usage reaches 100% when standby BIG-IQ system is unreachable
928661-1 4-Minor   ICRD_Child Core error message during BIG-IQ restart

 

Known Issue details for BIG-IQ CM v8.4.x

984945 : Refreshing DSC group fails when at least one managed BIG-IP is unreachable.

Links to More Info: BT984945

Component: BIG-IQ Device User Interface

Symptoms:
Refreshing the DSC group list fails when BIG-IQ cannot reach any of the managed BIG-IP devices in the group.

Conditions:
Attempting to refresh the DSC group list (Devices > BIG-IP CLUSTERS > DSC Groups) and at least one of the managed BIG-IP devices is unreachable.

Impact:
The "Refresh List" action for DSC Groups fails and BIG-IQ displays the following error message:

unable to refresh current config: java.lang.IllegalStateException: Failed to start task on bigip-1: java.lang.IllegalStateException: java.net.ProtocolException: status:401
(remainder of message edited)

Workaround:
None


928661-1 : ICRD_Child Core error message during BIG-IQ restart

Component: REST Framework and TMOS Platform

Symptoms:
The log file at /var/log/setupd.out shows the following error message:

icrd_child: /usr/include/boost/smart_ptr/shared_ptr.hpp:418: T* boost::shared_ptr< <template-parameter-1-1> >::operator->() const [with T = CLI::Subscriber]: Assertion `px != 0' failed.

Conditions:
The ICRD_Child Core error message is logged during a BIG-IQ restart.

Impact:
The ICRD_Child error has no impact on functionality.

Workaround:
None


1429841-1 : Deploying AFM configurations fail after upgrading BIG-IP to 15.1.3.1

Component: BIG-IQ Local Traffic & Management

Symptoms:
Deploying AFM configurations after upgrading BIG-IP to 15.1.3.1 fails.

Conditions:
Attempting to deploy AFM configurations after upgrading BIG-IP to 15.1.3.1.

Impact:
Unable to deploy AFM configuration to BIG-IP after BIG-IP is upgraded to 15.1.3.1.

Workaround:
Restart the restjavad daemon on the BIG-IP device where the deployment fails, and then re-discover and re-import the AFM service on BIG-IQ.
# bigstart restart restjavad
or
# tmsh restart sys service restjavad


1046857-1 : /var disk usage reaches 100% when standby BIG-IQ system is unreachable

Links to More Info: BT1046857

Component: REST Framework and TMOS Platform

Symptoms:
When BIG-IQ is in a high availability (HA) configuration and the active BIG-IQ device cannot communicate with the standby BIG-IQ device, the active BIG-IQ accumulates data in the /var disk partition, which eventually reaches 100% capacity, causing a disruption in services.

Conditions:
This happens when the active BIG-IQ device cannot communicate with the standby device for an extended period of time.

Impact:
Services do not function correctly.

Workaround:
Before taking a standby BIG-IQ system offline, change the active BIG-IQ device to standalone.



